WEBVTT - Authentication Tech and You 0:00:04.160 --> 0:00:07.200 Get in tech with technology with tech Stuff from how 0:00:07.240 --> 0:00:13.720 stuff works dot com. Hey there, and welcome to tech Stuff. 0:00:13.800 --> 0:00:17.720 I'm your host, Jonathan Strickland, senior writer with how stuff 0:00:17.760 --> 0:00:21.000 works dot Com, and today we're going to explore the 0:00:21.160 --> 0:00:26.000 wonderful world of authentication technology and how it's evolved and 0:00:26.040 --> 0:00:29.920 what could be in store for us in the future. 0:00:30.840 --> 0:00:33.559 So the reason why I picked this topic before I 0:00:33.640 --> 0:00:36.559 jump into the whole thing, is because I feel like 0:00:37.159 --> 0:00:41.080 security is becoming a bigger and bigger concern as it 0:00:41.080 --> 0:00:43.959 should be for a lot of people. People are more 0:00:44.000 --> 0:00:46.920 aware of it, I think than they were perhaps five 0:00:47.000 --> 0:00:50.800 years ago. Not everyone is practicing good security measures. Not 0:00:50.880 --> 0:00:54.959 everyone's practicing two factor authentication or multi factor authentication. We'll 0:00:55.000 --> 0:00:58.040 talk about that in this episode, and if you aren't 0:00:58.080 --> 0:01:01.760 familiar with what that's all about, that's why I wanted 0:01:01.800 --> 0:01:04.720 to do this show, was to kind of explain what 0:01:04.720 --> 0:01:09.240 what that actually means and why it is important. Authentication 0:01:10.200 --> 0:01:13.000 is something that we should probably define. First of all, 0:01:13.120 --> 0:01:18.919 it's the process or action of proving something to be true, genuine, 0:01:19.440 --> 0:01:23.760 or valid, So that covers a broad spectrum right authentication. 0:01:23.800 --> 0:01:29.319 You could be talking about authenticating a historical artifact, that's 0:01:29.360 --> 0:01:32.360 a great example. You bring a historical artifact to an expert, 0:01:32.800 --> 0:01:37.120 they authenticate that it is in fact a historical artifact 0:01:37.360 --> 0:01:40.200 and not something that was whipped up in some sort 0:01:40.240 --> 0:01:43.440 of souvenir shop and some out of the way place. 0:01:44.400 --> 0:01:48.720 But authentication has a very special role in the world 0:01:48.760 --> 0:01:51.480 of technology and the world of computers and electronics. It 0:01:51.520 --> 0:01:55.320 gets a bit more specific. It's the process of verifying 0:01:55.440 --> 0:02:00.400 the identity of a user or a program or process. 0:02:01.120 --> 0:02:03.880 You want to make certain everything is authentic so that 0:02:04.040 --> 0:02:08.720 a program or person doesn't get unauthorized access to a system. 0:02:08.760 --> 0:02:13.720 So you're probably familiar with a lot of authentication processes, 0:02:13.760 --> 0:02:17.040 even if you didn't call them that, because you yourself 0:02:17.280 --> 0:02:22.400 have to employ them on a regular basis. Programs do too. 0:02:23.160 --> 0:02:25.840 But I'm not gonna really spend a lot of time 0:02:25.840 --> 0:02:27.639 talking about programs. In fact, I'm really not going to 0:02:27.760 --> 0:02:30.280 dive into it at all because that gets super technical, 0:02:30.840 --> 0:02:33.160 um and really I think it's more important to focus 0:02:33.160 --> 0:02:36.440 on the stuff that you have a direct involvement with, unless, 0:02:36.480 --> 0:02:40.080 of course, you're a programmer, in which case mia culpa. 0:02:40.160 --> 0:02:43.799 So I'm going to focus on authentication technology targeted at humans. 0:02:44.600 --> 0:02:47.200 So one day, maybe I'll do a software one if 0:02:47.200 --> 0:02:49.520 there's a lot of requests for it, but I feel 0:02:49.520 --> 0:02:51.280 like that might just get a little too deep in 0:02:51.320 --> 0:02:54.840 the weeds. So I'm gonna talk about the stuff you 0:02:54.880 --> 0:02:58.119 and I encounter when we try to access or protect 0:02:58.680 --> 0:03:02.040 our technology and our data. Now, there are a ton 0:03:02.080 --> 0:03:04.800 of different ways to do this. Some of them are 0:03:04.840 --> 0:03:10.799 inherently stronger methods of authentication than others and are better 0:03:11.480 --> 0:03:16.120 as far as you know, being more secure. And all 0:03:16.160 --> 0:03:20.600 of these authentication strategies can be divided into three broad categories. 0:03:21.320 --> 0:03:27.840 Those categories are inherence factors, knowledge factors, and ownership factors. 0:03:28.120 --> 0:03:31.920 So when you hear about two factor authentication, we're talking 0:03:31.960 --> 0:03:40.920 about a specific strategy that employs different uh different approaches 0:03:41.320 --> 0:03:46.040 belonging to different factors. Now, that doesn't really mean anything 0:03:46.080 --> 0:03:49.240 unless I expand on it. So an inherence factor relies 0:03:49.760 --> 0:03:53.240 upon the user him or herself. In other words, it 0:03:53.240 --> 0:03:57.360 has something to do with you as a user. It 0:03:57.560 --> 0:04:02.160 has to do with either your physical traits or behavioral traits. 0:04:02.160 --> 0:04:05.320 So a very easy to understand example of this would 0:04:05.320 --> 0:04:09.160 be a fingerprint scanner. Right like you, your fingerprints are 0:04:09.320 --> 0:04:12.880 unique to you. It is something you have inherited is 0:04:13.000 --> 0:04:17.400 inherent in who you are, so it's an inherence factor. 0:04:18.000 --> 0:04:19.920 But there are lots and lots of others, and I'll 0:04:19.920 --> 0:04:23.640 talk about some of those later on this episode. Knowledge 0:04:23.640 --> 0:04:27.200 factors are pretty self explanatory. Those are authentication strategies that 0:04:27.240 --> 0:04:30.960 rely on something that the user knows, like a password 0:04:31.080 --> 0:04:34.920 or a personal identification number otherwise known as a pen. 0:04:36.120 --> 0:04:39.919 Ownership factors are also pretty easy to understand. Those rely 0:04:40.040 --> 0:04:43.479 on something the user possesses, like a key card for 0:04:43.560 --> 0:04:47.560 security door. That would be an ownership factor. Now, on 0:04:47.600 --> 0:04:50.320 top of those categories, you have the additional strategies to 0:04:50.440 --> 0:04:54.960 enable authentication, which includes that two factor authentication that I 0:04:55.040 --> 0:04:58.560 talked about before. And maybe you don't know exactly what 0:04:58.600 --> 0:05:03.160 that means, well, that's why here. Really. Single factor authentication 0:05:03.160 --> 0:05:07.040 relies on just one component to access a system. So, 0:05:07.120 --> 0:05:10.200 for example, a lot of smartphones require users to unlock 0:05:10.320 --> 0:05:13.919 the device with a pin or a swipe pattern or 0:05:14.160 --> 0:05:18.080 a fingerprint scan. But that's it, right You you just 0:05:18.120 --> 0:05:21.120 have to do one of those things. You don't have 0:05:21.160 --> 0:05:24.760 to do multiple things. And once you do, whichever method 0:05:24.839 --> 0:05:27.840 you've enabled on your device, you have access to it. 0:05:28.080 --> 0:05:32.640 There's no secondary requirement. Systems that use single factor authentication 0:05:32.720 --> 0:05:38.280 are weaker than those that require more than one authentication strategy. 0:05:38.440 --> 0:05:43.360 In general, there are some different definitions for strong authentication 0:05:43.360 --> 0:05:47.560 I'll get into and you could argue that some inherence 0:05:47.880 --> 0:05:51.520 factors are so strong as to be fine on their own, 0:05:52.279 --> 0:05:55.880 But in general, going with a single factor is less 0:05:55.880 --> 0:05:59.120 secure than going for a two factor authentication strategy, which 0:05:59.120 --> 0:06:04.120 is exactly what is like. It requires two different authentication factors. 0:06:05.200 --> 0:06:08.200 That means the system will require users to provide authentication 0:06:08.640 --> 0:06:12.640 in two of those three categories. So an example of 0:06:12.640 --> 0:06:15.360 this is an a t M card. If you want 0:06:15.360 --> 0:06:17.800 to use an a t M card, you need to 0:06:17.880 --> 0:06:21.000 provide the card. That's an ownership factor. You have to 0:06:21.040 --> 0:06:23.400 be in possession of the card, and you have to 0:06:23.400 --> 0:06:28.479 supply the pen that's the knowledge factor. So you have 0:06:28.640 --> 0:06:32.360 an ownership factor and a knowledge factor. Those are two factors. 0:06:32.360 --> 0:06:36.000 That's two factor authentication. Possession of one factor should not 0:06:36.080 --> 0:06:40.640 be sufficient to access the respective system, nor should it 0:06:40.760 --> 0:06:44.359 lead to the discovery of the second factor. In other words, 0:06:44.920 --> 0:06:46.880 if you get hold of the card like you get 0:06:46.920 --> 0:06:50.680 hold of someone else's card, ideally there should be no 0:06:50.760 --> 0:06:55.520 indication on the card of what the pen is because 0:06:55.600 --> 0:06:57.400 you need both of those things in order to access 0:06:57.400 --> 0:07:00.800 someone's account. And if you make sure that only one 0:07:00.839 --> 0:07:03.159 of the two things is in possession of somebody else, 0:07:03.400 --> 0:07:06.840 they still can't get your stuff. So that's why you 0:07:06.839 --> 0:07:10.440 want the two factor authentication. You have to possess or 0:07:10.480 --> 0:07:13.760 know both of the authentication requirements independently of each other. 0:07:14.240 --> 0:07:17.960 This also applies to other factors as well. It doesn't 0:07:18.000 --> 0:07:20.080 just have to be knowledge and ownership. It could be 0:07:20.120 --> 0:07:22.840 ownership and inherence. It could be knowledge and inherence. You 0:07:22.840 --> 0:07:27.480 get the idea. So, if you've enabled to factor authentication 0:07:27.600 --> 0:07:31.360 on various online accounts, which I urge you to do 0:07:31.520 --> 0:07:34.960 for any accounts that actually offer it, you've likely had 0:07:35.000 --> 0:07:37.920 to supply a password as well as a code sent 0:07:38.120 --> 0:07:40.840 to you in some way. For example, you might have 0:07:40.840 --> 0:07:43.600 an email account that when you try and access it 0:07:43.760 --> 0:07:46.920 using a brand new device, says all right, well, what's 0:07:46.960 --> 0:07:49.160 your password? So you typed a little password in and 0:07:49.160 --> 0:07:51.160 then says all right, well, now I'm going to send 0:07:51.280 --> 0:07:55.400 you a code via text message. You need to put 0:07:55.480 --> 0:07:58.080 that code into this little box here, and then I'll 0:07:58.080 --> 0:08:02.080 give you access to your email. So the password part 0:08:02.160 --> 0:08:06.440 taps into that knowledge factor because you know the password 0:08:06.840 --> 0:08:11.480 and the text message taps into the ownership factor because 0:08:11.760 --> 0:08:14.520 there's a specific cell phone with a specific cell phone 0:08:14.600 --> 0:08:17.800 number associated with your email account, so you have to 0:08:17.840 --> 0:08:20.120 be an ownership of the cell phone in order to 0:08:20.200 --> 0:08:25.240 receive the text message and complete that authentication strategy. Many 0:08:25.280 --> 0:08:28.480 two factor authentication systems will actually allow you to designate 0:08:28.560 --> 0:08:32.880 specific devices as being safe quote unquote safe, meaning that 0:08:32.920 --> 0:08:34.720 you don't have to do that every single time you 0:08:34.760 --> 0:08:37.680 log in from that specific device. That way, you don't 0:08:37.760 --> 0:08:39.640 end up waiting for a text message every time you 0:08:39.679 --> 0:08:42.240 try and check your email from your personal laptop, computer, 0:08:42.400 --> 0:08:45.920 or smartphone. Now, there are systems that require even more 0:08:46.000 --> 0:08:50.880 forms of authentication, and we typically group these under the 0:08:50.960 --> 0:08:56.360 category multi factor authentication, indicating you've got to supply at 0:08:56.440 --> 0:09:00.280 least two methods in order to access the respective syste them. 0:09:00.320 --> 0:09:03.160 So technically, two factor authentication is a type of multi 0:09:03.240 --> 0:09:07.280 factor authentication. Most of the time, when I encounter it, 0:09:07.400 --> 0:09:10.680 multi factor is being used to mean more than two. 0:09:11.640 --> 0:09:16.000 I haven't personally ever encountered a system where I've had 0:09:16.040 --> 0:09:19.319 to supply more than two factors. But then again, no 0:09:19.360 --> 0:09:22.720 one trusts me with anything that's that important, so no 0:09:22.760 --> 0:09:27.720 big surprise there. Now, confusing matters somewhat is this term 0:09:27.880 --> 0:09:32.040 called strong authentication, which is used in a lot of 0:09:32.080 --> 0:09:36.000 different places, including the European Union. In fact, it's very 0:09:36.000 --> 0:09:39.360 prominently used in the EU. At first glance, you might 0:09:39.400 --> 0:09:43.800 think strong authentication and two factor or multi factor authentication 0:09:43.880 --> 0:09:46.640 are synonymous, that in order of it to be strong, 0:09:46.720 --> 0:09:49.880 it must be at least two factor authentication. But that's 0:09:49.920 --> 0:09:54.800 not actually the case. If a single authentication strategy is 0:09:54.840 --> 0:09:59.200 deemed secure enough, it can fall under the category of 0:09:59.320 --> 0:10:03.760 strong authentication. And so there's a lot of disagreement over 0:10:03.800 --> 0:10:06.520 what the actual definition is. It makes it pretty confusing. 0:10:06.840 --> 0:10:08.640 But let's give you an example. Let's say that there's 0:10:08.640 --> 0:10:12.480 a retinal scanner that scans the pattern of blood vessels 0:10:12.520 --> 0:10:17.079 in your eye. Now that's really difficult to replicate compared 0:10:17.080 --> 0:10:20.480 to other biometric measures such as a fingerprint, which you could, 0:10:21.120 --> 0:10:25.439 in fact, if you're very clever fake. So in the 0:10:25.480 --> 0:10:28.800 European Union, a system that looks at the blood vessels 0:10:28.840 --> 0:10:33.080 in your eye for authentication might be considered strong even 0:10:33.120 --> 0:10:35.640 though it's just a single factor. Let's say you don't 0:10:35.640 --> 0:10:38.200 have to provide any other information, it's just a quick 0:10:38.240 --> 0:10:40.960 skin of the eye and you're in if the system 0:10:41.000 --> 0:10:43.560 is robust enough, and if it's looking at something that 0:10:43.640 --> 0:10:46.480 is difficult enough to replicate, it could still count a 0:10:46.520 --> 0:10:50.679 strong authentication. He could even refer to knowledge based factors. 0:10:51.040 --> 0:10:53.240 So let's say a system requires you to answer a 0:10:53.240 --> 0:10:56.360 series of unrelated questions when you set up your account. 0:10:57.040 --> 0:10:59.640 Accessing the account at a later time requires that you 0:10:59.720 --> 0:11:02.200 rep like hat those answers. You've got to remember how 0:11:02.240 --> 0:11:04.240 you answered the questions when you first set it up. 0:11:04.240 --> 0:11:06.720 It's kind of like the security questions a lot of 0:11:06.760 --> 0:11:10.640 different systems used right now now, Because these questions are 0:11:10.760 --> 0:11:14.560 unrelated and knowledge of one answer doesn't provide any of 0:11:14.600 --> 0:11:19.120 the other answers, that could be considered strong authentication. Now, personally, 0:11:19.160 --> 0:11:20.520 I find that method to be a little on the 0:11:20.520 --> 0:11:23.320 flimsy side. But I'm not the one making definitions. I'm 0:11:23.400 --> 0:11:27.800 just reporting them to you guys. Now we've got the 0:11:27.800 --> 0:11:31.360 basic definitions out of the way, let's dive into a 0:11:31.400 --> 0:11:34.000 bit of history, because you guys know, I love to 0:11:34.040 --> 0:11:38.239 talk about the history of the various technologies and processes 0:11:38.280 --> 0:11:41.600 we've developed over the years. So the concept of authentication 0:11:41.760 --> 0:11:47.040 is ancient. It predates electronics by centuries. Throughout the years, 0:11:47.120 --> 0:11:50.000 people would have to provide some sort of proof of 0:11:50.040 --> 0:11:53.520 their identities. It might require someone else to vouchsafe for 0:11:53.559 --> 0:11:57.280 a person, or it might require a special seal belonging 0:11:57.320 --> 0:12:00.559 to a particular office or noble house place upon an 0:12:00.559 --> 0:12:03.280 official document. You may have heard that a lot of 0:12:03.320 --> 0:12:06.559 those documents would be sealed with wax, and then someone 0:12:06.600 --> 0:12:10.520 would use a signet ring in order to put a 0:12:10.559 --> 0:12:14.120 specific stamp in that wax. That was considered a form 0:12:14.160 --> 0:12:18.439 of authentication. If you saw the proper symbol, then presumably 0:12:18.480 --> 0:12:22.679 it came from the proper place. Not that you couldn't 0:12:23.000 --> 0:12:24.760 create a fake of that if you really wanted to, 0:12:25.080 --> 0:12:27.839 but you know, that was the idea. Or you might 0:12:27.880 --> 0:12:30.280 even just have a password shared between a small group 0:12:30.280 --> 0:12:32.720 of people. So as long as there have been secrets, 0:12:32.760 --> 0:12:35.320 there have been means to identify those who should and 0:12:35.360 --> 0:12:39.360 should not have access to those secrets. And secrets pre 0:12:39.480 --> 0:12:44.319 date the written word. But let's talk about passwords and 0:12:44.400 --> 0:12:47.640 authentication and electronics, because honestly, if I did a full 0:12:47.720 --> 0:12:51.440 episode about the history of passwords, that would not really 0:12:51.480 --> 0:12:54.440 be tech stuff. That would be an awesome, awesome episode 0:12:54.440 --> 0:12:57.000 of stuff they don't want you to know. Hint, hint. 0:12:57.720 --> 0:13:02.240 So computer passwords actually pre d eight personal computers. Back 0:13:02.360 --> 0:13:05.760 in nineteen sixty one, m I T created a password 0:13:05.800 --> 0:13:09.920 system for authorized access to its Compatible Time Sharing System 0:13:10.120 --> 0:13:14.520 or ct s S. Ct S S allowed multiple users 0:13:14.559 --> 0:13:18.880 to access the same computational core. So imagine that you 0:13:18.880 --> 0:13:22.040 are in a room and it's filled. Uh, there's like 0:13:22.120 --> 0:13:24.600 lots of tables everywhere, and every table has a couple 0:13:24.559 --> 0:13:28.559 of different workstations. Every workstation has a screen and a keyboard, 0:13:29.080 --> 0:13:31.559 but not a computer. They just have the keyboard in 0:13:31.600 --> 0:13:36.439 the screen, which are connected via cables to a single computer. 0:13:36.600 --> 0:13:40.920 Everyone is sharing the exact same computer. Well, way back 0:13:40.920 --> 0:13:43.320 in the day, that's how a lot of computer systems 0:13:43.480 --> 0:13:47.920 were made. They didn't have personal devices at every station. 0:13:48.440 --> 0:13:51.640 The stations were just dummy terminals that connected to a 0:13:51.679 --> 0:13:55.240 core system. Also, in those days, time sharing meant that 0:13:55.280 --> 0:13:59.120 the computer actually would divvy up when it was specifically 0:13:59.160 --> 0:14:03.280 available to do your calculations. So let's say you're typing 0:14:03.280 --> 0:14:06.600 in something, you're programming some code, and you send it 0:14:06.640 --> 0:14:11.760 to the computer. It would be responding to each station 0:14:11.920 --> 0:14:14.200 in turn, and it's doing it so fast that it 0:14:14.240 --> 0:14:18.240 feels almost instantaneous, or close enough to it, But in 0:14:18.320 --> 0:14:22.560 fact it would be responding uh. In sequence, as people 0:14:22.640 --> 0:14:28.040 had logged into the various terminals, now obviously using the 0:14:28.160 --> 0:14:32.080 same computer for all these dummy terminals create some challenges. 0:14:32.640 --> 0:14:36.280 How can each individual user maintain control over his or 0:14:36.320 --> 0:14:39.880 her data? How do they maintain their own private files? 0:14:40.280 --> 0:14:43.480 Because every user had a set of private files that 0:14:43.960 --> 0:14:47.520 other users should not be able to access without authorization. 0:14:47.600 --> 0:14:50.680 I mean, one person might be working on a project, 0:14:50.760 --> 0:14:52.880 someone else is working on a totally different project. You 0:14:52.920 --> 0:14:56.200 don't want those files to intermingle. You had the partition 0:14:56.280 --> 0:15:00.480 that stuff, so without a password, you really couldn't do that. 0:15:00.680 --> 0:15:03.240 So if everyone's using a core machine as the processor 0:15:03.240 --> 0:15:05.760 and storage unit, you had to create some means of 0:15:05.840 --> 0:15:10.800 differentiating one user from another. The solution was the password. 0:15:11.600 --> 0:15:14.160 So every user would get a unique password to enter 0:15:14.240 --> 0:15:17.240 into the system, which would then allow that user to 0:15:17.320 --> 0:15:20.920 create an access private files. And it also helped control 0:15:21.480 --> 0:15:25.640 the amount of time any individual user had with the machine. 0:15:25.680 --> 0:15:29.040 Because these machines they were rare. There are only a 0:15:29.040 --> 0:15:32.760 few of them in nineteen sixty one, so the time 0:15:33.360 --> 0:15:38.000 on those machines was very valuable. You you know, people 0:15:38.000 --> 0:15:40.240 were hoarding time. They were trying to do their best, 0:15:40.280 --> 0:15:42.120 you know, you might only get a few hours a week, 0:15:42.720 --> 0:15:46.720 so they would end up partitioning that out through passwords. 0:15:46.760 --> 0:15:49.520 It was kind of like a controlled ticket system, so 0:15:49.600 --> 0:15:53.160 that a ride doesn't get overwhelmed with a ton of people. 0:15:53.440 --> 0:15:55.680 You have you release a certain number of tickets per hour, 0:15:56.240 --> 0:15:58.960 and you keep the traffic flowing steadily. Same sort of thing, 0:15:59.000 --> 0:16:01.120 except in this case it was with a computer access, 0:16:01.920 --> 0:16:04.400 so it's a way to control the point of entry 0:16:04.480 --> 0:16:08.200 into the system. Now, at that time, the passwords were 0:16:08.280 --> 0:16:11.400 pretty simple, and they were not really secure at all. 0:16:12.240 --> 0:16:16.160 It was more for the matter of convenience than security really. 0:16:16.720 --> 0:16:19.840 After all, this predated the Internet, so external access to 0:16:19.920 --> 0:16:22.240 the system wasn't really a factor. If you wanted to 0:16:22.280 --> 0:16:25.800 get your hands on those sweet sweet private files, you 0:16:25.840 --> 0:16:28.960 actually needed to have physical access to the system itself. 0:16:28.960 --> 0:16:32.000 You couldn't just hack in from across the country. So 0:16:32.040 --> 0:16:34.720 in a way, that's a one factor of authentication all 0:16:34.760 --> 0:16:38.160 by itself. Ownership in this case, the ownership doesn't really 0:16:38.200 --> 0:16:41.200 refer to something that you personally own, but rather your 0:16:41.200 --> 0:16:46.800 physical access to the system. But these passwords weren't encrypted 0:16:47.200 --> 0:16:49.360 or stored in a particularly safe way. They were in 0:16:49.400 --> 0:16:53.720 plain text. So just a year after they debuted this 0:16:53.840 --> 0:16:59.160 password strategy, a graduate student named Alan Share accessed the 0:16:59.400 --> 0:17:03.240 entire list of unencrypted passwords stored on the system and 0:17:03.280 --> 0:17:06.280 printed them out. Now, the reason Shared did this was 0:17:06.359 --> 0:17:10.040 not to access private files created by other people. It 0:17:10.080 --> 0:17:12.639 was so that Shared could get more time on the 0:17:12.680 --> 0:17:16.240 system because every student was allotted just four hours of 0:17:16.280 --> 0:17:20.560 access per week, and he needed more access, and he figured, well, 0:17:20.560 --> 0:17:22.880 there's all these other hours of access that are going 0:17:22.960 --> 0:17:26.960 unused from other students. That's not fair. I'll just take 0:17:27.080 --> 0:17:30.359 their their hours and use them myself. The way he 0:17:30.400 --> 0:17:33.600 did this was he actually created a punch card that 0:17:33.800 --> 0:17:37.800 contained the file name and location for the password list, 0:17:38.400 --> 0:17:41.160 and it also contained a set of instructions that said 0:17:41.960 --> 0:17:45.520 take this file and send it to a printer. So 0:17:45.640 --> 0:17:48.520 he didn't even have to physically look at this file 0:17:48.560 --> 0:17:50.359 at all. He just had to figure out what was 0:17:50.400 --> 0:17:53.120 the file name, where was it located on the system, 0:17:53.200 --> 0:17:57.280 and then include the instructions sent to printer. By the way, 0:17:57.320 --> 0:17:59.240 if you want to know more about how punch cards 0:17:59.280 --> 0:18:02.520 work and the way that they were an integral part 0:18:02.560 --> 0:18:05.919 of early computing, you can actually listen to a classic 0:18:06.119 --> 0:18:10.320 two thousand nine Text Stuff episode titled computers from the past, 0:18:11.000 --> 0:18:13.200 and Chris Pallette and I talked a lot about them 0:18:13.200 --> 0:18:17.720 in that episode. So it's easy in hindsight to criticize 0:18:17.760 --> 0:18:19.840 the M I T strategy. But keep in mind this 0:18:19.920 --> 0:18:22.679 was at a time when unauthorized access to computers was 0:18:22.720 --> 0:18:27.320 exceedingly rare, because well, the computers were exceedingly rare. As 0:18:27.320 --> 0:18:31.520 computers began to proliferate throughout all areas of life, the 0:18:31.600 --> 0:18:36.880 need for more secure access strategies grew. According to Roger Needham, 0:18:36.960 --> 0:18:40.520 who was a professor of computing at Cambridge University, the 0:18:40.600 --> 0:18:44.080 Cambridge Lab came up with a concept to make passwords 0:18:44.080 --> 0:18:47.560 more secure, and that's the concept of hashing. Now, that's 0:18:47.560 --> 0:18:51.320 when you convert passwords of variable lengths into a fixed 0:18:51.440 --> 0:18:55.639 length string of characters using an algorithm for the transformation. 0:18:56.000 --> 0:18:58.560 It's a fancy way of saying, no matter how long 0:18:58.680 --> 0:19:01.320 or short of password is, you put it through a 0:19:01.400 --> 0:19:05.840 series of mathematical processes. Will you convert the password into 0:19:05.960 --> 0:19:11.320 numerals first? Then you do this series of mathematic processes, uh, 0:19:11.440 --> 0:19:14.400 the end result of which is you get a much 0:19:14.600 --> 0:19:19.440 longer string of characters and that represents the password. And 0:19:19.480 --> 0:19:21.399 it doesn't matter how long or short the past the 0:19:21.400 --> 0:19:25.119 original password was. All of the hashed versions of the 0:19:25.160 --> 0:19:29.040 password are the same length. So let's say the hash 0:19:29.119 --> 0:19:31.200 is e D characters long. That means if your base 0:19:31.240 --> 0:19:37.679 password is pass or it's anti disestablishmentarianism or anything else, 0:19:38.080 --> 0:19:40.480 it will end up converted into a string of e 0:19:40.560 --> 0:19:43.960 D characters. So if someone gets hold of the hashed passwords, 0:19:44.400 --> 0:19:46.000 those are the only ones that are being stored on 0:19:46.040 --> 0:19:48.280 the system, they would still have to figure out what 0:19:48.320 --> 0:19:51.320 was the mechanism used to generate the hashes in order 0:19:51.359 --> 0:19:54.680 to guess what the root password was, because otherwise they're 0:19:54.720 --> 0:19:57.240 all going to look like they're eight characters long. You 0:19:57.280 --> 0:20:01.959 won't know which ones were short passwords or long password words. Uh. 0:20:02.000 --> 0:20:04.480 In order to do that, obviously, you have to decide 0:20:04.520 --> 0:20:08.320 upon what the specific sequence of mathematical operations are going 0:20:08.359 --> 0:20:14.080 to be and what seed you're using for those operations. Uh. 0:20:14.119 --> 0:20:16.320 And once you do that, then you're able to make 0:20:16.400 --> 0:20:21.240 these kind of changes. So Needham said that the system 0:20:21.280 --> 0:20:24.680 was created and implemented in the mid to late nineteen sixties, 0:20:25.119 --> 0:20:27.720 so it wasn't very long after the m I T 0:20:28.560 --> 0:20:34.160 H rollout of passwords. Now later, still, computer scientists began 0:20:34.200 --> 0:20:38.760 to develop more secure hashing strategies. This includes salting passwords, 0:20:38.760 --> 0:20:42.320 which means adding characters to a password before you hash it. 0:20:42.960 --> 0:20:45.600 So a simple example of this is using a computer's 0:20:45.640 --> 0:20:49.560 clock to insert digits into the password and then hashing 0:20:49.680 --> 0:20:52.280 the new password, which makes it even harder for a 0:20:52.280 --> 0:20:55.000 hacker to figure out the route password from the hash 0:20:55.160 --> 0:20:58.400 because they need to know at what time that operation 0:20:58.480 --> 0:21:02.119 was performed on the original path pas word um, otherwise 0:21:02.240 --> 0:21:06.240 they wouldn't be able to replicate the original password. Now 0:21:06.280 --> 0:21:09.240 this is easier to understand if I give you an example. 0:21:09.320 --> 0:21:13.680 So let's say your password has been set to let's 0:21:13.680 --> 0:21:16.720 say tech stuff. You chose tech stuff as your password. 0:21:17.080 --> 0:21:19.520 First of all, that was dumb. Don't do that. Don't 0:21:19.560 --> 0:21:21.640 pick a word that's easy to guess, even if it's 0:21:21.640 --> 0:21:25.240 a name like tech stuff, which is granted an awesome show. 0:21:25.880 --> 0:21:29.280 But you've chosen tech stuff for this example. You access 0:21:29.400 --> 0:21:32.880 the system at two thirty five in the afternoon. Let's 0:21:32.880 --> 0:21:35.600 say that the computer converts that into military time, so 0:21:35.800 --> 0:21:38.800 that gives you fourteen thirty five, and then it salts 0:21:38.840 --> 0:21:42.000 your password with those numbers. So instead of it just 0:21:42.000 --> 0:21:46.160 saying text stuff, now it says T one e four 0:21:46.480 --> 0:21:52.640 C three H five stuff. That password then gets hashed 0:21:52.720 --> 0:21:56.520 into that eight character long version stored on the computers. 0:21:56.920 --> 0:21:59.520 By the way, that eighty characters is just an arbitrary example. 0:21:59.720 --> 0:22:02.320 I'm that doesn't really mean anything. I just need a 0:22:02.440 --> 0:22:05.639 number for the example. Now, let's say you access the 0:22:05.680 --> 0:22:08.320 same system the following day, but this time it's one 0:22:08.440 --> 0:22:10.760 twenty three in the afternoon. Remember it was two thirty 0:22:10.760 --> 0:22:12.760 five the day before, but now it's one twenty three 0:22:12.800 --> 0:22:15.960 the next day. The salted password is going to be 0:22:16.000 --> 0:22:19.520 different because it's going to convert one tree to military time, 0:22:19.920 --> 0:22:22.840 and then it's going to salt the password that way, 0:22:22.880 --> 0:22:25.840 so it would be T one E three C two 0:22:26.040 --> 0:22:30.560 H three stuff. The hashed value will end up being 0:22:30.600 --> 0:22:34.679 different as well, because it's inserted those new numbers. So 0:22:34.760 --> 0:22:37.239 that means that if the hacker gets two versions of 0:22:37.280 --> 0:22:40.320 your hashed password, they're still going to be different from 0:22:40.359 --> 0:22:42.719 each other. It's all going to be dependent upon the 0:22:42.760 --> 0:22:46.080 time you try to access the system. Now, the system 0:22:46.119 --> 0:22:49.480 itself it knows when you were accessing it, so it's 0:22:49.520 --> 0:22:53.600 able to do all of this decoding easily like that. 0:22:53.760 --> 0:22:56.199 There's no problem for the system, but it makes it 0:22:56.200 --> 0:22:59.680 difficult for a hacker to figure out what your password 0:22:59.800 --> 0:23:04.359 was based upon the hashed value that appears inside the system. Now, 0:23:04.400 --> 0:23:07.280 of course, hackers can bypass all that and try to 0:23:07.320 --> 0:23:10.800 hack a password using brute force. That's when someone and 0:23:11.200 --> 0:23:13.639 usually it's a computer program not a person these days, 0:23:14.480 --> 0:23:18.920 submits endless guesses into a password protected account in order 0:23:18.960 --> 0:23:22.280 to gain access. There's no need to work backward from 0:23:22.400 --> 0:23:25.840 hashed values. Using this approach, you're just guessing the root 0:23:25.920 --> 0:23:29.520 password from the get go. But it takes a lot 0:23:29.560 --> 0:23:33.119 of time, particularly if the user has created a strong password. 0:23:33.400 --> 0:23:37.080 So the longer and more complex a password, the less 0:23:37.080 --> 0:23:40.440 likely and traditional computer can hack it in a reasonable 0:23:40.480 --> 0:23:44.200 amount of time. Given enough time and enough computing power, 0:23:44.920 --> 0:23:49.520 any password can ultimately be cracked by brute force. But 0:23:50.200 --> 0:23:52.600 the more complex it is and the longer it is, 0:23:53.560 --> 0:23:56.080 the more time it requires to a point where it 0:23:56.119 --> 0:23:59.800 can approach time that last centuries, which means no one's 0:23:59.800 --> 0:24:01.800 going to bother to do it because they're not going 0:24:01.880 --> 0:24:05.440 to be around to actually see it work. Assuming you've 0:24:05.440 --> 0:24:08.520 picked a good strong password. That's why you should never 0:24:08.600 --> 0:24:11.240 use real words or even names as a password. They're 0:24:11.240 --> 0:24:13.440 too easy for a computer to guess using what's called 0:24:13.440 --> 0:24:17.399 a dictionary attack. So make sure you create those really 0:24:17.440 --> 0:24:20.639