WEBVTT - TechStuff Looks at Password Security 0:00:00.280 --> 0:00:02.960 Brought to you by the reinvented two thousand twelve Camray. 0:00:03.160 --> 0:00:08.760 It's ready. Are you get in touch with technology? With 0:00:08.880 --> 0:00:17.480 tech Stuff from how stuff works dot com. Hello again, everyone, 0:00:17.560 --> 0:00:19.680 Welcome to tech stuff. My name is Chris Poulett, and 0:00:19.680 --> 0:00:21.720 I'm an editor at house stuff works dot com. Sitting 0:00:21.760 --> 0:00:25.120 across to me, as is a typically the case, senior 0:00:25.120 --> 0:00:28.600 writer Jonathan Strickland. Hey there, you know, so I was 0:00:28.640 --> 0:00:30.960 thinking maybe after this we could I don't know, play 0:00:31.000 --> 0:00:34.400 game risk. What do you think I think we already are? 0:00:35.720 --> 0:00:39.080 That's funny. Uh. Yeah. Security has been in the news 0:00:39.159 --> 0:00:41.040 a lot lately as of the time we're recording this 0:00:41.080 --> 0:00:44.800 in late August two thousand and twelve, UM. And part 0:00:44.800 --> 0:00:47.319 of that is because, as we have touched on in 0:00:47.360 --> 0:00:50.680 a handful of times since, some of the big, more 0:00:50.720 --> 0:00:55.720 widely publicized cases have been making the news. That you know, 0:00:55.880 --> 0:00:59.960 hackers have been breaking into different accounts at major corporate 0:01:00.080 --> 0:01:04.840 rations online, stealing people's information. It's unclear whether people's credit 0:01:04.840 --> 0:01:07.120 card numbers were stolen, or if we have your home 0:01:07.160 --> 0:01:09.440 address or we know the name of your dog. There 0:01:09.520 --> 0:01:12.280 was the whole story of Matt Honan getting his entire 0:01:12.360 --> 0:01:17.200 digital life hacked because of a vulnerability between the systems 0:01:17.200 --> 0:01:21.640 of Amazon and Apple YEP, which clearly taken a loan, 0:01:22.560 --> 0:01:27.720 clearly were not obvious as problems, but when put together, 0:01:27.840 --> 0:01:30.800 post problems because they were the people who were doing 0:01:30.800 --> 0:01:33.600 the hacking game to the system and put them against 0:01:33.680 --> 0:01:36.280 one another to create a bigger picture that allowed them 0:01:36.319 --> 0:01:39.280 to get the information. Well, uh, you know, people have 0:01:39.319 --> 0:01:42.360 been saying that you need secure password please, and there 0:01:42.360 --> 0:01:45.240 are news reports about this too. People are still using 0:01:45.800 --> 0:01:51.480 password as their password or obvious terms one, two, three, four. 0:01:51.560 --> 0:01:55.800 That's the kind of thing an idiot puts on his luggage. Hey, so, 0:01:56.000 --> 0:01:59.200 uh yeah, I mean those kinds of things are still 0:01:59.240 --> 0:02:03.160 in practice, and of course you need to use more 0:02:03.280 --> 0:02:07.760 secure passwords, but it's it's it goes deeper than that. 0:02:07.800 --> 0:02:12.280 There's more information out there now about how even using 0:02:13.000 --> 0:02:19.040 stronger passwords alone isn't necessarily going to keep hackers from 0:02:19.080 --> 0:02:22.160 being able to get into your account. You know, think 0:02:22.200 --> 0:02:25.240 about what you're doing. There's there's several several things that 0:02:25.280 --> 0:02:29.040 you have to consider. One of those is the idea 0:02:29.120 --> 0:02:32.919 of linking accounts together, because that means that should one 0:02:32.960 --> 0:02:37.160 account become vulnerable, then those other linked accounts could also 0:02:37.200 --> 0:02:40.280 be vulnerable. That was the case with Matt Honan, right. 0:02:40.400 --> 0:02:43.800 So one of the many problems of his yes UM 0:02:44.040 --> 0:02:47.400 because more identifiable problems because once they got access to 0:02:47.440 --> 0:02:50.240 his Google account, then they were able to reset stuff 0:02:50.280 --> 0:02:52.240 all over the place, and then it turned out that 0:02:52.280 --> 0:02:54.720 all they really wanted was to access his Twitter account, 0:02:54.720 --> 0:02:58.359 which is I guess in a way he's fortunate, but 0:02:58.440 --> 0:03:00.920 it's still pretty crazy every that they managed to do 0:03:01.000 --> 0:03:02.640 in order to do that, and they caused quite a 0:03:02.639 --> 0:03:06.000 bit of damage along the way to matahone in anyway, 0:03:06.480 --> 0:03:10.040 not to mention to the the the public perception of 0:03:10.080 --> 0:03:14.399 security UM on the back end. So that's one thing 0:03:14.480 --> 0:03:18.600 is linking lots of accounts together holds a very specific danger. 0:03:18.639 --> 0:03:21.800 I mean, for one, thing like Facebook Connect or really 0:03:21.840 --> 0:03:25.360 any open i D approach, right, if that system is 0:03:25.400 --> 0:03:28.680 not secure, you have a single point that you can 0:03:28.720 --> 0:03:31.919 target that will give you access to lots of stuff. 0:03:32.680 --> 0:03:37.520 Now that's so sad because for us the consumer, that's 0:03:37.600 --> 0:03:40.480 so helpful having one account that you can log into 0:03:40.600 --> 0:03:44.280 and from there you can authenticate with multiple other services. 0:03:44.640 --> 0:03:48.720 You don't have to build out form after form after form. Uh, 0:03:48.960 --> 0:03:52.400 you know, it's nice. It is a very valu service now. 0:03:52.480 --> 0:03:55.600 And I'm not saying that that Facebook Connect or Open 0:03:55.640 --> 0:03:58.120 Idea or any of that is that they are not secure. 0:03:58.200 --> 0:04:01.080 They're putting they're putting lots of protections in place to 0:04:01.080 --> 0:04:04.520 try and keep user information as safe as possible. It's 0:04:04.520 --> 0:04:07.920 not it's not so much that it's inherently wrongs that 0:04:08.360 --> 0:04:12.720 if something does happen, it can cause serious problem. Right. 0:04:12.760 --> 0:04:16.240 So that's one issue. Another issue is the way that 0:04:16.320 --> 0:04:20.320 we create passwords as users. For those of us who 0:04:20.520 --> 0:04:26.159 are using either very common words or even names. Um, 0:04:26.200 --> 0:04:28.120 even if we think we're being clever by adding a 0:04:28.160 --> 0:04:31.480 few numbers to it, that's not really that secure. And 0:04:31.920 --> 0:04:36.960 if it becomes even more insecure if we're using those 0:04:38.080 --> 0:04:45.200 passwords at multiple accounts. So I think, uh, we we were. 0:04:45.279 --> 0:04:48.560 We both read an article from Ours Technica by Dan 0:04:48.600 --> 0:04:52.360 Gooden called why passwords have never been weaker and crackers 0:04:52.360 --> 0:04:55.080 have never been stronger. It's actually it's a fascinating read, 0:04:55.120 --> 0:04:56.919 and I do recommend you check it out if you 0:04:57.040 --> 0:04:59.560 find this episode interesting, or even if you don't, it's 0:04:59.560 --> 0:05:02.760 a good thing to know. And uh, it's it's typically 0:05:03.160 --> 0:05:06.520 our technically typically get into a more technical detail than 0:05:06.640 --> 0:05:08.960 than articles on how stuff works dot com. But if 0:05:08.960 --> 0:05:11.000 you're if you're really serious about it, there there's a 0:05:11.000 --> 0:05:13.600 lot of important information in there, and we can give 0:05:13.640 --> 0:05:16.479 you kind of the the layman approach to what is 0:05:16.480 --> 0:05:18.440 going on here. But part of that is that I 0:05:18.520 --> 0:05:20.680 remember reading, and it may not have been in this article, 0:05:20.760 --> 0:05:23.440 I do remember reading a statistic that the average user 0:05:23.480 --> 0:05:27.040 has something like six and a half passwords in the Okay, 0:05:27.160 --> 0:05:29.120 so they used six and a half pass And you know, 0:05:29.120 --> 0:05:30.800 of course this is an average. We're not saying someone 0:05:30.800 --> 0:05:32.960 out there's just putting, oh, you know what, I was 0:05:33.000 --> 0:05:35.640 gonna type in my whole password, which is typically password, 0:05:35.680 --> 0:05:38.000 and I'm just gonna type in pass for this one. No, 0:05:38.160 --> 0:05:41.080 that's not what it means sword, it's the average. So 0:05:41.279 --> 0:05:43.520 but that means that, you know, you think the average 0:05:43.560 --> 0:05:47.120 person has around twenty five accounts across the web, but 0:05:47.200 --> 0:05:50.000 they're using on average, six and a half passwords, So 0:05:50.400 --> 0:05:53.279 each password is being used around three times on average. 0:05:53.360 --> 0:05:55.159 I mean, that's again an average. You might have just 0:05:55.240 --> 0:05:57.560 one password that used twenty times and the other three 0:05:57.680 --> 0:06:00.400 used the other five. But I don't to use the 0:06:00.480 --> 0:06:04.680 same password on Google and yeah, who's so I'll use 0:06:04.800 --> 0:06:06.400 one for one and the other one for the other, 0:06:06.480 --> 0:06:11.240 and then I'll use the Google one again for interest, yeah, whatever, 0:06:11.800 --> 0:06:14.720 for Facebook, because they are those are disconnected enough where 0:06:14.760 --> 0:06:17.320 it's not gonna know. That's still a problem unless you 0:06:17.320 --> 0:06:19.720 think that I am a super genius, because I can 0:06:19.760 --> 0:06:22.520 say this, No, I I reused passwords from time to 0:06:22.600 --> 0:06:25.040 time too. I'm guilty of it, just as much as 0:06:26.160 --> 0:06:29.920 the planet. I was awful for a long time. Passwords 0:06:30.000 --> 0:06:32.880 among that that was pretty much mine too. I had 0:06:32.920 --> 0:06:35.440 about three passwords that I used for almost everything. That 0:06:35.520 --> 0:06:38.760 is no longer the case. People, I don't do that anymore. Well, 0:06:38.760 --> 0:06:40.480 I told you I didn't mean you erase all those 0:06:40.480 --> 0:06:45.159 accounts anyway. So that's that's another user behavior, and we'll 0:06:45.160 --> 0:06:48.080 get more into that in a minute. But then the 0:06:48.240 --> 0:06:54.000 third piece is how safe are those passwords within the 0:06:54.080 --> 0:06:59.640 databases of the companies that hold those passwords. So if 0:06:59.680 --> 0:07:02.080 you are a cracker, you know a hacker who is 0:07:02.120 --> 0:07:06.000 specifically trying to crack into security systems, and you have 0:07:06.400 --> 0:07:10.360 identified a potential target to try and get at their 0:07:10.440 --> 0:07:15.600 password database, then uh, if it's if it's one where 0:07:15.840 --> 0:07:20.560 the user base of that service or company also typically 0:07:20.680 --> 0:07:25.000 has accounts at other places you've managed to not just 0:07:25.040 --> 0:07:27.840 get the passwords for that one account, but knowing that 0:07:27.880 --> 0:07:31.040 people tend to reuse their passwords, you might actually have 0:07:31.120 --> 0:07:36.960 access to multiple services. Now, there are ways that companies 0:07:36.960 --> 0:07:39.680 can protect against this, not just by building a good 0:07:39.720 --> 0:07:44.080 security system that's hard to crack, but also by uh 0:07:44.440 --> 0:07:48.400 encrypting those passwords in the database, so that if you 0:07:48.480 --> 0:07:51.200 get that database, yes you've got a whole bunch of data, 0:07:51.280 --> 0:07:54.960 but it does not translate directly to the passwords because 0:07:54.960 --> 0:07:58.640 it's been put through a hashing algorithm. Yeah, and there's 0:07:58.680 --> 0:08:03.160 there are several sort of standard hashing algorithms, so basically 0:08:03.160 --> 0:08:06.360 it's a it's a little like uh email encryption too. 0:08:07.040 --> 0:08:10.120 So you have, let's just pick pass the four letter 0:08:10.160 --> 0:08:13.400 word pass um, you put it through the hashing algorithm, 0:08:13.600 --> 0:08:16.120 and on the other side of it, the letters and 0:08:16.200 --> 0:08:20.480 numbers that make up the encrypted information look nothing like that. 0:08:20.640 --> 0:08:23.760 And it might be that your four letter password has 0:08:23.760 --> 0:08:27.800 just become a thirty two letter encrypted string of characters. Yeah. 0:08:27.840 --> 0:08:30.320 So somebody seeing that written down, say on a piece 0:08:30.360 --> 0:08:33.360 of paper, is not going to have any idea what 0:08:33.400 --> 0:08:35.040 that is, and they're not really going to have any 0:08:35.040 --> 0:08:40.040 way to decipher it. And theoretically it's pretty well, uh, 0:08:40.120 --> 0:08:43.840 pretty well protected right theoretically. But here's the problem is 0:08:43.880 --> 0:08:48.239 that not first of all, not every company has historically 0:08:48.400 --> 0:08:52.120 encrypted all those passwords. And there have been cases where 0:08:52.440 --> 0:08:55.640 crackers have gotten access to a password database that was 0:08:55.679 --> 0:08:58.880 stored in plain text. That means that the password that 0:08:58.960 --> 0:09:03.319 you type in appears in that database as you typed it, 0:09:03.640 --> 0:09:07.200 so there's no hidden you know, code or anything. You've 0:09:07.200 --> 0:09:10.400 got those passwords, Well, that's very valuable to a cracker 0:09:10.520 --> 0:09:12.400 for more than just the fact that they now have 0:09:12.480 --> 0:09:15.439 access to your account. What's also valuable is that they 0:09:15.440 --> 0:09:22.959 now have a list of words that people use as passwords. So, uh, 0:09:23.000 --> 0:09:25.439 there's a there's a type of attack we should talk about, 0:09:25.520 --> 0:09:29.360 the brute force attack. A brute force attack is when 0:09:29.880 --> 0:09:33.480 a cracker tries to get access to a system by 0:09:33.559 --> 0:09:37.600 filling out the essentially filling out the password field multiple 0:09:37.640 --> 0:09:42.840 times until they get a positive result. And um, one 0:09:42.880 --> 0:09:45.440 way of doing a brute force attack, A very common 0:09:45.440 --> 0:09:48.080 way is to do what's called a dictionary attack, where 0:09:48.120 --> 0:09:52.600 you take you create a virtual dictionary of words that 0:09:52.720 --> 0:09:55.720 you use as the basis for passwords, knowing that a 0:09:55.760 --> 0:09:59.240 lot of people will pick a common dictionary word as 0:09:59.360 --> 0:10:03.040 the basis of their password hard wark antelope ant eater. 0:10:03.200 --> 0:10:05.920 You know, it just goes all the way through animals 0:10:05.960 --> 0:10:08.840 for some reason. But something else that they'll do as 0:10:08.880 --> 0:10:13.520 part of this dictionary attack what they'll start adding changing symbols. 0:10:13.679 --> 0:10:16.840 So let's say your your password is ard vark, but 0:10:17.040 --> 0:10:22.080 you're being clever and changing the a's symbols to add symbols. 0:10:22.160 --> 0:10:24.439 And uh, you know, let's say you pick a word 0:10:24.679 --> 0:10:27.439 with with ease in it and you change them to threes. 0:10:27.840 --> 0:10:31.679 They try those two, yeah, because those are very common approaches. 0:10:31.720 --> 0:10:33.920 And yes, you know, keeping in mind that most of 0:10:34.040 --> 0:10:36.720 us are using passwords that are easy for us to remember, 0:10:37.200 --> 0:10:42.680 and the more random ish or seemingly random these passwords get, 0:10:42.720 --> 0:10:45.200 the harder it is for us to recall them. So, 0:10:45.520 --> 0:10:48.679 knowing that's a weakness, the cracker can say, all right, well, 0:10:48.760 --> 0:10:51.160 let's go with all these words, and let's go with 0:10:51.240 --> 0:10:54.560 the various variations we would expect people to use with 0:10:54.640 --> 0:10:57.000 these words. And even if you've done stuff like just 0:10:57.040 --> 0:10:59.520 added a couple of numbers at the end, that's not 0:10:59.600 --> 0:11:01.760 always a tough thing either. They can start going through 0:11:01.800 --> 0:11:05.920 all of these different variations, adding various numbers at the end, 0:11:05.960 --> 0:11:08.720 if they know how many characters your password is, that 0:11:08.840 --> 0:11:12.520 already has given them a huge advantage. And the reason 0:11:12.559 --> 0:11:15.640 why this is possible is because we've got processors out 0:11:15.679 --> 0:11:19.280 there that can do these these calculations in parallel. You know, 0:11:19.320 --> 0:11:21.720 if you were to do them all one after the other, 0:11:22.200 --> 0:11:26.160 it may take you centuries to get through all the 0:11:26.200 --> 0:11:30.520 possibilities of a particular password, depending on how many characters 0:11:30.520 --> 0:11:34.360 there are within that password. In Hollywood, Hollywood computers can 0:11:34.520 --> 0:11:37.640 do a executive brute force attacking about twelve seconds. Yeah, 0:11:37.880 --> 0:11:40.480 well sometimes that can happen here too, but that's generally 0:11:40.480 --> 0:11:42.080 not the way it works. Well, that's that's one of 0:11:42.080 --> 0:11:44.559 the interesting things about this article is you learn from 0:11:44.559 --> 0:11:48.480 reading that UH an attack like this doesn't take very 0:11:48.520 --> 0:11:55.679 long at all at most, assuming that you're not following 0:11:55.920 --> 0:12:00.559 really really strong password particles. Um. Yeah, it turns out 0:12:00.600 --> 0:12:03.360 that it's like, because of this parallel processing, you've got 0:12:03.400 --> 0:12:08.480 a processor that's working on multiple UH approaches to this 0:12:08.559 --> 0:12:11.640 logan attempt. So we can go through all these different variations. 0:12:11.720 --> 0:12:15.920 Even when there are billions and billions, as Karl Sagan 0:12:15.960 --> 0:12:19.920 would say, of variations of passwords, the processor can go 0:12:20.000 --> 0:12:23.160 through so many so quickly. You know, each each thread 0:12:23.200 --> 0:12:26.240 in that parallel processing is moving at an incredible rate, 0:12:26.679 --> 0:12:30.079 and you've got multiple threads all going Uh. There are 0:12:30.080 --> 0:12:33.160 crackers who use graphics processing units g p used to 0:12:33.240 --> 0:12:35.960 do this. They because they GPUs are designed to be 0:12:36.000 --> 0:12:39.920 parallel processors. Yeah. Even even though they're designed primarily to 0:12:40.200 --> 0:12:44.760 handle graphics instructions and display them on your your monitor, 0:12:45.240 --> 0:12:50.280 GPUs can be uh pressed into service, let's say, by 0:12:50.920 --> 0:12:55.400 a program by a software that that can specifically UM 0:12:55.559 --> 0:12:58.920 send instructions to it. So what people do, UM, there 0:12:58.960 --> 0:13:02.040 are open source program ms that you can use to 0:13:02.480 --> 0:13:08.520 uh assign password cracking to your GPU. UM sad to say, 0:13:08.600 --> 0:13:11.160 and and one of the uh the interesting stories that 0:13:11.240 --> 0:13:12.959 are one of the the interesting bits that I read from 0:13:13.000 --> 0:13:18.520 this article too was UH that people have grown increasingly 0:13:18.679 --> 0:13:23.199 intelligent about the way they save cracked passwords. So they're 0:13:23.200 --> 0:13:29.160 saving up dictionary attack type information. And so if you 0:13:29.280 --> 0:13:34.439 use you know, password one is your password on one site, UM, 0:13:34.520 --> 0:13:36.880 and they want to hack in to your account at 0:13:36.920 --> 0:13:41.720 the House of Online Grapefruit, they might try they and 0:13:41.720 --> 0:13:44.120 they've got your information. They could try it there too, 0:13:44.120 --> 0:13:45.920 to see if you've used your password on more than 0:13:45.960 --> 0:13:49.440 one site. So that makes it increasingly dangerous for you 0:13:49.520 --> 0:13:53.480 to use the same password in multiple locations because there 0:13:53.559 --> 0:13:57.400 is a growing database of password information that that people 0:13:57.440 --> 0:14:00.480 are saving, not just throwing away once an attack is 0:14:00.480 --> 0:14:03.160 completely That database also means that they can look at 0:14:03.200 --> 0:14:06.439 things like frequencies, like how frequently are people using this 0:14:06.600 --> 0:14:09.640 specific word or variations of this word as a password. 0:14:09.880 --> 0:14:12.320 And the more people who use it, the more you're like, 0:14:12.360 --> 0:14:14.280 all right, well let's bump this up the list. It's 0:14:14.320 --> 0:14:17.240 more of a likely candidate for a password. So, you know, 0:14:17.480 --> 0:14:19.760 we like to think that the passwords we choose are unique, 0:14:20.440 --> 0:14:23.720 but that's if we're basing it off a name or 0:14:23.760 --> 0:14:26.880 a word. That's not the case. There are lots of 0:14:26.880 --> 0:14:29.600 people out there using lots of passwords, and there's a 0:14:29.600 --> 0:14:31.560 good chance that someone out there is using the same 0:14:31.640 --> 0:14:35.480 quote unquote unique password. You are. Just remember your unique 0:14:35.600 --> 0:14:39.440 just like everybody else. You know, when everybody is special, 0:14:39.920 --> 0:14:46.320 no one is. It's incredible. Um. The so yeah, the 0:14:46.320 --> 0:14:50.200 the the database can tell the cracker all right, Well, 0:14:50.760 --> 0:14:52.680 not only am I using a dictionary attack, but I'm 0:14:52.760 --> 0:14:57.240 using a curated dictionary attack in a way, because these 0:14:57.240 --> 0:14:59.920 are the known passwords that are floating out there and 0:15:00.000 --> 0:15:01.600 the world, and these are the ones that are really 0:15:01.640 --> 0:15:04.760 popular that lots of people use. So we'll go through 0:15:04.800 --> 0:15:07.280 all the variations of these first, and you just you 0:15:07.320 --> 0:15:10.520 tweak your cracking program to do that so that you 0:15:10.680 --> 0:15:14.000 can get the the largest number of results in the 0:15:14.080 --> 0:15:16.200 least amount of time. And another thing you can do 0:15:16.320 --> 0:15:19.520 is once you've figured out these passwords that are very popular, 0:15:20.400 --> 0:15:23.040 that helps you determine other things, Like there are only 0:15:23.160 --> 0:15:27.200 so many hashing algorithms that are really popular out there 0:15:27.200 --> 0:15:30.600 in the world of computer security, right, so if you 0:15:30.680 --> 0:15:35.280 know which hashing algorithm there the particular company is using, 0:15:36.000 --> 0:15:38.240 and you are able to get let's say you get 0:15:38.320 --> 0:15:41.680 access to their encrypted password database. So now you've got 0:15:41.720 --> 0:15:44.720 a list of passwords that are encrypted, so you cannot 0:15:44.800 --> 0:15:47.080 just look at them and know what the passwords are. 0:15:47.560 --> 0:15:50.160 If you are able to determine which security protocol they're 0:15:50.240 --> 0:15:55.520 using and you have this massive database of um of 0:15:55.200 --> 0:15:58.200 of of passwords that are really popular, you can run 0:15:58.240 --> 0:16:02.160 those passwords through the same encryption algorithm to look at 0:16:02.160 --> 0:16:04.760 the hashes that come out and then start matching them 0:16:04.840 --> 0:16:07.200 up with the stuff that was in the database. So 0:16:07.240 --> 0:16:09.600 you're still cracking the passwords. You're just going about in 0:16:09.600 --> 0:16:12.360 a different way as far as this brute force attack 0:16:12.440 --> 0:16:15.360 is concerned. It's still a brute force attack. It's just 0:16:15.520 --> 0:16:19.360 doing it in a kind of an odd roundabout way. 0:16:19.400 --> 0:16:21.760 Because you've got the you've got the hash of the password, 0:16:22.520 --> 0:16:25.480 you've got the security protocol that's being used. Now you're 0:16:25.480 --> 0:16:29.800 trying to guess the original word that created that hashed password. 0:16:30.360 --> 0:16:32.760 Once you're able to do that, that account is no 0:16:32.800 --> 0:16:35.680 longer secure. And if that again, if you're using that 0:16:35.720 --> 0:16:39.800 same password elsewhere, those accounts aren't secure. UM. So you 0:16:39.880 --> 0:16:42.880 might be asking yourself, hey, if there are crackers out 0:16:42.880 --> 0:16:46.840 there who have these really advanced tools that can either 0:16:47.520 --> 0:16:51.200 figure out a password or uh, you know, kind of 0:16:51.440 --> 0:16:54.640 work down a list so that the the passwords I 0:16:54.760 --> 0:16:58.640 use are vulnerable, how do I how do I protect myself? 0:16:59.200 --> 0:17:00.680 And there are a few things you can do. One 0:17:00.880 --> 0:17:05.119 is use a unique password for every service that you 0:17:05.240 --> 0:17:09.199 log into, which is incredibly difficult if you're doing it 0:17:09.240 --> 0:17:11.800 on your own, which is why I would suggest getting 0:17:11.800 --> 0:17:15.159 a password manager program. And there are a lot of 0:17:15.200 --> 0:17:18.280 them out there. There are some that are free, there's 0:17:18.280 --> 0:17:21.080 some that you pay for. Um, there's some that are 0:17:21.119 --> 0:17:24.320 in the cloud. There are some that are based on 0:17:24.359 --> 0:17:28.840 your system. Yeah. Uh, you use a password manager, right, 0:17:29.119 --> 0:17:32.359 I do as well, um, and I'll go ahead and 0:17:32.400 --> 0:17:34.920 say which one I use. I use dash Lane, which 0:17:35.200 --> 0:17:37.920 uh I tried out for the first time this year 0:17:38.040 --> 0:17:42.640 and I like it well enough. Um. It saves passwords 0:17:42.640 --> 0:17:45.600 and if you want, it will generate a password for you, 0:17:45.720 --> 0:17:48.080 so you don't have to just come up with a 0:17:48.119 --> 0:17:50.320 string of things. It'll it'll do it for you and 0:17:50.400 --> 0:17:53.800 save it to your account. You create a master password 0:17:54.440 --> 0:17:58.240 that is a strong password, meaning that there are upper 0:17:58.240 --> 0:18:01.960 and lower case letters. There's a numbers in there. Uh, 0:18:02.000 --> 0:18:03.680 and all you have to do is remember that one. 0:18:04.240 --> 0:18:07.000 Which that sounds tricky, but I'll give you a hint 0:18:07.080 --> 0:18:09.440 on how to do something like that if you want 0:18:09.480 --> 0:18:13.080 to try it yourself. You create a master password. Uh. 0:18:13.119 --> 0:18:17.000 Then when you log into your dash ling account in 0:18:17.040 --> 0:18:19.720 my case, you then have access to all the other 0:18:19.720 --> 0:18:22.639 passwords that are that that dash Lane generates. So I 0:18:22.640 --> 0:18:26.440 actually went in to all my accounts and used the 0:18:26.520 --> 0:18:30.160 dash Lane password generator program and it creates a ten 0:18:30.359 --> 0:18:35.919 character long strong password that's unique. So none of my 0:18:35.960 --> 0:18:39.800 accounts used the same ones anymore. They're all ten characters long, 0:18:40.359 --> 0:18:45.640 they are a mix of various characters and uh. When 0:18:45.680 --> 0:18:49.560 you get to about nine characters, and if it's a 0:18:49.600 --> 0:18:53.159 truly you know, or at least a seemingly random series 0:18:53.160 --> 0:18:57.240 of characters and numbers, uh, the difficulty of cracking that 0:18:57.320 --> 0:19:01.639 password escalates dramatically. So it might go from a matter 0:19:01.760 --> 0:19:04.639 of days, two weeks or months. And the harder you 0:19:04.680 --> 0:19:08.520 make it to crack, the more likely your information will 0:19:08.840 --> 0:19:12.680 be safe so or that it will just be difficult 0:19:12.720 --> 0:19:16.239 for anyone to guess. Um. So that's the purpose of 0:19:16.280 --> 0:19:19.640 creating these strong passwords and the purpose for the password managers, 0:19:19.720 --> 0:19:24.399 because strong passwords are hard to remember. Um, so all 0:19:24.440 --> 0:19:27.080 I have to do is remember my one master password. 0:19:27.119 --> 0:19:28.760 Here's the hint I was gonna make. So if you 0:19:28.800 --> 0:19:35.000 want to make a strong password, like a master strong password, uh, 0:19:35.040 --> 0:19:38.240 it's best that you come up with a phrase that 0:19:38.320 --> 0:19:42.399 you will not forget and it it's great if the 0:19:42.440 --> 0:19:47.359 phrase also has a proper noun somewhere after the first word, 0:19:47.680 --> 0:19:49.639 so that you have some capitals in there as well. 0:19:50.040 --> 0:19:52.600 And you need a number, like a four digit number 0:19:52.640 --> 0:19:57.520 is best. So for example, you might say Dad's first 0:19:57.720 --> 0:20:03.760 car was a eighteen fifty six Volkswagen bug. M all right, 0:20:04.200 --> 0:20:06.840 So then your password. You take the first letter off 0:20:06.880 --> 0:20:09.400 of each of those words and the number and you 0:20:09.520 --> 0:20:13.199 put them together and that becomes your password. So the 0:20:13.240 --> 0:20:16.040 first letter would be upper case D for Dad's and 0:20:16.040 --> 0:20:19.280 then first car, so it's upper case D, lower case F, 0:20:19.920 --> 0:20:24.160 lower case C, lower case W, lower case A. Then 0:20:24.200 --> 0:20:29.440 you have the one and then uppercase V upper case 0:20:29.480 --> 0:20:33.080 B for Volkswagen bug. That could be your master password. 0:20:33.400 --> 0:20:36.399 And when you look at it as just a string 0:20:36.440 --> 0:20:40.120 of letters and numbers, it looks meaningless. You know, there's 0:20:40.160 --> 0:20:44.280 no there's no phrase that's evident right there immediately unless 0:20:44.359 --> 0:20:47.000 you happen to have already known it. So don't tell 0:20:47.080 --> 0:20:51.480 people you're, oh, I gotta change my password. Yeah, but no, 0:20:51.680 --> 0:20:54.679 don't tell people what your phrases. But make it a 0:20:54.680 --> 0:20:59.679 phrase that is easy to remember and uh, and that 0:20:59.720 --> 0:21:03.879 could your master password, and don't use it again. Just 0:21:04.080 --> 0:21:06.720 use it for your master password, and then use the 0:21:06.800 --> 0:21:10.640 password generator or a password generator if you don't want 0:21:10.640 --> 0:21:13.920 to trust one thing with it. But it's it's easier 0:21:13.920 --> 0:21:17.399 to use a password managers onboard password generator because they 0:21:17.400 --> 0:21:20.680 can save it directly to your account. Otherwise you're gonna 0:21:20.680 --> 0:21:24.840 have to transfer that that password to whatever your manager 0:21:24.920 --> 0:21:30.359 is UM and then that way you've got a vault 0:21:30.359 --> 0:21:36.080 of passwords that are encrypted, that are ten characters, hopefully 0:21:36.119 --> 0:21:38.639 at least ten characters nine or ten characters at the 0:21:38.760 --> 0:21:44.840 very least, and are strong. It's funny. It's it's rather 0:21:44.880 --> 0:21:47.960 than coming up with a mnemonic device to remember your password, 0:21:47.960 --> 0:21:51.800 you start with them mnemonic device and from it from it. Yeah, 0:21:51.840 --> 0:21:54.320 I think that that's way easier, because that is I've 0:21:54.400 --> 0:21:59.320 used a password generator before that creates a random string 0:21:59.359 --> 0:22:02.679 of characters and then tells you it's easy to remember this. 0:22:03.119 --> 0:22:07.920 Just remember echo Bravos seven Delta delta bro. You know, 0:22:07.960 --> 0:22:10.800 I'm like, this is that? Where are you from? Where 0:22:10.840 --> 0:22:14.800 that is easy? How is how is remembering a random 0:22:14.840 --> 0:22:19.080 selection of echoes and Bravos and et cetera numbers easier 0:22:19.119 --> 0:22:22.600 than say, just remembering e e blah blah. You know, like, 0:22:23.160 --> 0:22:25.880 that's not easier to me. But this other method where 0:22:25.880 --> 0:22:29.840 you create a mnemonic device first and then convert that 0:22:29.880 --> 0:22:33.639 into a strong password, makes way more sense to me. 0:22:34.840 --> 0:22:39.880 And uh again, because you know, the output of it 0:22:40.000 --> 0:22:44.399 is a seemingly random string of letters and numbers. Uh, 0:22:44.440 --> 0:22:49.040 it's not something that's easy for a computer to guess. Yeah, well, um, 0:22:49.080 --> 0:22:52.800 I use one password by agile bits um, which is 0:22:52.880 --> 0:22:56.159 a you can get as a desktop application for Windows 0:22:56.240 --> 0:23:00.400 or Mac. UM also works on iOS and Android UM 0:23:00.440 --> 0:23:02.639 and uh you know it has a browser plug in 0:23:02.960 --> 0:23:06.600 too on the desktop so that you uh, say, you 0:23:06.720 --> 0:23:10.600 visit a site where you have a um an account, 0:23:10.960 --> 0:23:13.080 maybe a shopping site, maybe a banking site or something 0:23:13.119 --> 0:23:15.159 like that for example, So you have your log in 0:23:15.200 --> 0:23:17.280 and password, you have to log in and has a 0:23:17.320 --> 0:23:19.239 little button and you press the button in it you know, 0:23:19.440 --> 0:23:21.840 says what is your overall passwords? He is your master 0:23:21.880 --> 0:23:24.920 password in there, and then as soon as you uh 0:23:25.040 --> 0:23:28.240 log in, you'll be given an opportunity to log into 0:23:28.240 --> 0:23:31.200 the site and it submits the information for you. Yeah, 0:23:31.200 --> 0:23:34.639 this is important if you're using a someone else's computer 0:23:34.840 --> 0:23:37.760 and you are using a browser to navigate to something. 0:23:38.280 --> 0:23:41.639 And you know, again, if you've created these these strong passwords, 0:23:42.200 --> 0:23:44.840 remembering each one is going to be really hard. And 0:23:44.880 --> 0:23:46.439