Thanks! I changed my password to correct horse battery staple
@Omlet221 3 years ago
#winning :p
@Ricocossa1 3 years ago
Lol it actually appears 5 times in pwnedpasswords.com's database.
@MrHack4never 3 years ago
@@Ricocossa1 Probably burner accounts to some website that requires an account to download files
@amir3515 3 years ago
@@Ricocossa1 that link didn't work
@Ricocossa1 3 years ago
@@amir3515 It's api.pwnedpasswords.com, which requires you to do specific queries. If you want a browser-friendly version, it's haveibeenpwned.com. Just beware that there's no guarantee the passwords you type through that site are hashed before being sent. Thanks for pointing it out!
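The "specific queries" mentioned above are range lookups: the password is SHA-1 hashed locally, only the first five hex characters of the digest are sent, and the comparison against the returned suffixes happens on the client. An added sketch of that client side, not part of the original comments; the response body and its counts are constructed sample data, and `fetch_live` is the only function that would touch the network.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Hash locally; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, skipping malformed lines and padding rows."""
    found: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.strip().isdigit():
            continue
        n = int(count)
        if n > 0:  # padded responses carry decoy rows with a count of 0
            found[suffix.upper()] = n
    return found


def breach_count(password: str, fetch: Callable[[str], str]) -> int:
    """Number of sightings for `password`; `fetch` only ever sees the prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def fetch_live(prefix: str) -> str:
    """Real lookup (not called below). The User-Agent value is arbitrary."""
    req = urllib.request.Request(
        API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed response for prefix 5BAA6, the start of SHA-1("password").
# Only the second suffix is a real digest tail; every count is made up.
SAMPLE_BODY = "\r\n".join([
    "0" * 34 + "1:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9999",
    "0" * 35 + ":0",          # padding row, must be ignored
    "not a valid line",       # malformed, must be ignored
])


def make_offline_fetch(log: List[str]) -> Callable[[str], str]:
    """Stand-in for the network that records everything 'sent'."""
    def fetch(prefix: str) -> str:
        log.append(prefix)
        return SAMPLE_BODY if prefix == "5BAA6" else ""
    return fetch


if __name__ == "__main__":
    sent: List[str] = []
    fetch = make_offline_fetch(sent)
    for pw in ("password", "example-unlisted-passphrase"):
        print(repr(pw), "->", breach_count(pw, fetch), "sightings in the sample")
    print("data that left the machine:", sent)
```

Passing `fetch_live` instead of the offline stand-in performs the real query; either way the full hash and the password stay on the local machine.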
@az-lk1hy 4 years ago
A small tip that works to trip up script kiddies is to include escape characters like ;
@deprilula28 3 years ago
include japanese kanji, who the fuck is gonna include that in their dictionary
@deprilula28 3 years ago
even better, some unused utf-8 characters :^)
@crazycorg1 3 years ago
@@deprilula28 issue is some websites don’t accept those types of passwords, I’ve seen quite a few
@user-lt2rw5nr9s 3 years ago
@@deprilula28 More sites should support unicode. Latin only passwords are a lot less secure than kanji/chinese ideographs mixed in with whatever else. I suppose people would use pretty common characters though. And your IME might expose your password.
@charautreal 3 years ago
Just use ñ, because it isn't in Spanish ewggyiw
@antonchigurh4125 4 years ago
I recently discovered you and your channel. Great stuff! I have been binge watching all of your content (both old and new) until late into the night. Subbed!
@MentalOutlaw 4 years ago
Glad you like them!
@sosumee 3 years ago
@@MentalOutlaw same here
@justanobody2347 3 years ago
Snowden said it right. Don’t think of passwords as words, but more like sentences or phrases.
@nabbikill 4 years ago
every time i see ur vids i learn soo much it's incredible... you are not like the other youtubers that just show up with the solution and mumble for 9.55 minutes.
@LND3947 4 years ago
Damn, that Octopus stole my lunch Monaaaaaaayyyy....
@jonathanrealman8415 4 years ago
Well this is how my old Computer Science teacher taught me to do it, and now I am gonna teach you all. You start with a sentence, a nice and long one, but one you really like and will always remember.
1.) Furthermore, I am of the opinion that Carthage should be destroyed
now you take the first letter of each of these words
2.) F,IaototCsbd
Already wonderful we got a special symbol even, now you need an extra rule, his favorite was the @ symbol and when it was said so
3.) F,IaototCsbd@146bc (source: wikipedia, dude trust me)
Now you got a password that literally no one can crack and you can remember. might even use the first part of your favorite song, the sudo password for my HTPC was video killed the radio star.
@noahterrell5934 4 years ago
based and Catopilled
@MrRenanwill 4 years ago
Yeah! Quite strong. It's almost like you hashed it. If one has access to a hash code, then hash it. It will be as strong as the hash. Basically, hard for people to guess, hard for a computer to guess. Of course, it's better to guarantee that the hash function is in a good place. My hash function is on my pendrive, e-mail and SSD.
@Deluxegameplayer 3 years ago
I wish youtube had a save comment feature this is great!
@_Lumiere_ 3 years ago
That's pretty good for its length, it nets you about 70 bits of entropy. But all you need to do is remember 4 unorthodox words, like made up names from obscure literature mixed with some uncommon dictionary words. 4 words are easy to remember. Then add some numbers, maybe divide them with some symbols or split the words themselves with symbols. This gets you above 100 entropy, which is classified as "excellent" on keepass. And it's just 4 words to remember with some numbers.
@nathanhallisey441 2 years ago
I used to have the same password or variations of it on all my accounts. I started using a password manager a few years ago. Best decision ever. I tried to get one of my friends to do the same, and they got hacked.
@nanopone 3 years ago
came here to hear kenny say "chungus" i'm satisfied
@rexmax2502 3 years ago
I just recently came to your channel. Even though most of the things go over my head, with a lil patience, a normie like me can use some of the simple advice you give like this one. THANK YOU.....
@ChaceBonanno 1 year ago
Use a key file and/or security key to secure the database with 2FA. Then encrypt and backup the key file in case you need to access the database without the security key. Also could encrypt and backup the seed to the security key challenge-response so that you can recreate the key if you lose it or break it. Then use a separate database to create a strong master password for the main database. A hacker would need your master database, then get either the key file or seed backup and decrypt it, then your other database and password to that database in order to get the password for the master database. It’s kinda redundant but it’s like locking a key in a safe and locking that safe’s key in a safe.
@Kaiyats 11 months ago
Not really convenient. It works if you’re securing extremely sensitive content but this is a bit overkill for normal people
@Victor-kt6qn 2 years ago
One of mine is a combination of English, Spanish and Nahuatl (Aztec language) words. It sounds complicated but if you grew up in Central Mexico, like me, it's not hard to remember. Those three languages are all over the place. Not to mention most Nahuatl words you can't really find online, you learn via word of mouth. Or knowing weird aztec names for things.
@misael3377 2 years ago
Got it: Chungus went to comprar al tianguis de tenayuca mit deinem mamushka It is actually hard to guess haha
@chrob9782 4 years ago
That punch line at the end 😂😂😂😂😂
@givenfool6169 3 years ago
I love how you keep talking in first person when talking about how a hacker would go about cracking passwords.
@satnoanix9283 4 years ago
I really appreciate your content, thank you.
@capedbaldy 2 years ago
Man, you are one of the treasures I found in YT... I wish I could do more for you in return rather than just watch you without AdBlocker... Creators like you deserve better. ❤️❤️
@skeliskull 2 years ago
I feel like having a decent password is good but using an authenticator with your main password manager is way more important.
@MasterHigure 2 years ago
I'm a bit late to the party here, but... Even common words work if you just use a couple more. A single new common word added to your password, according to your metric, increases the cracking time by a factor of 10 000, assuming secure hashing. I'd say that's about the same as changing from common words to uncommon words (from 10k dictionary to 100k seems reasonable). Even six common words is not that difficult to remember, and it's a hundred million times harder to guess than four common words. I personally used diceware to choose my master password's six words (plus one random obfuscating symbol somewhere in there). My password is basically 32 die throws (over 82 bits of entropy) in a row (I actually used a real die here), encoded in a way that's pretty darn easy to remember. Yeah, the diceware dictionary has a little less than 10 000 words in it, but since I have six of them that doesn't really matter. Mathematically, increasing the exponent generally trumps increasing the base.
@knightrider585 3 years ago
Always funny how often supposedly smart people in fiction have terrible passwords. eg Ozymandias in Watchmen. A notable exception was in Doctor Who where the eleventh doctor uses the reasonably secure four-rare-words method for his password.
@eiad1251 4 years ago
my master password is uncrackable
@egg5474 4 years ago
Hi I have hacker forward Indonesia, such thanks for your password. Sorry for bed england.
@eiad1251 4 years ago
nnn auto no problem happy to help ❤️
@KatzRool 4 years ago
h
@LedoCool1 4 years ago
Starts with capital or lowercase?
@Omlet221 3 years ago
unhackable1234
@superblaubeere27 5 months ago
7:50 the password is good, even against dictionary attacks with the attacker knowing the exact word count! There are like 10^3 common words and those are four random words which means that there is 10^12 possible passwords (= 40 bits of entropy). Since your password manager you use uses argon2 (< 100 hash/second if configured properly) there is no way that anyone will crack it ever.
@CorrosiveCitrus 1 month ago
Everything you said is spot on, except in their case it's 44 bits of entropy rather than 40, which is even better.
@mariozenarju6461 4 years ago
I just keep making combinations I can remember until the Ubuntu installer tells me I'm in the green
@utkarshsingh617 4 years ago
Can you do a video on encrypting disk ??
@materialknight 2 years ago
13:38 All of a sudden, the overfocus of this channel on privacy makes a hell lot of sense...
@LeMeccerino 4 years ago
Yametez, octo-san, don't take my banku no pin
@Invalid.string 2 years ago
The ending was pure gold
@egg5474 4 years ago
Dumb question: If I speak multiple languages, would using words/phrases/symbols from each be more secure? I'd assume hackers aren't all native english speaking only. But on the contrary I've done something similar to that and some websites won't let me back in because their backend doesn't know how to handle such symbols I'm guessing.
@SpenceChrisEd 4 years ago
It would be incredibly difficult if you're using different languages, especially if the language has specific characters, but lots of websites are probably still legacy and don't respect all of utf-8 or just have terrible backends to deal with your extra characters
@Ken.- 1 year ago
It only makes it a bit more difficult because they would use a larger dictionary, but it would still be cracked as that's a common thing people try.
@kmmmsyr9883 2 years ago
I think it would be a good idea to select words from multiple languages, as in "libertatum jahannam beylerbeyi vodka sushi" the cracker would need 5 dictionaries for 5 different, unrelated languages. Most people don't know multiple languages, but you probably know at least a few words from other languages. I don't know Arabic, Latin, Russian or Japanese, but I could come up with these words.
@Ken.- 1 year ago
They're not cracking it by hand. They don't need to actually know the languages.
@shekh_ibrahim 3 years ago
11:30 Plot Twist: He revealed his master password
@tacokoneko 4 years ago
i guess i just have a good memory because for passwords/phrases I really need to be secure I dont follow any guideline I just literally randomly mash the keyboard for a good 20 or so characters and then permanently memorize the result on the spot, and type it from memory every time I have to use it again. The longest one I've used was 36 random alphanumeric characters, but I think that's really overkill. I never store or write this I only memorize, even though I change them relatively often as well I usually remember all of them for years after I replaced them. a few times i have had to think for a minute for some but I have never forgotten any when I needed them.
@SibaNL 4 years ago
What if you get hit in the head?
@illiiilli24601 3 years ago
Is it possible for someone to learn this power
@yes-vy6bn 3 years ago
be careful, photographic memories usually fade past childhood.
@tacokoneko 3 years ago
@@yes-vy6bn im 24
@trapenoone6904 4 years ago
Great content with a lot of humor though. Damn, I can't stop laughing at 13:38
@njpme 2 years ago
😂😂💀
@fluffyspark798 1 year ago
xD
@CorrosiveCitrus 1 month ago
7:50 Fun fact, that exact password, in the worst case scenario has 44 bits of entropy, just as it says, taking 550 years at 1000 guesses/sec to crack. If the attacker knows less about how the password was generated, the entropy will only go *UP*
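The figures traded in the comments above (40 versus 44 bits for four words, 82 bits from 32 die throws, 550 years at 1000 guesses/sec) all follow from bits = picks × log2(list size), assuming the attacker knows the scheme and every pick is uniform. An added sketch, not from the video or any commenter, that reproduces those numbers and shows an unbiased dice-to-word draw; the ten-word list is constructed and far too small for real use, and the function names are illustrative.

```python
import math
import secrets
from typing import Callable, List, Sequence

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(list_size: int, picks: int) -> float:
    """Entropy when `picks` items are drawn uniformly from `list_size` options."""
    return picks * math.log2(list_size)


def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Time to try every candidate; the expected time to a hit is half of this."""
    return 2 ** bits / guesses_per_sec / SECONDS_PER_YEAR


def d6() -> int:
    """One fair die throw from the OS CSPRNG."""
    return secrets.randbelow(6) + 1


def pick_word(words: Sequence[str], roll: Callable[[], int] = d6) -> str:
    """Map die throws to a word without modulo bias.

    k throws give a base-6 number in [0, 6**k). Values at or above the largest
    multiple of len(words) are thrown away and re-rolled, so every word stays
    equally likely. For a 7776-word diceware list k is 5 and nothing is rejected.
    """
    n = len(words)
    k = 1
    while 6 ** k < n:
        k += 1
    span = 6 ** k
    limit = span - span % n
    while True:
        value = 0
        for _ in range(k):
            value = value * 6 + (roll() - 1)
        if value < limit:
            return words[value % n]


def passphrase(words: Sequence[str], count: int,
               roll: Callable[[], int] = d6) -> List[str]:
    return [pick_word(words, roll) for _ in range(count)]


# Constructed toy list: 10 words is only about 3.3 bits per word.
WORDS = ["anvil", "bramble", "cobalt", "dynamo", "ember",
         "fjord", "gasket", "hazel", "icicle", "juniper"]

if __name__ == "__main__":
    schemes = [
        ("4 words from a 1000-word list", 1000, 4),
        ("4 words from a 2048-word list", 2048, 4),
        ("6 words from a 7776-word diceware list", 7776, 6),
        ("32 raw die throws", 6, 32),
    ]
    for label, size, picks in schemes:
        b = entropy_bits(size, picks)
        print(f"{label}: {b:.1f} bits, "
              f"{years_to_exhaust(b, 1000):.3g} years at 1000 guesses/sec")
    print("toy draw:", " ".join(passphrase(WORDS, 4)))
```

The guess rate is the lever that matters after the entropy: at 1000 guesses/sec the 44-bit case takes centuries, while a fast unsalted hash cracked offline divides that by many orders of magnitude.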
@ringotheflamingo6900 4 years ago
an md5 hash of my normal password for accounts that are valuable to me is good enough for normies such as myself
@juxuanu 4 years ago
A good idea for a video is to talk about hashes and their relation with security and maybe some Linux examples
@henrybucher2351 4 years ago
I really enjoy your content, thank you!
@afelias 1 year ago
The worst thing about a "how to make a password" video is that it also feeds into password cracking dictionaries. Still, this video is pretty good for at least introducing the idea of "making up your own word." What are people's thoughts on even a slight marrying of the two concepts? The one thing that always bothers me about the correcthorsebatterystaple is that it doesn't even try to use caps or punctuation. "Correct horse, battery: staple." requires little mental effort to manipulate and yet can deter a dictionary attack by chance in case they hadn't accounted for extra characters. Technically it's not 10,000 ^ 4 so much as now 20,000^4*(50? 100? Whatever the size of the padding characters could be)^4 at least.
@HarshSharma-uf8jc 4 years ago
Humorous and informative video 😄
@stepsistertrap5992 4 years ago
Will foreign characters work? Is multilingual gibberish a viable option? Because I guess that some good ol’ French mixed with Arabic can be pretty hard to crack when you take all the points you gave in the video.
@hylianchampion7713 3 years ago
Holy shit I should start using other languages for master passwords, thanks for the idea
@maelstrom57 3 years ago
Many websites won't accept non-Latin characters, but you can always transliterate them.
@JorvikBerserkir 3 years ago
I made a sentence about my personal information which I will never forget, used the first letters and numbers with punctuation (e.g., 'Lmni,RtvaJRLaKNCoNt12t1,4,3.') for my pass manager then use complex randomized generated passwords. A good suggestion could be the first sentence/paragraph of your favourite book (which you own) and the ISBN
@mikeyfreeman6803 2 years ago
7:38 You stating exactly how the passwords are generated is a no-no 😅, if the cracker knows you or can social engineer their way into knowing your favourite book, then they have a lot more context as to how to attack you
@deltadoobyd1621 3 years ago
When your school's SSO doesn't let you use half of the special characters visible on the standard US keyboard
@TimeConvolution 4 years ago
If only password policy allowed for some passphrases instead of requiring special character mixed case spaces invalid
@killertigergaming6762 3 years ago
That's when you use a password manager like bitwarden
@nabbikill 4 years ago
can you make a video of how to deal with the situation of: a 1080p monitor with a 4k one in a desktop environment? the downscale with xrandr is awful.
@teddyhh9947 1 year ago
Mental should just give us all a superstrong password we can all use
@ChaceBonanno 1 year ago
Lmao ppl would actually use it 😂
@bullfrogboss8008 2 years ago
I feel like long German words (for example Lebensabschnittpartner) are pretty useful basis for password
@stephenkamenar 4 years ago
i came up with a method that allows the most simple passwords ever, but it's a bit awkward to use atm, need better software support. you simply hash your password with a slow hash
@Draconatus24 2 years ago
0:10 bet, I convert a phrase to something other than english that has different characters, like arabic for example, then convert that into Unicode and paste it in.
@AndyChamberlainMusic 3 years ago
not that I'm an expert but I'd suggest that it's even better to simply find a list of 100,000 words and randomly pick four or five of them. Picking character names or brand names sounds very social-engineer-able
@AugustusBohn0 3 years ago
yeah random dictionary words that you don't have any special relation to are better, I recommend people look into diceware
@yes-vy6bn 3 years ago
yep, just make sure you dont use a pseudo-random word generator. i've tried some online and the same words come up over and over
@Omlet221 3 years ago
Randomly generated pass phrases are pretty good
@patolorde 4 years ago
what about PINS? I use those on my password manager but idk also (fingerprint and face)
@Sk0lzky 3 years ago
Pins are usually up to 8 symbols and can't be brute forced because of secondary security measures (limited attempts). Use mnemonics or some dates which aren't directly related to you or your family but are of some interest (fall of Constantinople, hour at which polish pope died, 14 words, 88). Can also swap numbers around and use the rhythm/rhymes to remember them. Fingerprint is fucking satanic and just don't use it on anything important ever, especially the phone (you can source the fp from the very fp reader, what's the point xD), even a child can copy it. Well ok, you can use it as like a first layer or something but defo not the sole protection like some bank apps allow you to. Fun fact: during HK protests most of the telegram groups infiltrated by the police were simply accessed using fingerprints. The law forbids them from forcing you to unlock your devices but why bother forcing when you have the key in your hand. As to face - it's not great either (social media, physical observation, modelling from memory, physical capture) but definitely better than the former. Hope I helped
@AkaiKnight 3 years ago
I had a question about password cracking attacks. If I as a web developer implement attempt limits on my sign in, doesn't that eliminate a hackers ability to do a dictionary attack or brute force it? After X number of attempts the account becomes locked, so not only can they no longer make any more attempts to login, but it won't matter if they do some kind of ip spoofing to "reset" their attempts, because the account internally will be locked until the true user goes through an authorization unlocking process.
@unjumbledfilm6466 3 years ago
Brute-forcing usually means that a hacker has already obtained the hashed passwords and has them in their possession (through leaks etc.)
@wrockd 3 years ago
@@unjumbledfilm6466 Not Really, Brute-Force is just a term, what you're talking about happens after a Service is Compromised and the Password DB is leaked. Even after that it's not really Viable to Brute-Force the Hashes. MD5 is Vulnerable to Brute-Force but it's been kicked out of the hashing standards a long time ago and the newer ones WHIRLPOOL, RIPEMD, SHA2 and SHA3 are pretty much useless to Brute-Force (taking a random string > hashing > compare to the original hash) also most of the Services Salt and then hash the password making it pretty much impossible. What the OP is talking about is something more of an attack on a Targeted User rather than the whole Service. It Uses automated tools to try to Brute-Force the password of a particular user using the Service's login system itself.
@wrockd 3 years ago
Theoretically it will prevent any Kind of Brute-Force/Dict attack. But it has a huge Flaw, Let's say I'm a 4ttacker, and my target is User "X', What I'll do is that I'm gonna trip the login attempt threshold till X's account gets locked. Now user X will have to do the Authorisation process to get his account back. But as soon as the account gets Unlocked I'll trip it again. And this will continue.
@wrockd 3 years ago
Now using some Simple 5cripting skills anyone can make a 5cript that'll do this automatically on either a Single User or Multiple Users at once making their accounts Inaccessible and by Using either some VPN or Proxy, Unless you have Cloudflare or some similar 5ervice In which Case using Botnets or Hardened RDP Servers, Anyone can launch a Service Wide 4ttack Which could make your 5ervice Inaccessible to any User(Unless you don't have a Client Side Username Check, In which case a 5ervice Wide 4ttack will be kind of Infeasible). But still, you get the Idea.
Hey this vid is almost like a reply to my comment in the last vid =D
@MentalOutlaw 4 years ago
Yeah I knew someone asked me about how to pick a good password, I guess that was you, thanks for watching 😁
@tsiiphsycoii 4 years ago
@@MentalOutlaw Mental Outlaw oh no that wasnt me, i posted an XKCD about password generation, the exact one you showed in this video.
@smittywermen8418 3 years ago
Who would have thought being fluent in an obscure language would be so useful?
@Sk0lzky 3 years ago
Oh, fun fact: medieval world of occult used curses and random nonsense from multiple languages (from low German to Aramaic) as spells and incantations. I think in some cases it was a sort of cypher or literal trolling (they loved memes and taking a piss at everything and everyone for some reason. Medieval monks would probably frequent 4chan today). Try it out yourself.
@flyingstonemon3564 2 years ago
Sounds fun
@papciuszkin 3 years ago
The real big brain move would be using non English words.
@games53729 2 years ago
Thank you for this video, it was very helpful.
@gasun1274 3 years ago
I sometimes use whole lines from national anthem lyrics. Probably shouldn't say this but I'm not a POI anyway.
@A453 3 years ago
I just bash my keyboard, and reset my password every time i need to login.
@Blaineworld 4 years ago
What should happen to my passwords when I die?
@ArthursHD 4 years ago
MFA like time-based codes to a phone or a smart card can be more secure than a password alone
@skatcat743 4 years ago
to a phone or generated from a phone? To has possible transport security problems. From can just be encrypted locally.
@RedFenceAnime 4 years ago
I've been using a password manager for a while now. At what point do you change its password? I assume it's also the time to change all the passwords within the manager. Every year or two? I don't have TikTok installed on my phone but I've recently learned that it saves your clipboard every couple of seconds (even in the background) afaik there's nothing stopping other apps from doing so also. Is it wise to split your accounts in two .kdbx files? i.e. for life-ruining and everything else. Maybe even append a string to the passwords so that if your clipboard gets stolen it doesn't have the string needed to crack your pw.
@bitnatures 4 years ago
As far as I know, with Wayland it's a lot harder for a rogue keylogger to exist in userland (non-root), but with Xorg it's free real estate. GL tho, you kinda are already screwed once a program infiltrates your computer. By then you just have to implement counter measures (changing passwords). Kinda hard to beat that threat model. As for changing passwords, I don't do it unless I'm emailed by a provider of a database breach. The only passwords I change are ones related to high-profile accounts. i.e.: steam, paypal (probably gonna get rid of that in favor of privacy.com), any financial account except my bank (bank not in my password manager), and email.
@RL-iq5ue 3 years ago
If you're using a degoogled custom ROM on your smartphone, you can just revoke the permission that the app has to access your clipboard, and there's no need to change the meaningless accounts' passwords like facebook or twitter, change only the important ones like bank and government acc passwords.
@greatsaid5271 4 years ago
one of your best videos
@Alexbl100 3 years ago
what about foreign words?
@MysticMylesZ 1 year ago
13:47 oh damn.... I found that funny but I think I'm gonna have to remove that from the playlist on my channel now 💀
@kleinequalle8128 2 years ago
wow thats a great password ! im going to use it
@Lukiel666 3 years ago
Password; "Coitus et medicamentum et petra et volvere" Latin; Sex and drugs and rock and roll. Not going to forget that one.
@Guilherme-cp5su 2 years ago
I just got a notification from google because my password had been found on a data breach, the same one I used on paypal. It apparently leaked from Linkedin in 2021, and the only reason I still have my savings is because no one tried hard enough
@MrRenanwill 4 years ago
My password on social media is an easy one but hashed. Since it's hashed again by the database, it will be hard to know what my password is. The least strong unhashed password, which is actually strong for most people, is to log in on my computer. Well... now it is less strong since you all know, but it is still quite strong. Hahah
@bgtubber 3 years ago
I've heard hackers have dictionaries with hashes that correspond to common words and also the hashes of already cracked passwords. So I wouldn't rely solely on the fact that my password is hashed.
@bettercalldelta 2 years ago
I wrote down a part of my master password on a paper irl and another part of it I memorize. Can anyone tell me how safe that is
@pipbernadotte6707 2 years ago
5:20 I see you too are a man of high culture
@cyanidecoffee3326 7 months ago
does this method still work?
@Hawk_112 3 months ago
yes, make sure it's at least 14 characters of random characters or 5 random words that make no sense to be together but can be easy enough for you to remember, and never reuse or make kinda similar passwords on different sites/accounts
@user-vt3vu4xv2l 4 years ago
So just make my password ebonics?
@Sk0lzky 3 years ago
Just use your nickname as a password
@hibi4091 4 years ago
Which password manager do you recommend? 2FA worthwhile or a meme?
@nykal1510 4 years ago
Use pass, the standard password manager. 2FA is good
@yes-vy6bn 3 years ago
just dont use phone number 2fa. it makes your security worse, not better
@JohnSmith-zk3kd 2 years ago
@@yes-vy6bn for account security it is better unless you are hiding from the NSA or FBI you should be fine
@awolasap4554 4 years ago
Hey unsure about this but is it possible for websites to see whats in your clipboard? Maybe copy and pasting isn’t the most secure.
@MultiMissionman 4 years ago
Yes, it is possible. In my case I set Bitwarden (password manager) to clear the clipboard every 30 seconds. It isn't really necessary because Bitwarden can fill in password fields without going through the clipboard but it's better safe than sorry.
@Maebbie 4 years ago
is my password ******** good?
@MrRenanwill 4 years ago
If It is just asterisks then no. hahahah
@chippym8316 4 years ago
********** Didn't know google censored passwords!
@killertigergaming6762 3 years ago
@@chippym8316 correcthorsebatterystaple hey you lied
@cunjoz 4 years ago
CHUNGUS!
@dolorsitametblue 4 years ago
Create Strong and easy to remember password in bash:
$ read -rs pass; echo "$pass" | md5sum | tr '[AaNnTt]' '@' | base64 | tr '[EeHhLl]' '#' | cut -c -25
this is just an idea/example, YOU SHOULD MAKE YOUR OWN VARIATION (DO NOT COPYPASTE THIS!!!)
you can change md5sum to any other hash generator (e.g. sha256sum)
tr '[AaEe]' '@' changes some characters to make your pass indecryptable (at least harder to decrypt)
cut -c -25 gives you only 25 first characters from the output (you can set it from 1 to 40)
@lucywucyyy 3 years ago
what if my password is a word spelled wrong?
@TopHatProductions115 2 years ago
Gotta change kakarot to Ultra Instinct Kakarot, since Tournament of Power!
@ububububububububub1667 1 year ago
I like this video a lot
@supernovauniverse9236 4 years ago
13:38 ;))
@Neko-kun-dp1hq 4 years ago
Best part of the video
@thetransferaccount4586 2 years ago
this video is TOP V!
@murpium 1 year ago
Why not nonsense words? I never see this mentioned. Why not “jilly nilly shipple hipple twing” or “gopple stopple awesome twang”. Something phonetic that you can remember. Open a text editor and start playing. See how fast you can type what you come up with. Once you think you’ve got a good flow going with your chosen phrase, type it several times to stick it in memory then close without saving and use it. And of course as others have mentioned, toss some random punctuation in there too. Tack an exclamation mark on the end or if you’re using windows look into using the alt key plus number pad to generate whacky characters like ñ or æ if the website or app will take it.
@fisyr 3 years ago
Maybe not the safest method around, but the way I create my passwords is that I invent long random sentences and take the first letter from each sentence. So something like 43 long legged neckbeards landed with star-shaped choppers on the roof of my house. They stole five dollars and kidnapped my dearest ginger auntie. Fortunately i caught them and sent them to jail. That would give a password looking like: 43llnlw*-scotromhTs5$&kmdgaFIct&stt# I get that it's not perfect in terms of entropy because sentences just must have certain structures and there probably is a certain distribution of letters in beginning of words, but it can be fairly well remembered and can create some damn long passwords.
@jongxina3595 3 years ago
Not even GPUs Im sure some organizations have password cracking ASICs at their disposal...
@JohnSmith-zk3kd 2 years ago
The NSA has a supercomputer built just cracking passwords
@phizlip 2 years ago
@@JohnSmith-zk3kd whats the hashrate on it?
@JohnSmith-zk3kd 2 years ago
@@phizlip they don't release the strength of they just said they have it.
@martinlutherkingjr.5582 1 year ago
44 bits of entropy is not safe. If the attacker has enough money they don’t need it to take decades to crack. They can buy unlimited cloud computing power easily. You should analyze the cost of cracking in addition to time.
@the-programing 3 years ago
I was scared that my password is going to be brute forced or social engineered, I literally just closed my eyes and randomly typed things and included randomly holding down shift. And I forced myself to remember this 15 characters long string, which I did. And I “reverse” hashed with one of my failed hashing programs that expanded the key into 125 characters instead of hashing it. Which I made sure outputted consistently, and imported only the bare minimum of libraries. AND, I flashed the binary into an atmega microcontroller that looks like a normal usb to input the password by showing itself as a HID to any computer while having specific gpio ports shorted. I use it as my homemade keypass. I even modified the key to be successfully recognized as input method on android phones and ipad by modifying some libraries. When I can’t short any gpio ports, the key simply opens a notepad program on the current system and writes the whole binary of the program that I wrote, and automatically runs it asking for any string input, which only outputs the password that I wanted when I type the 15 characters (I can also just input any other new password to be expanded into a somewhat “reverse hashed” string).
@max_ishere 2 years ago
Ok, but what if we present a human/algorithm with random keyboard mash type characters and ask them to pick out sequences they can remember, then collect like idk 20 characters, substitute the e a o etc for 3 @ 0, add a random number somewhere and maybe some punctuation so we get pkovzqkdwkdwcsciujbchyfvccswueeopfowkgotskenzkmpjddhfs -> pkovz csci hyfv wueef gotskenz kmpj -> Pkovz 894624 CSC!, hyfv wu3ff G0tskenz KMPJ. I have a feeling that if replace a biased human with an algo that can distribute characters well and not ignore the least used ones like z q x, etc then no dictionary is applicable. Especially if every person that has a copy of the generator retrains it a bit.
@max_ishere 2 years ago
oh shit i didnt watch to the end
@m4rt_ 4 years ago
Is a 29 character password secure enough?
@killertigergaming6762 3 years ago
Yes usually but it can still be insecure for example if you do 11111111111111111111111111111111111111 or treewalldogseenproperdogbroke(' the 1 full of ones would be less secure
@TheoryToE 3 years ago
Sneaking in Big Chungus I see.
@damoslav3411 4 years ago
I don't mind memorizing extremely long randomized passwords. Would a randomized alphanumeric 64 character password be ok? I could memorize a random 128 character password but it would take a few days to memorize.
@LedoCool1 4 years ago
50AnyIII@y,,IStaRRtedB1@stinG - would this be a good pass? It's easy to remember, shouldn't be very guessable. (I'm not using this one, if you're wondering)
@Sk0lzky 3 years ago
Protip: use neologisms and intentional spelling errors (make sure they're fun, cringy or otherwise emotionally engaging to reinforce the neural pathways, have some fun with wordplay, make it a whorse) and mix languages, even within words. You don't have to be a polyglot to be able to do this, it can even help you learn a language if you change the password regularly (I know, weird technique but what works...)
@dagda825 3 years ago
You'll still have the problem of people using the most common words in their password. What happens when half the passwords are Love, Success, Money and God (nod to the movie Hackers :-) )
@ShubhamBhushanCC 4 years ago
Just use diceware
@auto117666 1 year ago
Don’t use well known phrases like “One ring to rule them all.”, “Live long and prosper.”, or “To be or not to be”. Do not use variations of those phrases either like “2B||!toBe”. My red team guys use a dictionary from Wikipedia which captures well known phrases. Think of a phrase that you can easily type but is long enough to make it difficult with punctuation. “Mihawk will not be an opponent 2 Zoro, right? #OP”
@Glaze_TPF 8 months ago
i use a long string of different locomotive models, most websites estimate 2 trillion years+ to crack
@Bockanator 2 years ago
I found a stupid site that straight up doesn't allow any special characters and the password must be under 13 letters.
@nazerlath 3 years ago
bro you can't get hacked if you use japanese, cyrillic, literally any letter that isn't english
@xCwieCHRISx 3 years ago
never changed my keyboard layout to egyptian hieroglyphs so fast
@tre1740 1 year ago
it was kinda funny watching 10:40 while having jmnedict on my computer (not for hacking of course)
@bullfrogboss8008 2 years ago
Some video games have cheat codes that aren't really dictionary words. Such as rosebud, klapaucius, hesoyam, aezakmi