Dr Mike Pound is my favorite presenter on computerphile.

An excellent poem there at the start: "Some people watching will have good passwords, Some people will have thought about this before, Some people should have thought about this and haven't, And hopefully will, after we talk about this, a little bit more"

"Make a password with words people don't usually use." *changes password to "Nickelbackisagoodband"*

All this talk about passwords always reminds me of this scene in Harry Potter and the Prisoner of Azkaban (the book at least, not sure if it made it into the movie): In the story, the students have to say a password to get into their dormitory. Because of heightened security, they change the password so often that one of the students with rather poor memory (Neville) ends up writing down the whole list of passwords on a piece of paper. That list ends up getting stolen, defeating the entire purpose of the heightened security.

"Computerphile - Making you uncomfortable towards your life choices since 20XX"

4 years ago, watching this video made me realize I had a bad password system and I switched to using a password manager. Thanks computerphile

It's all fine and dandy until you have to use a website that either: a) forces you to use uppercase, numbers, symbols, runes, smoke signals... or b) limits you password to something like 12-16 characters

now they're gonna use the least likely 10,000 words in the dictionary great going mike

Guys, post your passwords, lets see who's is best!

"Pick a word that other people don't use very often, like your favorite band name." lol

I'd be interested to hear Mike talk about workplace password resets. Lots of places I've worked require employees to reset their passwords every month, and some have onerous requirements for length and symbol usage. I think that rather than improving security, it encourages people to make passwords easy to guess (since they expect to forget), or worse, actually write their passwords down and stick them to the computer.

I´ve had multiple sites/servises tell me my password is too long, and even had one telling me I couldn´t use special characters. How am I supposed to have a safe password when you don´t let me damnit.

as a person that speaks 4 languages I changed my password to 4 words in 4 languages

I think this presentation is brilliant. I have one small point to make when it comes to random websites that require you to make an account. If the website is not going to be storing sensitive information, then surely just using a week password to circumvent this annoying requirement of having to create an account is not much of an issue.

To emphasise the point made around 4:17 , just for fun, I tried typing in "correct horse battery staple" into the password strength checker for my Google account. It was considered strong up until I finished typing the last word, at which case it dropped to medium, so he's absolutely right that XKCD's password is not a good choice, just like any other password everyone knows.

2 more of these vids, and we'll socially engineer his master password boys!

1. 4:59 He addressed that: "(You can add a few more bits to account for the fact that this is only one of a few common formats.)" 2. 5:42 The comic assumed the top 2048 words. You can tell based on the bits of entropy in the illustration. One thing I think would be great to mention here is diceware. A nice system for choosing passwords that makes it easy for you to generate memorable passwords with any level of entropy you desire. I use around 100 bits of entropy for my low security master password, and ~120 bits for my high security master password.

Always when I type a password it gets replaced with * or •, and that's so easy to crack! They really need to fix this!

"Maybe delete your account out of shame" *proceeds to face palm* Straight savage

Love these videos. Great presentation Dr. Mike! On the subject of choosing passwords, I've ran across something odd myself. A password is something you use over and over again. I've used it as a psychological tool. My password is a positive affirmation of a couple short sentences. If you are going to type it over and over again, then why not? I feel that I perceive a difference in myself just because I changed the password I type constantly. Also cracking full sentence passwords might be hard :)

My favorite stuff is the "Secret Question" stuff that pops up when I forget my password or when I need to answer a "shield" question. I give wrong, easy to remember answers to the questions about what my first car was, where I went to Elementary school, etc. If I get to make up my own question, then it's REALLY fun.

"Oops! Your password is too long!" "Oops! You need to include a number, a symbol, and an upper and lowercase letter" "Oops, that character is not supported!"

How about using more than one language in the password? For example, horsecaballocapallceffyl is just horse in English, Spanish, Irish and Welsh - unless the hacker tries dictionary attacking you with multiple languages at once (which would surely increase the search space to the point of absurdity), that should be safe, still only requires you to remember four words, and most people know at least some words from a foreign language.

Finally! someone who points out the issues with the XKCD system.

He nailed about putting a random underscore in a word. Pass phrases that use random characters inside words are fairly easy to remember and very hard to crack.

it would be something if your 128 character uber password gets a hash collision with the password "password"

I just use the entire lyrics of bohemian rhapsody as my password. It makes every login attempt a rock concert.

More tips: - Mix different languages - Use phonetic spelling instead of the dictionary version

That video was very good, I learned a lot. Another approach for coming up with safe passwords is generating a bunch of random passwords and modify them so you can find some meaning and remember it easier.

People argue that using a password manager is putting all eggs in one basket, but you can mitigate that by using multiple databases with different keys. The alternatives are always worse, unless your memory is phenomenal and you can remember 100 different complex passwords. Another way is to have some sort of algorithm to generate passwords for different things (which is essentially your own private hashing method), but it can also fail, if some input data changes (e.g. a website URL, name etc). Password manager is easy to use, reasonably secure and has manageable risks. It's the way to go for most people who care about these things.

great effort on spreading password and IT security awareness!

For cases where you cannot use a password manager (ex. the password for the password manager) I have found a sentence mnemonic to be capable of generating easy to remember (even when seldom used) passwords that as far as I know are fairly tough to break. Obviously they need to be long enough, especially considering that the character set is somewhat restricted and certainly biased, but they are much better than what many people use for cases where a manager is just not an option. example: PW = Wyu#THHymc23 Mnemonic = (W)hen (y)ou (u)se Hashtag(#) (T)he (H)oly (H)and-grenade (y)ou (m)ust (c)ount to(2) three(3) The PW is dictionary proof, and while not truly random has high enough entropy that I imagine it is reasonably safe from brute force. Certainly their are weaknesses in such a password. It is not random. However you can easily remember very long passwords that contain mixed case, numbers and symbols without any English words. Thus providing reasonable security when you cannot use a password manager.

If you're multilingual, perhaps use a combination of words from the languages you speak. For instance, to crack a password that's a combination of Norwegian, English and German words (or any subset of the three), you would need to search a pretty big search space in order to find whichever one I might have chosen.

How about this method: you pick a simple password you like of any length, then you open online hashing website and make say md5 hex characters string from it with no spaces, lowercase. Then you simply use that md5 as you register on some website. Then when you need to log in, you just do this again - open any online md5 calculator, enter your simple password and get the hash string, then paste it to a password field in a login page. Simple and no password manager needed. If you want make it more secure - use sha256 or some rare online hasher like say shark or something.. You might simply use CRC64 online calculator, however in this case you have to make sure this is a correct type of CRC. You might also use only first say 10 characters of that md5, or md5 without last say 5 characters, or hash twice md5-md5 or combined md5-sha1 or md5-base64 for example.

I love that people think making a password different is just putting the name of the site on the same password they use everywhere.

Password cracking groups watching this video, furiously scribbling notes about giving low-frequency words a higher precedence

It'd be interesting to hear his opinion on mixing languages. Let's say you have a 3 word password, you seperate them with spcial characters and then the first word is english, the second is japanese for example and the third one swedish. Would that break these rainbow lists of hashes?

I always make my passwords 'incorrect'. So whenever i forget my password it will say 'your password is incorrect'

been using one of these managers, dad got me into it, but this video convinced me to change the master

I love steam, they don't have any restriction other than the character one. Nice video, changed my password everywhere now :)

I got a lot more canny about passwords a few years ago, and have adopted a common scheme for them. I thought this would mean I could remember them all much more easily and still be secure. But the really irritating thing is that whatever rules I choose, there always seems to be one web site that will moan about my choice of characters. Some of them even tell me I can't use a password because it is too LONG. WTF? Are they even hashing it?? Have to wonder. It would be nice if there were an RFC or some kind of standard that all sites followed: then we could all use a scheme and be sure that it would be acceptable in most places.

A great easy to remember/ hard to crack password I’ve heard is take a song lyric or quote, then use only the first letter of each word in it- For example, “unwritten” Staring- At The Blank Page Before You, Open Up The Dirty Window Reaching- For Something In The Distance So Close You Can Almost Taste It Feel The Rain On Your Skin becomes “satbpbyoutdwrfsitdscycatiftroys” Throw in a few symbols at The pauses in the song for extra security and good luck finding that in a dictionary attack. (You’ll probably want to use a more obscure song, just to be safe)

"Make a password with words people don't usually use." Changes my password to "brain"

The cruel irony of this video is the best passwords are the ones no one knows, and the best method for choosing a password is the one no one has told anyone else.

I never thought I would find a Computerphile video from the Avast website

You could pick at least 6 different words, all words being longer than 6 characters each, preferably uncommonly used words, and use words from 2 to 4 different languages (English, French, German, Spanish) while ensuring that words you use don't show up in multiple languages.(If they are going to use a dictionary attack, better give them more dictionaries to look through) Also if you wish, you could misspell one or more of those words in a memorable way. You would need to throw in at least 1 symbol and a capital letter somewhere to make most websites happy but the rest of the password would stand on its own. I would not pick "rubiks" or "lemmings" as both of these things are well known in geek culture. Nor would I choose to use brand names as a list of common brand names could easily be created. My guess is if you ask 100 people to list 20 different brand names off the top of their head there would be quite a bit of overlap. (I think people from a similar locality would have closer matching lists but country wide there would still be a lot of overlap.)

I used XKCD to make an even stronger policy for myself. 4 words of 4 different languages. Example höstjääpalochampionshipmira höst is Swedish for autumn jääpalo is Finnish for the sport bandy mira is Russian for world. my hook to the password is that in the autumn there is a world cup/championship for club teams in bandy. I don't use this particular password, but I think it would be very very hard to crack if I did (and hadn't used it as an example)!

One more point - is there conclusive research on how useful/counterproductive the "change your password every 6 months" policy is? (Especially if the new password can't resemble any of the old ones.)

So here's how I figured out my password. On old Nokias 3310 there were games like Snake and Space Impact. I used to play alot of Space Impact and tried to challenge my highscore quite lot of times. Once I've scored a highscore I never ever beaten again. In highscore options you had a code for your highscore (can't quite remember why though) and that highscore was combination of 8 character long random letters and numbers. Since this highscore was so important to me you're damn sure I've remembered that highscore's code and it's my password.

"You moving your phone out of your pocket, and Google saying you moved your phone weirdly" I have been laughing to this for 5 minutes.

Worth mentioning that it's very unlikely someone will actually get their password database (through keepass or whatever) compromised unless Dropbox (or similar) drops the ball, or an attacker is on your PC. If an attacker is on your PC they can do a lot of things instead of nicking a keepass file and hoping you have something valuable

What about foreign words? Would people run dictionaries for all ~94 generally used languages?

yeey! I use a manager for a quite some time now. All my passwords are also 25 random characters (with some superior Ansi characters, like Ų#ҹ) and I don't know what they are :D! One day my friend asked me to log into my FB acc on his computer. I just said I couldn't. And I wasn't lying to him!

Choose two random words, convert their letters to numbers using a=1 b=2 c=3 etc... add them together then convert it back into letters. PIG+CAT would end up being 4817 or dhq or dhag. Semi-random letters that wouldn't be hard to remember, and of course you'd choose words that mean something to you and maybe you could throw the numbers back into it, so you could have dhq4817 or 4d81hq7 to make smaller words a little more secure.

I probably shouldn't be saying this, but I want a bunch of computerphiles to dissect my system but here goes: I use a sentence in a book I like that has numbers or words that look like numbers. Take the first letter of each word, capitalize nouns, and replace numerical words. The passwords tend to be long because the sentences are distinct. Let me know if I'm a buffoon or a genius

_Never_ reuse a password? I use the same username/password combo for… well, probably hundreds of sites by now, but only for sites I don't care about. It's actually been leaked already, but idgaf. What you gonna do? Steal my account with 0 posts on a random forum that required registration to display URLs I stumbled upon while Googling something a couple years ago? Knock yourself out! I consider those accounts stolen and I'm completely fine with that. Now emails, online banking, social media… that's a different story.

I'll just hope nobody cares enough about me to even try.

I had to change all my passwords after watching this

If the 4 word method (or something like it) becomes common it would be wise to ignore sentence structuring as that would easily be implemented in a dictionary. I guess even the ordering of subsequent adjectives would matter. Better with greenharrowingbigflute than harrowingbiggreenflute.

6:18 a great way to pick "hard words" is for polyglots by using transliterations from words in other languages. Even better if the language doesn't use the latin or related alphabet system. For e.g. i can say "correctkudhiraibatterystaple" "kudhirai" is possible transliteration of the tamil word for horse, more to the point because tamil uses phonetic writing system there's a few ways you can write that in latin alphabet, in fact googling the word gives me the spelling of "kutirai". This would be nearly impossible to dictionary attack in some cases at least. This then comes down to social attack vectors, "does the person who is guessing your password know that it's yours and know about you enough", but even that's easily defeatable, he hinted at this a bit but you can make up words, or use words in languages you don't use often (e.g. being canadian i know a few french words but not french itself so sticking a random french word in there would be completely unexpected).

learn german and use only ONE word :D some LONG german words: Grundstücksverkehrsgenehmigungszuständigkeitsübertragungsverordnung or maybe Verkehrswegeplanungsbeschleunigungsgesetz, or Unternehmenssteuerfortentwicklungsgesetz. you also could combine this three words xD

Also, use 2-step verification on important accounts like your email.

The real problem is that many sites REQUIRE you to use several symbols, capital letters and numbers. It's annoying, because it means all my passwords are hard to remember. Sure, I can sprinkle one or maybe two special characters in there but more than that and it becomes even harder to remember.

I swapped to password manager the same day after watching this video, to be honest. :D Anyway, another cool idea, following the rules discussed in this video: if english is your second language - mix the words in english and your mother tongue. Now hackers would have to use two times bigger dictionary (english and your mother tongue), stick a random symbol in one of the words and hackers can kiss your password goodbye until quantum computer era comes.

Password Manager + 2FA = best security I can think of. Even they get your master password, they can't do much unless they also have your 2FA device. I personally use LastPass with sesame, and google authenticator as a backup. On top of that I also have 2FA for alot of my specific accounts such as my google account, facebook, amazon, etc. so even if they SOMEHOW get through my LastPass and have all of my other accounts, they still need my phone to get into those accounts.

Yesterday I had to create a new password on a library website. It forced me to pick one with the length 6 or less. I mean really?

Password manager: Literally putting all your eggs in one basket.

“ *Stylistically* speaking, Java is my favourite programming language.” CSS: Am i a joke to you?

I do know that most people favor food is pizza or hamburger. When I worked for sprint people called in all the time wanting to reset their password for their google account. That is always the answer to that security question. I worded with them for 2 years and never seen that one fail. Also, here is what I use for a password. I take my name (first if it is a password word for fun and last if it is a password for business) then I go first letter then last letter then second letter then second to last letter and so on. Then add numbers at the end for how important it is from 1 to 100. I do wish you luck to anyone wanting to crack that one. Oh and random letter generaters that you make yourself Java makes this easy. I used Csy5LkbrAQn3 for a long time. It was my MMO password when I played MMO's

After watching this I immediately went to lastpass and created an account. Thank you very much

My password is pretty damn clever. Sadly I can never share it with anyone. *FeelsBadMan*

How about using words in another language, or every word in a different language?

You can also use conlangs, if you're nerdy enough. Nobody expects the Klingon Inquisition.

I use a complex pw like D1%jdpVq/2pf_6 (not mine ;)) I memorized it and the trick is that 3 letters are abstracted from the website or password use, so every pw is different by 3 letters. I just need to know the standard and fill the 3 gaps with the specific ones. Example: use for letter 5 the 3rd letter from the domain name and for letter 7 the 1st. You get the idea. Cons: - You have to take care one doesn't guess your system (how you get the extra letters) - difficult to type on touchscreens (though I'm quite fast) Pros: - No pw manager needed - Quite save - Sometimes you are not allowed to use some special characters etc. And for pw which are not important (onetime use, forum, untrusted sites, ...) I use a more simple one at several services which I don't mind getting hacked. So I minimize the chances someone gets knowledge of my pw system. What do you think?

As a small side project while i was learning c# i made something in wpf that does the same thing as a password manager, I use three root words and the sites name press enter and it produces a garbled mess of a string i then use as a password, i then paste that in the form/loginbox, besides just having been a fun thing to get working (Z+4=space) i don't have any worries about server or local, or keyloggers since i don't actually ever type the password. If you want to make the "four random words" even more secure, type two of them backwards.

"Never ever reuse your password, ever" Me: I Always everytime reuse my password, everytime.

"unbruteforceable" Brilliant word. Should be in every dictionary.

Pick some book. Write down a sentence. Insert some underscores and miss some spaces. Done.

The biggest problem with password restrictions. Is that many websites and services are fairly lazy. If you set the limit to one trillion characters. With a full character sets. I assure you. You can have secure passwords because most people can not remember trillions of 'random' characters. However, if you use a series of phrases. Not only can your password be long and complicated. It would also be strong enough to remember. Strong enough to resist brute force and dictionary attacks. Passwords are hard for me to do at work because I am restricted to what the passwords can be. Same thing when using some websites or services.

I often use my passwords on accounts at friends' houses or on their phones. Usually if I don't have my phone on me, or like recently when I broke it. This makes a password manager completely impractical.

Can you recommend a great password manager?

except most sites will force you to have 6--12 char long password with symbols and numbers in it - you know... so it's safe....

Is c0/\/\pu73rp4i|e ok to use for youtube?

Ha, that XKCD comic is EXACTLY what I was thinking of when I clicked on the link to this video. Once upon a time, I think I even used "correct horse battery staple" as part (not the whole thing. I'm not that crazy) of a password. I'll be darned if I can actually remember where I used it. Welp, guess I'll be resetting that one if it's not stored in my password manager!

Great video! Would love one on the implications that will arise with the advent of quantum computing, particularly with respect to current encryption models and what will be needed in the future.

You should have mentioned the XKCD about the 5$ wrench.

what if my database is sheet of paper can they hack it ?

I have 4 main passwords. Level 1 (sites i dont care about/my spam email, 1 uppercase and 1 lowercase):********** Level 2 (my pc password and my secondary email password, contains lowercase and 1 special character):************ Level 3 (my steam password, my main email password and social media password, contains upper lower numbers and special characters):************** Level 4 (my bank account password only, contains upper and lowercase with special characters):********************** I dont mind my 3rd level password being linked to those 3 accounts since I cycle it every year. Also Howsecureismypassword.net says my level 4 would take about 42 sextilion years to crack it.

I took a class that gave us randomized passwords, and I just memorized that because the process of creating your own was confusing. It's pretty great, especially sites that require caps, symbols and numbers.

CREATING A PASSWORD -Please enter your new password. “cabbage” -Sorry, the password must have more than 8 characters. “boiled cabbage” -Sorry, the password must contain 1 numerical character. “1 boiled cabbage” -Sorry, the password cannot have blank spaces. “50stupidboiledcabbages” -Sorry, the password cannot use more than one upper case character consecutively. -50StupidBoiledCabbagesShovedUpYourArse, IfYouDon’tGiveMeAccessImmediately” -Sorry, the password cannot contain punctuation. “NowIAmGettingReallyPissedOff50StupidBoiled CabbagesShovedUpYourArseIfYouDontGiveMe AccessImmediately” -Sorry, that password is already in use.

problem with some place where they only allow a small password length :( sad panda

Deliberate misspelled words could help

My bank limits the length of ones password to I think 8 characters and force you to use a "special character" which they limit you to like . , ? and ! for choices. So my imgur password can be much stronger than my bank password essentially.

ages ago, someone told me to take an easy to remember sentence with around 10-14 words, take the first letter of every word the punctuation and fill in 1-3 numbers and those passwords have kept me quiet safe for around 25 years now. the hard part to remember is where you put the numbers. but it still has lower and uppercase,.. numbers and symbols.. with a decent lenght

You can also use different keyboard layouts. For example "rkdnl" doesn't look like a word but in standard Korean keyboard layout, it spells "가위" which means scissors. I can use this and some random English word to make something like "rksuitdnltea" and it is very hard to crack, but easy to remember.

I use last pass, gonna make the master pass stronger now though

Also: mix languages and include typos.

How about making an emoji password? That would be the weirdest thing to crack.

What about developing as system where you use lengthy but easy to remember sentences. Then you take for example the first 2 or 3 letters from every word and combine them which turn into nonsense, then you "leetspeak" some of them for variation using a system that you remember. Now since the letter combination is already a seemingly random collection of letters the numbers are also seem somewhat random. Then just add some special characters all over the password using a system that allows you to calculate the placements and the special characters from the password itself. I'm not convinced by correct-hor_se-battery-staple and what I described above is actually easy to remember if you use rules that make sense to yourself.

When you get hash file from server which is using some common library to compute hash, you do not need to hack passwords. All what your program needs to do is to find input which generates the hash which is probably same also on the other server which use same hash lib.