
This Trick Will Make Your Passwords Even More Secure

Views: 22,479

Gary Explains

1 day ago

Peppering is a technique where you add or subtract some characters from a stored password, so that the whole password is known only to you. This increases the security of your essential accounts and means that if your stored passwords are ever revealed (by hackers, or because your little black book has been stolen) the attackers still don't know the complete password!
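The idea above in executable form, as an added example that is not code from the video or the channel: the password manager holds one string, the memorised pepper is combined with it on the way to the login form, and a small server-side verifier (standard-library PBKDF2) shows that the stored entry by itself no longer logs in. The manager entry and the pepper are constructed sample values; the three modes (append, prepend, strip trailing characters) are the variants the description and the comments mention.

```python
import hashlib
import hmac
import os

# Constructed sample values: a random-looking string a password manager would
# store, and the short memorised "pepper" that never gets written down.
STORED_IN_MANAGER = "Vq7#mZ2pL9!sK4wE"   # constructed example entry
MEMORISED_PEPPER = "k9#t"                # constructed example pepper


def full_password(stored: str, pepper: str, mode: str = "append", strip: int = 0) -> str:
    """Rebuild the real password from the manager entry plus the memorised part.

    mode="append":  stored + pepper (the variant described in the video text)
    mode="prepend": pepper + stored (one commenter's preference)
    mode="strip":   drop the last `strip` characters of the stored string, so the
                    manager holds *more* than the real password
    """
    if mode == "append":
        return stored + pepper
    if mode == "prepend":
        return pepper + stored
    if mode == "strip":
        if not 0 < strip < len(stored):
            raise ValueError("strip must remove at least one but not all characters")
        return stored[:-strip]
    raise ValueError(f"unknown mode {mode!r}")


# A minimal server side, so the effect of a leaked manager entry can be shown:
# the site stores only a per-user random salt and a PBKDF2 hash, never the password.
def register(password: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def leaked_entry_is_enough(mode: str = "append", strip: int = 0) -> bool:
    """Simulate the threat in the description: the manager vault (or the little
    black book) leaks. Returns True only if the leaked entry alone logs in."""
    real = full_password(STORED_IN_MANAGER, MEMORISED_PEPPER, mode, strip)
    record = register(real)
    assert verify(record, real)           # the legitimate user still gets in
    return verify(record, STORED_IN_MANAGER)


if __name__ == "__main__":
    for mode, strip in (("append", 0), ("prepend", 0), ("strip", 4)):
        print(f"{mode:8s}: leaked manager entry logs in? {leaked_entry_is_enough(mode, strip)}")
```

Run it and all three modes report `False`: whatever the vault leaks, the server's hash was computed over the combined string, so the entry alone fails verification. The strip mode is the one the thread debates, since it leaves the real password shorter than what is stored.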
---
Let Me Explain T-shirt: teespring.com/...
Twitter: / garyexplains
Instagram: / garyexplains
#garyexplains

Comments: 132

@maartentoors 1 year ago
'Peppering' is a good mitigation (for those in the 'know'). Not only is it tricky to incorporate, it is nigh impossible to implement or teach company-wide. Best (albeit weak) practice is (imho) long passwords (e.g. 14 characters or more) using spaces and/or ASCII characters. This will (semi) force users to use sentences. A combination of words will reduce the 'brute-force' likelihood of a breach (especially if there is BF mitigation implemented). All said, Gary, you're a great source for security knowledge.

@PrivateUsername 1 year ago
Yep. Came here to say this. Length is the main contributor to password strength. Correct Horse Battery Staple, and all that jazz.

@maartentoors 1 year ago
@PrivateUsername What? How did you 'guess' my global-admin password??

@BillAnt 11 months ago
@PrivateUsername A password's strength is derived from its length and the number of bits used in each character. Ideally you would use all 8 bits in each character for a total of 255 combinations. In reality, due to the limitations of the English keyboard, it only allows about 94 unique characters, including lower, upper, and special characters. As long as you're using random characters of at least 30 or more, it's impossible to crack it by brute force using current computing power, which of course may change in the future.

@deepgsingh 1 year ago
I was skeptical of watching this video, but after watching it I can say "Today I learned". It is a really good technique I never thought of. Awesome, thank you Gary

@taher9358 1 year ago
Gary I wanna give you a hug for this one mate

@BlueFlyer83 5 months ago
Great advice! I watched another KZbinr who called it a "double blind" password. The password manager never has the full password stored for your high valued sites.

@farouqstray1411 4 months ago
Gary Explains well

@dezmondwhitney1208 1 year ago
Simple and Effective. A really Helpful Explanation too. Great!

@kered2248 1 year ago
Good stuff, thank you!

@OMGWTFLOLSMH 1 year ago
Simple but great tip. Thanks.

@coweatsman 6 months ago
I use an offline password manager, KeePass. No server to be hacked. I back up the database to USB drives, portable storage, mobile phone and other computers and sync manually. I do not know a single password to any of my accounts, only a pass phrase compiled with diceware, using an actual die and a printed hard copy dictionary list.

@manny7886 5 months ago
Peppering, or double-blind, I add mine at the beginning instead of at the end.

@NexuJin 1 year ago
I have been using a mnemonic style where I replace a word with a character and form a short sentence, combined with what you call peppering. So for example: ~
@MikeWood 1 year ago
Using three or four words randomly or pseudo-randomly generated to form a sentence and then turning them into a mnemonic is an interesting idea, with the peppering on the end as the change-up now and then.

@send2gl 1 year ago
Interesting technique.

@phir9255 1 year ago
I used to do it myself. The 3 letters I added at the end: the first letter of the month the account was created, the last letter of the site capitalized, the second letter of the site. I don't do it anymore, but this means there is no need to remember these 3 letters. The general idea is to memorize a mental algorithm that you can follow to calculate your password instead of memorizing the password itself.

@Victor_Marius 1 year ago
Websites can change their domains or just the TLD and still use the same database, making the pepper incorrect.

@phir9255 1 year ago
@Victor_Marius Good point but that happens very rarely

@TravelEndleslie 11 months ago
This is great and helpful. You are a genius!

@GaryExplains 11 months ago
Glad it was helpful!

@BillAnt 11 months ago
Wouldn't call it "genius" but definitely clever. :) "Genius" would be discovering something extraordinary like capturing dark matter or E=MC2 ;)

@murtadha96 1 year ago
This is brilliant! Thanks for sharing, I never thought about this

@rahilarious 1 year ago
smart clever trick!!

@justchilling5448 5 months ago
Excellent information, thank you.

@user-sd6it2hs2m 1 year ago
Thanks, great idea, but you need to pepper all your passwords. If not, you may forget which have the pepper.

@GaryExplains 1 year ago
Not necessarily. You could just use a pepper for your main email account and maybe for your online banking. Everything else leave as it is. That way, in the worst case, you can change your passwords (since your email is secure) and still access your money.

@manny7886 5 months ago
I use BitWarden. In the note field, I make a note if it's peppered or not.

@edwardjaycocks5497 1 year ago
Give this a thumbs up, although I do know that with this technique it should ultimately be said that the length of your password is critical.

@zine_eddinex24 6 months ago
Thank you 😅

@test40323 1 year ago
Clever, but my swiss cheese brain will have trouble remembering the pattern 6 months from now. Awesome idea though.

@jonpinkley2844 1 year ago
Then write down your password manager master password and the algorithm you use for the pepper, and store it in a safe place (and not in your computer). You store your confidential papers somewhere, don't you?
@mick_hyde 1 year ago
Good idea, I already do this. 👍

@khayla_matthews 1 year ago
Brilliant.

@roku_nine 1 year ago
Very informative!

@prakash_77 1 year ago
In the case of peppering, one thing I'm anxious about is the constant popups of the password manager (esp. browser-based, like Chrome's own built-in one) to update the password.

@reefhound9902 1 year ago
Peppering will make password managers a nightmare to maintain because of this. They will save what you peppered, so you will have to edit the database manually.

@prakash_77 1 year ago
@reefhound9902 Not really, Chrome's password manager prompts you to save and saves only when you click on it. Now you would get prompts to update the password if you modify it when logging in, but that's the extent of it.

@manny7886 5 months ago
Just ignore the popups. A little inconvenience for a piece of mind, at least in my case.

@uidx-bob 1 year ago
Chuck Norris doesn't use passwords. He is the password.

@BillAnt 11 months ago
Chuck Norris doesn't need a password, he just breaks the login with a kick. ;D

@GustavoMsTrashCan 1 year ago
My "cookie cutter password" is (very basically): Symbol, Uppercase letter, Lowercase letter, number, Uppercase letter, lowercase letter, number, symbol, Uppercase letter, lowercase letter, number, Uppercase letter, lowercase letter, number, symbol. Works 100% and took me two tries to fully remember it. :^)

@benfubbs2432 1 year ago
Someone can write a script to crack your password in about 2 seconds with this information. Delete this and change your passwords immediately. Other than hacking, a technique used to get someone's password is called social engineering, which basically involves tricking someone into giving out clues about their password. You've given out a huge clue and by the sounds of it you use that password for everything.

@GustavoMsTrashCan 1 year ago
@benfubbs2432 Oh, my! Haven't you heard? You can also crack someone else's password via A KZbin POST! Just like yours right now. :^)

@1MarkKeller 1 year ago
BRILLIANT! I should do this ASAP.

@1MarkKeller 1 year ago
*GARY!!!* GOOD MORNING PROFESSOR! GOOD MORNING FELLOW CLASSMATES! Stay safe out there everyone!

@GaryExplains 1 year ago
Mark ‼️‼️‼️

@olafschermann1592 1 year ago
Great and simple technique ❤

@catmom4265 1 year ago
GREAT idea .. I have a system of my own that is like this. I will incorporate this method with mine. Thanks Gary

@user-bx2qi2xk1z 7 months ago
Help for me
@chmun77 1 year ago
Good technique indeed! However, if one forgets the pepper, then it will be as good as all the login credentials being lost. I don't think this technique is for everyone, especially those with poor memories.

@benfubbs2432 1 year ago
The pepper could be to literally just add 1 to the end of all passwords, or your initials or your date of birth. If someone can't remember that, they should probably have a third party controlling their accounts anyway.

@user-ic6ln4lm2x 1 year ago
I'm going to do this with my 100 character bank password that I store in a local password manager that uses a key file as well as a master password, oh, and the bank also requires two factor authentication. Can't be too secure, you know. But I'm going to type 1 2 3 4 17 characters in, instead of at the end. (at least that is what I'm saying I will do) Are you related to Veronica Explains?

@klapas1821 1 year ago
Extremely informative, thank you professor

@nycrsny3406 1 year ago
Pretty simple and makes a lot of sense!

@gretafranklin6336 1 month ago
Confusing

@eyeshezzy 1 year ago
Barefoot Contessa fan too 😅

@chasonsnotes 1 year ago
What? Nothing beats changing passwords. Nothing beats passphrases or pass-sentences. I like lines of poetry with words mixed, split with periods, dashes and/or underscores, along with character substitution. With this technique I can use the same pass for many places, just switching or trading the pass: jumble, rejumble, unjumble. I only have to recall one coded pass. The main thing is I never use the same pass twice on the same place, ever. I change every two to 4 months.

@reefhound9902 1 year ago
Changing passwords is useless in all but a few niche use cases, such as a shared-password case or an insecure work environment. A password cracker is going to crack an 8 character password in less than a second; it doesn't matter if it's been in use ten years or ten minutes. A password cracker will take billions of years (aka never) to crack a 20 character phrase using a full character set; it doesn't matter if it's been in use ten years or ten minutes.

@dav1dw 6 months ago
"Nothing beats" is a bold statement. Similar to "xxxx killer". Also these "Nothing beats..." are outdated.

@Saurabh.P 1 year ago
I always use the 3rd method.

@dav1dw 7 months ago
I had already been doing peppering, but deleting characters in the saved password and adding my pepper is even better!

@micanalnotienenombre 1 year ago
Really interesting video. Same as many commenters, I was skeptical before watching this, but I can say I learned something today.

@nick066hu 5 months ago
I use a kind of peppering with my credit card PIN numbers. I have only one four figure number to remember, then I calculate the four numbers I have to add to it to get a banking card's PIN code. I write these numbers on all my credit cards. When using them I have to add my secret number. But I only have to remember this one secret number. I use the same everywhere where a four character PIN is required. A number appearing to be the PIN written on the credit card may also confuse the wrong guys if stolen; they would first try to use it in an ATM, and there is a chance the card gets blocked, so it is more likely they can't use it for online purchases afterwards either.

@reefhound9902 1 year ago
Never delete characters. Password length is by far the biggest determinant in security. A 16 character password using nothing but random upper case letters will have a higher entropy rating than a 12 character password randomly generated using uppercase, lowercase, numeric, and special characters. Even a 16 all-numeric password rates nearly as high as the most complex 12 character password. Anyone can verify this using an online password evaluator.

@GaryExplains 1 year ago
So what about a 20 character password saved in the password manager and then you delete 4 characters?

@reefhound9902 1 year ago
@GaryExplains The 16 character one will be extremely secure but still less so than the 20 character one. Why would you want to deliberately reduce the security? Is it much easier to delete 4 than add 4?

@reefhound9902 1 year ago
I suppose it might be marginally easier to delete the last 4 than remember what 4 you added, if you don't use the same 4 everywhere. But when you hit submit the PWM is going to ask if you want to update the password and you need to be sure not to, so that adds a bit of complexity back into it.

@GaryExplains 1 year ago
If the password manager is asking to save the new password when you delete 4, it will also ask if you add 4.

@reefhound9902 1 year ago
@GaryExplains Yes it will, which is why the peppering approach makes using a password manager more tedious.

@Techier868 1 year ago
Gaaaaaarrrryyyyy!!!!! 👋🏽
@PrabhatXLR8 1 year ago
I use the first way you told. Part is in the password manager and part of it in my mind. Although that half part in my mind is common for all my passwords, so it's easy to manage all passwords.

@byronwatkins2565 1 year ago
Can we control the server-side salting?

@Ken.- 1 year ago
Yes! Become the CEO!

@STONE69_ 7 months ago
The safest place for passwords is in your head and at your home on an encrypted USB drive. Not in password managers. .. Do you trust other people with your money, your business? LOL give your head a shake folks.

@dav1dw 6 months ago
Totally disagree

@STONE69_ 6 months ago
@dav1dw I have done it like this for 20 years, never had a problem.

@Ken.- 1 year ago
Salting just stops rainbow tables and really doesn't make it any harder for someone to crack an individual password. If a hacker can get the password file, it's likely they will also know or have the salt as well.

@Victor_Marius 1 year ago
True. Probably it would be more secure if you had the salt in the program, not the database. Use something like the username or the unique username/handle or the email or the creation date or all of the above in any order you want, and this way you save some database space.
@allanflippin2453 1 year ago
Gary, thanks for this video. Makes a lot of sense. As before, may I ask a stupid question? At one point, I was determined to write my own password generator based on hashing. I had the code working, but ran into a problem: websites had different rules on what kind of characters they would accept. The special characters I was generating would be considered invalid at some websites but not others. Is there any safe set of rules when generating random text for passwords? Thanks!

@john_unforsaken 1 year ago
I would say, as you found, each website can be different. I would include a selection so you can choose what chars to include at any given time. This is what most password managers do.

@allanflippin2453 1 year ago
@john_unforsaken I thought as much. And this implies that do-it-yourself password generation is not very practical :D

@GaryExplains 1 year ago
Could you not just use a subset of special characters that works across most (all) sites?

@allanflippin2453 1 year ago
@GaryExplains That is what I had hoped for. My question is whether others have already come up with a safe set of characters to use. Websites are not exactly forthcoming with their precise password acceptance rules :D

@JanJeronimus 1 year ago
Perhaps you can get some inspiration from other password creating programs. There is not one general rule, and e.g. on one site perhaps only numbers are allowed and on another site only characters from a to z. So you need to put questions like: how many characters must the password be (between .. and ..)? How many numbers, how many characters, upper and lower case, special characters (and which)?
@starkistuna 1 year ago
Another one I use when using public computers, or if I suspect my PC has a virus, is using the on-screen keyboard to type it in; that way keyloggers can't grab any input. Simply in Windows go to Settings / Accessibility / On-Screen Keyboard.

@Victor_Marius 1 year ago
The settings path is called "Ease of Access"/Keyboard or just Windows Key + CTRL + O. Out of curiosity I checked this and you are wrong. A python keyboard module (called "pynput"), or let's say a "keylogger" as Windows Security called it, makes no distinction between a key press of a physical key and a virtual one using the Windows 10 On-Screen Keyboard.
@Garythefireman66 1 year ago
Pass the pepper

@ToddMoore1 1 year ago
👍🏼Class is in session, thank you professor👍🏼

@davidrobertson415 1 year ago
You end up using the same password on multiple sites… not good!

@GaryExplains 1 year ago
No, the password stored by the password manager should be unique per site, but the pepper is the same.

@davidrobertson415 1 year ago
@GaryExplains Thanks for the clarification... I didn't pick that up in the video... My bad.

@MikeWood 1 year ago
@davidrobertson415 I thought this too.

@OMGWTFLOLSMH 1 year ago
No, you only end up using the same suffix on multiple sites.

@TheCârtiță 1 year ago
Sooo, I make a strong password like chocolate cookies and pepper it with q1w2, so my password is chocolate cookie q1w2, and to be extra cheeky I will remove the last 4 characters. NOW MY PASSWORD IS chocolate cookie, AN UNSECURED EASY TO BREAK PASSWORD

@vasudevmenon2496 1 year ago
Might not be applicable to all. I tend to forget the entire password; that's the reason I went with a password manager.

@GaryExplains 1 year ago
Yes, that is normal, I can't keep track of the hundreds of passwords I need. But it isn't hard to remember 4 letters. You use the same pepper for all passwords, you don't need to remember a different pepper for each password.

@vasudevmenon2496 1 year ago
@GaryExplains yeah it is. Might give it a go for a few sites and see how it goes

@whothefoxcares 1 year ago
L3t M3 3xplain

@robertsandy3794 1 year ago
This technique is all very well, however if the server is hacked and if the password database is not encrypted, then this method is of no use

@GaryExplains 1 year ago
No, quite the contrary. But before I get into that, it would be quite rare today for a website to have a database that is not encrypted. But to your point, this is exactly why you should do it. If the database is stolen and your password is freely available then the hackers DON'T have your password; there are 4 letters missing, which a) they don't know are missing, b) they don't know the length of what is missing, c) only you know the letters. In other words, the exact opposite of what you just wrote.

@robertsandy3794 1 year ago
@GaryExplains If the server database is stolen, if it's not encrypted, how wouldn't the hacker know the password? Whether your password is password1234, it's the one on the server end, not the client end, or have I missed something? How many times have sloppy policies on servers been the cause of password theft?

@jefferycampbell9182 1 year ago
@GaryExplains But when you create a password for the site, you need to have the whole password to create the login. So they will always know the correct password even if you tell your password manager a different one to save, where you add the rest upon it autofilling. So if the website gets hacked, they have your password, right? I mean they need to know your complete password to log you in.

@AQDuck 1 year ago
That's actually pretty smart, it's like public/private key IRL

@iamstartower 1 year ago
easy... write it down backwards

@ernstoud 1 year ago
My password is 8 asterisks. Every website knows my password when I type it. Weird.

@fanban2926 1 year ago
???

@ernstoud 1 year ago
BTW: paraphrasing Dilbert's boss here to support Scott Adams. He is cancelled by the woke cult.

@chmun77 1 year ago
So is mine as well! What are the odds!

@johnkressel2178 1 year ago
I use a variant of this. My password manager stores a long random string, I know a long phrase, I combine the 2 and hash a number of times to produce my password. That way the password is never stored by me.

@GaryExplains 1 year ago
Yes, obviously there are lots of ways to generate a password, but you are sacrificing convenience for a long process of string concatenation, multiple hashing etc.

@NoEgg4u 4 months ago
CorrectHorseBatteryStapleq#W7

@spiderjump 1 year ago
Make a memorable, weird and funny sentence drawn from your own life and use the letters in the sentence, and then add 12 random numbers and 3 symbols. For example: my high school chemistry teacher Mary Lopez had an affair with the gym teacher Paul Watson. That would translate to mhsctMLhaawtgtPW#120925@961275!

@GaryExplains 1 year ago
😂