Iwentotheparkto_day.

iwenttotheparktodie

I agree. I've changed my password to "passphrase" in solidarity.

Came here from Edward Snowden s recommendations?

"Passcode" would probably be even better then.

I was wondering that, thanks!

My twinkle

Thank you!

But none of my dice have a 6 on them! They have a 9 instead! What should I do?

@@__Brandon__ Excuse me... my eleven-sided die has two number 9 s. Where is the missing number 6 ?

That is not the point. The problem is nation states and criminal organizations. They both have access to cloud computing services. Also bitcoin farms and hacking farms can use the same technology. The same equipment a government uses a civilian can buy unless the equipment is classified. You think there is a difference in terms of capacity? You are wrong. We're not talking petty theft. We are talking about criminal organizations who make a fortune off of your stolen data.

@@jamesedwards3923 I don't know, I think you're the one missing the point here. A high-entropy password is great, but you are vulnerable against a $5 wrench attack and if your adversary is willing and able to use that method, your secure password stops mattering.

@@xXx_Regulus_xXx In most states in the United States. Getting a 'legal' gun is easy. If a criminal organization comes with a $5 wrench. I can unload on them. Got to love the Castle Doctrine :) ! Although in my state and city in particular. Has stricter gun laws. Thinking they are going to stop criminals. Yet in a bunch of videos and articles I have read. Obviously not. The excessive gun laws in my state; city in particular. Are designed to keep lawful citizens from defending themselves. Bet you know which state I am talking about. Even the city.

@@jamesedwards3923 wrench attack is just a catchy name. Believe it or not it would be possible for your attacker to be armed and a quicker draw than you. I won't be arguing semantics or investing how quick of a shot you claim to be. The point is someone who is better at violence than you might sidestep the password security issue entirely. Do you understand what I'm saying to you?

I know 🤣😄😄

Encrypted text file here.

But then you have to remember the encryption key.

Not if the encryption key is your password.

something like one pad vigenere cipher? that's very clever. it's not until you have to convey your secret password to customer service via the phone that it becomes a problem.

Joshelin recursion

It gets currupted because it's rw. Maybe it's time to "chmod -w tapir"

Does your tapir often receive bribes ?

Alexander Robohm Who corrupted it? Some guy from Libya?

Knew this comment would be here to like, I just had to look for it :D

I'm going to glue all your dice to the table, just so you _can't_ roll. Mwaaaaaaa ha ha ha ha ha!

@@PeteMcDonald You stunningly subtle sophisticated psychologist, you!

On the other hand. I've seen a website just on the last week which allowed me to use only letters and number in the password. I cannot say which one is more rediculous out of these two.

What if we combine the strengths of those two to have Password: $7N7e@6MwoB/,@* Its much stronger than those both. Although, right now Im on mobile, so it takes some time to switch between symbols and letters. Thats why you can see an altering symbol/letter and uppercase/lowercase pattern. On Desktop this shouldn't be a problem.

I've seen a site that only allows 6 to 8 character passwords, and THEY ARE NOT CASE SENSITIVE.

Mostly because these developers are too lazy do write sophisticated software. But they still need to comply with standard security tests. And these tests will include "are secure passwords enforced" and the devs will say "yeah we check them before accepting". Point done. And then it comes to stuff like you can't use spaces, you can't use ; or ' or " and other characters, that could be used for command injection (no, and santinizing escaping the characters is way too much effort to implement for the lazy devs), you need uppercase, lowercase, numbers... And so people will chose something like "BankName" as passwords, which is among the weakest password you could chose. Or even better: "Your password must be between 8 and 20 characters" - "But mine has 45..." - "meep! computer says no!" I even have seen a service that turncates your password if you wrote more than 12 letters... m(

Pointing the blame at web developers is generally wrongheaded. Your bank's developers didn't decide the password restrictions. Management handed them a set of requirements, and they implemented them. For all you know, the developers did push back, because even if they did, it almost certainly wouldn't have made any difference.

I cracked, lol

I like chalupacabra

Wait... that's not right...

@@QBelly i like chawawaa

@@abdulwahabjag #obvious

£ or #?

@@jasoncox5263 Not so obvious. A # isn't called a pound in Britain, it's called a hash.

@@abdulwahabjag TIL that Americans call a hash a pound sign... interesting!

...and for those who deal in slightly illicit substances which you smoke.... perhaps they don't like the hash sign.

sounds like you need a password manager.

Some systems have strange and specific requirements, like the first character has to be an uppercase letter and the last character has to be a number, or stuff like that. Why? That requirement is public information, so it makes passwords _less_ secure. And the systems that force you to regularly change your password are very annoying.

@@perimiter I do.

It's best to use an offline password manager with completely random characters of at least 15 characters, and not trying to remember them. Offline is essential since often hashed password files are stolen from cloud servers. Personally I use a simple text file for all my longins, encrypted with a 64 character pseudo-random password by 7Zip AES-256 method. Let's just say, it's pretty darn secure. ;)

@@BillAnt 15 to 20 characters is the statistical average for password length. Bad idea for any important password. Where you control the length and complexity limit.

Bravo :) >Sean

Luckily my trusted sidekick can make you talk, Agent M! Watch out! He's, shall I say, rather bitey!

Travel across a ball? I don't understand, you cannot stand on a ball!

Hey, that’s the same way like I do . 🤔😨

@@santoshpss you must be using translation software. He said globe, as in a map that is projected onto a sphere. Not a ball, as in the round thing that children play with.

Yup, there's a great comic about this somewhere. If they're going to brute-force your password, they are going to *brute-force* your password, if you get what I'm saying. How many fingers can they break/cut off before you decide maybe the data isn't worth protecting *that* much.

Tiavor Kuroma In those sites you can use password "secretlol" and don't use/put anything valuable to those accounts. Use your spam email etc.

Do you mean the email that I use for getting spam or the one for sending it? Oops...

That's why you should have a tiered password schemes, and Diceware should probably be reserved for the highest level, like a password manager or encrypted hard drive/OS. Lower level passwords can rely on your password manager.

Mike Pound for king of computerphile!

Brian A he's more princely in my opinion.

I suggest Tom Scott as his... queen?

:3

Sassy The Sasquatch nmm

clearly you have not seen the prices on proper, unstamped casino dice.

It's a fun way to generate a password so why not do it number by number...

Is your hand big enough to hold five dice at once? ;)

How do you decide which dice to take for which digit? It can be biased. It's more random to roll a single dice 5 times.

The first time I used diceware I didn't have ANY dice, so I flipped about 20 coins together a bunch of times...

I know what you mean. It's just muscle memory for us when we go and type it.

Same! I once tried logging into my PC remotely from my tablet and couldn't do it, because the keyboard layout is slightly different. My password is a pattern that's muscle memory now - I don't even know what the actual characters are anymore.

Yep! I know that pain, I can't log into anything from my phone x) I don't remember my passwords... I can just type them...

Is it "1234567890-=qwertyuiop[]asdfghjkl;'#zxcvbnm,./" ?

@highks Same :/

Doubling the word list increases entropy by only one bit per word. It doesn't hurt, but the benefit is negligible.

Yeah. But the wordlist dubbles and but you don't know what language I have used. In my case you know but you need to translate that list to every language to brute force it. Just adding swedish dubbles the list. Adding all of Europe languages... that's about 25. And so on. And that's my point. Not that everyone take a Swedish word. Hope you hanging on. My phone got in to this discussion and messing with my text... xD

Bra plan synd bara att Tapir = Tapir

Diceware word lists are available in multiple languages (they contain different words) so you could roll the dice one more time to choose your word list.

"Most people understand two languages" Spoken like someone who has never left Sweden.

There are so many ways to do it, it is insane. Unfortunately, yes there are so many services. That have not even attempted to update their security. Would not surprise me if sites using such character limits are using MD5.

Look up "The Subway Piranhas" by Edwin Morgan. It's a short and slightly startling poem.

You can only impose retry limits on authentication systems, but not on encryption systems.

Great point.

If you own the system, you can key stretch to a silly amount though. Try brute forcing when each iteration of your KDF takes up megabytes of memory.

10 purely random characters are not that hard to remember. And they are faster to type. Anyway, I don't get why people aren't using password managers and still try to remember all their passwords. My passwords are all at least 16 random characters (letters, numbers, special) which is way more secure than what is shown in this video. I don't know any of them by heart but then again I don't need to - i copy and paste them directly from my password manager (which makes me immune to keyloggers as well).

@@teeds88 doesn't make you immune to clipboard sniffers

LOL, that is the point is it not. Diceware or Leetspeak - Taking something easy to remember for you. However for a computer it is insanely complicated. Some people put down leetspeak. I logically disagree. As we all know, the longer and more complicated your password. The harder it is for a 'computer' to figure it out. Also, if a person can not figure out. If a human and a computer can not figure out what you did. That makes it all the better as a password.

@@jamesedwards3923 I build password cracking dictionaries. And leet speak is easy to crack. Actually combining words some with leet speak and some with out. While sharing vowels is best. "!l1kEtHr3epeoPLE" is hard to crack

Yeah, it's amazing :) >Sean

Your mistake was.Posting your ruleset. Now hackers will add it to their attack models.

I assume what you mean buy "important passwords" means stuff you have to remember. Most people make the mistake of keeping all their passwords in their heads.

@@jamesedwards3923 Important passwords, like for email or a password manager. The sort of thing you need to remember, but also that could be devastating if someone nefarious got access to it. There are some less important passwords I really don't care too much about, because they're for inconsequential websites or something that nobody else could really benefit from hacking into. Everything else can be a string of 16+ random characters, and memorized by a password manager. That keeps everything pretty secure.

@@sk8rdman At least you had the common sense to do it. So many I meet and talk to. Do not care until they get hacked. Or spoofed. You would be surprised how lazy people are with cyber security. How could you 'understand' the situation? Yet not take basic efforts to deal with it?

you aren't wrong. I've been using diceware passwords for about 6 years and noticed that I am more likely to rotate passwords that are hard to type after 3 months than I am for passwords that are easy to type which I will sometimes keep as long as 6 months. I think that you could probably build a probabilistic distribution of diceware passphrases that is a slight improvement on the advertised value against users who misuse the list. However, it is unlikely that will strongly affect any users who use the list correctly.

@Brendan Hart-Nutter First thanks for your reply. Yes if you use the list right that doesn't matter. The point is that I believe many maybe even most user don't use it correctly and non of the systems addresses this topic by saying don't roll multiple times.

neumde neuer The Diceware website actually addressed this problem, emphasizing that you should accept every word generated in order.

Chenfeng Bao thanks for your input

7776(5)

That is something you would have to commit. In A great deal of the world. Learning another language is a requirement. You can social engineer that. Via country, age, and education level. However you are not wrong.

I think I've seen the video for that...

How many bits you need to store the number 7776, which is log2(7776).

Pampersrocker cool, thanks!

Correct.

He pretty much explained it at 8:40

2^12.9 = 7643.40626667 which is approx the 7776 word choices in the list

Robin Hilton Really long. So long that he probably don't have the resource to actually locate this at all.

With a fast hash, like SHA 256, and dedicated equipment, a 60 bit password can be cracked in one or two weeks. Obviously, that's an example of how *not* to do things. On the other hand, assuming proper storage on a server with many users, the hash should complete one iteration on the millisecond scale, in which case the password will be cracked in around 40 million years, less on dedicated cracking hardware. Same on home hardware, for which you can key stretch up to a few seconds, but is also much weaker than dedicated cracking hardware.

Even if the attacker knows the word list, how many words you use and even the separator character, it won't change anything. The number of combinations is finite, but is huge! It's ~ 20 billion billion possibilities for 6 words.

I think the idea is that most easy words people think of are also easy for an attacker to find out, like your kids' names, your birthday, your maiden name, your first school, the kind of stuff that's often used for "security questions".

I think this video didn't do the best job explaining why "choosing random words from your head" is a bad strategy. It's not so much that someone could be spying on you, but rather that the words that are most at hand when you try to think of a "random" word come from a more limited "dictionary" than you would probably think. Humans don't have random number generators in our brains. What we have instead is a fantastic ability to recall concepts that we associate with other concepts. So if you ask someone to name a "random word" out of their head, what they will tend to do is play word association with the word "random". So they'll say "potato" or "haberdashery", because those are the words that come to mind when they think of randomness. If they know to avoid this bias, they'll try to search around for some other word in their vocabulary, but they have _no_ control over the distribution, and no effective way to "break out" of the set of words that happen to be mentally close at hand at the time. So it's not that someone can figure out your "dictionary" by watching you. It's that someone could study the passwords that people tend to mentally generate, and build up an effective process for limiting their search space. And because you didn't use a truly random password, you have no idea how susceptible your password would be to that process.

+chaumas Human memory is also subject to the availability and recency effects that bias human recall especially when asked to select a random item from some class, the availability effect biases them towards members of that class they remember seeing more often and the recency effect biases them towards members of the class they have seen most recently. Of course the word frequency distribution of the users language significantly affects both of these more frequent words are both seen more often and statistically are far more likely to be among the words you have seen or heard most recently too. That can of course be used to prioritise the order in which words from the dictionary are used too just sort them by the word frequency of the language first. This could even be made worse if you have any additional information about the target like level of education or profession, for example the word frequency list will deviate from the average among the general population if you were to use word frequency data from the writings of university educated engineers for example.

They don't need to spy on you, just identify some patterns generally used by humans. Assume the attacker has a huge database of previously leaked passwords. He can start with the most common words combined with the most common obfuscation strategies and gradually move towards the least common ones. He can try an enormous number of combinations and surely will crack a lot of passwords this way which depended on some human bias. The farther you gone from common patterns the more chance you can get away with it, but you cant be sure. Or you can use some simple methods which does not introduce such bias and can create passwords with high entropy such as diceware. It is very straightforward, and you can determine the password strength in number of bits. You dont need to outsmart anyone or think too much to generate your passwords, just follow some simple instructions. You can do it even if you are tired, have hangover etc. yet your passwords will be as safe as ever because the process gets entropy outside your brain, like from dice rolls. It is somewhat scaleable, because you can add more words for higher entropy, but it becomes harder to remember and longer to type in. Maybe you can practice with 5-6 words per password and go to 7 if you need very high security, but this is just my understanding of the subject, I am not an expert on the topic.

@@seraphina985 Your stated that perfectly sir.