Some people watching will have good
passwords, some people will have thought about this before, some people should have thought about
this and haven't, and hopefully will after we talked about this a little bit
more. Um, in the previous video I showed you cracking a password using pretty basic
techniques, right? There are people who know more about this than me who run other
custom dictionaries and rule-sets and things, right? It's not really important
for getting the message across of just how quick this is. Picking a good password
was actually a lot easier than people make it. XKCD alluded to this and we'll talk about that
in a minute. It didn't necessarily answer every question but it did get a good
message across and then as other aspects should you reuse passwords and, and so
on. Umm... so let's address these. Password
crackers and and people who research password security talk about something
called password entropy, which is the amount of information held in a password, the idea being that if you're not
holding much information in a password, it's going to be cracked very quickly because
it's not a much search space to go through. Now in some
ways I think that's a bit of an overcomplication I think practically you need to look at
two things. You say, first of all, can it be brute-forced, right? In which case if the answer is is your
password shorter or equal to 8 characters, the answer is yes, right? If your password's nine
characters and you're using symbols, you're probably ok, right? Fairly
straightforward, ok? As GPUs get faster, these barriers go down, and then you've got to
ask, "Is your password dictionary crackable?", right? Those people in the last
video didn't think so, and then there I was cracking their
passwords and they had quite good ones, some of them. So you've got to do two
things: you've got to make sure your password is long enough and uses
interesting characters so it can't be brute forced, but beyond that you've got to make
sure that you can't be dictionary attacked. Let's get this out the way first; if your
password is "password", you probably want to close out your browser right now and
change it and, you know, hang your head a little bit. If there's any variation on
the word "password" or has any of the numbers "1 2 3 4" in order in it, you need
to delete those passwords, maybe delete your account out of shame, right?
Because, oh dear. Ok, so I'm not addressing those, I'm
dressing... addressing, I guess, what what a better password will be. Now
password systems in general are not a very useful way to authenticate, right? A lot of
people think this, ok? Because they're hard to remember,
unless you pick an easy one to remember, in which case it's easy and not secure,
alright? So, in some sense we've tried to find a way of authenticating ourselves
which is hard for a human to remember, easy for a computer to guess, and people
do it badly, right? There's lots of reasons why passwords are terrible. Google
thinks passwords are going the way of the Dodo, because they're bringing in this new
authentication system where, you know, it tracks your movement in your pocket and
things like this. Fine, maybe that will work, but in the
back you're always going to have some kind of password, because you don't want
to be pulling your phone out of your pocket and Google saying, "you moved your
phone weirdly, so can you type in your PIN code", right? You're gonna have to have
something backing it up at all times. For now, we're going to have passwords for a
while longer. And so we have to think about what they
should be. So, obvious rules: 8 characters, 7 characters, not long enough, right? If you have an 8 character
password and you assume, just for a minute, that the website you're hosting
it on is storing them in MD5, then I'm going to be trying passwords at forty billion hashes per second. How long's it gonna take me to get
through eight? Not that long, right? If I'm smart about my character sets, less than
a day, a few hours probably. So, let's talk about the better approach
or the nearly perfect approach of XKCD and how can we improve even on that. So XKCD suggested the situation where you
had a decent password, because it was hard to remember, because it was some
word that you've got. Is it "troubadour"? And you change a few letters around for
numbers, and you capitalize things and you stick in a symbol somewhere and
things, and his argument is that this isn't a good password because there's
not much entropy, because you're doing standard things that people do in
passwords, right? Now that's absolutely true in the sense that if you replace an
'e' for a '3', everyone does that, that's number... rule one on the list, ok? Don't think that's
clever because it's not. lf you replace a 'z' for a '3', actually that's
still not very good. Let's pick a better one. If you... an 'o', if
you replace an 'o' for a '3', that's slightly better, but someone's still probably going
to have written that rule, because why wouldn't they when it's so fast to try them out? Ok, so
you've got one option which is up which is a kind of hard word to remember
with a bunch of weird to remember symbol exchanges, and then you've got another
one, which is just four words appended together: correct horse battery staple. Ok I think that's the order, right? Now
everyone knows that password which kinda means that password is not very good,
but the point remains: if you pick, his argument is that if you pick four words and just
stick them together, you have... It's inherently un-brute-forceable, if that's a
verb, right? Because it's too long, even with
all lowercase even without symbols and things, and it's
not really gonna come up in a dictionary much because those are weird
combinations of words that aren't very often used, and it's four of them. Ok, so how breakable are these two
passwords? Well, first of all, troubadour with all those exchanges probably
slightly harder than he suggests, because its entropy is not bad. I think it's 11 characters and you know
there's some exchanges there. Not all of them are immediately obvious. So it's not absolutely terrible and
perhaps slightly better than many things but he's absolutely right but it's quite
hard to remember and a bit of a pain, certainly a pain to type in. "correct
horse battery staple", much easier to remember, no funny characters to press, you get to
type that quite quickly but the issue is that we don't brute force passwords
of that length, we dictionary attack them, right? So the question really comes down to, "is
'correct horse battery staple' going to come up in a dictionary attack?", and the answer
is, "probably not", but once we start thinking people are just appending four
words together, maybe yes, ok? So instead of our password
cracking being a brute force of the number of characters to the power of the
length of our password, it becomes the number of words we might
use to the power of the number of words we are using, okay? So in this case, let's say the top
ten thousand words to the power of 4, okay? Which happens to be a very big number,
so we're kind of safe. But what if you only pick obvious words?
"Staple", I've checked, right? I've checked a list of about the top
20,000 english words; "staple" is somewhere around 12,000, right? Which means that we
don't tend to use it very often, that makes sense. "Horse" is much further up
the list so were "correct" and "batteries" further up the list as well. I mean, we all have phones, we talk about
battery all the time. So, if you hypothetically picked four words that were
in the top five hundred, then suddenly the search base is 500 to the power 4 which
is much smaller and your bad password is crackable. So, my advice to anyone
attempting a password system like this is to assume that the person attacking
you knows you're doing a password system like this and pick hard words, right? A
brand name or a word that isn't going to come up in a list of obvious
words that people use, ok? "staple" is not a bad word, the other
three are not great. So, you know, change it for something else, ok? Off the top of my head, uh... "lemming" is
probably not a very common word we use, ok? Don't use it now, because I said it. I've got
a Rubik's Cube, here "rubik" is probably not, or "Rubik's" is probably not in the top
ten thousand english words, right? Which makes a search space much harder to use, ok? We're changing the problem around to be
a question of can they guess the word you'll used not the structure of your password, ok? So
a really good password will be three english words, i would say, right? With one
word that's a bit out there Ok a bit odd; maybe it's a made-up word
or something, right? Because then you can't be brute forced because of the length,
you can't be brute force because of a combination of easy dictionary words,
right? And you don't need to put symbols in, because it's just too hard anyway. Ok, that would be really strong. If you
want to be even stronger than that then just stick an underscore right in
the middle of one of the words, just to really annoy everyone, right? Because if
you stick it between words it's going to fit into a standard rule set of the sort
of things people do with passwords, but if you put like an ampersand in the
middle of a word that shouldn't have an ampersand in it, like "horse", "ho&rse" in the middle of
"correct ho&rse battery staple", it's just that much harder to crack. And
then, for you to be able crack that password, a lot of things have to go
right for the attacker. They have to know the four words you're
going to use, in the right order, and they have to have tried that with the exact
right rule set that put an ampersand in at that exact position. And pick a word that
other people don't use very often, like your favorite band name or something
like that, ok? Because that way... maybe not your
favorite band name if you blog about them because then they can social engineer
the password, that's a different question. This is what you do if you have to pick
a password, right? But what you should really be doing now is using a password
manager. So, in some sense a password manager
swaps you remembering a bunch of passwords for you hopefully remembering
one really good password, ok? So this is the kind of password policy
that you go even further with and make that your master password. So what a password manager does if it's
well programmed is encrypt a database of your passwords for all your different websites
and and and you know accounts and then you secure that with a master password
of some description, right? And your master password has to be good and i
don't mean, you know, "password password password" because no one's going to guess
it's three times long, right? It needs to be of the level we were just
talking about. And you also need to look into what
encryption the password manager uses, where's the decription done, it's not
done on the server, we need to make absolutely sure it's all local and things
like this. So look into it and see how they do their security. I've looked into a lot of password managers.
They're all pretty good, you know, of the major players, right? They all use broadly similar schemes, they use very difficult to break hashes with lots of
iterations, which means that even if your passwords are released on the internet
they're in encrypted form and they can't be obtained. So all my passwords are 16 characters of
totally random and I don't know what they are, right? So if my... if my database
gets deleted i'm somewhat in a problem right? But, my master password is similar, I won't give away too many too much
information on what exactly it is it, right? But my master password is in a similar vein
to what we were discussing just now and I believe is essentially uncrackable at,
you know, currently. But i can type it in quite fast, because I've done it a lot. It's long enough and i can remember it, which is good, and i only have to
remember one which makes it that much easier. So now, when you log on to a website
and it says, "register for this website" again, and I'm only going to use it for five minutes, what am I going to do? I'll just
make it my standard password that I use every time. Instead of doing that, you
then go to your password manager and generate random 16 characters and it's
win-win because then, if you never use the website again, it doesn't matter anyway, because
you've got... you've got a random password. And if someone, if that website is a bit
dubious and they release your password later in a hack, it doesn't matter
because it's random, right? And that brings us on to last point:
never ever reuse passwords, ever. I fallen to this before, someone tried
to log into my Facebook once with a password that got leaked, someone tried to log into my Skype with a
password that got leaked, and that was my fault in a sense, because I used to use
the same password a number of times before I knew what I was doing,
right? This is a few years ago. Now, I know you have to have different passwords.
That way, if a password gets leaked down to the internet and hopefully it's random
anyway, from your password manager then we're in business, right? You change that
password, and you're secure again. If your master password for your... for your
database is weak, then they are going to hack it, and then if they get in they get
all your passwords. So, obviously that has to be really really strong. Last Password's been hacked a couple of times, but
this encryption is so strong that if your if your master password is strong it's
fine. Which is a bit Cavalier thing to say, but
it's actually true because of how many iterations they use.
Original comic - http://xkcd.com/936/
Another thing I would like to add to the password manager is to use two-factor authentication. I know it's annoying, but it's much less annoying than having all your passwords hacked because someone was able to guess your master password.
I do it for both my password manager and my email account, just to be on the safe side.