My password is unbreakable because I'm using my name followed by the digits of pi. All of them.
@justinreyesv5 жыл бұрын
an unending password? youre gonna crash the db~ space limit
@Tipko5 жыл бұрын
clever boy
@Mars-19955 жыл бұрын
Well not hashable. Nice try
@hawsh30665 жыл бұрын
Big brain time
@wrng-i9f5 жыл бұрын
big brain
@_ten5 жыл бұрын
computer took about 1 second to look through about 40,000,000,000 hashes 10:13 human took about 1 second to multiply 26 times 2
@uniqueusername_5 жыл бұрын
Well, that's not a very fair comparison, is it? Computers are, at their core, all made for mathematical functions. Humans, on the other hand, are not. When it comes to "close enough," humans are generally better.
@emmiexss5 жыл бұрын
@@uniqueusername_ Oh really? I thought i could run through a 40bil database that is stored in my head. *Heavy sarcasme.*
@sallybugs16955 жыл бұрын
Remember it was built by human
@rasmusekdahl27725 жыл бұрын
uniqueusername_1024 R/FUCKINGWOOOOOOOOSH
@matte_luna5 жыл бұрын
@@uniqueusername_ r/whoooosh
@kahnfatman3 жыл бұрын
Q: What are you using the graphics card for? A: Well -- terminal apps.
@cheddarfish225 Жыл бұрын
It would be interesting to revisit this topic and see how things have changed in the past 6 years.
@chemicallystimulated476 Жыл бұрын
Can you suggest me any such videos
@mully006 Жыл бұрын
For one thing the 4x Titan X GPU he has are are roughly equivalent to an RTX 4070 which is a ~$700 GPU. The modern equivalent of his system (say 4x 4090) is around 50 time faster than his system.
@kaspervestergaard238311 ай бұрын
Wait really? @@mully006
@QuizzingHobbit5 жыл бұрын
Password dictionary: 1. password 2. user 3. correcthorsebatterystaple
@Nerizwith4 жыл бұрын
@@rabbabansh I am not and I don't get it.
@georgek44164 жыл бұрын
Wow
@Dexaan4 жыл бұрын
hunter2
@nicholasmcmillan53244 жыл бұрын
my password: J1bbbbberb0y418
@NotSoCrazyNinja4 жыл бұрын
You would be surprised at just how crappy the average password is. There is a reason websites force users to use passwords of minimum length with letters numbers and sometimes symbols. Router admin passwords tend to almost always be default. When they're not, it's usually very easy to guess. Luckily? in my area, the local ISP supplies routers/models with random passwords by default, but they are listed on the underside of the router/modem. Gain physical access to the router, you can get the credentials. If you have no physical access, I guess it's secure enough.
@RacingAtHome6 жыл бұрын
"We don't store passwords unencrypted in a database because that's a terrible, terrible idea." You would be surprised.
@mohnishkumar5 жыл бұрын
Facebook XD
@kat56075 жыл бұрын
@@mohnishkumar i was going to reply that too XD
@clappedcheeks35044 жыл бұрын
@Kappa Chino thought so too. Hashing is irreversible.
@bitTorrenter4 жыл бұрын
Password Managers
@mostafahassanismail75244 жыл бұрын
RacingAtHome the more you know
@OmarMohammed-fy2he3 жыл бұрын
""iloveyoukate" 14:46 he's risking his accounts for you kate. I hope you guys didn't split up 😂
@alpha_wolf_803 жыл бұрын
I was going to comment the same thing
@ishansheikh30583 жыл бұрын
that guy was not keeping password for sure. he was feeling emotional while doing whatever he was doing. Emotions = Hacked.
@ryanmcgowan30613 жыл бұрын
Kate doesn't even know he exists.
@tolep3 жыл бұрын
It is Kate herself, advised by some shrink.
@Luiz9974883 жыл бұрын
The "iloveyoukate" virgin vs the Chad "freakpower1"
@mark.. Жыл бұрын
Back in the day, this video (along with your "how to choose a password" video) taught me a huge amount. I think an update could be very valuable for many people. It seems that Lastpass recently lost password vaults for millions of people, which I think will create a lot of interest in this subject.
@RealCaptainAwesome7 жыл бұрын
So you're saying pA55w0rd is not a good choice?
@virtualfroggy7 жыл бұрын
Michael Burke no, try password123
@stan28807 жыл бұрын
123456 takes the longest to crack
@Tradinghonest6 жыл бұрын
99999 or zzzzz depending on the algorythm
@Tekrow6 жыл бұрын
*hacker voice* I'm in
@stefankrautz90486 жыл бұрын
10^6 combinations (?)
@crispynugget36168 жыл бұрын
that awkward moment when you see your password...
@thunderbolt9977 жыл бұрын
shhhh
@zanidd6 жыл бұрын
which one was it?
@Shakzey6 жыл бұрын
Do you love Kate too?
@Nothing-LV6 жыл бұрын
Lemme guess qwerty ? Lol
@louisthompson57816 жыл бұрын
siksreik heh heh. I saw that
@MaxMakerChannel8 жыл бұрын
Love this guy. He should be teaching.
@Computerphile8 жыл бұрын
+Max Musterman he does, at The University of Nottingham ☺️
@ghostlink20278 жыл бұрын
That's it, I'm transferring.
@zinkzxd28918 жыл бұрын
Agreed.
@zzyzxyz54198 жыл бұрын
Paused the video just so I would say the same thing!
@gammelhund8 жыл бұрын
Not to mention right here :)
@anonymus32192 жыл бұрын
I love how the videos have this 'unscripted' feel and they feel like they're real conversations
@ATSGemwolf8 жыл бұрын
I'm surprised that Tobey Maguire knows this much about hacking...
@jonm51956 жыл бұрын
I thought he was Elija Wood
@Svendzeen6 жыл бұрын
Well you see... After he lost the role as Spiderman, he had to get a new job. So he became Hackerman :)
@sirdeakia6 жыл бұрын
He did stay a long time on the web though
@forgottenvy6 жыл бұрын
sirdeakia Underrated comment. Why didn't people get this? It's gold.
@DavidVercettiMovies6 жыл бұрын
I know for sure in that bag with the english flag there's his Spiderman outfit!
@ImAzraa8 жыл бұрын
Just for your information, the "Beast" machine may be fast for a regular home user, but it is incredibly underpowered compared with a server-grade solution for compute workloads. Imagine several racks of servers with 4 cards each. Those are available out there, and regular people can build them too with the right amount of money, or rent time on them for relatively cheap
@atti11208 жыл бұрын
kate i think your boyfriends pass is hacked
@TheMrKeksLp8 жыл бұрын
yeah lol
@gunjeetsingh908 жыл бұрын
Oh no not his boyfriend's.. His secret admirer's
@GaffsNotLaffs8 жыл бұрын
+Attila U Random characters letter and symbols. around 30+ of them.
@Tim-Jaeger8 жыл бұрын
+Attila U well I was in a house were the password was something like this: 9684263675467468447836794598211636063674678 only the length is the same but I think it is hard to crack
@DaBeastDoesMinecraft8 жыл бұрын
Mine is something like this 5927592058295712395736189037483194721948271930183 49 random digits.
@BicheTordue4 жыл бұрын
my password is L1pZ7z3qy so it's pretty secure, nobody gonna find out
@esquilax55634 жыл бұрын
All I see when you enter that is a string of asterisks
@shadowterrarian40734 жыл бұрын
Thanks for the revelation.
@cactus8064 жыл бұрын
👌no one will ever now this passwords
@realszn4 жыл бұрын
if u enter ur credit card number it gets blocked see **** **** **** ****
@BicheTordue4 жыл бұрын
@@realszn here's all the number present on my card 54120
@Zero11_ss6 жыл бұрын
Really good video dude. No silly music or fast cuts and no annotation spam on the screen, subscribed.
@jamesedwards39235 жыл бұрын
I think a lot of video editing courses encourage people to do the music thing. Dude I am hear for the data above else. Not the music. It gets distracting. Even with a lot of gamer videos. I can not stand it. You are trying to focus on the tactics and insights. Like studying with the music blasting. Sometimes it helps, but often it is a distraction.
@firmware10005 жыл бұрын
photographer
@marcusholloway11474 жыл бұрын
Bruh just create a python script that encrypts an input and since only you have this encryption system it's very safe
@Dtr1463 жыл бұрын
That's why a lot of websites require you to have a special character and a capital letter. The most common way of doing it is capitalizing the first letter and putting the special character at the end though
@adriannuske2 жыл бұрын
@@Dtr146 How did you know my passwords!?
@toddbod947 жыл бұрын
when websites ask for passwords and force you to fit narrow criteria like "must be between 8 and 12 characters and must contain at least 1 number (with no repeating adjacent numbers) and must contain at least 1 capital and 1 special character" are just reducing the search space for hackers.
@thunderbolt9977 жыл бұрын
but isnt that putting in more variables for computer to check making it harder?
@chrisspencer65027 жыл бұрын
Not really as like he said it relies on use of common words so if your use zWq0£jL3s, there is no logical combination this would occur in words
@usernamesaregay2227 жыл бұрын
But If I'm cracking these then I know that 1) I can skip all passwords under 8 and over 12 characters 2) I know that all passwords will have a number so I don't need to try any passwords that don't have them 3) same for capitals and special characters
@dot.54237 жыл бұрын
This comment was aimed at thunderbolt my bad.
@tapwater4247 жыл бұрын
There are more combinations of passwords with 8 letters than there are from 1-7 combined. Forcing at least 1 number also increases combinations from 26^8 to 36^8.
@StewartW127 жыл бұрын
A lot of people think "I'm going to go onto some website and test how strong my password is"... Those people are having their password stored away in a database to be added to someone's password dictionary.
@thegambler99946 жыл бұрын
Either that, or some other third party injected Javascript into the page.
@zacharyjohnson99116 жыл бұрын
You can use Fiddler, Wireshark, or your browser's network inspector to see if any web requests are being sent out.
@Josh3505 жыл бұрын
Which is why I don't use those websites for obvious reasons.
@decycle29125 жыл бұрын
there's a password in my head that I never use lol
@georgek44164 жыл бұрын
Yes.
@wafflejam82845 жыл бұрын
11:41 he just dodged that pop up
@briangettingfit47364 жыл бұрын
Dude.
@noclipsize59784 жыл бұрын
Dude.
@brunosteffen81734 жыл бұрын
i dont get it ._.
@Tentin.Quarantino4 жыл бұрын
That's pretty meta!
@pitaya41514 жыл бұрын
@@brunosteffen8173 The card at the top right pops up at the same time as he moves his head away from it
@MrMKFreak8 жыл бұрын
You probably DONT want to test your passwords strength on online services that claim to only tell you how good your password is. While most of those services are probably safe to use, you can never know what service is also making it's own little (or huge?) dictionaries with just the awesome and secure passwords you give them to "test" for you.
@FluorescentGreen57 жыл бұрын
solution: disconnect from the internet before you type your password and close the tab before reconnecting
@fray27487 жыл бұрын
Theoretically still insecure
@muabyt73336 жыл бұрын
Ein Frosch~ howsecureismypassword.net is save. Its fully written in Javascript and you can look for the code yourself
@douwehuysmans59595 жыл бұрын
Best passwords are sentences like "cow curry diagram!2n;"
@jamesedwards39235 жыл бұрын
What you have to realize. Is that the longer and more complicated your password is. The harder it is for a computer to compromise. Given enough time, energy, and technology. All passwords are easy. Each time an encryption standard is compromised. You migrate to something else. It is a never ending race.
@SweetJP.6 жыл бұрын
I just love this! not only because there's no chance my password will be found, but because even the most hardcore IT dudes in my area (including 2 schools I worked at) use horrible passwords, to secure thousands of pupils' social security numbers etc. At my first job, I demanded that the passwords got changed, or I would not work there as i'd be targetted for irresponsible care, in case we got hacked. Sadly they refused to change and I quit my job.
@jamesedwards39233 жыл бұрын
Smart move.
@GuitaristZep4 жыл бұрын
this video made me change my password in all my social media accounts, and bank accounts, online games, buy a new house, move to a completely isolated planet and use encrypted network connection that runs through several illegal VPN networks. I am now living happily here in Mars. Thanks.
@കുട്ടൂസൻ-ദ1ണ3 жыл бұрын
Nice
@names_are_useless3 жыл бұрын
I know this is a joke comment, but using an illegal, an "untrusted", VPN is a TERRIBLE idea. You could be feeding your Computer Information to Cyber Criminals by connecting to an Untrusted VPN. Something worth thinking about for those wanting to go the Cheap/Free route for VPNs.
@fredthomson32533 жыл бұрын
*Thanks_Turnercyber🙏*
@chrism37908 жыл бұрын
I didn't know Peter Parker was a damned hacker.
@usseal9226 жыл бұрын
I have a theory: in this Alternate Spiderverse, Peter Parker (by Tobey Maguire) got fed up with chasing low-budget criminals in NY, quit his cr*ppy job and moved into the UK. There he developed an English accent, got a degree (and later a PhD) in cybersecurity to protect his new identity and since he already had close relations with the Web ;) So, this would be the origin story of Dr. Mike Pound
@StevenAzari6 жыл бұрын
@@usseal922 Ha I only had to scroll 5 comments to get to here. This makes the op fact.
@BillBodkin6 жыл бұрын
i cant unsee that now
@LafferStyle6 жыл бұрын
I thought he did web design
@VinnieZDX5 жыл бұрын
Lol
@zyphicx98688 жыл бұрын
The best hashing algorithm: Google Translate!
@randomcatdude7 жыл бұрын
Make your password a wikipedia page google translated a dozen times.
@Anankin126 жыл бұрын
RandomCatDude wouldn't work, they update the algorithm too often, those cheeky bastards
@ohad2196 жыл бұрын
No man Google translate just translates
@danifalkjensen6 жыл бұрын
@@randomcatdude only 12times do it 100+times a dozen of something is 12 of something
@YouTubeWatcher90006 жыл бұрын
Dani Jensen I think everyone knows what a dozen is
@unixfreak6 жыл бұрын
Amazing how far computer processing has come in the past 20 years. I remember messing about with brute force hashing on an i486, and it took forever.
@gothsiN4 жыл бұрын
Pausing at 16:38 ma man had a freaking HEX Code as a PW and still got cracked. ahahhahahha damn this guy is so funny and smart. mad respect to u mike.
That doesn't seem like it would be very hard to crack. The character set is just 16 characters. If the person thought he was being clever, there's could be 10 million people who had the same idea and the cracking software has seen it all before. It's probably not much harder to crack than 12345678. I just assume I'm never going to come up with some clever password trick that at least 1 million human beings haven't already thought of.
@buslir2000 Жыл бұрын
@@gchcom6902 My guess would be kindé (using utf-8)
@CBusschaert8 жыл бұрын
Now I kind of want a video about Lastpass or Dashlane and how these password manager are secure (or not). Seems like the logical follow up.
@treahblade8 жыл бұрын
I watched a video from DefCON about this sorta thing and actually they are a 2 edged sword. They are bad because then all the attacker has to do is get your database file or hack your password into the password manager, and good because they prevent keyloggers from getting passwords.
@CBusschaert8 жыл бұрын
treahblade I guess so
@Prometheus7208 жыл бұрын
If you use Keepass then you don't have to worry about external security. Only your own files on your own computer. And you need 1 password to be secure. That's it.
@callummunro73808 жыл бұрын
I've never used a password manager, it seems illogical to have all your passwords behind one password. And where do you store the master password without needing _another_ password?
@yellowdockooo59078 жыл бұрын
Yep
@GummieI5 жыл бұрын
15:35 "Now luckily, these leaks happen all the time" Interesting... choice of words ;)
@WofWca5 жыл бұрын
He's telling how to crack passwords, what do you expect?
@pranavdeshpande45384 жыл бұрын
Also that smirk on his face when he said dive That might be his hacker name
@AgglomeratiProduzioni5 жыл бұрын
14:42 "I love you Kate" aww
@georgek44164 жыл бұрын
@@Big_Tex xD
@B88-h6n4 жыл бұрын
cute
@angus68584 жыл бұрын
@@Big_Tex and now it's: KateTookEverythingFromMe
@notthatriplguy72764 жыл бұрын
Unterarzt update: its how kateijustwantthekidsbackplz
@archonjk11964 жыл бұрын
14:18 "I love you Ivan"
@nbrugman19803 жыл бұрын
Mike: "So if your password is 6 characters long, its being cracked right now, and its being cracked quickly" Me:
@rogerio0670723 жыл бұрын
🤣🤣🤣
@TheSystemaSystem3 жыл бұрын
What's your password?
@maybona3 жыл бұрын
thanks just bought some pizza pans from amazon
@Anklejbiter3 жыл бұрын
My password with 6 characters: *sweating profusely* My password with 31 characters: *hah, mere mortals.*
@Johnof1000Suns3 жыл бұрын
My password is 7 characters long, so take that hackers.
@tompov2278 жыл бұрын
This guy is my fav Computerphile guy
@questionable-cf1tt4 жыл бұрын
14:47 'ganjagoblin' best password ever, even if it shows up on the cracked list 😂
@JigawattMusic4 жыл бұрын
420
@Gamer-uf1kl3 жыл бұрын
Ganja means bald in hindi, so might be the reason
@calanm78803 жыл бұрын
I cracked up when camera focused on that on screen - glad you highlighted it 😀
@arpitpatel53123 жыл бұрын
@@Gamer-uf1kl it also means weed or heroin, not sure which one.
@Gamer-uf1kl3 жыл бұрын
@@arpitpatel5312 cannabis/marijuana
@Locut0s8 жыл бұрын
Can you believe that the bank I use has a MAXIMUM of 6 character length on the passwords used for online banking!? I have complained to them before. But to no avail. And this is not a small bank!
@moute_38 жыл бұрын
You should change banks then, they are just begging to have their database leaked.
@jarmo_kiiski8 жыл бұрын
Yep, You'd need to compute 2.8147498*10^14 hashes assuming that the passwords use extended ascii characters and also assuming that you know the hashing algorithm used. (Which can be achieved in a few seconds)
@Thorpe8 жыл бұрын
+moute3 Yes but the banks have other forms of authentication, including inputting specific characters of a secret answer and generating codes using your phone or hardware key.
@Correctrix8 жыл бұрын
Locut0s That doesn't make sense. That would be a reason for _not mandating_ long passwords. It can't be a reason for _forbidding_ long passwords. The only explanation for the latter is idiocy.
@janh.8 жыл бұрын
Locut0s I have to agree with Correctrix that if what you said is the case, then I can see why they accept weak passwords. But it does not explain why they would prevent experienced users from setting a strong password by having a maximum of 8 characters.
@BenjaminMills4 жыл бұрын
I've learned (or at least read) about a ton of this stuff, and still, I thought it was Interesting to hear you step through a password attack in addition to hearing how modern tech and modern hacking techniques approach cracking passwords. Thank you sir.
@jampig18846 жыл бұрын
This is why Peter wasn't allowed around computers.
@edwardqueen57915 жыл бұрын
"Forgot my password" "You're receiving this e-mail because you've clicked on 'forgot my password' on our website. Here it is in plain text for anyone to see. Your password is: JustCheckingIfThisWebsiteStoresPasswordsProperly"
@surrealdynamics40774 жыл бұрын
That's pretty clever right there. Now I have to try doing that. Thanks
@GodKingOfThePlanet8 жыл бұрын
ANyone else burst out laughing when they saw someone had used ganjagoblin as their pass?
@s.p91898 жыл бұрын
Your icon almost got me there damn.
@RussellTeapot8 жыл бұрын
it always get me. the worse is the fly one, I don't know if you never saw that, but *DAMN* each time I try to swipe the screen like a fool
@Blitzcreeper2398 жыл бұрын
+Russell Teapot The spider is facing 45° left, I don't get how it can startle anyone ever since scrolling means it moves upwards diagonally. Won't judge though :/
@s.p91898 жыл бұрын
Well I wasnt scrolling when I was reading the comment but yeah once I scrolled I realized it wasnt real :/
@nathanvanthof8668 жыл бұрын
did you see "iloveyoukate" at 14:49?
@nellgwyn27234 жыл бұрын
Really amazing video and quite informative even for curious dummies like me! Honestly it's just fun to watch the guys talk about their passion and learn a little even if i don't get all the details, but it's worth the effort to understand a little more about the technology we all live with.
@ErikOosterwal3 жыл бұрын
You can think of "hashing" algorithms, like MD5 or SHA512, as being a secret decoder ring, like the ones you used to get in a box of Alpha Bits, only a bit more sophisticated.
@Bred.wards1 Жыл бұрын
I watched this video when it came out years ago. Recently, my dad passed away and we couldn’t remember his iCloud password to access the photos on his phone and other stuff like that. But I remembered this video, and I went and found password cracking tools for iCloud and was able to use educates guesses and the tools to find the correct password. So thank you for making this video ❤️
@k1ngjulien_8 жыл бұрын
I am wondering how many of the viewers just saw their password in the video ^^
@mikes3338 жыл бұрын
Totally got mine. 14:46 ILOVEYOUKATE
@thoughtyness8 жыл бұрын
+Mike S I used to have that one only without "you" in it.
@callummunro73808 жыл бұрын
Everyone loves Kate, that's the problem
@samvid19928 жыл бұрын
18:51 ashishiscool is my friend's password and his name is ashish.
@x1legoman1x8 жыл бұрын
+Филип Брчић genius XDDDDD
@firen7778 жыл бұрын
5:18 "MD-5 should not be used by anyone ever, EVER again." Meanwhile, in the Yahoo's headquarter...
@jamesedwards39235 жыл бұрын
Amusing.
@benishmael94515 жыл бұрын
I'm dying 😁
@roninryu69925 жыл бұрын
Could you help me understand? Was he just checking to see if he could guess the LinkedIn pass words that were stolen? Im trying to understand how this would work for an actual site, because after you try the wrong password several times, you get booted, or blocked, and the user gets notified. How would this actually work? Are they taking these passwords and entering them against a live site? If that is the case wouldnt the hacker get blocked after a few seconds? Plus with 2FA, is this even relevant?
@nilen5 жыл бұрын
Ronin Ryu are you serious? 😂😂😂
@tradeflow51535 жыл бұрын
Nils Svanstedt yes I’m serious asshole
@marcuslola7 жыл бұрын
14:48 "ganjagoblin" lmao
@williameriksson87675 жыл бұрын
marcuslola Thats my password
@rock3tcatU2335 жыл бұрын
420 blaze it.
@CryptoData5 жыл бұрын
hahahahahahahaha
@Inoculum5 жыл бұрын
I am now changing my password to "ganjagoblin"... consequences be damned!
@darkhorsedre4 жыл бұрын
bro I caught that too - had to left arrow to confirm lol
@MaZe7414 жыл бұрын
Fun fact: The odds of you picking the same password as another guy are HIGHER than picking a username that already exists.
@Jay-S043 жыл бұрын
not if my passwords look like siUn$2$8’clwo!&/ienzla!!:&*’eisnJbdKbs&29,£~*£\’Idk&/9
@jangtheconqueror3 жыл бұрын
@@Jay-S04 That's been added to the dictionary now
@PranshuTheGamer3 жыл бұрын
@@Jay-S04 i use keepass, do mine look like that
@verchiel_82953 жыл бұрын
Not a fact, but closer to a hypothesis
@xisumavoid8 жыл бұрын
Fantastic video! Loved it :-) Good to know i am doing my passwords right, different one for every site too!
@Zxios7 жыл бұрын
omg its a wild xisuma comment from 8 months ago!
@Morten_S_Olesen7 жыл бұрын
LOL i love scrolling through random videos comments and just finding a Xisuma comment with only 5 likes (make it 6) Nice to know that Xisuma watches the same videos as me xD
@nemplayer17767 жыл бұрын
Wow, I keep seeing you on a lot of videos... lol
@nemplayer17767 жыл бұрын
Morten lol same
@josephlbj6 жыл бұрын
You keep following me around everywhere I go!
@professorl42085 жыл бұрын
An update for those of you who are watching this now - I don't know if this wasn't the case back then, but nowadays you use a hash algorithm that is slow by design, like Bcrypt, so that attackers are limited by the speed of the algorithm rather than exclusively by the grade of their hardware.
@_aullik8 жыл бұрын
you forgot to link in the description
@Computerphile8 жыл бұрын
Thanks, now sorted >Sean
@OsamaRana8 жыл бұрын
+Computerphile what is the disadvantage of designing your own hash for your own service? Wouldnt not knowing the hash procedure effectively eliminate the ability to crack passwords by using this method? Thanks.
@rondowar8 жыл бұрын
+Osama Rana also, often enough if they can get to your database, you should assume your code also isn't safe
@OsamaRana8 жыл бұрын
Thank you everyone for the insightful comments. Ps, I like the phrase "security through obscurity". That was exactly what I was thinking
@liesdamnlies33728 жыл бұрын
'I like the phrase "security through obscurity".' You got that this is a bad thing, right? Like, really bad? Just checking.
@BlueMountain19924 жыл бұрын
The video that made me change to a password manager. 4 years later and never looked back. Thanks Mike!
@7timus4 жыл бұрын
The moment when Mike reads your password loud and shows it to 2 mil other people just on second random pause... If I could only be as lucky in some other lottery. :(
@Mike-Smith8 жыл бұрын
I like all Computerphile (and Numberphile) videos, but just wanted to say how great this particular one is. More please from Dr Mike Pound. (And prof Brailsford of course!)
@onee7 жыл бұрын
Obviously 123456 is the best password out there. And in case that doesn't work anymore. You just change it to 654321. *Genius!*
@bin47096 жыл бұрын
brilliant
@Zooiest6 жыл бұрын
No, 12345
@buckiethecat6 жыл бұрын
@@Zooiest No, 1
@Zooiest6 жыл бұрын
BuckieTheCat Your password has to be 5-32 characters long.
@kasimshahid67865 жыл бұрын
Thanks what's your email? Lol
@MaZe7414 жыл бұрын
Kind of a disappointment that he never mentioned "salting" passwords before hashing them, which makes this attack completely useless if you dont know what salt was used
@Chlorate2993 жыл бұрын
And even if you *do* know what salt was used, computing rainbow tables *per user* would take a substantial amount of time for a large dictionary.
@_piulin_3 жыл бұрын
you mean pepper. salt is saved with the hash, so it just slows you down (a bit).
@kalebbruwer3 жыл бұрын
@@_piulin_ A salt wouldn't slow you down if you're attacking a specific user, but it would make the attack difficult to generalize since every user has a different salt and the passwords you test must have the salt at the end.
@_piulin_3 жыл бұрын
@@kalebbruwer I know, that's what I meant. If you hacked a server and got the hash file, then it's way slower when it's salted to interpret all the hashes, so you can sell them.
@budjy18 жыл бұрын
14:47 "ganjagoblin" XD
@zanidd6 жыл бұрын
apparently a common password
@mikymuky11716 жыл бұрын
14:45 iloveyoukate Me too. Me too....
@locke1036 жыл бұрын
i smiled at linkgundam, amusingly enough.
@thomashuang50536 жыл бұрын
Gaijin
@thedangerousjitu6945 жыл бұрын
lol, ganja
@mctooch7 жыл бұрын
I love these videos. This guy is such a great teacher. Thank you!
@bhavik.knight5 жыл бұрын
"We don't save password unencrypted." Facebook left the chat 😂🤣
@jamesedwards39235 жыл бұрын
Hence why you change your password at least once a year.
@anatolfigeac46455 жыл бұрын
Lol
@jamesedwards39235 жыл бұрын
You would be surprised how long some passwords can be if the service allows it.
@BlackVogel14 жыл бұрын
Talk-Power removed
@anel34234 жыл бұрын
They encrypts the passwd ( I guess)
@cuttlefishn.w.27054 жыл бұрын
Anybody else come back to this video, not to learn anything, but because this guy's voice is just so soothing?
@fdk70148 жыл бұрын
No mention of password salting?
@black_platypus8 жыл бұрын
Are you talking about permutating your actual passwords, or salting the hashes before storing them in a database?
@IceMetalPunk8 жыл бұрын
That's in the Tom Scott video about storing passwords.
@koori0498 жыл бұрын
they weren't talking about securing servers they were talking about how to crack the passwords. adding salt doesnt protect at all against the attack he used, it just makes him repeat the attack for the group of paswords with a particular salt. That would be a great followup though.
@KhalilEstell8 жыл бұрын
Or peppering.
@Diggnuts8 жыл бұрын
koori049 "it just makes him repeat the attack for the group of paswords with a particular salt" Well, yes, if you know the salting method you could have a guess, but the most basic of static salts can make the most awful password extremely hard to brute-force, at least as long as the salt it unknown.
@17Haxor178 жыл бұрын
I like these kind of practical videos better than the theoretical ones.
@omegagamingalpha32537 жыл бұрын
CEO :some of our employees might want to play doom on the server. Engineer: *installs 4 Titan Xs*
@mikeg36603 жыл бұрын
Scary… never thought about the hashes being stolen and put into a single file for this type of repetitive attack… defeats the thought of locking an account after a few failed attempts. Learned something again from this channel…. Thank you!
@thebritishindian13 жыл бұрын
I could also never understand how passwords were brute force hacked when most services lock you out after 3 attempts. It never occurred to me that most of these databases are hacked off-line! This was a great video.
@AJ-kj1go8 жыл бұрын
Did computerphile stop asking tom scott to do videos for some reason?
@ericsbuds8 жыл бұрын
he does have his own channel and probably takes up a lot of his time! check him out its pretty cool stuff.
@Chris-jo1zr8 жыл бұрын
I believe he said he'd not do too many more as he didn't know as much as some people on subjects.
@AJ-kj1go8 жыл бұрын
Chris Gough ty
@mistermuffin7108 жыл бұрын
Ikr! I love his videos on Computerphile!
@FaelCacilhas8 жыл бұрын
I actually stopped watching Computerphile so much and started watching his channel...
@exm32667 жыл бұрын
7:54 Top row: "xiaojiji" At first I was going to say, *wow, they've got it all in this system* , but then realized that that was probably one of the first things that got put in the database.
@Packerr6 жыл бұрын
14:47 Shoutout to ganjagoblin
@dishant81264 жыл бұрын
Ganja means Bald in Hindi so it reads as baldgoblin
@sellem34 жыл бұрын
@@dishant8126 yea i bet thats what he had in mind
@princewilllucas32334 жыл бұрын
There is nothing like impossible to hack in this digital world. For any hack related issue Contact @cybersquad047 on Instaqram, Cybersquad047@gmail.comthanks to them I found out the truth about my spouse
@codinghub37594 жыл бұрын
@@dishant8126 I knew that... That was what I was thinking
@dylandowdy36874 жыл бұрын
"I've been running it about ... 18:15 checks wrist ... "10 seconds now" not wearing a watch and looked completely serious XD XD XD
@gtc41894 жыл бұрын
XD XD XD almost as if it could potentially just be habit and he clearly realized instantly he didn't have a wrist watch on at the moment XD XD XD
@kelpkelp52524 жыл бұрын
@@gtc4189 XD XD XD
@Sackguy4 жыл бұрын
Plot twist: he didnt havr a wirst at all
@kelpkelp52524 жыл бұрын
Wurst.
@jessicahsmith48153 жыл бұрын
I recover my instagram account back through *hackerlouis05* on instagram he’s legit and reliable 🏻 🏻 🏻 Contact @hackerlouis05 on Instagram for your hacking services he’s legit and reliable
@-._.--._.--._.--._.--._.--._.-8 жыл бұрын
"Change your hashes to something like SHA512 really quickly" Rather recommend bcrypt or something of the like.
@talideon8 жыл бұрын
You need many, many more upvotes.
@fdagpigj8 жыл бұрын
Or just use Secure Remote Password and not have to worry about your database getting leaked?
@fdagpigj8 жыл бұрын
Cíat Ó Gáibhtheacháin I feel like I'm missing something obvious, but why do you need to store users' passwords?
@jurek-zz3un8 жыл бұрын
rsa 4096
@talideon8 жыл бұрын
***** You don't store the passwords: you store something for checking if a password is valid.
@theomc14885 жыл бұрын
Imagine being at university and using password "tictac98".
@georgek44164 жыл бұрын
ok
@user-gl5qp4wf5q4 жыл бұрын
I used BigPeen6969 as my password
@Xtoff4 жыл бұрын
CanIEatYourCat? Was one my younger self used for everything. No login ever gave me an answer
@AugustusBohn03 жыл бұрын
most people, even supposed smart people, see the whole concept of setting a password as a nuisance rather than a necessity to prevent misuse of their account.
@cuttlefishn.w.27054 жыл бұрын
"If it's stored in plaintext, then all bets are off" I have all my passwords encrypted with Caesar's cypher! Beat that!
@surrealdynamics40774 жыл бұрын
Now that's clever!
@arrowb.84384 жыл бұрын
Pah! I store my passwords using an enigma machine, weak!
@asdfhklljfztvvw36864 жыл бұрын
@@arrowb.8438 dasoberkommandoderwehrmacht...
@yuvneesh4 жыл бұрын
Arrow B. Enigma is broken. I use SIGABA
@remasteredretropcgames33124 жыл бұрын
Laughs in quantum computing.
@kevinwestrom47754 жыл бұрын
This video needs to be updated, to be shown at current levels of computer technology with the most modern CPUs & GPUs widely available to everyone.
@pauljmorton8 жыл бұрын
How would a website change from using a hash algorithm to using another algorithm? Since they can't be directly unhashed. Update each password per user as soon as they log in?
@GLRaema8 жыл бұрын
probably ask the user to create a new password when they log in
@AndrewMeyer8 жыл бұрын
Hash the existing password hashes a second time with the new algorithm, then update to use _just_ the new algorithm next time they log in.
@DKRCecer8 жыл бұрын
That's a fairly common method, yeah. And if there are any concerns that the data has been compromised then most sites will force you to change your password when you next login and store that.
@mikstratok8 жыл бұрын
hash the hash
@mursie1008 жыл бұрын
This is actually scary, I have a LinkedIn account and I use the same password fo many other sites. I will change all my passwords after writing this comment, and you should do too.
@gblargg8 жыл бұрын
Just don't change all your passwords to a single new one hah.
@icedragon7698 жыл бұрын
Use a password manager. It can change them all for you automatically, and all to different passwords, and all to extremely secure passwords.
@dkmg8 жыл бұрын
Friends. Use KeePass, it's free, open source and multiplatform. Change all your passwords. Use unique password per site. Let me know if you have any questions.
@DavidWillanski8 жыл бұрын
The only password I know is the one that unlocks my Keepass database.
@dkmg8 жыл бұрын
I have KeePass on my computer and KeePass2Android on my phone. Install Dropbox to both pc and phone. Save your database or database copy there so it can be access in your pc and mobile.
@kenbobcorn8 жыл бұрын
That awkward moment when your own password shows up on screen.
@darkdaegurth6 жыл бұрын
Did you used mycubana too?
@michaelbodine61426 жыл бұрын
Gee I wonder if MR. Putin knows him ; SIR???
@Zooiest6 жыл бұрын
12345?
@TransSappho4 жыл бұрын
This is the exact video which convinced me to use much better passwords that are immune to just about every attack
@noxim_8 жыл бұрын
Ill crack numberphile account now. Hold my beer
@CircularEntertain8 жыл бұрын
Currently, for attacks on youtubers, the trend seems to be abusing a weakness with two factor auth. through social engineering. See H3h3.
@zirize8 жыл бұрын
The Other Other Yeah, they are using poor customer service of youtuber's mobile company. Issuing new sim cards then obtain youtuber's accounts.
@skate2late8 жыл бұрын
"Hello my name is Tom Scott and I need a new SIM card"
@Betacak38 жыл бұрын
Is there any reason why some sites enforce a maximum password length? Hashes are usually fixed-size, so long passwords won't take up more space in the database.
@Diggnuts8 жыл бұрын
Because shorter is easier to guess.. In 2016 nobody is worried if your passwords takes up 8 bytes of 8000 bytes really.
@Ccb7808 жыл бұрын
To increase entropy, which is the amount of possible activity of difference between different nodes (in this case possible characters in your password); if a password doesn't have too many possible guesses from the start, it will limit the amount of entropy at the end of the hashing process. Around 6:30 he talks about how it's easier to brute force lower case only passwords, that's because there isn't much entropy. That's why the websites want a varying amount of characters, like capital which effectively doubles the entropy at just the first step (without hashing, or plain text). But the thing is complexity can only go so far, because there is a limited amount of characters you can choose from on your keyboard, so the entropy increase is sort of logarithmic (starts off steep increase, but dies off quickly). But there is another way to increase entropy: length, which in fact increases entropy exponentially (another letter pushes it to a whole other level of entropy because that's one more exact letter that needs to be accounted for, which may take the machine a couple thousand or quadrillion runs around the track of checking your password). It's all about entropy and increasing it, because that makes it harder for anything to guess your password.
@Betacak38 жыл бұрын
Chris Bernard I'm sorry you spent so much time writing that comment, but I was talking about a maximum, not a minimum length.
@Diggnuts8 жыл бұрын
***** Ha misread that as well! I don't know? aesthetics perhaps? Now that you mention it, why not copy paste a unique binary file as a password!. Crack that!
@Betacak38 жыл бұрын
Diggnuts Exactly.
@typicalhog4 жыл бұрын
Imagine seeing your password getting cracked in this video...
@shakeelforester44303 жыл бұрын
Since about 2015 i've had 12 character passwords with numbers, uppercase, lowercase and symbols. So glad I did that
@SchubertDipDab5 жыл бұрын
Really love this presentation style. More in-depth stuff please especially with exploits!
@Dracolith18 жыл бұрын
MD5/SHA1/SHA256/SHA512 are Not designed for hiding passwords, never were; they're fast hashes, you need a key-stretching algorithm. MD5-Crypt (The Poul-Henning Kamp algorithm) used by Linux and BSD were more suitable for password storage and still much harder than MD5. Suitable modern algorithms are PBKDF2 or BCRYPT with proper number rounds and work factor.
@3dsboy088 жыл бұрын
You should be using the new winner of the Password Hashing Completion, Argon2.
@DrunkenUFOPilot4 жыл бұрын
[jaw drops] you mean... my password, "cat", is weak??! Darn.
@Wyld1one Жыл бұрын
it's been six years. so what hardware is used now? like to see the diffrence
@2rotten4you6 ай бұрын
a year late but usually i believe some hackers will buy 4090s with ill gotten gains really depends on how much money the attacker has
@Rider0fBuffalo5 жыл бұрын
"We don't store passwords unencrypted... That is a terrible, terrible thing to do"... Facebook.
@edwinadeya61974 жыл бұрын
My password one was cracked with out any software, Me: let's make it harder Him: is it password two Me: how did you do that
@alfonsokenjiprayogo56134 жыл бұрын
Why does the british lecturer always look like a Counter-Stirik Hostage.
@jessicahsmith48153 жыл бұрын
I recover my instagram account back through *hackerlouis05* on instagram he’s legit and reliable 🏻 🏻 🏻 Contact @hackerlouis05 on Instagram for your hacking services he’s legit and reliable
@alfonsokenjiprayogo56133 жыл бұрын
@@jessicahsmith4815 thanks, Jessica Smith, Very cool.
@topsunnn3 жыл бұрын
Omega lul
@JuanPablodelaTorre4 жыл бұрын
Developers, please, whatever hash function you are using, please salt your passwords properly. It's really important.
@JuanPablodelaTorre3 жыл бұрын
@@RiDankulous The password is not the important part. No matter how long or random your password is, if someone finds the hash and the developers didn't salt it, that person could use a rainbow table to find a password that matches the hash and access your account. Hashes are bound to have collisions at some point.
@Nowise108 жыл бұрын
So who's passwords are being shown/figured out using Hashcat?
@americanswan8 жыл бұрын
How about you do a computerphile on SQRL? ^^
@americanswan8 жыл бұрын
Computerphile explaining Steve Gibson's SQRL
@koori0498 жыл бұрын
The more exposure it gets the sooner we get to use it for our google login!
@maciej-368 жыл бұрын
Well, first he has to release it...
@JoesApartment8 жыл бұрын
Yeah, computerphile does SQRL would be awesome.
@koori0498 жыл бұрын
***** Someday
@timekiller114 жыл бұрын
Yep, 3 years ago... I heard they fixed that and now password1 is back to be a legitimate password.
@BobbyBike3 жыл бұрын
Thanks for the update. I can finally get rid of the capital letter in mine.
@Bacon4204 жыл бұрын
150gb password file + hashcat using your video card GPU = any password in minutes. I use the process in the last step to getting all my neighbors wifi passwords, though the possibilities are unlimited. I can do it from anywhere with a $13 wifi card on Amazon.. I felt so gangster when it worked so well right away. Oh wow, I was typing this up before you really got into it. hahah you just explained some hashcat! Nice. To compare, the same process took 3-10 days in 1998. Now it's about 3-10 min for a great password. I was a wireless network engineer.
@user-tf7jy7xg7s5 жыл бұрын
The second I see an email saying “your password was changed” ima make all my passwords unique 1000 character length
@waves_under_stars5 жыл бұрын
just use a password manager
@BreadMan4345 жыл бұрын
@@waves_under_stars Even a simple 8 digit password generated using all possible ASCII characters (81) All possible combinations would be 81^8 is 1,853,020,200,000,000 possible combinations. When it's completely random with no possible way to use a Dictionary attack, and it must be guessed from the ground up. It would take literally centuries for a standard home computer to crack. And even months for a super computer like Computer Philes "Beast" with its 400 billion guesses
@BreadMan4345 жыл бұрын
@@waves_under_stars Set it above 15 digits long, completely random, and it is practically uncrackable unless they were to use some Gigantic botnet utilizing all their GPU's
@waves_under_stars5 жыл бұрын
@@BreadMan434 but then the problem is remembering dozen 15 digit completely random passwords. And the answer is writing them all in a txt file, encrypting it with a strong master password and remembering only the master password. Or just use a password manager. It's essentially the same but better
@jamesedwards39235 жыл бұрын
@@waves_under_stars I have learned between offline and online life. That most people are lazy.
@wbfaulk3 жыл бұрын
"Let's show you an example dictionary." cd: No such file or directory (11:55)
@DrunkenUFOPilot4 жыл бұрын
Then there's the "Forgot your password?" feature on most sites that I'm sure can be used by identity thieves without needing a dozen RTX2080s.
@bananya60204 жыл бұрын
@@Abanmy well people often use the same password for their email as every other site...
@thedarkplay34143 жыл бұрын
It's real we use almost the same password for all social media
@albertnewton82964 жыл бұрын
Computerphile: "Everyone's passwords are terrible" Me: *laughs in memorised password with more than 175 characters*
18:51 gezamacska :D :D any Hungarian watching this? (Géza is a male name, macska is cat, so obviously the name of his pet, probably thinking it's secure because it's foreign words, who could internationally crack it. Well...)
@runakovacs47596 жыл бұрын
megszentségtelenitettlenségeskedéseitekért!
@minecraftgameplayshungaria73076 жыл бұрын
lol
@ameliepoulet15665 жыл бұрын
And monamireda means my friend Reda (a fairly common arab/Moroccan name) in french. And so ashishiscool... Did he just tell us his dealer's name? 😏
@DrRChandra8 жыл бұрын
Are rainbow tables still a useful thing?
@notmyname54498 жыл бұрын
Wondering aswell
@Seegalgalguntijak8 жыл бұрын
And if you have a list of hashes without knowing the salt, the method described in this video doesn't work either.
@ShaunHusain8 жыл бұрын
ah I should have scrolled down same question
@DrRChandra8 жыл бұрын
Shaun Husain , I don't blame you one bit. The YT commenting system is a cesspool of JavaScript which obscures a lot in the name of "well, people only want to see the latest" (and other such dimwittedness). There is no search function (of which I'm aware anyway), so to search through any more than about 10 comments is a very time consuming exercise, with all the "view all X comments" and "read more"s. So it's nearly futile to use a browser's search function to see if something has been covered already. I have no doubt left comments that were redundant, because finding one that I can simply plus-one/thumbs up is, unfortunately, exceedingly tedious.
@jonathankennedy83928 жыл бұрын
I think one of the points here is that MD5 hashing is so fast on modern CPU/GPUs, you don't even need rainbow tables for a effective attack. If we are talking about harder/slower hashing algorithms, like those recommended; rainbow tables would still be an effective attack against non-salted passwords.
@eddievhfan19847 жыл бұрын
Always gotta season with that salt, though. An important part of the recipe when making a hash.
@jamesedwards39235 жыл бұрын
Correct.
@emperorcyber5095 жыл бұрын
salt and pepper makes a well seasoned secure hash
@georgek44164 жыл бұрын
ok, what is that salt?
@georgek44164 жыл бұрын
@ Thanks for explaining.
@Jack-Lack4 жыл бұрын
16:30 As it displays passwords from the rockyou database, I'm seeing a password that starts with "qwerty" quite a lot. In fact, at one point at 16:34, there was a run of 3 of them within 5 results.
@Huwarf8 жыл бұрын
Why are people referring to hashing as encryption? I've learned from studying security that's wrong. Hashing is only one-way and encryption is 2 way.
@informant098 жыл бұрын
Thats right. But hashing is sometimes used in encryption, to check if the content was modified or not for example.
@TheMan835548 жыл бұрын
I think the term "Encryption" has been generalized, hashing is a one way subtype of encryption.
@michaelpound98918 жыл бұрын
It's worth thinking of them as different things, but technically hashing is considered a cryptographic primitive along with asymmetric and symmetric encryption. Of course, all three have varied uses, but you can also convert these primitives to others. A feistel cipher, for instance, can turn one way hashing functions into two way symmetric encryption.
@Betacak38 жыл бұрын
I usually say "encryption" when I'm talking to someone who maybe doesn't know what "hashing" means. It may not be accurate, but it gets the point across.
@porteal89868 жыл бұрын
yes, but hashing is cryptography, and people tend to get cryptography and encryption confused
@tommyjenga59763 жыл бұрын
If I've learned anything from this video, it's that you shouldn't store your passwords in plain text-- hash them using MD5.
@jjlred96533 жыл бұрын
other than him specifically stating NOT to use MD5 lol
@Monstexitus8 жыл бұрын
"iloveyoukate" - what a romantic password.
@koori0498 жыл бұрын
its so romantic to have your bank account hacked because you used a weak password. DX5Yc7Uu]&vM%;P+sI`1Fxsw)[g>Mcf=p["F^I~i.:ohuK{S?`EzSZ0e0
@robo30078 жыл бұрын
Maybe Kate's password was the "iloveyouivan" you see at 14:18. How sweet!
@wickedwolf84383 жыл бұрын
i love the vibe this guy has about this stuff
@jessicahsmith48153 жыл бұрын
I recover my instagram account back through *hackerlouis05* on instagram he’s legit and reliable 🏻 🏻 🏻 Contact @hackerlouis05 on Instagram for your hacking services he’s legit and reliable
@wickedwolf84383 жыл бұрын
@@jessicahsmith4815 imagine actually making a fake account to self promote to the people who doesn't care :D...(especially to those who can "recover instagram account" themselves ; ))