
How Strong Should Your Passwords Be 

Mental Outlaw
647K subscribers, 199K views

In this video I explain how to create a strong password, and why you should use password managers to create random passwords for your online accounts.
zxcvbn
github.com/dropbox/zxcvbn
dumb password rules
github.com/duffn/dumb-passwor...
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF
Dash
Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz
Zcash
t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr
Chainlink
0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14
Bitcoin Cash
qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp
Ethereum Classic
0xeA641e59913960f578ad39A6B4d02051A5556BfC
USD Coin
0x0B045f743A693b225630862a3464B52fefE79FdB
Subscribe to my RU-vid channel goo.gl/9U10Wz
and be sure to click that notification bell so you know when new videos are released.

Category: Science

Published: 26 Nov 2021
Comments: 862
@Sniblet 2 years ago
All of my passwords were generated using unique highly complex algorithms with quantum behaviors as random seeds all of which I created while I was blackout drunk in a classified location. I then deleted these algorithms and smashed the sole device that ever held them with a sledgehammer, twice. I then got blackout drunk again and buried the device’s remains somewhere that I do not know. Every time I recover the device, I hide it again using the same method. Logging into things is a difficult and often harrowing procedure for me, but at least my 12 Robux are safe until someone breaches the servers.
@Justacheese 2 years ago
Thanks for the laugh. I went and pictured someone actually doing the method you listed. Holy shit man. Getting blackout drunk to protect your own passwords. Now that is on another level.
@HelvecioGomes 2 years ago
Lmao 😂
@solar2655 2 years ago
r/thatHappened
@Sniblet 2 years ago
@@solar2655 You got me!
@sophiacristina 2 years ago
You made all this, but when you were drunk, you forgot that your password was set to "1234321", you really thought you were smart with the last '321'...
@RusherDevelopment 2 years ago
everybody knows that you should always use "password" as your password
@MentalOutlaw 2 years ago
Only if you spell it with leet speak sideways.
@swordfgithmaster8677 2 years ago
y e s
@NPrinceling 2 years ago
Make it longer. Have you considered passwordpassword?
@381delirius 2 years ago
yeah it literally already tells you how to type it
@egg5474 2 years ago
I hope you use a good salt like 1 or maybe even 2 if you’re paranoid stick the sticky note on the back of the monitor instead of the front for maximum security hardening also don’t forget to get your nordVPN subscription
@GhostfaceRuga 2 years ago
One time for a client we were doing pen testing for the network at the hospital. They always knew we were coming, but didn’t know when, and we never introduced ourselves until we were done so we could find weak points without the staff being on guard. I walked in with my laptop and set down at the medical records desk, no one asked me a thing. After a few minutes I approached the lady at the desk and said “hey IT sent me over and said you guys were having some server issues, I just need your log in information so I can check your account on the server.” No shit this girl wrote her information down and just handed it over without asking a single question. We had access to the network in under an hour.
@gokikuburi8653 2 years ago
Cool story bro
@thegreatoutagesign9204 2 years ago
this is unfortunately super common. and I honestly couldn't tell you what talks or programs you need to implement into the workplace to get people to watch out for this shit, since all it takes is a single person to fall for a social engineering attack to compromise everything in your company.
@icipher6730 2 years ago
Sounds too fake to be true...but I know it's true, because reality can be more stupid and fucked up than fiction or the dumbest conspiracy theories.
@thewolfsamurai1 2 years ago
I had this client who used an ancient email service that was not encrypted.
@joule400 2 years ago
@@icipher6730 considering people fall for almost identical scams in personal life too all the time no surprise companies fail in it too
@RATsnak3 2 years ago
My passwords are so secure that even I don't know half of them.
@Radi0he4d1 2 years ago
Unironically the right way of doing it
@krystiandzik9886 2 years ago
So how do you log in to websites? Or do you always stay logged in?
@bioemiliano 2 years ago
You shouldn't know any of them honestly.
@Zaptosis 2 years ago
Haha I only know about 5% of my passwords
@magythemage 2 years ago
@@krystiandzik9886 password managers probably
@JFrameMan 2 years ago
I actually hate forcing the user to choose a secure password. Telling them feedback how secure it is is fine, but it should be up to the user how important the account is. Sitting there figuring out a secure password you'll never remember just to download some basic thing or set up a subscription encourages people to re-use more secure passwords they use on other sites and then that's where their secure passwords get leaked from.
@slimyspiral4428 2 years ago
Any kind of password limitations will just help hackers in the long run
@ZVLIAN 2 years ago
Not allowing word-list passwords would be good though
@bbman10pwns 1 year ago
Not to mention the password can be the most secure password in the universe with an entropy value that approaches infinity, but when the company inevitably gets hacked it won't have mattered even in the slightest. I think part of it is just gaslighting users who wouldn't know better, which isn't great ethically.
@xwtek3505 9 months ago
Also different user has a different conception on what password is ideal (well entropy is one of the objective condition, but the rest of the condition is subjective) I would hate to include symbols and capital letters on my password and I already know my password is secure because I have calculated the entropy, and I have generated it using a password manager. My password does not need to be strengthened by capitals
@vincentnthomas1 8 months ago
Yet its you responsible for your users not to get hacked
@Pakanahymni 2 years ago
Dictionary attacks become much more difficult once you start using words from multiple languages. "correct horse battery staple" is suddenly a pretty good password if the words are in Navajo, Polish, Japanese and Hungarian.
@bina7513 2 years ago
Then throw in some acronyms and character substitutes along with random characters sprinkled throughout to be extra _salty_ just in case. Pun intended.
@janekk8833 2 years ago
And then after I write a word in Polish, the site says "you can't write special characters" because I use the letter ń
@bina7513 2 years ago
@@janekk8833 I wish more sites would permit special characters in passwords. They need to seriously get with the times.
@2BTO 2 years ago
@@bina7513 word i wanna put emojis in my passwords
@bush2239 2 years ago
I invented a few words in my own language, and put two in my passwords each.
@skywz 2 years ago
Also, always have a comma in there so that when a site leaks your password, it screws up the csv your password gets dumped into.
@RyuuRider 2 years ago
Big if true.
@99temporal 2 years ago
damn, big brain
@99temporal 2 years ago
preferably, type a to mess it even more
@juanpls3856 2 years ago
Can you explain
@skywz 2 years ago
@@juanpls3856 if it works, the csv (file where all the passwords are hopefully stored for use) would interpret it as an indicator to move on to the next username/password combination. This would mean that if it works, either a) your password will only be registered as a part of your actual password b) it misaligns the way the program scans through the file, protecting everyone's password that comes later in the file or c) best case scenario, it somehow screws up the csv so bad that it is completely unreadable. The problem, of course, is that actual websites might not be able to handle it.
@geroffmilan3328 2 years ago
I love to see "%" symbols being declined for passwords; it means the chances of SQL injection are very high. That character is a wildcard in SQL query strings, and banning it suggests your password gets passed to SQL in an unsafe manner.
@rubixtheslime 2 years ago
At that point they're just begging for it.
@rainbowskeppy5292 1 year ago
hash the password client side and theres no issue using very long passwords and you can use all unicode characters
@TheTundraTerror 2 years ago
Honestly, as long as you're not reusing passwords and avoid the top 500 most common, you should generally be fine. I think more responsibility should be heeped onto servers for failing to properly store user data.
@vaisakhkm783 2 years ago
We can blame servers.... But at the same time we also have a responsibility of protecting ourselves...
@martmine4618 2 years ago
We wouldn't have to even protect ourselves if there werent so many logins.
@davigamesp53 2 years ago
Øķ ¡ñþəřéß þįñğ
@tissuepaper9962 2 years ago
@@vaisakhkm783 did you not really read the comment, that's exactly what he said. Don't reuse and don't use common passwords, blame the server owners for their shitty datasec when it's a problem.
@2BTO 2 years ago
@@vaisakhkm783 wtf do u want us to do, unbreach the servers?
@TheWheatless 2 years ago
13:35 “And you’ll be able to sleep easy at night” I wish. Now I worry about the catastrophic consequences of someone getting access to my master password. Granted 2FA eases that fear slightly, instead making me fear what can happen if my 2FA device is stolen or just breaks. It never ends.
@uglycoal 2 years ago
Don't forget to update your passwords after this video ;)
@KiraIsGod 2 years ago
no ty
@akeem2983 2 years ago
Before this video: 12-16 random characters is enough! After this video: 10^128 characters, spaces, special characters and Ancient Egyptian hieroglyphs is too weak!
@daphenomenalz4100 2 years ago
@@akeem2983 haha
@SidewaysCytlan 2 years ago
Password requirement sins: 1. Composition rules. 2. Regular password resets (security breach is the only acceptable reason for a forced password reset). 3. Maximum password length (if less than 64 characters). The bigger the company, the more likely they are to commit one of these sins that is actively recommended against by NIST.
@robertjenkins6132 2 years ago
"2. Regular password resets" I HATE it when they make me change my password every couple of months. I already went through the trouble of memorizing a good password that I don't use anywhere else, so why do I need to change it? I usually just try to change one character. Can't be bothered. Life too short.
@GummieI 2 years ago
The regular password reset is one of those things that are good in theory, as any password someone got unauthorized access to would only last for so long. But yeah, the problem is that they have the tendency to make people make weak passwords, and then just slightly alter them. If people adhered to what this video said every time it would actually be ideal, but we don't live in an ideal world, so it is generally a bad requirement, yes.
@GummieI 2 years ago
@@robertjenkins6132 "memorizing a good password" That there is an oxymoron. A good password is one you can't memorise, but one that has been auto-generated in your password manager. The ONLY exception to this is the password for your password manager, as this very video said, since... well, it doesn't help much to store your password manager's password in itself :P And if you do it like that it is just the click of a button in your manager to get a new one to change it to. (Though as I said in my other reply in this thread, due to this very behavior you show here I do believe it to be a bad requirement, but if everyone did passwords right, it is a very good requirement actually.)
@alnoso 2 years ago
the regular password resets are absolutely retarded. they lead to people writing down their passwords insecurely after a few resets, which i've seen done so many times at my job, and they turn corporate cybersecurity, something that could lead to billions of dollars of damages if something went very wrong, into a nuisance that people just want to get out of the way as fast as possible. also passwords prohibiting dictionary words is an awful idea too. your average joe isn't going to want to remember 328g90aH2daf23 just to log into their work computer, and since they can't type in something relatively secure and easy to remember with maybe 3 words and some numbers, they'll end up just going for something absolutely retarded like their initials and date of birth.
@PhilLesh69 2 years ago
That's not true. I wrote a script to generate passwords using randomly rotating charactersets, some of which the characters are whole words from different eff wordlists used in dice password generators. For Wi-Fi passphrases I usually have the full 63 character password memorized by the time I'm done updating all the devices on my home Wi-Fi network. But it would still take centuries to crack.
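The three "password requirement sins" above map onto NIST SP 800-63B guidance. As an added example (not code from the video or any commenter), here is a password acceptance check written to that guidance in Python: a minimum length, a generous maximum, a blocklist of known-bad passwords, a check for account data, and nothing else. It applies NFKC normalization so the same password typed on different keyboards verifies the same way, and counts length in code points so non-ASCII letters and emoji count as single characters. The blocklist, thresholds and sample inputs are constructed assumptions; a real deployment checks against a breach corpus.

```python
import unicodedata

# Constructed sample blocklist. A real verifier compares against a breach
# corpus of millions of entries (commonly via a k-anonymity range lookup),
# which is where the famous xkcd phrase itself now lives.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "correcthorsebatterystaple", "p@ssw0rd",
}

MIN_LEN = 8     # NIST SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 256   # NIST: at least 64 must be accepted; this cap only bounds hashing cost


def normalize(password: str) -> str:
    """NFKC so that 'é' typed as one code point or as e + combining accent
    hashes identically; apply the same step at registration and at login."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, user_context=()):
    """Return (ok, reasons). Enforces only what NIST still recommends: length
    bounds, a blocklist of known-bad passwords, and no obvious account data.
    Deliberately absent: composition rules, banned characters, expiry.
    Length is counted in code points, so 'ñ' and an emoji are one character."""
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    folded = pw.casefold()
    # Compare with spaces removed so "correct horse battery staple" still
    # hits the blocklist entry for the well-known phrase.
    if folded.replace(" ", "") in COMMON_PASSWORDS:
        reasons.append("appears in the known-bad password list")
    for item in user_context:               # e.g. username, email local part
        if item and item.casefold() in folded:
            reasons.append(f"contains account data ({item})")
    if len(pw) >= MIN_LEN and len(set(pw)) == 1:
        reasons.append("repeated single character")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "correct horse battery staple",
                      "😀😃😄😁😆😅😂🍆", "ñandú está cómodo aquí", "aaaaaaaa"]:
        print(repr(candidate), check_password(candidate))
```

Everything a site cannot handle (a space, an emoji, a `%`) is a bug in the site's storage or query path, not a property of a good password; this check never rejects a character.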
@dreammfyre 2 years ago
Isn’t the biggest obstacle for password cracking that you can’t just spam a site or login service with millions of passwords without getting shut out? So brute forcing works if you get something offline to work with, but not really on online user accounts. The biggest threat there is someone hacking the site and leaking stuff.
@ZoReeXHD 2 years ago
Bypassable, since most websites block the IP you are making the request from, not the machine itself
@binarycat1237 2 years ago
@@ZoReeXHD even if they never ban you, each request takes a significant amount of time
@z-wire2609 2 years ago
@George Soros So they just measure response time instead of waiting for a response from the server?
@Dudeguy217 2 years ago
lmfao you guys don't know shit. cracking happens after a leak, bruteforcing through a sites login page is completely not feasible
@baconhair1565 2 years ago
@George Soros If the server security is crappy enough; why don't you just use something better than attempting to brute-force someone's password.
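The online-versus-offline distinction in this thread comes down to what the server does after a failed login. As an added example (not from the video or any commenter), here is a minimal throttle a login endpoint could put in front of password verification. It backs off per account, so rotating source addresses does not buy more guesses against one target, and caps failures per source to catch password spraying across many accounts. The limits, the injectable clock and the sample addresses are constructed assumptions.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Server-side guard against online guessing. Two independent limits:
      * per account: exponential backoff after each failure, so one target
        account absorbs only a handful of guesses per hour no matter how
        many source addresses the attacker rotates through;
      * per source: a cap on failures per window, which catches password
        spraying (one common password tried against many accounts).
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, base_delay=1.0, max_delay=3600.0,
                 source_limit=50, window=3600.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.source_limit = source_limit
        self.window = window
        self.clock = clock
        self._account = {}                    # account -> (failures, not_before)
        self._source = defaultdict(list)      # source  -> failure timestamps

    def allowed(self, account: str, source: str) -> bool:
        """Call before verifying the password; False means reject unverified."""
        now = self.clock()
        _, not_before = self._account.get(account, (0, 0.0))
        if now < not_before:
            return False
        recent = [t for t in self._source[source] if now - t < self.window]
        self._source[source] = recent
        return len(recent) < self.source_limit

    def record(self, account: str, source: str, success: bool) -> None:
        """Call after verification with the outcome."""
        now = self.clock()
        if success:
            self._account.pop(account, None)
            return
        failures, _ = self._account.get(account, (0, 0.0))
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._account[account] = (failures, now + delay)
        self._source[source].append(now)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for attempt in range(4):
        ok = throttle.allowed("alice", "198.51.100.7")   # constructed address
        print(f"attempt {attempt}: allowed={ok}")
        if ok:
            throttle.record("alice", "198.51.100.7", success=False)
```

The per-account backoff is also a denial-of-service lever against the victim, which is why the delay is capped and why real systems pair it with a step-up path (second factor, CAPTCHA or a reset flow). None of this helps once the hash database leaks; that is the offline case the other commenters describe, where only the password's entropy and the cost of the hash function matter.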
@etopowertwon 2 years ago
Cool story about password max length: I used a bank once which was later acquired by another bank. During account migration, maximum length was reduced significantly, so my 32 symbols password no longer worked and I couldn't figure why for a long time.
@Dudeguy217 2 years ago
Wow that is a cool story!
@RyuuRider 2 years ago
It's evolving! Just backwards-
@99temporal 2 years ago
so this probably means they're storing your password in plaintext
@etopowertwon 2 years ago
@@99temporal Not really. Most likely they just truncate the password before hashing.
@jamesedwards3923 2 years ago
I think I know which bank you are referring to.
@NumeroPerdido 2 years ago
My passwords are just random excerpts from the uncle Ted's manifesto or Hoppe's books with random numbers and with symbols sprinkled throughout
@GummieI 2 years ago
If this is actually true, you just gave any hacker wanting to target you a LOT of information cutting down the actual options a LOT (and sprinkling in random numbers and symbols, is not really gonna do much, as any hacker with just a bit of experience will be checking for such very things in a relative short amount of time, and since you already told the source of the meat of your passwords, and the lower the list of possible "meat" for the password, the less options there is to sprinkle in those random bits, you narrowed it down a LOT for them)
@NumeroPerdido 2 years ago
@@GummieI Please go back to reddit.
@FijianSouljah1312 2 years ago
@@NumeroPerdido shut up
@Camelotsmoon 2 years ago
I use catcher in the rye.
@purpleey 2 years ago
@@GummieI bruh the stuff in your parenthesis are longer than the actual sentence itself
@sebotrp 2 years ago
My passwords consist of 2 parts: 1st part is a random string of letters, numbers and symbols that is always the same, and part 2 is again entirely random, but also different for each service i use. I have memorized part one since each of my passwords use it but when it comes to part 2 i have them written on a paper but because my passwords consist of two parts even if by some miracle my sheet with passwords got somehow stolen these codes would be useless without part 1 which is only in my memory and nowhere else.
@dwightmanne 2 years ago
I just use a random password generator and save it in a text message I send to my dumb phone. All of my passwords I think were randomly generated. Because
@acloud7604 2 years ago
Imagine getting early onset Alzheimers and now you're fucked
@arsenal4444 2 years ago
okay that's actually a really good one, I might start using this method many thanks
@arsenal4444 2 years ago
@Mialisus lmao sounds like a Bateman meme, nice
@daphenomenalz4100 2 years ago
Thnx so much, you're a genius. I will start using this method.
@xard64 2 years ago
I don't know how zxcvbn copes with emoji but at least when tested with a relatively short password adding one or more emoji caused the estimated brute force times to shoot through the roof. I don't know if using emoji is practical at the moment but at least it would be interesting option for password manager managed logins which allow it.
@ReimuHakurei-itch.io- 2 years ago
Anti Brute force and dictionary Password : 変態のHackers Haha, password cracking only applies to English. Mga bobo pa nga ang mga hackers eh!
@anirudhkumar9139 2 years ago
IDK how many sites even allow you to go outside standard ASCII for the passwords, nevermind using emojis instead
@iusegentoobtw 2 years ago
@Sufuurin If by 'literally adds' you mean 'doesn't literally add' then you're correct. Emojis are utf-8 which is used globally for international or symbolic characters. You're not adding code, you're adding an additional utf character. For example: 'dumbpost' or 'спешка б', is interpreted as the same length as '😀😃😄😁😆😅😂🍆'
@iusegentoobtw 2 years ago
@Sufuurin that definitely is not what you meant.
@99temporal 2 years ago
@@iusegentoobtw aren't emojis utf-16? not the html ones, but things like different races emojis, different sex emojis and things like that
@braiinworms 2 years ago
all my friend [REDACTED]'s passwords are just his username spelled backwards... king shit
@MentalOutlaw 2 years ago
what's your friend's name?
@randgrithr7387 2 years ago
I took a King Shit
@ictogon 2 years ago
@Tungsten Dioxide the reversed brackets confuse and anger me
@R1gBoN3Gaming 2 years ago
The best password is when your password is less than the character minimum requirement since you never updated it 😂
@Howtoeatrocks 2 years ago
One of my emails (spam riddled thanks to my goal to sign up for every website I come across when I was 12) is all lowercase and less than the min required. Never had a breach
@retrogameplus3838 2 years ago
2^32 would be 4.2 billion, 2^33 would be double that, etc. so 2^53 is much more than billions even with the birthday paradox
@rj7250a 2 years ago
Consider that a high-end graphics card can search more than 30 billion passwords per second and a PC can have 4 graphics cards. At least 64 bits should be used.
@egtegs 2 years ago
@@rj7250a Plus you don't know what the g low bois have, a PC with 4 GPUs is really at the low end. Plus technology advances in an exponential manner which makes passwords significantly weaker over time. There's room for more entropy in my opinion.
@dlys6800 2 years ago
wtf does that even mean lmao there are no birthdays
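The entropy arithmetic behind this thread, and behind the video's advice to let a password manager generate passwords for you, as an added worked example (not code from the video or any commenter). It generates a uniformly random password and a Diceware-style passphrase with Python's `secrets` module, computes their entropy from the actual alphabet and word-list sizes, and converts bits into expected offline cracking time at the 30 billion guesses per second per GPU quoted above. The 16-word list, the 94-symbol alphabet and the guess rate are constructed assumptions; a real Diceware list has 7776 words.

```python
import math
import secrets
import string

# Constructed toy word list for the demo. A real Diceware/EFF list has 7776
# words (about 12.9 bits per word); the functions below use the actual list
# size, so plugging in a real list gives the real numbers.
WORDLIST = [
    "correct", "horse", "battery", "staple", "anvil", "beacon", "cactus",
    "dolphin", "ember", "falcon", "garnet", "harbor", "iguana", "juniper",
    "kettle", "lantern",
]  # 16 words -> exactly 4 bits per word

# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 symbols, ~6.55 bits each
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose every position is chosen uniformly at random
    from `alphabet_size` symbols. This only holds for generated secrets;
    a human-chosen password of the same length has far less."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password drawn from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = " ") -> str:
    """Diceware-style passphrase: each word picked uniformly, with replacement."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected offline cracking time: on average half the keyspace is searched
    before the right guess. Assumes the attacker has the hash and the hash is
    fast; a slow KDF (bcrypt, scrypt, Argon2) divides the guess rate."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 30e9          # guesses/s per GPU, the figure quoted in the thread
    for label, bits in [
        ("53 bits", 53),
        ("64 bits", 64),
        ("16 random ASCII chars", entropy_bits(len(ALPHABET), 16)),
        ("6 words, 7776-word list", entropy_bits(7776, 6)),
        ("6 words, this 16-word list", entropy_bits(len(WORDLIST), 6)),
    ]:
        print(f"{label:28s} {bits:6.1f} bits  "
              f"{years(seconds_to_crack(bits, rate)):.2e} years on 1 GPU, "
              f"{years(seconds_to_crack(bits, 4 * rate)):.2e} on 4 GPUs")
    print("example password  :", random_password())
    print("example passphrase:", random_passphrase())
```

Running it shows 53 bits lasting under two days on one GPU and 64 bits lasting roughly a decade on one GPU (two to three years on four), which is where the "at least 64 bits" figure comes from. Note that `entropy_bits` applies only to secrets drawn uniformly at random: a human-chosen 16-character password has far less than the 105 bits the formula reports, which is the case for a password manager rather than for memorisation tricks.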
@kmcat 2 years ago
8:12 One point to make here. This length check will be done on the server before the password is hashed. The server could take a 100-character password but only hash the first 20 characters.
@Ultrajamz 2 years ago
So essentially the chars after 20 don't matter except to the unknowing user and hacker? Though a hacker could test it by making the longest acceptable password and then changing the last character… they probably would never use a "hash only the middle or last X characters" type of thing since a normal user will notice and assume the site is messed up and complain.
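The silent-truncation bug described in this thread, and in the bank-migration story above where a 32-character password stopped working, as an added example that is not from the video or the commenters. `ToyAccountStore` models a server that accepts up to 100 characters but hashes only the first 20 bytes; `find_effective_length` implements the black-box check suggested above: register a maximum-length password, change one character at a time from the end, and see which positions still log in. The `prehash` flag shows the usual fix of hashing the whole password to a fixed-width digest before it reaches the length-limited step, which is how deployments cope with real limits such as bcrypt's 72-byte input cap (a property of bcrypt, not something stated on this page). Names, limits and the PBKDF2 parameters are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import string


class ToyAccountStore:
    """In-memory account store modelling the bug: only the first `limit`
    bytes of the password reach the hash. With prehash=True the password is
    first collapsed to a SHA-256 hex digest, so every byte the user typed
    influences the stored hash even though the downstream limit remains."""

    def __init__(self, limit: int = 20, max_accepted: int = 100, prehash: bool = False):
        self.limit = limit
        self.max_accepted = max_accepted
        self.prehash = prehash
        self.users = {}

    def _kdf(self, password: str, salt: bytes) -> bytes:
        material = password.encode("utf-8")
        if self.prehash:
            # Mitigation: fixed-width digest (64 hex chars) of the whole password.
            material = hashlib.sha256(material).hexdigest().encode("ascii")
        material = material[: self.limit]  # the silent truncation being modelled
        return hashlib.pbkdf2_hmac("sha256", material, salt, 1000)

    def register(self, user: str, password: str) -> None:
        if len(password) > self.max_accepted:
            raise ValueError("password longer than the advertised maximum")
        salt = os.urandom(16)
        self.users[user] = (salt, self._kdf(password, salt))

    def login(self, user: str, password: str) -> bool:
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, self._kdf(password, salt))


def find_effective_length(store, max_len: int, user: str = "probe") -> int:
    """Black-box probe: register a maximum-length random password, then change
    one character at a time starting from the end. Positions where the
    altered password still logs in are ignored by the server; the first
    position (from the end) that breaks login marks the true limit.
    Returns max_len if every character matters."""
    alphabet = string.ascii_letters + string.digits
    pw = "".join(secrets.choice(alphabet) for _ in range(max_len))
    store.register(user, pw)
    effective = max_len
    for i in range(max_len - 1, -1, -1):
        other = "a" if pw[i] != "a" else "b"
        if store.login(user, pw[:i] + other + pw[i + 1:]):
            effective = i          # character i is silently ignored
        else:
            break
    return effective


if __name__ == "__main__":
    print("buggy server  :", find_effective_length(ToyAccountStore(), 100), "chars matter")
    print("prehash server:", find_effective_length(ToyAccountStore(prehash=True), 100), "chars matter")
```

Against a live site the same probe works with a throwaway account, and a site that advertises a maximum of, say, 100 characters but only honours 20 has quietly reduced everyone's entropy to whatever fits in those 20 bytes, which is exactly the failure the bank story describes.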
@barrdack 2 years ago
There is another meme from xkcd where they have to choose from cracking the super complicated password or use a 5$ wrench.
@danielsjohnson 2 years ago
@Nobody You don't get it. You hit the password owner with the wrench until they tell you. Or get them drunk and ask them the password. Or both.
@etopowertwon 2 years ago
In Russia this method is called "thermorectal cryptanalysis"
@r.b.ratieta6111 2 years ago
The best password is "incorrect." That way if you type it wrong, most apps and sites will tell you, "The password you entered is incorrect."
@smiley_1000 2 years ago
Put a space at the end of your password so that the Hacker will get frustrated trying to enter it
@tissuepaper9962 2 years ago
@@smiley_1000 many, many websites totally ban special characters at the beginning and end of passwords. Methinks they're afraid they aren't sterilizing everything correctly.
@randomdude12370 2 years ago
Big brain over here
@flyingstonemon3564 1 year ago
Problem: Other languages being used by the attackers or apps
@r.b.ratieta6111 1 year ago
@@flyingstonemon3564 New password: "Incorrecto"
@meinfuhrer5041 2 years ago
I was just watching your old videos on passwords glad you released a new one.
@Juan_Duran 2 years ago
4:41 one of the many reasons i love your work. God bless you bro
@CcReap3r 2 years ago
Damn the algorithm is loving you lately, keep seeing a bunch of your videos in my recommended
@PrincessColumbidae 2 years ago
Thanks for linking the bad password rules. Made my day.
@johtfloridaman6227 2 years ago
You are taking off! congrats!
@jaroddavidson7482 2 years ago
You know it’s strong when you can’t even remember the password
@jaroddavidson7482 2 years ago
@Nobody lmao
@sharishth 2 years ago
@SoulStacker that's the point he can't remember himself.
@pumbbb 2 years ago
I know this isn't a Linux-related video, but thanks to your content you have convinced me to switch to Linux Mint, and now I am a proud Linux user
@dadecountyboos 2 years ago
never disappointed by the b roll for this channel
@FGj-xj7rd 2 years ago
6:15 Is that because of some SQL injections? Why wouldn't they allow you to use the "%" signs?
@binarycat1237 2 years ago
printf, url-encoding (Both should not be near passwords)
@GummieI 2 years ago
It is most likely due to that sort of thing, which in and of itself is a BIG red flag though, as it means they are not sterilizing the input well enough if they are afraid of that kind of thing. Before the password gets handled, any basic code should basically be told that what is coming here is in no way, shape or form something that is code related; it is purely a possible password input to be checked with/stored in the database
@GummieI 2 years ago
@@weakspirit_ Yeah, it is kinda a funny one, since at first glance it doesn't seem that bad: "it is just a single excluded character, sure the more possible characters the better, but surely one character can't be that bad". It is when you know the reason behind the requirement you see exactly why it is indeed VERY bad
@tissuepaper9962 2 years ago
@@weakspirit_ my stomach literally dropped when I read this comment, lmao! The ways I've seen excel abused...
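The reason a banned `%` is a red flag, as raised in this thread and in the earlier one about SQL wildcards, shown as an added example (not code from the video or the commenters) using Python's sqlite3 module. The `legacy_*` functions model the anti-pattern: plaintext passwords spliced into a query and compared with LIKE, so `%` and `_` behave as wildcards, a quote escapes the literal, and ASCII case is ignored. The `hardened_*` functions show the design in which the password never enters SQL at all: the salt and hash are fetched by a bound parameter and verified in code, so every character is acceptable. The table layout, sample credentials and PBKDF2 parameters are assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 1000)


# --- The anti-pattern that a '%' ban hints at --------------------------------
def legacy_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")  # plaintext!
    return con


def legacy_add_user(con, name: str, password: str) -> None:
    con.execute("INSERT INTO users VALUES (?, ?)", (name, password))


def legacy_login(con, name: str, password: str) -> bool:
    # Raw credentials spliced into SQL text and compared with LIKE:
    # '%' and '_' become wildcards, a quote breaks out of the literal,
    # and SQLite's LIKE is case-insensitive for ASCII on top of that.
    query = (f"SELECT 1 FROM users WHERE name = '{name}' "
             f"AND password LIKE '{password}'")
    return con.execute(query).fetchone() is not None


# --- What a verifier should do instead ---------------------------------------
def hardened_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return con


def hardened_add_user(con, name: str, password: str) -> None:
    salt = os.urandom(16)
    con.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _kdf(password, salt)))


def hardened_login(con, name: str, password: str) -> bool:
    # The password never touches SQL: fetch salt+hash by a bound parameter and
    # verify in code with a constant-time compare. Any character is fine.
    row = con.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _kdf(password, salt))


if __name__ == "__main__":
    legacy, hardened = legacy_db(), hardened_db()
    legacy_add_user(legacy, "alice", "s3cret%ish")       # constructed credentials
    hardened_add_user(hardened, "alice", "s3cret%ish")
    for guess in ["s3cret%ish", "%", "s3cret_ish", "S3CRET%ISH", "' OR '1'='1"]:
        print(f"{guess!r:16} legacy={legacy_login(legacy, 'alice', guess)!s:5} "
              f"hardened={hardened_login(hardened, 'alice', guess)}")
```

In the hardened version the only input that reaches the database is the username as a bound parameter; if a site has to forbid `%`, quotes or trailing spaces, the password is being treated as query text somewhere, which is the same defect the commenters above are pointing at.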
@teh_supar_hackr 2 years ago
The most secure password is one made up of just obscure Greek characters, combined with characters from other languages like Hindi, and is the length of the Bee movie script.
@VoidplayLP 2 years ago
just run the bee movie script through a digital replica of the enigma machine
@iliketobewithpeople9821 2 years ago
I change my passwords every week and ensure they are all very strong. Mostly because I forget all of them
@binarycat1237 2 years ago
This is no longer recommended.
@arsenal4444 2 years ago
@@binarycat1237 Y
@pelic9608 2 years ago
You're allowed to laugh, guys!
@charlubermensch2395 2 years ago
@@binarycat1237 Can you develop? Personally I don't change my passwords (except bad ones or Epik one lol) but I thought it'd be more secure.
@flyingstonemon3564 1 year ago
@@binarycat1237 What happened?
@GladiusTR 2 years ago
I use the Correct Horse Battery Staple method, but I don't reuse them. I have a little book full of my passwords. The book itself is written in code because I was a big fan of spy fiction when I was in elementary school
@sleep3417 2 years ago
Extremely cool
@fordprefect859 2 years ago
Oh yeah? I got bored one day and not only encoded my passwords, I also did basic encryption on them. (Not very strong encryption, but I did the math by hand, so cut me some slack here.)
@go_better 1 year ago
Thanks! Very educational.
@Nimta 2 years ago
nice reference to the classic xkcd brother. real legend
@NumbersCanBeFun 2 years ago
Thanks for bringing up the point about the password manager. I use a cloud based one now and I plan to switch away from it soon. I also got a proton mail since I was getting an all new setup and I wanted a strong password for it.
@jamesedwards3923 1 year ago
KeePass or Bitwarden.
@MrHack4never 2 years ago
It would also be nice to have a copy of the password rules on the login page, so I can remember which rules I used when I created the password
@r34r81 2 years ago
When I try to find out the password rules of a page I just try to make a new account and in the password field I just write "a". It will give a list of things your password is missing.
@reychop 2 years ago
Agreed on password managers. Using a password manager is becoming more important now more than ever. After I started using bitwarden, I started using 16 characters or more for my password (autogenerated). And my master password is a long nonsensical sentence with a mix of words from multiple language since I’m a trilingual and numbers mixed in.
@justarandomonlineperson8094 2 years ago
I still remember this one guy at an internet cafe; his Facebook password was "asd" and the rest was just him slamming his hand on the keyboard while swiping his hand across it, left to right.
@Ryan-os9pb 1 year ago
fr stay on the grind
@UtherV 2 years ago
Nice write-up! Would love to hear your thoughts / knowledge on how this fares vs approaches such as SSO or password-less Auth.
@jazzochannel 2 years ago
Good summary. You should mention other providers tho to keep it "balanced".
@381delirius 2 years ago
i wanna flex my perfect password so badly
@kiril-jiwoo 2 years ago
you're doing godly work, just make sure to always show sites on dark mode. thank you
@randomchannel-px6ho 2 years ago
Pro tip: I like to come up with a memorable word or phrase and then encode it to base 64. Easy strong password. Either that or just auto generate something.
@Pokewoofer 2 years ago
Thank you for sharing.
@Chronophylos 2 years ago
I get why you want to use a offline password manager. But the problem is, most people have more than one device where they need their passwords. Synchronizing your passwords between your devices quickly becomes a hassle. I have not found any good solutions other than an online password manager.
@MrWasian 2 years ago
Limits for passwords ironically serve as a table to help break passwords. General rule of thumb is 15 characters minimum and some type of variation that isn't a pattern. At the end of the day at 15 characters it's still going to take someone a long fucking time to break it unless they know specifically how you created your password. If a nation state actor targets you, you're fucked anyway so it doesn't matter the length or complexity. The biggest limit to breaking someone's password is the amount of computing power you have at your disposal. It's why certain three letter agencies couldn't give a fuck about complexity as to them it's just a matter of time. For regular people 15+ is fine as most people that try to break into accounts use dictionary attacks with tables, so unless you're stupid enough to make your password something common you're fine.
@thetruegoldenknight 2 years ago
I absolutely know of those "three letter agencies". And let's just say I'm beneath their notice, so I'm not worried.
@MrWasian 2 years ago
@@thetruegoldenknight it's an automated system, you only are prioritized when you meet a certain threshold. For security specialists the entire point of constantly pushing the boundaries for complexity and randomization is to be ahead of ANY entity that actively tried to decrypt or reverse security methods.
@l0lLorenzol0l 2 years ago
I have some pretty long passwords but I should change them again as I have been using the same ones for a while, thanks for the reminder
@TheLazyJAK 2 years ago
This video exceeded my expectations.
@AbdulHannanAbdulMatheen 2 years ago
👏🙂 Very interesting
@user-xw6fg5pi8q 2 years ago
Glad i'm actually using it
@dakedres 2 years ago
What do you feel about self-hosted hosting? Like connecting to a raspberry pi you keep at home and syncing the password database once a day or something.
@genken7880 2 years ago
By the way, using Cyrillic symbols in your password is very strong as they take two bytes each
@kiwi_2_official 2 years ago
just use a random string generator and generate 1,000-16,000 characters of random unicode characters from a set that contains every single unicode character. i got 94,000 bits of entropy on a 15k char password with a set of only 272 chars
@the_egg_ 2 years ago
@@kiwi_2_official i like your funny words magic man
@kiwi_2_official 2 years ago
@@the_egg_ ok
@24hhhhours
@24hhhhours 1 year ago
@@kiwi_2_official sometimes that creates issues and will make the password shorter, because the characters take more bits in SQL
@kiwi_2_official
@kiwi_2_official 1 year ago
@@24hhhhours ye
@xasmaniusvolk8416
@xasmaniusvolk8416 2 years ago
6:58 if an emoji is one character or more characters depends on how the server is set up (most of the time if unsupported longer than a character)
@GummieI
@GummieI 2 years ago
Wait wait? an actual true video on this topic? I totally went into this expecting to correct the video, as 99.99% of these types of videos are totally wrong (even if the intent is good most times). But yeah, if you can remember your password, it is not strong enough (and then use the effort needed to make that one strong password as the only one you can remember for your password manager, which is exactly what this video said). So kudos to you for making an actual true video on this subject for once :)
@idontwantachannelimjustcom7745
@idontwantachannelimjustcom7745 2 years ago
For xmas, a family member asked me for a chromebook. They said a financial guru suggested a chromebook, that was solely used for bank and brokerage accounts, was the best way to protect access to these accounts against hackers. How do you feel about a chromebook that after initial setup, only visits a bank and brokerage website? If you were to strip down a Linux os for the pi to serve this purpose, where would you start?
@99temporal
@99temporal 2 years ago
well, to be honest, having any device whose sole use is to access critical sensitive accounts is a great idea (as long as you use a totally different password from any other account)
@inparis5724
@inparis5724 2 years ago
do keywords help the algorithm? good video. very helpful. thank you it was enjoyable.
@BradenBest
@BradenBest 2 years ago
An easy way to tell if a site does not hash their passwords is to click the forgot password link and see if they email you your password. I had a site do this to me and sent them a scathing email criticizing their security, explaining in detail how the database could get leaked and expose everyone's passwords, explaining what hashing is and how it fits into the auth pipeline, etc. They responded and actually fixed their password system over the next week.
@CorrosiveCitrus
@CorrosiveCitrus 2 years ago
The fundamental problem with that computerphile video is that they misunderstand the xkcd comic. The entropy they calculate is already assuming an attacker has full knowledge of how the password was created. There are 44 bits of entropy. This only goes up the less the attacker knows about how you created the password. It is very important that you make this assumption when making a password. Only calculate the entropy based on full knowledge. Then you are preparing for the worst case scenario and not relying on security through obscurity.
@gabrielcalderon9572
@gabrielcalderon9572 2 years ago
I love having a long base password and just appending the website domain name at the end so that I have unique passwords for all websites
@leonhma
@leonhma 2 years ago
basic 8 character passwords should be fine with the help of hashing, salts and peppers, but it's 2021 and yet here we are
@TheBoxyBear
@TheBoxyBear 2 years ago
Also by having these arbitrary requirements, it makes every password less secure since you know any given password you're trying to crack meets these requirements, so the pool of all possible passwords is much smaller.
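As an added example (not from the video or any commenter) of the two points made in the comments above, calculating entropy under the assumption that the attacker fully knows the generation scheme and measuring how much composition rules shrink the keyspace, this Python computes both. The 2048-word list size is the one the xkcd comic assumes, and the alphabet sizes are the standard printable-ASCII class counts.

```python
import math
from itertools import combinations

# Added example: entropy figures under the "attacker knows the scheme" assumption,
# plus the keyspace shrinkage caused by "must contain one of each class" rules.

def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of entropy for `symbols` independent uniform picks from
    `choices_per_symbol` options. This is the full-knowledge figure: the
    attacker is assumed to know the dictionary and the scheme."""
    return symbols * math.log2(choices_per_symbol)

def count_with_required_classes(length: int, class_sizes: list[int]) -> int:
    """Count strings of `length` over the union of the character classes that
    contain at least one character from EVERY class (inclusion-exclusion)."""
    total_alphabet = sum(class_sizes)
    n = len(class_sizes)
    count = 0
    for k in range(n + 1):
        # Subtract strings missing k classes, add back strings missing k+1, ...
        for omitted in combinations(range(n), k):
            alphabet = total_alphabet - sum(class_sizes[i] for i in omitted)
            count += (-1) ** k * alphabet ** length
    return count

def bits_lost_to_composition_rules(length: int, class_sizes: list[int]) -> float:
    """Entropy an attacker no longer has to search once a site demands every
    class be present: log2(all strings) - log2(strings satisfying the rule)."""
    all_strings = sum(class_sizes) ** length
    allowed = count_with_required_classes(length, class_sizes)
    return math.log2(all_strings) - math.log2(allowed)

# Printable ASCII split into lowercase, uppercase, digits and the 33 other symbols.
ASCII_CLASSES = [26, 26, 10, 33]

if __name__ == "__main__":
    # xkcd 936: four words from a 2048-word list, scheme fully known to the attacker.
    print(f"4 diceware-style words: {entropy_bits(2048, 4):.1f} bits")
    # Eight random printable-ASCII characters with no rules at all.
    print(f"8 random ASCII chars:   {entropy_bits(95, 8):.1f} bits")
    loss = bits_lost_to_composition_rules(8, ASCII_CLASSES)
    print(f"'one of each class' rule on 8 chars removes {loss:.2f} bits")
```

The rule costs only about a bit on random 8-character passwords; the real damage is that it pushes humans toward predictable patterns that a cracker's rule set already covers.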
@drewconley6444
@drewconley6444 2 years ago
You should do a video on syncing your offline password manager to other devices (cell/desktop), or why you shouldn't.
@Optropicraft
@Optropicraft 2 years ago
Is there a reason not to?
@em_the_bee
@em_the_bee 2 years ago
@@Optropicraft well, technically, you'd be sharing a strongly encrypted database. It's just that it could be a pain in the ass to set up, even if you have something like a personal VPS
@mothematic
@mothematic 2 years ago
@UCOloOH-xvaDMXS-wLEX8BLA keep ass
@mothematic
@mothematic 2 years ago
@@em_the_bee YOU CHANGED IT GAHAHAHAHAH
@Tenosyn
@Tenosyn 2 years ago
My issue with password managers is "What do you do if you lose everything?". House fire, your power supply explodes, phone gets stolen. I still use them, but I'd never use their hash generation for this reason. If my key file gets lost, so do all the accounts.
@eonshade6297
@eonshade6297 2 years ago
Awesome gen 3 sprites
@blackjackdealer204
@blackjackdealer204 2 years ago
The only password manager is a yellow sticky note with your password written on it, stuck to the bottom of your keyboard.
@MikeWheelmakersson
@MikeWheelmakersson 2 years ago
@Mental I have been watching your videos on passwords and decided to go old school. So I have made a file where I entered all my accounts and passwords (16 char, randomly generated). Then I archive it and password protect it with a 32 char password that I can remember. Is that a safe enough approach or have I missed something? For sharing, I just use google drive and sync the archive on the devices I use. So essentially, I made my own specific password manager, but I use software that is readily available on any OS or platform.
@theelodgeovkeku
@theelodgeovkeku 2 years ago
google drive? niqqa just use a crib
@97Giorgos97
@97Giorgos97 2 years ago
KeepassXC gang
@billfarley9015
@billfarley9015 2 years ago
I trust that dolphin. Dolphins are trustworthy and have been known to help shipwrecked sailors.
@iwnl_vale
@iwnl_vale 2 years ago
Wow! Something actually relevant ¡¡
@pessimisticnihilist3691
@pessimisticnihilist3691 2 years ago
I will freely admit that I do not know much on computers and programming in general, but if you set up a program that perpetually monitors a word document called something like 'important passwords' or 'bank credentials' to see if anything opens it and shuts down anything that attempts to access it and alerts you to the program doing so, would that work as a potential measure against some types of viruses?
@CMak3r
@CMak3r 2 years ago
Remember those stories about e-commerce services that stored all customers' passwords as plain text on dropbox?
@jayl3840
@jayl3840 2 years ago
I like to make my own passwords that are 24 to 36 long.. a tip I would recommend is when making up phrase based passwords purposely misspell words and I don't mean the known way like instead of using golden you put g0ld3n .. instead, do it like this golden= x~ld`n .... make a key so each vowel equals a certain symbol or value and then instead of using the normal "leet speak" just put random letters in place of other letters.. and always use a password manager and always use 2fa when available as outlaw said.
@informitas0117
@informitas0117 2 years ago
Also, if you are bilingual it should come naturally to mix languages; even if not, learn a few words of a random language and plug that in the way you said.
@PvblivsAelivs
@PvblivsAelivs 2 years ago
I keep seeing the "use two-factor authentication" thing. And I am not impressed. Anything that is not a password can be stolen or spoofed. To take a common example of sending a one-time code to your phone: An attacker uses social engineering to transfer your number to his device. Now you can't get into your accounts. I have asked various people who say to use two-factor authentication why this is a good thing. And I am always met with dead silence. It's like they hope my question will go away.
@AverageAlien
@AverageAlien 2 years ago
why so paranoid? As if anyone would even care enough to try to crack your password
@felix-gena6595
@felix-gena6595 2 years ago
@@AverageAlien lmao
@Shanoyu19271
@Shanoyu19271 2 years ago
@@AverageAlien glow
@brickstar56
@brickstar56 2 years ago
Immediately recognized the thumbnail passwords from an XKCD comic!
@coolelectronics7343
@coolelectronics7343 2 years ago
same
@Nowhere0
@Nowhere0 2 years ago
What do you think about using a foreign language in the password? I don't know what dictionaries hackers use for brute force, but definitely not some random languages from the Far East
@HerrBlauzahn
@HerrBlauzahn 2 years ago
Getting real fancy with keyframes now
@Fang.
@Fang. 2 years ago
The fun sites are the ones that don't tell you the max length, AND when your password goes over it, will just use the characters up to the max as your password meaning you gotta either guess how long it was or reset it lmao.
@The_Laser_Wizard
@The_Laser_Wizard 2 years ago
Virgin Media in the UK restricts (or at least, used to restrict) password lengths to 10 characters, without allowing special characters. Then they asked me to read my password over the phone when setting up internet in a new house.
@ARCISX
@ARCISX 2 years ago
16 random phrases with 6 digits 😳
@egg5474
@egg5474 2 years ago
_Stronk lekker Boullion_
@zebicc
@zebicc 2 years ago
Captions are hilarious!
@DUDA-__-
@DUDA-__- 2 years ago
My bank told me my online pin had to be at least 6 numbers, just numbers. I obviously used a longer pin, but later found out that the pin gets cut at 6 characters. So my pin is literally 6 digits. I do not approve.
@vgaggia
@vgaggia 2 years ago
Most banks won't even let you have more than a 4 digit pin, but that's okay because to be able to use a card's pin you need to physically have the card, or the phone linked to it; also most banks will lock the account after +-3 attempts
@MattCamp
@MattCamp 2 years ago
looks like 37 bots down voted the video.... thanks again for the heads up on the dislike browser extension!
@quantisticnumbers2633
@quantisticnumbers2633 2 years ago
good video
@zachb1706
@zachb1706 2 years ago
“But what about a hacker who has their skillcape” That’s brilliant
@123Dargor
@123Dargor 2 years ago
I have some accounts so old they have 6-7 digits and only in numbers. Considering now websites force you to have more "secure" passwords, those legacy passwords actually seem more secure since hackers take into account those limitations.
@cly_
@cly_ 2 years ago
I think having a ridiculously difficult password is great! If you have near perfect memory, and only need it for one site. And aren't worried about data leaks
@alec7987
@alec7987 2 years ago
I wish that more password generators had a feature where they generate a dictionary password and a random char password and then weave them together so that a dictionary attack will always fail since you don't know where the random chars are.
@abuk95
@abuk95 2 years ago
What to do when I move to another device of mine, but I don't have a password manager there and I need to log in to some account? Doesn't a password manager bind me to one specific device?
@snowcloudshinobi
@snowcloudshinobi 2 years ago
nice video
@llortaton2834
@llortaton2834 2 years ago
A lot of websites will accept long passwords but will reduce them, meaning they cut a certain amount of characters, reducing entropy, without telling you. Make sure your passwords are strong from beginning to end.
@llortaton2834
@llortaton2834 2 years ago
In addition to that, some websites will outright put the password as *blank* if you happen to use a non-unicode character (like ASCII); that would be because they are built on legacy systems
@lobster838
@lobster838 2 years ago
Any specific password managers you would recommend?
@Bobis32
@Bobis32 2 years ago
my "plain" text password (one that can be remembered easily but still follows some of the general rules for passwords) has 85 bit entropy; I use that plus 2FA to get to my password manager, which I try to use around 20 char passwords from
@mygamesm
@mygamesm 2 years ago
I'm installing linux right now, and watching this while I wait
@brad0822
@brad0822 2 years ago
What do you think of storing your password database on something like Google Drive so I can access it from both my phone and desktop?
@AkaiKnight
@AkaiKnight 2 years ago
Ok but if it’s offline how am I supposed to log into accounts on my phone and other devices? Also don’t most websites start denying service and locking accounts after repeated attempts to login these days? How can these dictionary attacks still work if the website is denying them access to log into the account after only 3-5 tries? And what if I have 2 factor auth on my online account? Doesn’t it become a moot point if my phone number is then required or some randomly generated code that only I have access to via an Authenticator?
@NightSkyBlade
@NightSkyBlade 2 years ago
I use the built in password manager of Firefox. How secure is it? Is it possible for a malicious program on your machine to extract passwords from Firefox?