An excellent poem there at the start: "Some people watching will have good passwords, Some people will have thought about this before, Some people should have thought about this and haven't, And hopefully will, after we talk about this, a little bit more"

Dr Mike Pound is my favorite presenter on computerphile.

All this talk about passwords always reminds me of this scene in Harry Potter and the Prisoner of Azkaban (the book at least, not sure if it made it into the movie): In the story, the students have to say a password to get into their dormitory. Because of heightened security, they change the password so often that one of the students with rather poor memory (Neville) ends up writing down the whole list of passwords on a piece of paper. That list ends up getting stolen, defeating the entire purpose of the heightened security.

"Make a password with words people don't usually use." *changes password to "Nickelbackisagoodband"*

"Computerphile - Making you uncomfortable towards your life choices since 20XX"

I´ve had multiple sites/servises tell me my password is too long, and even had one telling me I couldn´t use special characters. How am I supposed to have a safe password when you don´t let me damnit.

"Pick a word that other people don't use very often, like your favorite band name." lol

"Maybe delete your account out of shame" *proceeds to face palm* Straight savage

now they're gonna use the least likely 10,000 words in the dictionary great going mike

2 more of these vids, and we'll socially engineer his master password boys!

as a person that speaks 4 languages I changed my password to 4 words in 4 languages

4 years ago, watching this video made me realize I had a bad password system and I switched to using a password manager. Thanks computerphile

I'd be interested to hear Mike talk about workplace password resets. Lots of places I've worked require employees to reset their passwords every month, and some have onerous requirements for length and symbol usage. I think that rather than improving security, it encourages people to make passwords easy to guess (since they expect to forget), or worse, actually write their passwords down and stick them to the computer.

it would be something if your 128 character uber password gets a hash collision with the password "password"

"Oops! Your password is too long!" "Oops! You need to include a number, a symbol, and an upper and lowercase letter" "Oops, that character is not supported!"

Guys, post your passwords, lets see who's is best!

It's all fine and dandy until you have to use a website that either: a) forces you to use uppercase, numbers, symbols, runes, smoke signals... or b) limits you password to something like 12-16 characters

How about using more than one language in the password? For example, horsecaballocapallceffyl is just horse in English, Spanish, Irish and Welsh - unless the hacker tries dictionary attacking you with multiple languages at once (which would surely increase the search space to the point of absurdity), that should be safe, still only requires you to remember four words, and most people know at least some words from a foreign language.

More tips: - Mix different languages - Use phonetic spelling instead of the dictionary version

Love these videos. Great presentation Dr. Mike! On the subject of choosing passwords, I've ran across something odd myself. A password is something you use over and over again. I've used it as a psychological tool. My password is a positive affirmation of a couple short sentences. If you are going to type it over and over again, then why not? I feel that I perceive a difference in myself just because I changed the password I type constantly. Also cracking full sentence passwords might be hard :)

I just use the entire lyrics of bohemian rhapsody as my password. It makes every login attempt a rock concert.

Always when I type a password it gets replaced with * or •, and that's so easy to crack! They really need to fix this!

That video was very good, I learned a lot. Another approach for coming up with safe passwords is generating a bunch of random passwords and modify them so you can find some meaning and remember it easier.

I got a lot more canny about passwords a few years ago, and have adopted a common scheme for them. I thought this would mean I could remember them all much more easily and still be secure. But the really irritating thing is that whatever rules I choose, there always seems to be one web site that will moan about my choice of characters. Some of them even tell me I can't use a password because it is too LONG. WTF? Are they even hashing it?? Have to wonder. It would be nice if there were an RFC or some kind of standard that all sites followed: then we could all use a scheme and be sure that it would be acceptable in most places.

this guy's videos are the dopest. particularly the image/video based ones...I hope there are more of those to come in the future.

great effort on spreading password and IT security awareness!

Finally! someone who points out the issues with the XKCD system.

He nailed about putting a random underscore in a word. Pass phrases that use random characters inside words are fairly easy to remember and very hard to crack.

learn german and use only ONE word :D some LONG german words: Grundstücksverkehrsgenehmigungszuständigkeitsübertragungsverordnung or maybe Verkehrswegeplanungsbeschleunigungsgesetz, or Unternehmenssteuerfortentwicklungsgesetz. you also could combine this three words xD

A great easy to remember/ hard to crack password I’ve heard is take a song lyric or quote, then use only the first letter of each word in it- For example, “unwritten” Staring- At The Blank Page Before You, Open Up The Dirty Window Reaching- For Something In The Distance So Close You Can Almost Taste It Feel The Rain On Your Skin becomes “satbpbyoutdwrfsitdscycatiftroys” Throw in a few symbols at The pauses in the song for extra security and good luck finding that in a dictionary attack. (You’ll probably want to use a more obscure song, just to be safe)

been using one of these managers, dad got me into it, but this video convinced me to change the master

I think this presentation is brilliant. I have one small point to make when it comes to random websites that require you to make an account. If the website is not going to be storing sensitive information, then surely just using a week password to circumvent this annoying requirement of having to create an account is not much of an issue.

I always make my passwords 'incorrect'. So whenever i forget my password it will say 'your password is incorrect'

What about foreign words? Would people run dictionaries for all ~94 generally used languages?

Great video! Would love one on the implications that will arise with the advent of quantum computing, particularly with respect to current encryption models and what will be needed in the future.

To emphasise the point made around 4:17 , just for fun, I tried typing in "correct horse battery staple" into the password strength checker for my Google account. It was considered strong up until I finished typing the last word, at which case it dropped to medium, so he's absolutely right that XKCD's password is not a good choice, just like any other password everyone knows.

One more point - is there conclusive research on how useful/counterproductive the "change your password every 6 months" policy is? (Especially if the new password can't resemble any of the old ones.)

My favorite stuff is the "Secret Question" stuff that pops up when I forget my password or when I need to answer a "shield" question. I give wrong, easy to remember answers to the questions about what my first car was, where I went to Elementary school, etc. If I get to make up my own question, then it's REALLY fun.

Thank you so much for enlightening us about that, Sir! These two videos were highly informative. :)

1. 4:59 He addressed that: "(You can add a few more bits to account for the fact that this is only one of a few common formats.)" 2. 5:42 The comic assumed the top 2048 words. You can tell based on the bits of entropy in the illustration. One thing I think would be great to mention here is diceware. A nice system for choosing passwords that makes it easy for you to generate memorable passwords with any level of entropy you desire. I use around 100 bits of entropy for my low security master password, and ~120 bits for my high security master password.

For cases where you cannot use a password manager (ex. the password for the password manager) I have found a sentence mnemonic to be capable of generating easy to remember (even when seldom used) passwords that as far as I know are fairly tough to break. Obviously they need to be long enough, especially considering that the character set is somewhat restricted and certainly biased, but they are much better than what many people use for cases where a manager is just not an option. example: PW = Wyu#THHymc23 Mnemonic = (W)hen (y)ou (u)se Hashtag(#) (T)he (H)oly (H)and-grenade (y)ou (m)ust (c)ount to(2) three(3) The PW is dictionary proof, and while not truly random has high enough entropy that I imagine it is reasonably safe from brute force. Certainly their are weaknesses in such a password. It is not random. However you can easily remember very long passwords that contain mixed case, numbers and symbols without any English words. Thus providing reasonable security when you cannot use a password manager.

Also, use 2-step verification on important accounts like your email.

awesome instructor ,you simplify things so nicely.

I never thought I would find a Computerphile video from the Avast website

It'd be interesting to hear his opinion on mixing languages. Let's say you have a 3 word password, you seperate them with spcial characters and then the first word is english, the second is japanese for example and the third one swedish. Would that break these rainbow lists of hashes?

I'll just hope nobody cares enough about me to even try.

This guy is great. Very easy to listen to.

Another good one! Thanks! Would also be interested to know more about bcrypt. Is it still a best practice?

If you're multilingual, perhaps use a combination of words from the languages you speak. For instance, to crack a password that's a combination of Norwegian, English and German words (or any subset of the three), you would need to search a pretty big search space in order to find whichever one I might have chosen.

yeey! I use a manager for a quite some time now. All my passwords are also 25 random characters (with some superior Ansi characters, like Ų#ҹ) and I don't know what they are :D! One day my friend asked me to log into my FB acc on his computer. I just said I couldn't. And I wasn't lying to him!

As a small side project while i was learning c# i made something in wpf that does the same thing as a password manager, I use three root words and the sites name press enter and it produces a garbled mess of a string i then use as a password, i then paste that in the form/loginbox, besides just having been a fun thing to get working (Z+4=space) i don't have any worries about server or local, or keyloggers since i don't actually ever type the password. If you want to make the "four random words" even more secure, type two of them backwards.

this guy is awesome at explaining things of this nature lets just say

Password cracking groups watching this video, furiously scribbling notes about giving low-frequency words a higher precedence

I used XKCD to make an even stronger policy for myself. 4 words of 4 different languages. Example höstjääpalochampionshipmira höst is Swedish for autumn jääpalo is Finnish for the sport bandy mira is Russian for world. my hook to the password is that in the autumn there is a world cup/championship for club teams in bandy. I don't use this particular password, but I think it would be very very hard to crack if I did (and hadn't used it as an example)!

I love steam, they don't have any restriction other than the character one. Nice video, changed my password everywhere now :)

People argue that using a password manager is putting all eggs in one basket, but you can mitigate that by using multiple databases with different keys. The alternatives are always worse, unless your memory is phenomenal and you can remember 100 different complex passwords. Another way is to have some sort of algorithm to generate passwords for different things (which is essentially your own private hashing method), but it can also fail, if some input data changes (e.g. a website URL, name etc). Password manager is easy to use, reasonably secure and has manageable risks. It's the way to go for most people who care about these things.

"Make a password with words people don't usually use." Changes my password to "brain"

You could pick at least 6 different words, all words being longer than 6 characters each, preferably uncommonly used words, and use words from 2 to 4 different languages (English, French, German, Spanish) while ensuring that words you use don't show up in multiple languages.(If they are going to use a dictionary attack, better give them more dictionaries to look through) Also if you wish, you could misspell one or more of those words in a memorable way. You would need to throw in at least 1 symbol and a capital letter somewhere to make most websites happy but the rest of the password would stand on its own. I would not pick "rubiks" or "lemmings" as both of these things are well known in geek culture. Nor would I choose to use brand names as a list of common brand names could easily be created. My guess is if you ask 100 people to list 20 different brand names off the top of their head there would be quite a bit of overlap. (I think people from a similar locality would have closer matching lists but country wide there would still be a lot of overlap.)

Regarding password managers: Is it a good idea to use your browser's ability to remember passwords and sync them with your online account with said browser? For instance Firefox has this, and Google offers it, too, with Chrome. This is, of course, assuming that you use a strong password (and preferably also 2 factor authentication) to protect your Firefox/Google account, and that the individual passwords are random ones.

This was excellent, learned a lot.

My bank limits the length of ones password to I think 8 characters and force you to use a "special character" which they limit you to like . , ? and ! for choices. So my imgur password can be much stronger than my bank password essentially.

Why did I get a Futjitsu Palm Security ad before the video I watched after this? :D 1:57 facepalm "because, oh dear" :D

This is great. I was only slightly put off by the Tesco carrier bag.

Ha, that XKCD comic is EXACTLY what I was thinking of when I clicked on the link to this video. Once upon a time, I think I even used "correct horse battery staple" as part (not the whole thing. I'm not that crazy) of a password. I'll be darned if I can actually remember where I used it. Welp, guess I'll be resetting that one if it's not stored in my password manager!

My password is pretty damn clever. Sadly I can never share it with anyone. *FeelsBadMan*

You should have mentioned the XKCD about the 5$ wrench.

I have used several different passwords over the years, and they get more and more complex. I tend to remember which password to use with a site by when I created my account there. Currently I have two I commonly use, both are 16 random characters.

@Computerphile Mike mentioned LastPass and discussed password managers that encrypt a database of passwords. Could you do a video where he discusses Master Password and the idea of a stateless password manager that cryptographically generates your passwords as you need them?

The real problem is that many sites REQUIRE you to use several symbols, capital letters and numbers. It's annoying, because it means all my passwords are hard to remember. Sure, I can sprinkle one or maybe two special characters in there but more than that and it becomes even harder to remember.

what if my database is sheet of paper can they hack it ?

You can also use different keyboard layouts. For example "rkdnl" doesn't look like a word but in standard Korean keyboard layout, it spells "가위" which means scissors. I can use this and some random English word to make something like "rksuitdnltea" and it is very hard to crack, but easy to remember.

For an upgrade over the xkcd method you can try diceware - which is just a list of over 100,000 English words each with a unique outcome of 5 ordered dice rolls. So you can take one dice and roll it 5 times to generate each word, or take 5 dice with some consistent method of ordering them. The advantage there is that they're true random (not pseudorandom), accessible (can be made with a printout and a single dice), not biased towards common English words, and easily memorable for the same reasons that the xkcd method is. They're currently recommending 6 word passwords to ensure you've got some breathing room over the theoretical capability of an attacker specifically targeting diceware passwords. I do have a question though - are there any attack scenarios in which it matters if a site appropriately hashes their passwords in a hypothetical world where no one reuses passwords? My impression is that an attacker that can access the password store can simply modify the entries to gain access to a target's account on that service and only needs to break the hash to attack other services with a reused password. In that circumstance there's no advantage to proprer hashing as the only compromised service in the event of the hash being broken was the one already compromised by having the database accessed anyway. Am I missing something?

_Never_ reuse a password? I use the same username/password combo for… well, probably hundreds of sites by now, but only for sites I don't care about. It's actually been leaked already, but idgaf. What you gonna do? Steal my account with 0 posts on a random forum that required registration to display URLs I stumbled upon while Googling something a couple years ago? Knock yourself out! I consider those accounts stolen and I'm completely fine with that. Now emails, online banking, social media… that's a different story.

"Never ever reuse your password, ever" Me: I Always everytime reuse my password, everytime.

Nice! Now I know how long all of your passwords are!

What passwordmanager do you use/ whats a safe one? I dont know much about this sort of thing, so any tips on what to look for in a passwordmanager/what to avoid would be apreciated.

Is c0/\/\pu73rp4i|e ok to use for youtube?

Pick some book. Write down a sentence. Insert some underscores and miss some spaces. Done.

This video literally made me change up most of my passwords! xD Hope I'm safe now!

Great video! I have one question though: what about intentionally mispelling words in the password? Say instead of using horse, you put hourse in the password? If you do this with a longer and more unusual word, I can imagine it being even harder to hack and only slightly harder to remember.

Yesterday I had to create a new password on a library website. It forced me to pick one with the length 6 or less. I mean really?

Can you recommend a great password manager?

The biggest problem with password restrictions. Is that many websites and services are fairly lazy. If you set the limit to one trillion characters. With a full character sets. I assure you. You can have secure passwords because most people can not remember trillions of 'random' characters. However, if you use a series of phrases. Not only can your password be long and complicated. It would also be strong enough to remember. Strong enough to resist brute force and dictionary attacks. Passwords are hard for me to do at work because I am restricted to what the passwords can be. Same thing when using some websites or services.

Password Manager + 2FA = best security I can think of. Even they get your master password, they can't do much unless they also have your 2FA device. I personally use LastPass with sesame, and google authenticator as a backup. On top of that I also have 2FA for alot of my specific accounts such as my google account, facebook, amazon, etc. so even if they SOMEHOW get through my LastPass and have all of my other accounts, they still need my phone to get into those accounts.

I had to change all my passwords after watching this

problem with some place where they only allow a small password length :( sad panda

So here's how I figured out my password. On old Nokias 3310 there were games like Snake and Space Impact. I used to play alot of Space Impact and tried to challenge my highscore quite lot of times. Once I've scored a highscore I never ever beaten again. In highscore options you had a code for your highscore (can't quite remember why though) and that highscore was combination of 8 character long random letters and numbers. Since this highscore was so important to me you're damn sure I've remembered that highscore's code and it's my password.

"unbruteforceable" Brilliant word. Should be in every dictionary.

You can also use conlangs, if you're nerdy enough. Nobody expects the Klingon Inquisition.

I've used phrases generated both my manager and diceware on a strength checker. Says that it would take centuries if not decades, depending on the words + things that sites require.

1:57 His expressions are so great :D

I use last pass, gonna make the master pass stronger now though

My password is *********.

"You moving your phone out of your pocket, and Google saying you moved your phone weirdly" I have been laughing to this for 5 minutes.

Excellent presentation that is easier to understand at 0.75 the normal speed.

Also: mix languages and include typos.

How about using words in another language, or every word in a different language?

I use a system where I have a base password, then I append something to the end, unique for each website I have an account with. It's easy to remember, but should also be secure against both brute-forcing and dictionary attacks. It also protects me from having all my accounts breached due to one single breach in one account. I don't use a password manager, either -- I don't need one because of the system I use.

I often use my passwords on accounts at friends' houses or on their phones. Usually if I don't have my phone on me, or like recently when I broke it. This makes a password manager completely impractical.

except most sites will force you to have 6--12 char long password with symbols and numbers in it - you know... so it's safe....