How to Choose a Password - Computerphile 

An excellent poem there at the start: "Some people watching will have good passwords, Some people will have thought about this before, Some people should have thought about this and haven't, And hopefully will, after we talk about this, a little bit more"

"Make a password with words people don't usually use." *changes password to "Nickelbackisagoodband"*

All this talk about passwords always reminds me of this scene in Harry Potter and the Prisoner of Azkaban (the book at least, not sure if it made it into the movie): In the story, the students have to say a password to get into their dormitory. Because of heightened security, they change the password so often that one of the students with rather poor memory (Neville) ends up writing down the whole list of passwords on a piece of paper. That list ends up getting stolen, defeating the entire purpose of the heightened security.

"Computerphile - Making you uncomfortable towards your life choices since 20XX"

Dr Mike Pound is my favorite presenter on computerphile.

It's all fine and dandy until you have to use a website that either: a) forces you to use uppercase, numbers, symbols, runes, smoke signals... or b) limits you password to something like 12-16 characters

Guys, post your passwords, lets see who's is best!

"Pick a word that other people don't use very often, like your favorite band name." lol

I´ve had multiple sites/servises tell me my password is too long, and even had one telling me I couldn´t use special characters. How am I supposed to have a safe password when you don´t let me damnit.

2 more of these vids, and we'll socially engineer his master password boys!

"Maybe delete your account out of shame" *proceeds to face palm* Straight savage

as a person that speaks 4 languages I changed my password to 4 words in 4 languages

now they're gonna use the least likely 10,000 words in the dictionary great going mike

I'd be interested to hear Mike talk about workplace password resets. Lots of places I've worked require employees to reset their passwords every month, and some have onerous requirements for length and symbol usage. I think that rather than improving security, it encourages people to make passwords easy to guess (since they expect to forget), or worse, actually write their passwords down and stick them to the computer.

"Oops! Your password is too long!" "Oops! You need to include a number, a symbol, and an upper and lowercase letter" "Oops, that character is not supported!"

4 years ago, watching this video made me realize I had a bad password system and I switched to using a password manager. Thanks computerphile

it would be something if your 128 character uber password gets a hash collision with the password "password"

How about using more than one language in the password? For example, horsecaballocapallceffyl is just horse in English, Spanish, Irish and Welsh - unless the hacker tries dictionary attacking you with multiple languages at once (which would surely increase the search space to the point of absurdity), that should be safe, still only requires you to remember four words, and most people know at least some words from a foreign language.

More tips: - Mix different languages - Use phonetic spelling instead of the dictionary version

I always make my passwords 'incorrect'. So whenever i forget my password it will say 'your password is incorrect'

Always when I type a password it gets replaced with * or •, and that's so easy to crack! They really need to fix this!

I just use the entire lyrics of bohemian rhapsody as my password. It makes every login attempt a rock concert.

A great easy to remember/ hard to crack password I’ve heard is take a song lyric or quote, then use only the first letter of each word in it- For example, “unwritten” Staring- At The Blank Page Before You, Open Up The Dirty Window Reaching- For Something In The Distance So Close You Can Almost Taste It Feel The Rain On Your Skin becomes “satbpbyoutdwrfsitdscycatiftroys” Throw in a few symbols at The pauses in the song for extra security and good luck finding that in a dictionary attack. (You’ll probably want to use a more obscure song, just to be safe)

I got a lot more canny about passwords a few years ago, and have adopted a common scheme for them. I thought this would mean I could remember them all much more easily and still be secure. But the really irritating thing is that whatever rules I choose, there always seems to be one web site that will moan about my choice of characters. Some of them even tell me I can't use a password because it is too LONG. WTF? Are they even hashing it?? Have to wonder. It would be nice if there were an RFC or some kind of standard that all sites followed: then we could all use a scheme and be sure that it would be acceptable in most places.

this guy's videos are the dopest. particularly the image/video based ones...I hope there are more of those to come in the future.

learn german and use only ONE word :D some LONG german words: Grundstücksverkehrsgenehmigungszuständigkeitsübertragungsverordnung or maybe Verkehrswegeplanungsbeschleunigungsgesetz, or Unternehmenssteuerfortentwicklungsgesetz. you also could combine this three words xD

Love these videos. Great presentation Dr. Mike! On the subject of choosing passwords, I've ran across something odd myself. A password is something you use over and over again. I've used it as a psychological tool. My password is a positive affirmation of a couple short sentences. If you are going to type it over and over again, then why not? I feel that I perceive a difference in myself just because I changed the password I type constantly. Also cracking full sentence passwords might be hard :)

That video was very good, I learned a lot. Another approach for coming up with safe passwords is generating a bunch of random passwords and modify them so you can find some meaning and remember it easier.

great effort on spreading password and IT security awareness!

I'll just hope nobody cares enough about me to even try.

I think this presentation is brilliant. I have one small point to make when it comes to random websites that require you to make an account. If the website is not going to be storing sensitive information, then surely just using a week password to circumvent this annoying requirement of having to create an account is not much of an issue.

Finally! someone who points out the issues with the XKCD system.

What about foreign words? Would people run dictionaries for all ~94 generally used languages?

My favorite stuff is the "Secret Question" stuff that pops up when I forget my password or when I need to answer a "shield" question. I give wrong, easy to remember answers to the questions about what my first car was, where I went to Elementary school, etc. If I get to make up my own question, then it's REALLY fun.

1. 4:59 He addressed that: "(You can add a few more bits to account for the fact that this is only one of a few common formats.)" 2. 5:42 The comic assumed the top 2048 words. You can tell based on the bits of entropy in the illustration. One thing I think would be great to mention here is diceware. A nice system for choosing passwords that makes it easy for you to generate memorable passwords with any level of entropy you desire. I use around 100 bits of entropy for my low security master password, and ~120 bits for my high security master password.

To emphasise the point made around 4:17 , just for fun, I tried typing in "correct horse battery staple" into the password strength checker for my Google account. It was considered strong up until I finished typing the last word, at which case it dropped to medium, so he's absolutely right that XKCD's password is not a good choice, just like any other password everyone knows.

One more point - is there conclusive research on how useful/counterproductive the "change your password every 6 months" policy is? (Especially if the new password can't resemble any of the old ones.)

If you're multilingual, perhaps use a combination of words from the languages you speak. For instance, to crack a password that's a combination of Norwegian, English and German words (or any subset of the three), you would need to search a pretty big search space in order to find whichever one I might have chosen.

He nailed about putting a random underscore in a word. Pass phrases that use random characters inside words are fairly easy to remember and very hard to crack.

Thank you so much for enlightening us about that, Sir! These two videos were highly informative. :)

Password cracking groups watching this video, furiously scribbling notes about giving low-frequency words a higher precedence

For cases where you cannot use a password manager (ex. the password for the password manager) I have found a sentence mnemonic to be capable of generating easy to remember (even when seldom used) passwords that as far as I know are fairly tough to break. Obviously they need to be long enough, especially considering that the character set is somewhat restricted and certainly biased, but they are much better than what many people use for cases where a manager is just not an option. example: PW = Wyu#THHymc23 Mnemonic = (W)hen (y)ou (u)se Hashtag(#) (T)he (H)oly (H)and-grenade (y)ou (m)ust (c)ount to(2) three(3) The PW is dictionary proof, and while not truly random has high enough entropy that I imagine it is reasonably safe from brute force. Certainly their are weaknesses in such a password. It is not random. However you can easily remember very long passwords that contain mixed case, numbers and symbols without any English words. Thus providing reasonable security when you cannot use a password manager.

Great video! Would love one on the implications that will arise with the advent of quantum computing, particularly with respect to current encryption models and what will be needed in the future.

awesome instructor ,you simplify things so nicely.

The real problem is that many sites REQUIRE you to use several symbols, capital letters and numbers. It's annoying, because it means all my passwords are hard to remember. Sure, I can sprinkle one or maybe two special characters in there but more than that and it becomes even harder to remember.

Also, use 2-step verification on important accounts like your email.

been using one of these managers, dad got me into it, but this video convinced me to change the master

I never thought I would find a Computerphile video from the Avast website

yeey! I use a manager for a quite some time now. All my passwords are also 25 random characters (with some superior Ansi characters, like Ų#ҹ) and I don't know what they are :D! One day my friend asked me to log into my FB acc on his computer. I just said I couldn't. And I wasn't lying to him!

It'd be interesting to hear his opinion on mixing languages. Let's say you have a 3 word password, you seperate them with spcial characters and then the first word is english, the second is japanese for example and the third one swedish. Would that break these rainbow lists of hashes?

This guy is great. Very easy to listen to.

I love steam, they don't have any restriction other than the character one. Nice video, changed my password everywhere now :)

_Never_ reuse a password? I use the same username/password combo for… well, probably hundreds of sites by now, but only for sites I don't care about. It's actually been leaked already, but idgaf. What you gonna do? Steal my account with 0 posts on a random forum that required registration to display URLs I stumbled upon while Googling something a couple years ago? Knock yourself out! I consider those accounts stolen and I'm completely fine with that. Now emails, online banking, social media… that's a different story.

You could pick at least 6 different words, all words being longer than 6 characters each, preferably uncommonly used words, and use words from 2 to 4 different languages (English, French, German, Spanish) while ensuring that words you use don't show up in multiple languages.(If they are going to use a dictionary attack, better give them more dictionaries to look through) Also if you wish, you could misspell one or more of those words in a memorable way. You would need to throw in at least 1 symbol and a capital letter somewhere to make most websites happy but the rest of the password would stand on its own. I would not pick "rubiks" or "lemmings" as both of these things are well known in geek culture. Nor would I choose to use brand names as a list of common brand names could easily be created. My guess is if you ask 100 people to list 20 different brand names off the top of their head there would be quite a bit of overlap. (I think people from a similar locality would have closer matching lists but country wide there would still be a lot of overlap.)

People argue that using a password manager is putting all eggs in one basket, but you can mitigate that by using multiple databases with different keys. The alternatives are always worse, unless your memory is phenomenal and you can remember 100 different complex passwords. Another way is to have some sort of algorithm to generate passwords for different things (which is essentially your own private hashing method), but it can also fail, if some input data changes (e.g. a website URL, name etc). Password manager is easy to use, reasonably secure and has manageable risks. It's the way to go for most people who care about these things.

As a small side project while i was learning c# i made something in wpf that does the same thing as a password manager, I use three root words and the sites name press enter and it produces a garbled mess of a string i then use as a password, i then paste that in the form/loginbox, besides just having been a fun thing to get working (Z+4=space) i don't have any worries about server or local, or keyloggers since i don't actually ever type the password. If you want to make the "four random words" even more secure, type two of them backwards.

Why did I get a Futjitsu Palm Security ad before the video I watched after this? :D 1:57 facepalm "because, oh dear" :D

My bank limits the length of ones password to I think 8 characters and force you to use a "special character" which they limit you to like . , ? and ! for choices. So my imgur password can be much stronger than my bank password essentially.

So here's how I figured out my password. On old Nokias 3310 there were games like Snake and Space Impact. I used to play alot of Space Impact and tried to challenge my highscore quite lot of times. Once I've scored a highscore I never ever beaten again. In highscore options you had a code for your highscore (can't quite remember why though) and that highscore was combination of 8 character long random letters and numbers. Since this highscore was so important to me you're damn sure I've remembered that highscore's code and it's my password.

Ha, that XKCD comic is EXACTLY what I was thinking of when I clicked on the link to this video. Once upon a time, I think I even used "correct horse battery staple" as part (not the whole thing. I'm not that crazy) of a password. I'll be darned if I can actually remember where I used it. Welp, guess I'll be resetting that one if it's not stored in my password manager!

You should have mentioned the XKCD about the 5$ wrench.

My password is pretty damn clever. Sadly I can never share it with anyone. *FeelsBadMan*

This was excellent, learned a lot.

this guy is awesome at explaining things of this nature lets just say

I used XKCD to make an even stronger policy for myself. 4 words of 4 different languages. Example höstjääpalochampionshipmira höst is Swedish for autumn jääpalo is Finnish for the sport bandy mira is Russian for world. my hook to the password is that in the autumn there is a world cup/championship for club teams in bandy. I don't use this particular password, but I think it would be very very hard to crack if I did (and hadn't used it as an example)!

what if my database is sheet of paper can they hack it ?

The biggest problem with password restrictions. Is that many websites and services are fairly lazy. If you set the limit to one trillion characters. With a full character sets. I assure you. You can have secure passwords because most people can not remember trillions of 'random' characters. However, if you use a series of phrases. Not only can your password be long and complicated. It would also be strong enough to remember. Strong enough to resist brute force and dictionary attacks. Passwords are hard for me to do at work because I am restricted to what the passwords can be. Same thing when using some websites or services.

I have used several different passwords over the years, and they get more and more complex. I tend to remember which password to use with a site by when I created my account there. Currently I have two I commonly use, both are 16 random characters.

"Make a password with words people don't usually use." Changes my password to "brain"

I had to change all my passwords after watching this

You can also use different keyboard layouts. For example "rkdnl" doesn't look like a word but in standard Korean keyboard layout, it spells "가위" which means scissors. I can use this and some random English word to make something like "rksuitdnltea" and it is very hard to crack, but easy to remember.

"You moving your phone out of your pocket, and Google saying you moved your phone weirdly" I have been laughing to this for 5 minutes.

Is c0/\/\pu73rp4i|e ok to use for youtube?

Pick some book. Write down a sentence. Insert some underscores and miss some spaces. Done.

I probably shouldn't be saying this, but I want a bunch of computerphiles to dissect my system but here goes: I use a sentence in a book I like that has numbers or words that look like numbers. Take the first letter of each word, capitalize nouns, and replace numerical words. The passwords tend to be long because the sentences are distinct. Let me know if I'm a buffoon or a genius

I often use my passwords on accounts at friends' houses or on their phones. Usually if I don't have my phone on me, or like recently when I broke it. This makes a password manager completely impractical.

"Never ever reuse your password, ever" Me: I Always everytime reuse my password, everytime.

Yesterday I had to create a new password on a library website. It forced me to pick one with the length 6 or less. I mean really?

Password Manager + 2FA = best security I can think of. Even they get your master password, they can't do much unless they also have your 2FA device. I personally use LastPass with sesame, and google authenticator as a backup. On top of that I also have 2FA for alot of my specific accounts such as my google account, facebook, amazon, etc. so even if they SOMEHOW get through my LastPass and have all of my other accounts, they still need my phone to get into those accounts.

My hard drive encryption key is the chorus of a song, with one character representing each word (not necessarily the first letter, but fairly easy to remember, like using - instead of "less" for example). It's a song that no one would necessarily believe that I've even heard of. It's hard to resist to urge to whistle the tune while typing my password :)

My password is *********.

You can also use conlangs, if you're nerdy enough. Nobody expects the Klingon Inquisition.

This video literally made me change up most of my passwords! xD Hope I'm safe now!

Another good one! Thanks! Would also be interested to know more about bcrypt. Is it still a best practice?

problem with some place where they only allow a small password length :( sad panda

except most sites will force you to have 6--12 char long password with symbols and numbers in it - you know... so it's safe....

Choose two random words, convert their letters to numbers using a=1 b=2 c=3 etc... add them together then convert it back into letters. PIG+CAT would end up being 4817 or dhq or dhag. Semi-random letters that wouldn't be hard to remember, and of course you'd choose words that mean something to you and maybe you could throw the numbers back into it, so you could have dhq4817 or 4d81hq7 to make smaller words a little more secure.

ages ago, someone told me to take an easy to remember sentence with around 10-14 words, take the first letter of every word the punctuation and fill in 1-3 numbers and those passwords have kept me quiet safe for around 25 years now. the hard part to remember is where you put the numbers. but it still has lower and uppercase,.. numbers and symbols.. with a decent lenght

I use last pass, gonna make the master pass stronger now though

What if you use a very long phrase and make it into an acronym? "The quick brown fox jumped over the lazy dog" becomes tqbfjotld, which isn't a real word in any language, and then you add numbers, symbols, etc

My preferred password strategy is to think of the lyrics to the last song I listened on repeat more than a few dozen times and use the first letter of each word in the chorus, then uppercase and number substitute the first two letters that work to meet most website's restrictions. D5mnihsagtihabdsmniywhagtjgmac is pretty easy to remember if you know the words to "Don't Stop Me Now." For mobile, typing passwords like that can be a pain so for passwords primarily used on my phone a visual pattern is the best approach.

Also: mix languages and include typos.

So, how about keeping my passwords in a notebook in a drawer which is always locked?

Alternatively, make your password a full, sizable-yet-memorable sentence, much like this one.

This is great. I was only slightly put off by the Tesco carrier bag.

2 Canadian banks have maximum of 6 and 8 characters. *facepalm*

Deliberate misspelled words could help

I love that people think making a password different is just putting the name of the site on the same password they use everywhere.

Nice! Now I know how long all of your passwords are!

"unbruteforceable" Brilliant word. Should be in every dictionary.