Here's an idea. We should change the word "password" to "passphrase" to subconsciously discourage people from using a single word.

@RainBoxRed

5 жыл бұрын

Iwentotheparkto_day.

@aanon4019

5 жыл бұрын

iwenttotheparktodie

@shawniscoolerthanyou

5 жыл бұрын

I agree. I've changed my password to "passphrase" in solidarity.

@zenon8627

5 жыл бұрын

Came here from Edward Snowden s recommendations?

@kafosoo

5 жыл бұрын

"Passcode" would probably be even better then.

The 12.9 bits he mentions comes from the fact that log2(7776) = 12.9.

@nO_d3N1AL

6 жыл бұрын

I was wondering that, thanks!

@birbdrkhadka5944

4 жыл бұрын

My twinkle

@ErebuBat

4 жыл бұрын

Thank you!

@simonmultiverse6349

2 жыл бұрын

But none of my dice have a 6 on them! They have a 9 instead! What should I do?

@simonmultiverse6349

2 жыл бұрын

@@__Brandon__ Excuse me... my eleven-sided die has two number 9 s. Where is the missing number 6 ?

"I'm just looking at your collection of cubes" "All solved. That's how I roll" Hahaha

@PeteMcDonald

5 жыл бұрын

Knew this comment would be here to like, I just had to look for it :D

@simonmultiverse6349

2 жыл бұрын

I'm going to glue all your dice to the table, just so you _can't_ roll. Mwaaaaaaa ha ha ha ha ha!

@simonmultiverse6349

2 жыл бұрын

@@PeteMcDonald You stunningly subtle sophisticated psychologist, you!

"We're talking nation-state level security - you can choose to protect against them, but they might just visit you instead." Haha this is the logical step that's been missing in so many conversations I've had with cybersecurity enthusiasts - they seem to think the FBI is reading their emails but pay no mind to physical security. True story, I had one friend who insisted on 20-character randomly generated passwords, but wouldn't even bother lock his front door when he left the house because we were going "just up the street."

@jamesedwards3923

4 жыл бұрын

That is not the point. The problem is nation states and criminal organizations. They both have access to cloud computing services. Also bitcoin farms and hacking farms can use the same technology. The same equipment a government uses a civilian can buy unless the equipment is classified. You think there is a difference in terms of capacity? You are wrong. We're not talking petty theft. We are talking about criminal organizations who make a fortune off of your stolen data.

@xXx_Regulus_xXx

Жыл бұрын

@@jamesedwards3923 I don't know, I think you're the one missing the point here. A high-entropy password is great, but you are vulnerable against a $5 wrench attack and if your adversary is willing and able to use that method, your secure password stops mattering.

@jamesedwards3923

Жыл бұрын

@@xXx_Regulus_xXx In most states in the United States. Getting a 'legal' gun is easy. If a criminal organization comes with a $5 wrench. I can unload on them. Got to love the Castle Doctrine :) ! Although in my state and city in particular. Has stricter gun laws. Thinking they are going to stop criminals. Yet in a bunch of videos and articles I have read. Obviously not. The excessive gun laws in my state; city in particular. Are designed to keep lawful citizens from defending themselves. Bet you know which state I am talking about. Even the city.

@xXx_Regulus_xXx

Жыл бұрын

@@jamesedwards3923 wrench attack is just a catchy name. Believe it or not it would be possible for your attacker to be armed and a quicker draw than you. I won't be arguing semantics or investing how quick of a shot you claim to be. The point is someone who is better at violence than you might sidestep the password security issue entirely. Do you understand what I'm saying to you?

@jamesedwards3923

Жыл бұрын

I know 🤣😄😄

"They may just visit you instead." Ha ha, great capper.

@swimmingshi

3 жыл бұрын

I cracked, lol

I hate when my tapir gets corrupted and I didn't make a backup

@bytefu

6 жыл бұрын

It gets currupted because it's rw. Maybe it's time to "chmod -w tapir"

@frankschneider6156

6 жыл бұрын

Does your tapir often receive bribes ?

@topsecret1837

5 жыл бұрын

Alexander Robohm Who corrupted it? Some guy from Libya?

My passwords are generally random words, characters, number, uppers and lowers and also misspelled words and major length.... Then i write it down and stick it on my pc screen so I dont forget.

@misterhat5823

6 жыл бұрын

Encrypted text file here.

@Demki

6 жыл бұрын

But then you have to remember the encryption key.

@JoshelinRico

6 жыл бұрын

Not if the encryption key is your password.

@simpletongeek

6 жыл бұрын

something like one pad vigenere cipher? that's very clever. it's not until you have to convey your secret password to customer service via the phone that it becomes a problem.

@victorgiovannoni

6 жыл бұрын

Joshelin recursion

I can't begin to imagine which random symbol Mike Pound uses.

@jasoncox5263

4 жыл бұрын

@@abdulwahabjag #obvious

@RyanOByrd

3 жыл бұрын

£ or #?

@NoodleCollie

3 жыл бұрын

@@jasoncox5263 Not so obvious. A # isn't called a pound in Britain, it's called a hash.

@roofkat

2 жыл бұрын

@@abdulwahabjag TIL that Americans call a hash a pound sign... interesting!

@simonmultiverse6349

2 жыл бұрын

...and for those who deal in slightly illicit substances which you smoke.... perhaps they don't like the hash sign.

I personally dislike Tapir backups, Iguana-based backups are just way more reliable.

@QBelly

5 жыл бұрын

I like chalupacabra

@QBelly

5 жыл бұрын

Wait... that's not right...

@bruceli9094

4 жыл бұрын

@@QBelly i like chawawaa

I made a program back in secondary school, where you type in random numbers, and it tallies them up. It really shows how not random you really are.

I think web developers need to be more educated in this. I hate it when I'm forced to come up with all sorts of crazy passwords with this symbol and that case and this number in that position. I mean, popsiclegoldfishigloobulgaria is a far stronger password than g41@9S. Guess which one my bank does and does not accept?

@SergeMatveenko

6 жыл бұрын

On the other hand. I've seen a website just on the last week which allowed me to use only letters and number in the password. I cannot say which one is more rediculous out of these two.

@__mk_km__

6 жыл бұрын

What if we combine the strengths of those two to have Password: $7N7e@6MwoB/,@* Its much stronger than those both. Although, right now Im on mobile, so it takes some time to switch between symbols and letters. Thats why you can see an altering symbol/letter and uppercase/lowercase pattern. On Desktop this shouldn't be a problem.

@Demki

6 жыл бұрын

I've seen a site that only allows 6 to 8 character passwords, and THEY ARE NOT CASE SENSITIVE.

@dreamyrhodes

6 жыл бұрын

Mostly because these developers are too lazy do write sophisticated software. But they still need to comply with standard security tests. And these tests will include "are secure passwords enforced" and the devs will say "yeah we check them before accepting". Point done. And then it comes to stuff like you can't use spaces, you can't use ; or ' or " and other characters, that could be used for command injection (no, and santinizing escaping the characters is way too much effort to implement for the lazy devs), you need uppercase, lowercase, numbers... And so people will chose something like "BankName" as passwords, which is among the weakest password you could chose. Or even better: "Your password must be between 8 and 20 characters" - "But mine has 45..." - "meep! computer says no!" I even have seen a service that turncates your password if you wrote more than 12 letters... m(

@chaumas

6 жыл бұрын

Pointing the blame at web developers is generally wrongheaded. Your bank's developers didn't decide the password restrictions. Management handed them a set of requirements, and they implemented them. For all you know, the developers did push back, because even if they did, it almost certainly wouldn't have made any difference.

I love that they knew that the Rand was our currency,that got me excited a lil bit.Great video as always.

I have stumbled on to this channel a few months ago, and find them quite fascinating. I found maths really challenging at school, but as I get older understand more and find maths is used in EVEN more places and things than I ever considered. Thank you for creating these short shows with great explanations.

I'm really diggin' the series. An episode about password managers would be great!

It's the man, the legend, Dr. Mike Pound!!

Dice on the floor is always a reroll!

The last video on the subject had lots of comments about KeePass, so I started using it. I absolutely love it. Now every website gets its own password, and I have no idea what they are! The only password I know is the one for KeePass, which is five words that spell another word as an acronym, with a symbol and spaces.

I love that after the great talk on the finer details of password security he alludes to the possibility of a wrench attack.

My passwords requires you to solve riddles and travel all across the globe writing algorithms and finding patterns in scattered around notes, take 16 randomly chosen characters encrypted with a custom encryption scheme appended to a salted hash of my favorite dog race bitwise xored with the name of the cat of the neighbors 20 years ago and 64 digits of pi randomly selected in sequence either forward or backward prepended with 5 words with substitutions from a chinese character set based on the pseudo random number generator built in my nintendo 3ds.

@Computerphile

6 жыл бұрын

Bravo :) >Sean

@Hunnter2k3

6 жыл бұрын

Luckily my trusted sidekick can make you talk, Agent M! Watch out! He's, shall I say, rather bitey!

@santoshpss

4 жыл бұрын

Travel across a ball? I don't understand, you cannot stand on a ball!

@ezerikdaswahreleben2715

4 жыл бұрын

Hey, that’s the same way like I do . 🤔😨

@jasoncox5263

4 жыл бұрын

@@santoshpss you must be using translation software. He said globe, as in a map that is projected onto a sphere. Not a ball, as in the round thing that children play with.

And then some random website enforces a character limit of max 10 symbols, no spaces, a special character, a capital letter and a number

@Jako1987

6 жыл бұрын

Tiavor Kuroma In those sites you can use password "secretlol" and don't use/put anything valuable to those accounts. Use your spam email etc.

@bytefu

6 жыл бұрын

Do you mean the email that I use for getting spam or the one for sending it? Oops...

@ChenfengBao

6 жыл бұрын

That's why you should have a tiered password schemes, and Diceware should probably be reserved for the highest level, like a password manager or encrypted hard drive/OS. Lower level passwords can rely on your password manager.

my problem is that at my work i have literally 17 different passwords (i just counted). They all have different requirements of min/max length (lots are 20 chars max), upper/lower case, special characters, numbers etc. and they expire every month or 3 months or never. If i get one wrong 3 times it gets locked out. In one system it took me 2 months to get a new username set up because the password was locked and there was no other way to resolve this and in another system if i lock my password (or don't use it for 3 months) i have to go on a half day course (every time) about basic use of that software in order to get a new password. All this means everyone uses the same short passwords for everything and so security is made worse because of the measures introduced to increase security.

@perimiter

2 жыл бұрын

sounds like you need a password manager.

@ironcito1101

2 жыл бұрын

Some systems have strange and specific requirements, like the first character has to be an uppercase letter and the last character has to be a number, or stuff like that. Why? That requirement is public information, so it makes passwords _less_ secure. And the systems that force you to regularly change your password are very annoying.

@jamesedwards3923

Жыл бұрын

@@perimiter I do.

@BillAnt

Жыл бұрын

It's best to use an offline password manager with completely random characters of at least 15 characters, and not trying to remember them. Offline is essential since often hashed password files are stolen from cloud servers. Personally I use a simple text file for all my longins, encrypted with a 64 character pseudo-random password by 7Zip AES-256 method. Let's just say, it's pretty darn secure. ;)

@jamesedwards3923

7 ай бұрын

@@BillAnt 15 to 20 characters is the statistical average for password length. Bad idea for any important password. Where you control the length and complexity limit.

Mike's videos are always informative. More of him please...

The videos with Mike Pound are always good and funny. xD

I had a password so secure, I literally can't remember it unless I have a keyboard in front of me.

@johnk3841

6 жыл бұрын

I know what you mean. It's just muscle memory for us when we go and type it.

@thejskwared

6 жыл бұрын

Same! I once tried logging into my PC remotely from my tablet and couldn't do it, because the keyboard layout is slightly different. My password is a pattern that's muscle memory now - I don't even know what the actual characters are anymore.

@CorrosiveCitrus

6 жыл бұрын

Yep! I know that pain, I can't log into anything from my phone x) I don't remember my passwords... I can just type them...

@muizzsiddique

6 жыл бұрын

Is it "1234567890-=qwertyuiop[]asdfghjkl;'#zxcvbnm,./" ?

@atavy

5 жыл бұрын

@highks Same :/

"all solved, that's how I roll" - Dr Mike Pound

"They may just visit you instead." Wow, what a great ending! XD

I learn a lot a watching this channel. Thank you guys, keep up the good work.

I enjoyed the little addition at the end that unless you are being directly targeted a simple password (4 words in this example) is good enough, and if you are being directly targeted there are more physical methods than brute forcing a password.

@AureliusR

2 жыл бұрын

Yup, there's a great comic about this somewhere. If they're going to brute-force your password, they are going to *brute-force* your password, if you get what I'm saying. How many fingers can they break/cut off before you decide maybe the data isn't worth protecting *that* much.

Buy 5 dice next time! Then it's one roll (of 5 dice) for each word!

@Mike_Hogsheart

6 жыл бұрын

clearly you have not seen the prices on proper, unstamped casino dice.

@3rg1s

6 жыл бұрын

It's a fun way to generate a password so why not do it number by number...

@TheGTP1995

6 жыл бұрын

Is your hand big enough to hold five dice at once? ;)

@ThePhoenix107

6 жыл бұрын

How do you decide which dice to take for which digit? It can be biased. It's more random to roll a single dice 5 times.

@ChenfengBao

6 жыл бұрын

The first time I used diceware I didn't have ANY dice, so I flipped about 20 coins together a bunch of times...

I love this type of video :3

@the_real_ch3

6 жыл бұрын

Mike Pound for king of computerphile!

@ScipioWasHere

6 жыл бұрын

Brian A he's more princely in my opinion.

@Selektionsfaktor

6 жыл бұрын

I suggest Tom Scott as his... queen?

@Furiends

6 жыл бұрын

:3

@kewaljutlla8173

4 жыл бұрын

Sassy The Sasquatch nmm

awesome. I have been using your scheme for all my passwords ever since you suggested it. love the explanation.

I love this content! Speaking of password security, could you make a video on key stretching, i.e. CPU and possibly memory hard password hashing functions. Legacy schemes include MD5Crypt, bcrypt (which were and to some extent still are widely used on UNIX) and PBKDF2, then there are more modern ones like scrypt and Argon2. CPU hard hashing is also built into the SCRAM protocol. Speaking of which, I'd also love to see a video on challenge response authentication. :-D Either way I'll be recommending your videos to my (IT) coworkers since security is important and your videos are really accessible.

Absolutely great video. Had an amazing time learning this new concept. Thanks.

After watching the other password videos you made, I made a new password. When you mentioned that 5-6 words is nation state level of security, I realized that my new password is very secure and I shouldn't need to change it for a long time.

One of the easiest yet secure passwords I once had (before yahoo forced me to change it) was a 6 character password when the minimum was 8 characters

When you have to create an account on a website that requires a password between 8 and 12 characters long, have at least one lower case letter, upper case letter, number and other character in order to be accepted, this video helps so much! :P

@jamesedwards3923

2 жыл бұрын

There are so many ways to do it, it is insane. Unfortunately, yes there are so many services. That have not even attempted to update their security. Would not surprise me if sites using such character limits are using MD5.

Can you do a video on vulnerabilities on PGP/GPG protocol? It's in the news right now.

I like the mention of rubber-hose cryptoanalysis at the end

This guy is an absolute BOSS.

It's like having a 5 letter password but from an alphabet of 7776 letters!

You could also choose a synonym for each word after you roled the dice. "True Thoroughbred Accu Principal" in the XKCD case.

Thanks, I didn't have a dice so I used the password you created ;) finally I have a secure password for all my accounts

@arsalanhashmi2911

6 жыл бұрын

here's what i did: tossed a coin three times and added the value i got. Three coin tosses = 1 dice roll. Now repeat that 5 times.

I use the first letters of the words of the second verse of an obscure poems. Easy to remember or to reconstruct from a hint, if you forget.

@simonmultiverse6349

2 жыл бұрын

Look up "The Subway Piranhas" by Edwin Morgan. It's a short and slightly startling poem.

If you would like that way to make a password more secure you just need to translate of or two of your word I to in other language. Most people understands two languages. For me I can translate all or some of them to Swedish and suddenly I have doubled the word list. 😊

@chaumas

6 жыл бұрын

Doubling the word list increases entropy by only one bit per word. It doesn't hurt, but the benefit is negligible.

@ThecMaster

6 жыл бұрын

Yeah. But the wordlist dubbles and but you don't know what language I have used. In my case you know but you need to translate that list to every language to brute force it. Just adding swedish dubbles the list. Adding all of Europe languages... that's about 25. And so on. And that's my point. Not that everyone take a Swedish word. Hope you hanging on. My phone got in to this discussion and messing with my text... xD

@GinoTheSinner

6 жыл бұрын

Bra plan synd bara att Tapir = Tapir

@idk-bv3iw

6 жыл бұрын

Diceware word lists are available in multiple languages (they contain different words) so you could roll the dice one more time to choose your word list.

@B3Band

6 жыл бұрын

"Most people understand two languages" Spoken like someone who has never left Sweden.

One other great use for something like this would be if you need a secure password for telephone access to sensitive accounts. The fact that they are words makes would make them very easy to express orally over the telephone while still being secure (provided you don't go blabbing them in earshot and such).

At first i thought well this is still terrible but its actually a lot better than it seems at first glance. If you run 80bil (educated) guesses p/s you will on average crack a password every 1 hour. And if i remember correctly you had an 8bil guesses p/s in your last video. So even for much stronger computers this is challenging. Not considering the fact that there are other password types you might want to dedicste processing power to as well. Great job. Really nice video explaining this :)

I love that thumb position ABS shine on your spacebar :)

Such a likeable character Mike Pound

To save people the effort of using wolfram alpha, there are 6^5 words (7'776), 7776P5 is 2.839E19 combinations from that list - which is about as secure as a 10(.85) digit password that contains A-Za-z0-9 (62 different characters).

A variation of this theme is used in BIP39, a bitcoin/blockchain standard, where everyone uses a published list of 2048 words with some special characteristics. Since it's a smaller list, you choose more of them to be a passphrase, sometimes 12 or 18 or 24 of them, to avoid brute forcing. Its purpose is a sort of passphrase which (1) gets used exceedingly rarely, and (2) should be statistically guaranteed to be globally unique for all time like a GUID.

Excellent video.

Seems like setting operating systems, web sites, etc., with a default delay (10 minute, 30 minute, whatever) after 5 password misses on login would solve a lot of password guessing problems. I doubt most people use such settings/tools available to them. Of course there are many places where passwords are used other than operating systems and web sites, but it would be a great start. Thanks for the video. Great topic!

@ChenfengBao

6 жыл бұрын

You can only impose retry limits on authentication systems, but not on encryption systems.

@SyberPrepper

6 жыл бұрын

Great point.

@overwrite_oversweet

6 жыл бұрын

If you own the system, you can key stretch to a silly amount though. Try brute forcing when each iteration of your KDF takes up megabytes of memory.

Hon much more secure would it be you added an extra dice roll(1-6) after each word?

I know this is a bit of an older video, but I have learned a lot watching this series from computerphile, some of my passwords are trash (despite me knowing how important security is) but really some of the sites I log into, I really do not care if someone gets into it, but if I do care about it, I do attempt to make it a more secure password, usually involving an uppercase/special character, and number in it, but aye I am realizing how insecure that is. I have always tried to keep my social media posting to a minium because I never wanted anyone to be able to social engineer my more precious passwords. (Yes I will admit that my most secure passwords belong to my games, and anywhere my private info is stored in one way or another... i.e banking, etc.) - One thing I wonder after watching these, and something I have suggested/thought of in the past is just using shorthand to make a password more secure, and I wonder how secure it would actually be, I know they could still brute force it due to a small number of possible inputs, but at least it wouldn't be a common word used in the dictionary. So for example: My password is not password 54 would be this: Mpwinpw54 ---- It should be fairly easy to remember and should be a bit harder for someone to just outright brute force their way in.

@jamesedwards3923

4 жыл бұрын

Your mistake was.Posting your ruleset. Now hackers will add it to their attack models.

I learned from XKCD that Correct Horse Battery Staple is a really secure password so I use that everywhere.

Instead of using words to create passwords, I determined that it would be really hard to crack a password where each letter made a name but each individual character is stepped forwards or backwards on the alphabet (so if you have Johns, it would turn into Knimr as each letter is moved in a specific way forwards or backwards) as well as using underscores instead of spaces (because I’m a geek with an affinity with secrecy) or you could just generate a password with the computer automatically remembering it. Dashlane fills in passwords for you so you don’t have to remember them, so that is how I’d improve on that.

You can use a dice with a dictionary. 3 rolls for page, and word number then choose the closest 4 or 5 letter word. Certainly seems more random than that list, but still a nice scheme until next year when computers are 10 times faster. :)

the way is was tought to choose passwords is pick a obscure phrase you really like, so something you will remember, take the first charactere of each word (i sometimes add the last ones as well if the phrase is to short) swap out a few charecteres for capital numbers or special charecter.

i use diceware for every account that doesn't have 2 factor authentication available. I have about 4 i use daily, all six words, and it's surprisingly easy to remember and distinguish them.

you could also take a dictionairy and then roll in which sixth your word is. repeat around 7 or 8 times for the oed and you get any word

A niffy method when you have a password with no length maximum is to set your password as an excerpt from a ebook. Then copy and paste the password when you need to use it. That way you can have a password that is a paragraph or even a page long. Of course you can put a symbol in the middle of a key word and that would make it more difficult.

No extra bit. I live for the extra bit. I'd also love a book shelf pass for all the guess you have. It's where I find new books the read. lol

I love how he uses an asterisk as a multiply symbol.

one way for pw is use someone's phone number>transfer it to a symbol number mix>put it in b/w a word >repeat the same process that give u at lease 16+ pw with upper/lower case character mixed with nonsense but at the same time easy to remember

That's an interesting idea. I generally just look at all the labels on anything on my desk and use the first letter from each label until I think it's decently long scramble a number in with it that is familiar to me but doesn't have anything to do with me jumble in a couple symbols and upper case and call it a day. Then I clean off my desk. Edit: Maybe I'll continue to do that and bookend the one I generate in that way with a couple random words from the OED selected this way.

I just came up with an even better method: Take any dictionary. P = page count C = column count per page N = max words per column R1 = Rand[1, P] R2 = Rand[1, C] R3 = Rand[1, N] For each word needed: * Generate random numbers using any trusted source of true or cryptographically secure random data * Go to page R1 * Look in column R2 * Go to word R3 (if there are fewer than R3 words on this column, continue on to the next column or loop around, your choice) Entropy is MUCH higher as there are a lot more words to choose from. (The dictionary I used says "over 70,000 definitions" on the cover.) EDIT: If you can remember 8 words, and use a 70,000 word dictionary, that's a full 128 bits of entropy, but even at 5 words it's 80 bits. You can get 64 bits with only 4 words.

For anyone curious, Let's compare this 5 word password to a more traditional 10 character password pulling from a pool of 74 random characters. 74^10 = 5E18 possibilities. Compared to the example shown in the video, 7776^5 = 3E19. So this method is slightly better than 10 purely random characters (which is very hard to remember)

@teeds88

6 жыл бұрын

10 purely random characters are not that hard to remember. And they are faster to type. Anyway, I don't get why people aren't using password managers and still try to remember all their passwords. My passwords are all at least 16 random characters (letters, numbers, special) which is way more secure than what is shown in this video. I don't know any of them by heart but then again I don't need to - i copy and paste them directly from my password manager (which makes me immune to keyloggers as well).

@TheSkepticSkwerl

5 жыл бұрын

@@teeds88 doesn't make you immune to clipboard sniffers

@jamesedwards3923

5 жыл бұрын

LOL, that is the point is it not. Diceware or Leetspeak - Taking something easy to remember for you. However for a computer it is insanely complicated. Some people put down leetspeak. I logically disagree. As we all know, the longer and more complicated your password. The harder it is for a 'computer' to figure it out. Also, if a person can not figure out. If a human and a computer can not figure out what you did. That makes it all the better as a password.

@TheSkepticSkwerl

5 жыл бұрын

@@jamesedwards3923 I build password cracking dictionaries. And leet speak is easy to crack. Actually combining words some with leet speak and some with out. While sharing vowels is best. "!l1kEtHr3epeoPLE" is hard to crack

I would like to know your view on password managers like 1password. Combined with a hardware password or security token.

Great video. I have a question on how entropy was calculated. Where did the 12.9 bits come from?

@AdroitConceptions

6 жыл бұрын

2^12.9 = 7643.40626667 which is approx the 7776 word choices in the list

When I decided to update my important passwords, I used a method very similar to this. I just found an online dictionary of English words and uploaded them into a spreadsheet, then wrote a small bit of code that would select 5 random words from that list of 10s of thousands and concatenate them together. This ensures the words I chose were random. However, they weren't totally random, because I did this several different times until I got a password that I found easy enough to remember.

@jamesedwards3923

3 жыл бұрын

I assume what you mean buy "important passwords" means stuff you have to remember. Most people make the mistake of keeping all their passwords in their heads.

@sk8rdman

3 жыл бұрын

@@jamesedwards3923 Important passwords, like for email or a password manager. The sort of thing you need to remember, but also that could be devastating if someone nefarious got access to it. There are some less important passwords I really don't care too much about, because they're for inconsequential websites or something that nobody else could really benefit from hacking into. Everything else can be a string of 16+ random characters, and memorized by a password manager. That keeps everything pretty secure.

@jamesedwards3923

2 жыл бұрын

@@sk8rdman At least you had the common sense to do it. So many I meet and talk to. Do not care until they get hacked. Or spoofed. You would be surprised how lazy people are with cyber security. How could you 'understand' the situation? Yet not take basic efforts to deal with it?

His books: Anderson - Security Engineering Second Edition Ferguson Schneier Kohno - Cryptography Engineering Erickson - Hacking The Art of Exploitation Yoshua Bengio and Aaron - Deep Learning

Which password generator app you are using for generating ur password? In some video ou mentioned the name of the application

Thanks for existing

what's the reason behind maximum password lengths? is it just for space/storage or is it related to hashing?

Don't know whether I'm watching because of the content or Mike anymore...

One simple way to defeat the average dictionary attack is to use an accented character where there is none, an incorrectly accented character or one without an accent where there should be, e.g. venêrable.

“I’m just looking at your collection of cubes up there” “All solved, that’s how I roll”

He missed the added complexity of using a random number of words. This take the total combinations from 7776^5 (all 5 word combinations) all the way up to 7776^5 + 7776^4 + 7776^3 + 7776^2 + 7776 (all 5 word option + all 4 word option + ... + 1 word options). That's the point of the words being so varied in length.

I feel like often increasing the difficulty of breaking passwords is proportional to the ease of use of the password. A complete sentence, or several is much easier to type and remember, and much harder to crack than a few random words. It could be social engineered, but if we are being honest any password you can remember can be social engineered. Additionally this entire comment is my password. Too bad so many places only allow around 10 characters, they are insecure by design.

I use 2 randomlygenerated strings concatenated together. Its badically an md5 hash

Would it be more secure to remove the spaces between the words? Or would having the spaces be "less" secure because an attacker then would know the size of each word? My Passphrase has ( 4 ) words but no spaces should I add the spaces to make it more secure or does it matter?

@muizzsiddique

6 жыл бұрын

It could help increase security if they don't know spaces are in your password, but if they know you are using diceware it's the same either way. It also elevates your character count and character set. As Mike said, you can make those spaces anything you want to make it more difficult for bruteforce and diceware attackers.

how will adding a few unicode characters affect the password "strength"?

3:42 That a Panasonic Lumix DMC-lx100? I have one of those, neat little 4k cameras

@Computerphile

6 жыл бұрын

Yeah, it's amazing :) >Sean

Instead of words, you could try using emoji. It won't work all the time, but the dictionary is pretty large too and way easier to remember, probably easy enough to make a whole story worth of emoji.

actually those square casino dice, are only for casino games such as craps. you need the rounded corners dice for regular dice throwing to get more randomness. You can get dice with rounded corners that are also completely unbiased to any side.

But just where can you get sweaters like Dr Mike?

If you are security conscious enough to use diceware then realistically you should just use a password manager and have the passwords be entirely random. Of course you still have to pick a master password but honestly again just generate a random string of like 25 characters and save it in the password manager and write it down somewhere physical and very well hidden.

That last sentance translates as: "My associate here will now begin to hack your password. He is going to hack your kneecap with this tire iron until the password comes out of your mouth."

If I ever make a social network or a website with accounts, it would support ALL Unicode characters (even control chars), to give people the freedom to use a password in their native language, or a gibberish one. The only requirement is that it must be longer than 3 codepoints, this is because some codepoints need more than 1 byte to be encoded. Of course, I would add a non-intrusive dialogue suggesting how to choose a password or passphrase depending on the user's needs

Question... sorry if it was already answered, I need to watch the video again. But regarding entropy and passwords made out of random words, would a dictionary attack significantly lower the entropy of it? I imagine it'd be hard figuring out the correct length of the password, and then you'd need a whole lot of word combinations and recombinations to the to the correct length. I'm currently using just random alphanumeric with a password manager, but in the future I'd like to switch to an offline password manager and combinations of words in different languages, significant numbers and symbols thrown around.... that I imagine would be plenty. xD Still relatively memorable at least for the most used stuff, and the rest would have to be recovered using the offline password manager.

@overwrite_oversweet

6 жыл бұрын

The entropy calculation is *assuming* the attacker is using a dictionary attack *and* knows what dictionary to use. It would be more accurate to say that if the attacker doesn't do a dictionary attack, the entropy would greatly increase.

what about choosing 4 words, each containing a random symbol, but each word is in a randomly chosen language... anyone can learn one word of 4 languages so it would be easy to remember. That seems pretty solid compared to limiting yourself to just one language.

@jamesedwards3923

3 жыл бұрын

That is something you would have to commit. In A great deal of the world. Learning another language is a requirement. You can social engineer that. Via country, age, and education level. However you are not wrong.

"All solved that's how I roll" was better than Mike's "it does" Bob and Alice analogy from E2EE video

any recommendations for password managers ?

Where did you get this list of words?

Can you please do a video about Password-Managers and their security?

If you use this system to generate a password, but then only use the first X characters in each word, wouldn't that increase the security level of the password since it reduces the meaning behind it, still making it easy to remember because you know the words it comes from?

"All solved!" Love it

Could you make a video about keychain and its security?

you can calculate the amount of bits much easier, by taking the amount of dice rolls to the base of 2. log(6^25) / log(2) = 64.624...

I think you're probably intended to buy 5 dice lol