So much good information! I didn't realize I knew so little about passwords! Great video :)
@Cyberspatial 4 years ago
Thanks a lot!
@coweatsman 1 year ago
For my password manager I use a passphrase combined with a randomly placed and determined special character in it, also generated by diceware.
@R-ok3cl 6 months ago
How can you distinguish a & character randomly selected by diceware from a & character arbitrarily picked by me?
@godividarr 1 year ago
Holy crap. An information-dense but still comprehensible explanation of a tech topic in plain friggin' English. Subscribed.
@sirmikeylikesit 7 months ago
Yeah I thought the same thing, also subbed :)
@aarronscott6679 3 years ago
You earned yourself a new subscriber.
@Cyberspatial 3 years ago
Welcome aboard! 🙂
@ytirucsbo 3 years ago
Computerphile has covered this topic pretty extensively. I'd recommend watching those videos.
@Cyberspatial 3 years ago
His recommendations are close, but not quite sound. Passwords need to be random.
@coweatsman 1 year ago
I consider a 10-word passphrase to be too long for a password manager while still being convenient. Convenience and security are a trade-off against each other.
@siddheshghag5889 3 years ago
Very Useful Information.
@Cyberspatial 3 years ago
Thanks!
@nivek9002 3 years ago
Hi, I'm new to the topic, KZbin has recommended you and I really appreciate your content. I'm curious about 2:35: phrase password vs unicode, ascii and single number password (psw later). The question is why is there more difficulty for a computer to "read" a phrase psw? Can't it be read just as a long lower case psw separated with inner spaces? If in UTF-8 the reading is character by character and so there is a chance in 256 for each position in the psw, why in a phrase psw would the computer "read" entire words, and so one word in 7776 (Diceware reference)? Why doesn't the computer read each position and try to guess a single character? So applekim is easier to guess than apple kim? I'm sure that I didn't understand something, could you clarify that? Thanks.
@Cyberspatial 3 years ago
Password cracking software like JohnTheRipper can "read" words, by treating them just as another type of symbol. These symbols can be either single characters or entire words.
- Diceware has a character space of 7776 (words). This symbol space has 12.92 bits entropy per symbol.
- Lowercase alphabet has a character space of 26. This symbol space has 4.7 bits entropy per symbol.
A 7-word passphrase, parsed as *words* would have *90.44 bits* of strength. (7 times 12.92)
If you assume the average English word is 6 characters, a 7-word passphrase, parsed as *letters* would have *197.4 bits* of strength (4.7 times 42)
So if a password cracker were to treat a Diceware passphrase one character at a time, the length would make it more difficult to crack than attempting words at a time.
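The word-model versus letter-model arithmetic above, as an added example that is not part of this thread. It goes a step beyond the reply: the attacker gets to choose the cheaper model, so the effective strength is the minimum of the two, and it adds the crack-time estimate and CSPRNG word selection discussed elsewhere in the comments. The eight-word list is constructed for the demo; a real Diceware list has 7776 words.

```python
import math
import secrets

# Constructed mini word list standing in for a real 7776-word Diceware list
# (assumption: a real list would be loaded from a file).
DEMO_WORDS = ["apple", "kim", "ship", "clever", "dolphin", "beans", "egg", "fart"]


def bits_per_symbol(symbol_space: int) -> float:
    """Entropy of one uniformly random pick from a space of this size."""
    return math.log2(symbol_space)


def passphrase_strength(words: list[str], wordlist_size: int = 7776,
                        charset_size: int = 26) -> dict:
    """Entropy under two attacker models and the one that actually counts.

    word model  : attacker knows the word list and guesses whole words.
    letter model: attacker treats the phrase as one lowercase string.
    effective   : attacker picks the cheaper model, so the minimum applies.
    """
    word_bits = len(words) * bits_per_symbol(wordlist_size)
    letter_bits = sum(len(w) for w in words) * bits_per_symbol(charset_size)
    return {
        "word_bits": word_bits,
        "letter_bits": letter_bits,
        "effective_bits": min(word_bits, letter_bits),
    }


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random secret of `bits` entropy:
    half the keyspace divided by the attacker's guess rate (a slow KDF
    such as bcrypt or Argon2 lowers that rate by orders of magnitude)."""
    seconds = (2 ** (bits - 1)) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def diceware_passphrase(wordlist: list[str], count: int) -> list[str]:
    """Pick words with the OS CSPRNG, never with random.choice or by hand;
    the entropy figures above only hold for uniform random selection."""
    return [secrets.choice(wordlist) for _ in range(count)]
```

Note that a phrase built from very short words can be weaker under the letter model than under the word model, which is why `effective_bits` takes the minimum.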
@nivek9002 3 years ago
@@Cyberspatial Got it! Thank you very much.
@tajammulrizvi9504 2 years ago
So please tell me, how are these password managers vulnerable? Apart from being a one stop shop to all the systems you have access to?
@adityadas9370 4 years ago
I sub ♥️🔥 You are awesome 👍
@Cyberspatial 4 years ago
Aditya Das thanks!!
@ccc822007 3 years ago
While I agree, we should be beyond passwords by now. Biometrics and facial recognition should be the new thing. There are also retina scanners. Something new is a fingerprint scanner that also scans the vessel structures in the finger. This prevents false positives because it basically can image the finger and the vascular pattern in the finger. I don't understand why all keyboards aren't built with this function; it prevents having to remember 20000 passwords.
@Cyberspatial 3 years ago
We'll get there one day. It'll look like a combo of authentication methods. For now, the tech hasn't caught up yet. Some issues with biometrics:
- Pregnancy can change a woman's blood vessel patterns in her iris.
- Twins and look-a-likes don't mix with facial recognition
- Injury and trauma can wear away fingerprints.
- There may be instances where you don't want to authenticate using features tied to your identity
- Machine learning has given rise to deep fakes that let attackers generate face and voice prints.
Biological features aren't something you can hide easily. Passwords are still in use because they have a proven track record of working well when implemented correctly. It's a love-hate relationship for people and we'll all celebrate when they're phased out!
@liesdamnlies3372 3 years ago
@@Cyberspatial I don't think they'll ever be phased out, especially not in high-security settings. It's another factor of authentication, and for things where it really super-duper matters, no one should just toss out the "something you know" factor just because you have a bunch of others. Maybe I'm paranoid, but you know what they say, it isn't paranoia if they're really out to get you.
@Cyberspatial 3 years ago
@lies damnlies Totally agree. "What You Know" is always going to be a factor.
@letsgobiden653 2 years ago
Yeeeah, riiiight. Having passwords leaked in data breaches isn't enough, let's leak my genetic sequence as well
@coweatsman 1 year ago
I have found that biometrics are prone to give false negatives. The number of times I have to enter my pin to open my phone because the phone doesn't recognise my finger is about 50% of the time. I don't see passwords going away any time soon.
@user-mg1utr1p 1 year ago
Is there a lack of recommendations on how exactly to make a strong pass, or I've just missed it?
@naeem8434 3 years ago
Amazing video sir
@Cyberspatial 3 years ago
Thanks!
@vikashshukla1175 3 years ago
Hi, do you have any online courses??
@retrohead5313 3 years ago
I didn't get why Phrase's size is 7776, can you please explain it to me? btw, your videos are verrry helpful, thank you and keep goin :)
@Cyberspatial 3 years ago
It's a bit arbitrary, but you start to get diminishing returns for larger dictionary sizes because of the logarithmic nature of entropy.
@prospectsurge4947 3 years ago
Very good stuff
@Cyberspatial 3 years ago
Much appreciated
@alecjordan6100 2 years ago
Mind = blown when I realized a pass phrase can be easily cracked if it’s not random 🤯
@spiderjump 2 years ago
Memorise a short sentence. Make it random and silly. Include uppercase letters. Add symbols and random numbers. BeansandeggsFART#178180
@liberaltalks4052 3 years ago
How to check if my pw has 128 bits?
@WPWeekends 4 years ago
So powerful
@Cyberspatial 4 years ago
Thanks! More coming...
@thomasjohnson4456 4 years ago
OK, it's time for me to update my password to 128 bits
@Cyberspatial 4 years ago
We'll show you how to build up to this using a password manager very soon!
@frkangungor 3 years ago
If we didn't use it in the past, what can we do now?
@Cyberspatial 3 years ago
You can start with one and slowly change your passwords over to a random and unique one. Do a few accounts every day and after a month or two you'll be good to go!
@manny7886 3 years ago
I use a PM + salt + 2FA.
@Cyberspatial 3 years ago
Salt should already be built into the PM. 2FA probably means you're using a cloud PM.
@manny7886 3 years ago
@@Cyberspatial - If I understand how PM works, salt and 2FA have nothing to do with PM either cloud-based or not.
@Cyberspatial 3 years ago
Your PM may support different key derivation algorithms that use salts. Cloud-based PMs use 2FA to authenticate you. It's not a true 2FA for encryption of the database. KeepassXC supports pseudo 2FA for encrypting, whether through Challenge Response with a Yubikey or a keyfile on a thumb drive.
@juliandelapena4293 2 years ago
Just type ñ and you are good
@ng.Ik_h 2 years ago
Is typing randomly a strong password?
@Ken.- 1 year ago
no
@mqb3gofjzkko7nzx38 11 months ago
Human beings are very bad at doing things randomly.
@bassmaiasa1312 1 year ago
So a site that limits you to 14 ASCII characters is condemning you to a 91-bit crackable password?
@Cyberspatial 1 year ago
Assuming the password is random, 91 bits is actually pretty strong if the site is using a proper key derivation function. It's 91 bits multiplied by the number of seconds it takes to attempt each try. If the KDF is bcrypt or better yet Argon2d, the time it would take is infeasible to brute force.
@bassmaiasa1312 1 year ago
@@Cyberspatial I'm still annoyed that the 14 character limit blocks using the dice method. Google allows 100 characters, which allows a good DICE phrase. Another site allows 250 characters. So it seems to me like those sites are aware of the newer password security methods.
@redcloud4741 3 years ago
Ship Clever Dolphin
@Cyberspatial 3 years ago
Low entropy. You're gonna want 4-5 more words.
@bassmaiasa1312 1 year ago
The 90's TV show Seaquest. That's not random, it's a pop culture reference.
@bassmaiasa1312 1 year ago
So psychology reduces the entropy of the phrase dictionary? My passphrases are taken from childhood inner incidents that no one else knows -- not my family, not my therapist, not my 2nd grade teacher or best friend, literally nobody but me.
@Cyberspatial 1 year ago
If you were to create a dictionary based on words from all your childhood inner incidents and did a log2() on the final number, how many bits of entropy would you get per word? For instance log2(100) is 6.6 but log2(10000) would be 13.2
@bassmaiasa1312 1 year ago
@@Cyberspatial But a hacking software couldn't know that dictionary. From my point of view, the words are not random, which makes them memorable. But wouldn't the hacker still have to brute force the English language? But if I just picked 5 general words that popped into my head, there would probably be some associative pattern that's already been recognized and pre-programmed. If I picked a string of key historical dates, those have probably already been pre-programmed. But 'where was I on such and such historical dates', how could that be programmed?
@jeanpierrereynoso-fournel005 2 years ago
@senritsujumpsuit6021 3 years ago
I wanna make a password manager give me a password where every character is from a different country's symbols so not even god can find out my password lol
@Cyberspatial 3 years ago
KeepassXC can do Extended ASCII, which gets you part of the way there. If you want all Unicode characters too, learn to write a Python script to generate it for you! It's not hard!
@JarppaGuru 2 years ago
1:44 fail, they can't know, they can't even estimate. The universe has no edge