Another great video from Dr. Mike Pwned

I feel like Dr. Pound was not at all surprised by the people who used correcthorsebatterystaple, yet somehow is still disappointed by them.

Sweet that the hash for "iloveyoukate" starts with BA8E 😍

"Pwned? If I'm wrong then I'm a noob" - Mike knows what's up.

1-2-3-4-5? That's amazing I've got the same combination on my luggage!

Hilariously, the other password from that same XKCD comic strip "Tr0ub4dor&3" which was used as an anti password cannot be found in that password API.

I checked, the password "computerphile" occurs one time in the pwned password list! Why? Who? What!

So if I need to sell stolen password data do I go to the Pwn Shop?? I'll see myself out E- auto @Cadde correct

Now that's an interesting way to check passwords without actually sending them. I like it.

*unhackable* shows up 602 times.

The first thing I did once I find out about this website was to inspect all js to figure out what heck it was doing with the passwords. Got really impressed! Kudos

The out-take is great xD

I love this guy. Please do more neural network videos with him.

There's a problem using the command line as shown in this video: it will appear in your shell history and for a split second also in your list of current processes. The best way is to have to type your password interactively.

8:53 - not all are publicly available, some are from private breaches which have been given to Troy

His explanations are truly great. Such a good teacher.

Alright fine, guess I'll change my password to iLoveYouMike

That git repository is a treat. The same program implemented in multiple languages: python, go, haskell, julia (I don't even know what that is), bash and perl, the last being my comfort zone. So now I have all these examples with which to compare and contrast. Very nice. I'll skip the java and powershell if that's OK. Happily, all the passwords I tried passed. My trick is I use my social security number as my password for everything. That way, when one of those sites gets hacked, they'll have everything all in one go.

correct horse battery staple.... instant facepalm hahahaha.

regarding bad practices people do with well intended info from these videos, I know its just a demonstration but I'd still like to point this out. if you were to use some small commandline utility you threw together yourself to check your passwords, like in the video. they'll end up in your shell history(every command you ran goes there for a while) which is just a plaintext file. Effectively undoing the whole point of an encrypted password database. cheers

"password" has been leaked 3,645,804 times.

I've been pwned endless times lol This is also a good way of finding out where other people have been signing up 😉

Great video. Not nearly as dense and dull as lectures, still informative, and actually entertaining and easy to watch.

Yes. I was pwned the moment I purchased my hardware, with all of its built in backdoors and in designed vulnerabilities. Cell phones have 200 builtin backdoors for “network monitoring” in order to prevent violations of “insert country regulatory body here” frequency regulations. Anyone who buys any technology is owned at the time of purchase.

Found this API about two months ago and immediately implement a script that goes through every password in my password manager and checks it. Super handy tool, gotta give it to them. (All my passwords turned out not to be in there, but you never know. Though, if a password does get compromised, it's not a big deal for me, anyway, since I don't reuse passwords)

If you are very paranoid you can always just download the pwned passwords list and write some code to do it all locally. On the plus side, you'll learn how to search through a 22+ GB file quickly!

A ressource of the code used in various videos would be nice :)

So much value in less than 11 minutes, and 100% accessible to anyone who knows python isn't just for snakes.

I like how he laughs for like a fraction of a second then starts talking seriously. It’s very funny lol

Now, if only we could convince websites to refuse new passwords / password change requests that appear on these lists. Then, after that, we might be able to convince websites to use bcrypt, and increase their maximum password length such that correcthorsebatterystaple could actually be used if it wasn't already disclosed and prevented by step one.

Troy Hunt's API is absolutely awesome. He also gives love to all the developers who use it to build applications by posting links on the website.

One thing to keep in mind with using that python script is that you are probably storing the password as clear text in your command history.

From time to time i come back to this video for some entertainment

Thumbs up, if you're a developer who salts passwords. This makes one of several examples for why salting is important :)

Thank you for this video. I have now changed my password from iloveyoukate to iloveyoujan. Now I can rest easy.

My passwords from when I was a kid have surprisingly never been cracked. I'm shocked.

urmom : 6367 times urmom1 :12626 This was true for many passwords. It seems adding a 1 at the end of a password might actually make it less secure.

It’s also fun to go onto the password site to find all the horrible phrases people have as passwords that have been pwned

One "strong password" (459 matches for strongpassword) technique folks use is to choose the first char of a series of words from a song. The results for "Jumpin' Jack Flash it's a gas gas gas (jjfiaggg)": 56 matches. For the typing class phrase "The quick brown fox jumps over the lazy dog (tqbfjotld)": 956 matches. (Yes, I know computerphile (1 match) recommended adding special characters to such a PW, so, "jjfiaggg!": 1 match :) ). Golly (541 matches) it's fun to guess the cleverest (90 matches) passwords, like "iamclever": (164 matches) but "youareanidiot" (57 matches) and hit this range API with my little golang (24 matches) script. And thanks for introducing me to k-Anonymity (0 matches!!), neat!!

He uploaded this the day my account got compromised.

Oh, that's a really elegant solution! I like it.

Those buttons are amazing. I spent far too much of this video looking at those buttons.

"correct horse battery staple" was compromised? Time to change to "incorrect horse battery staple".

I love all Videos Mike makes to computerphile, I wish I could meet him!

I actually knew about this! Huge fan of this approach. Have gushed about it to some coworkers.

Mike's videos are the best ones.

I know computerphile is hosted by a different person, but it feels strange to not hear Brady's voice behind the camera

This guy is awesome. I knew all this stuff already yet I still was entertained!

well it is nice to know a bit more about the "Have I been Pwned" site... even if i hear it is safe i would rather have multiple sources of trust to confirm... even tho you are the second! (the other was a PC security channel that tests antivirus programs)

Which thinkpad model is that?

Thanks for posting this, now I can link this video to people who think I'm trying to hack them, when I link HaveIBeenPwned

I like that you make your notes on tractor feed paper

What's your stance on password managers in the cloud such as the mentioned one password or dash lane for example? So many people seem to be using one of these kind these days, but I'm still very sceptical.

Surely using this API to check a password before you use it is a bad idea? If you input a password, and it's not found, you would think it's safe to use. But you've just given it to the API, so now it will be in there, and that means it's not secure anymore.

Mike, talk to us about AES. I know that deep down, you have an urge to do so!

I'd love to tell you just how great my password is, but then I'd have to change it, so just believe me.

so how do you work out diacritical marks / accents? I am cheking Polish for password (hasło) and I get 0 matches even if I enter it on /password site directly.

I enjoyed the Hackers reference at the end

Of course Mike's code is in the doobly too. Legend

How do you install requests? The pip command returns "'pip' is not recognized as an internal or external command, operable program or batch file."

Hi. Love your content. This question might seem a bit off topic, but since you like to look at things from a different perspective, I think you might have an interesting opinion on this: I have been looking into amateur music production lately and I found out that sound cards in laptop is just not a thing. Which really surprised me. But I got to think that with the help of graphic cards you should be able to model oscillators properly and therefore I figured there should be a way to use one's graphics card capacity for sound rendering?

Yet another great, clear and concise video. Thanks

Bitwarden password manager also has a password leakage detection built in.

I love this channel especially the vids that involve security

I know several languages, so in order to create a password I just think of some sentence that has my personal, unique association with the service, then translate it through several languages and at the end I translate it into an agglutinative language where it is a convenient long word. Even if I tell you the word out loud it would sound like a bunch of gibberish, but it makes perfect sense to me and is connected to a specific software/service in my head. So far I haven't forgotten any of my passwords.

I have been leaked 10 times with 0 pastes and had used the same password everywhere from the early 2000s up until 2016 :O

I know it seems radical but its about time we just get rid of passwords. Any time you type in a password its a liability that it will be recorded or compromised. Using your phone as authenticator is great. If your phone gets stolen you just have to remove it as an authenticatior. If you want to have some time so the thief can't immediately get into your accounts add a phone lock with pin or fingerprint. While these methods are not super hard to crack it'd still take hours to days. Phones can also be remote locked and easily deactivated. The only problem is there's no universal or standardized way to authenticating this way.

Extremely useful information! Thanks for making this video

I ran the script today and password1 was found 2413945 times! And password1234 was found 23183 times Iloveyoukate was found 95 times Correct horse battery staple was found 120 times @computerphile , does your video has negative effect?

If you're using that python command on a Bash terminal make sure you add a space before the command. This way (on most versions by default) it is not stored in the bash history for someone to accidentally stumble upon all of your passwords.

dsenti may just be on to something. If you take the SHA-1 hash of Dr. Mike's example - be it password1, or Password1, or password 1, or Password 1, the hash doesn't start with FA2241C. And if you use cURL to input any of those actual hashes into the website, it doesn't return ANY corresponding leaked hashes! Of course, the hash depends on SO much more than just what the password is - like the font you use, whether it is ASCII or UTF-8 encoding, whether you create the password in Notepad vs. Wordpad vs. RTF vs. MSWord, etc. and probably a hundred other things. Which renders the whole exercise of hashing your password yourself for submission rather pointless. Or worse, it lends a false sense of security when no hits are returned. So you're really only left with the option of typing your password into a random box on the internet. I think I'll give it a try it right now - NOT!

Hilarious closing - "I thought you were leaked. (embarrassing look). Definitely not. " You guys provide informative and useful content. You should be a the ten million subscriber mark. Keep on keeping on!

And the hash for 'iloveyoukate' starts with BABE... Of course it does! LOL

Problem with correcthorsebatt*erystaple though is that people can modify a dictionary attack by trying to insert characters like that. It's not likely, but it's still possible, so best practice would probably be if the original four-word password is in the database, try using something different first anyways.

I was in the process of checking "correct horse battery staple" when he said to try "correct horse battery staple". :D

Decided to go to haveibeenpwned and search my main 2 emails, and I’ve been Pwned on both. Guess I’m creating a new identity and moving to the other end of the earth.

Bloody beautifully explained

Thank you for making useful vids. I will be using your code at home and work right away. I also love that you use python. I have learned much from reviewing code that you've offered. Cheers!

it blew my mind that correcthorsebatterystable is now a used (and leaked obv) password :D

Glad you guys mentioned this site, it's rad 😊

10:01 i love the pure disappointment in his voice

But what's in between n00b and l33t?

It's not great to type a password in the command prompt like Dr Pound did - he passed the password to his python program as a command line argument when he ran it. That means it will be in his command line history etc. It's better to design the program so that it asks you to type in the password after you start it.

Fun fact: his e-mail address from Nottingham University (which can be found easily by searching on internet) is also on the pwned list. :)

Every video this guy makes, a password dies.

lastpass is really lagging behind not implementing this

I've always heard it said as just normal "owned". Not sure if it's the first source but look up the Pure Pwnage videos here on the Tubes. They say it as normal "Pure Ownage" and not "pone-age".

Someone actually used my real name as a password, it got 4 occurrences. wtf lol Mind you that my name is so rare that if you google it, you'd find me and only me.

When I was in high school I cracked the admin password for our IT guy. it was kari3sko.... I wasn't allowed to use the computer anymore

Some people are actually using password from xkcd? *facepalm*

Great Hackers reference!

I always wonder, is there anyone on the background you're talking to ?

Nice video as always. Why were you using duckduckgo though?

Is there a repository where he uploads the code so we can take a look at them?

Why does this filming style remind me of The Office?

great video again !!! can you make another to explain the spoofing; like when we receive mail from your own adress...

i get a name error : "module not found error" is not defined. what can i do about this, sorry i'm a noob at this

For two of my passwords, I took four random words out of a dictionary, pulled 4 to 6 letters out of each, scrambled upper case and lower case, then added random numbers at random intervals. Pretty sure it doesn't get much safer than that without simply making a longer password.

As a teen growing up in the early 2000's I refused to use words in my passwords it was always 1 capital letter followed by a string of numbers and a symbol. I felt it was a great idea and no one could every guess a password as random as that while trying to sign into an account with my email. As I got older I learned that wasn't a great idea to begin with and I'm not creating a password to fool people but computers. Computers do not care if my password if 100 characters or 100 digits at the end of the day it will test everything and people are smart they realized a lot of passwords have similarities like a capital letter first, and numbers at the end/symbol and you can alter dictionary to counter act this which made my password scheme pointless. Now knowing how hashes are I just add a new character or symbol each year and hope best case the servers of the sites I use do not store passwords in plain text and salt their hashes with something like the day of the month I joined and time. Enough to keep it simple but enough to make each hash different, salt that is the same for every hash servers no purpose. Now my main password is 20 characters/digits long with multiple caps, and symbols on top of that I use the sites name in each pass like YT for KZbin to add a little bit more of a variable to the hash and not use the same exact password for everything. Looking at the hash they can't tell if my password is pass1 or sdfgonigasdfiojserjipw34r-u924t08iar-t0 8ywq4-82y345w4y5- 048404958-w 084 t shfgj nsdgb fgkab as you just 1 character/digit/symbol difference will dramatically effect the hash. Length is your friend it gets to the point where just 1 more character can make your password 10 times harder to dehash and that's really your only defense... You can't beat the computer... you can't but you can annoy the person trying to dehash the database enough for them to simply discard your hash as it's not worth their time trying to dehash 1 password if it takes their computer 2 straight months to do.

Is it possible the API returns only the remaining of the hash to ensure that even if that list was somehow intercepted it is of no use without the prefix that was sent over https?