Y0urPas5word$ucks and Here's Why

  • Published 22 Aug 2024

COMMENTS • 1.4K

  • @ModernRogue
    @ModernRogue 7 years ago +196

    We've all been there: you've got an unopened can, an unscrewed screw, something to be measured, an unopened bottle, and you don't know what time it is--an everyday conundrum! Solve all those problems and more with the All-Access Card! This tiny credit card-sized tool has just about everything: can opener, knife edge, screwdriver, ruler, can opener, 4-position wrench, butterfly screw wrench, saw blade, sun compass, and another wrench just to show off!
    We're giving away 10 All-Access Cards (a $9 value each) free for people who enter our weekly giveaway at gimme.scamstuff.com
    More on the All-Access Card: www.scamstuff.com/products/10-function-credit-card-tool-kit
    Congrats to the winners of last week's Lace Escape Tool giveaway: Lavi Glassman, Louis Buck, Corey Posnanski.

    • @arndegothia1412
      @arndegothia1412 7 years ago

      first reply?

    • @matthewmccarthy2740
      @matthewmccarthy2740 7 years ago +2

      The Modern Rogue i FuCk!n LUv ye'Re v1de0s. Keep it up lads

    • @nabilahmed6583
      @nabilahmed6583 7 years ago +1

      The Modern Rogue do you guys know how to make a blue lagoon? I am sure Trever does...

    • @ajvladmir2481
      @ajvladmir2481 7 years ago

      The Modern Rogue what if your tech does not have double locks?

    • @SavepointCafe
      @SavepointCafe 7 years ago +1

      Here's a good tip: there are real world things that have complicated combinations of characters and letters. Think of your sound system's full model name, a full name for a car including engine size and spec. They will be very easy for you to remember, but a tough nut to crack for anyone else.

  • @aleistergein114
    @aleistergein114 7 years ago +341

    I have the best defense of all against bank hacking: a negative balance.

  • @wienerschnietzel8983
    @wienerschnietzel8983 7 years ago +379

    Fun fact: according to the password strength check website I found, the title of this episode is a pretty secure password.

    • @ModernRogue
      @ModernRogue 7 years ago +83

      hah! That's awesome. enjoy your thumbs-up, sir.

    • @NovemberOrWhatever
      @NovemberOrWhatever 7 years ago +43

      Estimating strength of password "Y0urPas5word$ucks":
      Approx time to crack: 3 minutes
      (in seconds): 74.066
      Strength score (1-5): 1
      Entropy estimate (bits): 20.498
      How the password "Y0urPas5word$ucks" was broken into parts:
      0:
      pattern: dictionary
      i: 0
      j: 3
      token: Y0ur
      matched_word: your
      rank: 27
      dictionary_name: english
      l33t: true
      sub:
      0: o
      sub_display: 0 -> o
      base_entropy: 4.754887502163469
      uppercase_entropy: 1
      l33t_entropy: 1
      entropy: 6.754887502163469
      1:
      pattern: dictionary
      i: 4
      j: 11
      token: Pas5word
      matched_word: password
      rank: 1
      dictionary_name: passwords
      l33t: true
      sub:
      5: s
      sub_display: 5 -> s
      base_entropy: 0
      uppercase_entropy: 1
      l33t_entropy: 1.5849625007211563
      entropy: 2.584962500721156
      2:
      pattern: dictionary
      i: 12
      j: 16
      token: $ucks
      matched_word: sucks
      rank: 762
      dictionary_name: passwords
      l33t: true
      sub:
      $: s
      sub_display: $ -> s
      base_entropy: 9.573647187493323
      uppercase_entropy: 0
      l33t_entropy: 1.5849625007211563
      entropy: 11.15860968821448
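The scoring behind the quoted output (the legacy zxcvbn estimator, judging by its field names), reproduced here as an added example that is neither the commenter's nor zxcvbn's own code: it assumes a tiny constructed dictionary carrying only the three ranks quoted above and a reduced l33t table, and shows where the 20.498 bits and 74 seconds come from. Each part costs log2(rank) plus a bit or so for capitalisation and substitutions, and the parts are chosen by a minimum-entropy split of the whole string.

```python
from math import comb, log2

# Constructed mini-dictionaries; the ranks are the three quoted in the output above.
RANKED_WORDS = {"english": {"your": 27}, "passwords": {"password": 1, "sucks": 762}}
# Subset of the usual l33t substitution table (assumed; the real table is larger).
L33T_TABLE = {"0": "o", "5": "s", "$": "s", "3": "e", "1": "i", "4": "a", "@": "a", "7": "t"}
# Legacy zxcvbn attacker model: 100 attackers at 0.01 s per guess each = 1e4 guesses/s.
GUESSES_PER_SECOND = 1e4

def unl33t(token):
    """Undo substitutions: returns (lowercase dictionary form, {subbed: unsubbed})."""
    subs, out = {}, []
    for ch in token.lower():
        if ch in L33T_TABLE:
            subs[ch] = L33T_TABLE[ch]
        out.append(L33T_TABLE.get(ch, ch))
    return "".join(out), subs

def uppercase_entropy(token):
    """Capitalisation bits: the three common patterns cost 1 bit, mixed case costs more."""
    if token == token.lower():
        return 0
    start_upper = token[0].isupper() and token[1:] == token[1:].lower()
    end_upper = token[-1].isupper() and token[:-1] == token[:-1].lower()
    if start_upper or end_upper or token == token.upper():
        return 1
    upper = sum(c.isupper() for c in token)
    lower = sum(c.islower() for c in token)
    return log2(sum(comb(upper + lower, i) for i in range(min(upper, lower) + 1)))

def l33t_entropy(token, subs):
    """Bits for which of the substitutable letters were actually substituted."""
    if not subs:
        return 0
    lowered, possibilities = token.lower(), 0
    for subbed, unsubbed in subs.items():
        s, u = lowered.count(subbed), lowered.count(unsubbed)
        possibilities += sum(comb(u + s, i) for i in range(min(u, s) + 1))
    return max(1, log2(possibilities))  # a lone single-letter sub still costs 1 bit

def find_matches(password):
    """Every substring that, once un-l33ted, is a ranked word in some dictionary."""
    matches = []
    for i in range(len(password)):
        for j in range(i, len(password)):
            token = password[i:j + 1]
            word, subs = unl33t(token)
            for name, ranked in RANKED_WORDS.items():
                if word in ranked:
                    matches.append({"i": i, "j": j, "token": token, "matched_word": word,
                                    "rank": ranked[word], "dictionary_name": name,
                                    "l33t": bool(subs), "sub": subs})
    return matches

def match_entropy(m):
    """One dictionary match: log2(rank) plus the capitalisation and l33t bits."""
    m["base_entropy"] = log2(m["rank"])
    m["uppercase_entropy"] = uppercase_entropy(m["token"])
    m["l33t_entropy"] = l33t_entropy(m["token"], m["sub"])
    m["entropy"] = m["base_entropy"] + m["uppercase_entropy"] + m["l33t_entropy"]
    return m["entropy"]

def bruteforce_cardinality(password):
    """Alphabet size an attacker must cover for the character classes present."""
    lower = 26 if any(c.islower() for c in password) else 0
    upper = 26 if any(c.isupper() for c in password) else 0
    digits = 10 if any(c.isdigit() for c in password) else 0
    symbols = 33 if any(not c.isalnum() for c in password) else 0
    return lower + upper + digits + symbols

def minimum_entropy_match_sequence(password):
    """Cheapest cover of the password by dictionary matches, brute-forcing single
    characters where nothing matches (dynamic programme over the prefix length)."""
    n, matches = len(password), find_matches(password)
    lg_card = log2(bruteforce_cardinality(password))
    up_to = [0.0] * (n + 1)    # up_to[k]: minimum entropy of the first k characters
    choice = [None] * (n + 1)  # match ending at index k-1, or None for brute force
    for k in range(1, n + 1):
        up_to[k] = up_to[k - 1] + lg_card
        for m in (m for m in matches if m["j"] == k - 1):
            candidate = up_to[m["i"]] + match_entropy(m)
            if candidate < up_to[k]:
                up_to[k], choice[k] = candidate, m
    parts, k = [], n
    while k > 0:               # walk the choices back to recover the split
        if choice[k] is not None:
            parts.append(choice[k])
        k = choice[k]["i"] if choice[k] is not None else k - 1
    return up_to[n], parts[::-1]

def estimate(password):
    """Total entropy and expected crack time (half the keyspace at the model's rate)."""
    entropy, parts = minimum_entropy_match_sequence(password)
    seconds = 0.5 * 2 ** entropy / GUESSES_PER_SECOND
    return {"entropy": entropy, "crack_seconds": seconds, "parts": parts}
```

Running `estimate("Y0urPas5word$ucks")` reproduces the three parts, their per-part bits and the 74-second figure; the same 1e4 guesses/s model is why any dictionary-built password scores so low compared with a truly random string of the same length.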

    • @theX24968Z
      @theX24968Z 7 years ago +2

      Intel had a video I remember a while ago showing that basically said how "c0mPl3x!ty < length" or something like that. Typed that phrase right there in quotes and showed how long it would take to break.

    • @wienerschnietzel8983
      @wienerschnietzel8983 7 years ago +4

      I guess the site I found was crap then ;)

    • @clintonleonard5187
      @clintonleonard5187 7 years ago +2

      It's technically good, but it uses common substitutions that would be easy to guess.

  • @disgruntled181
    @disgruntled181 7 years ago +32

    My favorite, I think from Steve Carell: I change all my passwords to "incorrect". So whenever I forget, it says, "your password is incorrect".

  • @chiefshack7865
    @chiefshack7865 7 years ago +575

    "The Longer the better" - Jason Murphy 2017

    • @ModernRogue
      @ModernRogue 7 years ago +124

      I mean... he's not wrong.

    • @tyleralbert7717
      @tyleralbert7717 7 years ago +52

      “Suck it Brushwood!” - Jason Murphy 2017

    • @agent0422
      @agent0422 7 years ago +7

      That's what she said

    • @iWinRar
      @iWinRar 7 years ago

      Chief Shack but the question is I'm not enough...

    • @theX24968Z
      @theX24968Z 7 years ago

      Intel had a video I remember seeing that basically said how "c0mPl3x!ty < length" or something like that

  • @EliteProductions3129
    @EliteProductions3129 7 years ago +94

    Not a fan of online password managers. Sounds like a company with a massive target on its back to me. No company is flawless; breaches and exploits are going to happen. It's just a matter of time, especially if it gains popularity.

    • @MrAlucardDante
      @MrAlucardDante 7 years ago +4

      Yeah, same thing for me, I just have a fairly good password (78% according to password meter) and 2FA

    • @Minkafighter
      @Minkafighter 7 years ago +17

      LastPass had breaches already, but the passwords are encrypted on their servers, so the hackers still can't get your passwords, as the password will only be decrypted on your computer.

    • @woltews
      @woltews 6 years ago

      FISA warrant

    • @tonymason6637
      @tonymason6637 5 years ago +2

      This is exactly correct. All you're doing by putting passwords in a password manager is giving hackers access to everything once they exploit it - and it WILL be exploited.

    • @BoJaN4464
      @BoJaN4464 5 years ago +9

      Really old comment here but as it's one of the top comments on this video I feel I should add some things:
      - Passwords are encrypted clientside with 256-bit encryption so even the company can't decrypt them.
      - Your main password is never sent to the company and is only used to encrypt/decrypt your passwords before sending them to the server over an encrypted connection.
      - All password managers recommend, or even require two factor authentication and if you're not using it, you're asking for trouble.
      So, any attackers will need access to either [your password AND your phone] or [the servers AND your password].
      I'll also leave this little snippet from the brute-force attack page on wikipedia:
      "Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. Fifty supercomputers that could check a billion billion (10^18) AES keys per second (if such a device could ever be made) would, in theory, require about 3×10^51 years to exhaust the 256-bit key space."

  • @PDeRop
    @PDeRop 7 years ago +52

    "I AM VERY PROUD OF MY PASSWORD MAKING SKILLS" -- Brian sings after typing his most secret password on a site whose owner he does not know and whose intention he has not learned. That password is now on a secret list to hack Brian Brushwood somewhere in Russia or USA :)

    • @ModernRogue
      @ModernRogue 7 years ago +37

      well, also it's a dead password from long ago...

  • @deonblack8139
    @deonblack8139 7 years ago +8

    "Star Wars password?" "I've retired that one... Long ago..." So close... Should have said, "A long time ago in a galaxy far, far away."

    • @cheeseyoger
      @cheeseyoger 5 days ago

      That's a name I haven't heard in a long time

  • @jadenhenderson1451
    @jadenhenderson1451 7 years ago +87

    "strip him of EVERYTHING" -Brian, 2017

    • @bgruett422
      @bgruett422 7 years ago +8

      Jaden Henderson I think Jason said that

  • @Wkterr
    @Wkterr 7 years ago +10

    This episode is spot on! When I do penetration testing, password reuse is one of my favorite things to exploit! What's even better is when people used to use the same password everywhere, but have now switched to using a password manager... USING THEIR OLD PASSWORD AS THE MASTER PASSWORD! Talking about making my job easy.

    • @spaghettisama
      @spaghettisama 7 years ago +1

      Wkterr that's exactly what makes me sceptical about password managers, because if you can crack the password for the password manager, you get all the passwords! And if one of those password managers' servers get cracked, then what? I've opted to just write down all my passwords on a sheet of paper that I keep in my wallet and on the wall next to my PC.

    • @Wkterr
      @Wkterr 7 years ago +2

      If you keep your passwords written down somewhere, don't tell the entire world where you keep them...
      About password managers: A properly implemented password manager will not see its users' passwords compromised if their central servers are compromised. Users' passwords should be stored encrypted on the server, and only be decrypted on the actual client itself. How do you know if a password manager is securely implemented though? Well, that's a story for another time when we advocate for open source software.
      Anyhow, yes, one of the downsides with password managers is that if your master password gets compromised, all your stored passwords are compromised too. There are ways to work around that, such as keeping your password manager on a 2nd offline device and typing in your passwords manually, but most people won't accept such an inconvenience. Personally, I just try to keep the amount of important accounts I have to a minimum so that I can remember all my passwords without having to write them down, and use a password manager for the less important stuff.

    • @kingpotato7183
      @kingpotato7183 7 years ago

      Wkterr penetration testing?
      That sounds kinky

    • @Wkterr
      @Wkterr 7 years ago +3

      If only you knew how much action that phrase has given me...
      (Hint: None, because as a fat computer nerd I'm not very sexy)

    • @Minkafighter
      @Minkafighter 7 years ago

      But if you use TWA on the Password Managers, won't they be as secure as it can get?

  • @DeerBonesBaby
    @DeerBonesBaby 7 years ago +11

    when I was younger my first Runescape password was "Farts"

  • @nicholassteiner8340
    @nicholassteiner8340 4 years ago +2

    That’s insane. When I was a kid, I used “Star Wars” for the password on my old computer. (The computer and hard drive are long gone.) as an adult, I realize that it wasn’t the most amazing password in the world. But, I had no idea so many other people had the same password.

  • @billbill6094
    @billbill6094 7 years ago +96

    This video (or, more accurately, the day of the week this video was uploaded on) confused my world. I thought "what, the Modern Rogue uploaded, is it Friday?! Is life even real?! Is the universe a hologram?! How am I eating this food when 'there is no spoon?!'" So, as you can tell, when you change your uploading schedule by one day, it can give a person an existential crisis. A little warning next time.

    • @Maninawig
      @Maninawig 7 years ago

      bill bill read their laptop

    • @Ebolson1019
      @Ebolson1019 7 years ago +2

      But today is Thursday

    • @Dalemoooooon
      @Dalemoooooon 7 years ago

      I knew it couldn't have been a coincidence that that theory was used in a comment 4 hours after Kurzgesagt released a video on it.

  • @harrywhitlock5470
    @harrywhitlock5470 7 years ago +83

    My steam account was literally hacked today but meh two-step verification on my email stopped that bugger! The hacker then tried to sign into my email! My SMS two-step verification stopped the hacker again! This is the second time a hacker has lost lol!

    • @ModernRogue
      @ModernRogue 7 years ago +21

      nice!

    • @harrywhitlock5470
      @harrywhitlock5470 7 years ago +11

      Two-step certification OP!

    • @harrywhitlock5470
      @harrywhitlock5470 7 years ago +4

      Vertification* lol

    • @elaquen7
      @elaquen7 7 years ago +1

      I had a similar problem with my Facebook account. Two-step verification saved me there as well! I got an SMS 'Use XXXXXX to log into your Facebook account.' I changed my password immediately after.

    • @Impetuss
      @Impetuss 6 years ago +3

      2FA is great, everyone should use it

  • @Lizard-813
    @Lizard-813 7 years ago +46

    Serious question: How worried should I be about LastPass (or any other password managing software) being compromised and/or stealing my passwords themselves?

    • @RaptusGamingChannel
      @RaptusGamingChannel 7 years ago +21

      LastPass themselves don't even have access to your passwords, the company has been hacked multiple times and none of the passwords stored in LastPass have been compromised. The most you'll ever have to do if LastPass gets hacked is change your master password and that's just an extra precaution.

    • @robertwhelan4620
      @robertwhelan4620 7 years ago +11

      Lizard813 if you're really worried about it use something like KeePass instead and keep the database and key file on a USB stick. Obviously don't leave it plugged in when you're not using it.

    • @sislmira
      @sislmira 7 years ago +1

      Apart from other points from other people, you can use the YubiKey + LastPass combination (which I'm doing), which is like overkill and I guess for a user like me more than enough. I've been using LastPass for some time and currently it is a superb program.

    • @samhorman5983
      @samhorman5983 7 years ago +1

      You can always create your own encryption service which runs locally on your machine; like if you run Windows, just encrypt a .txt file with your passwords. Passwords which would obviously be randomly generated.

    • @liquidminds
      @liquidminds 7 years ago +3

      LastPass uses your master password to encrypt your passwords. So they have no access to the plain text and cannot decrypt it easily.
      If they had malicious intent, they could just grab your login data and store it, but if they do that once and someone finds out, their brand is done. They can close their business. They rely on a good reputation, otherwise they won't survive.
      You should never feel 100% secure with anything you do. There is always a risk remaining. But the risks with using LastPass are definitely smaller than with other comparable password systems, since the passwords are encrypted and stored in the cloud, making them safe and accessible.

  • @boru3413
    @boru3413 6 years ago +5

    "What are you Shaggy?"
    haven't heard that reference in years

  • @Skrzelik
    @Skrzelik 7 years ago +8

    Plot twist: there was a keylogger installed on that laptop

  • @cadetri9716
    @cadetri9716 7 years ago +4

    I'm very happy with how your channel is coming about. Been a fan since around 100k, and I'm really happy for your success! I hope that even when you get really big you keep making videos like this!

    • @ModernRogue
      @ModernRogue 7 years ago +2

      thanks so much, man. Makes my day to hear.

  • @oreskec
    @oreskec 7 years ago +102

    episode about password security, and then at 14:02 they enter their passwords at some random website over a "Not secure" network. nice job

    • @ModernRogue
      @ModernRogue 7 years ago +22

      and?

    • @oreskec
      @oreskec 7 years ago +14

      Well, that's not secure (bad practice). Also you crashed their site, it's been down for half an hour hahaha

    • @bgruett422
      @bgruett422 7 years ago +7

      oreskec they said that they replaced all the passwords they put onto the site

    • @ExodusisThere
      @ExodusisThere 7 years ago +5

      There is the possibility that they log and sell information. Even if they don't tell you, that doesn't mean they don't do it. Checking things like auto fill, search history, and cookies can let them know exactly where to use the passwords. I hurt a bit seeing you do that. Also just the number of characters eliminates about 50 percent of the guesswork.

    • @joel.stewart
      @joel.stewart 7 years ago +8

      Checking for an SSL connection should be another segment of the video itself. No matter how secure of a password one uses, sending it over an unencrypted channel negates the value of it. Many users are unaware of what an SSL channel is and the true vulnerability not using one can lead to...perhaps a future video topic. (Yes, 2FA still prevents unauthorized access here.)

  • @domesticcat1725
    @domesticcat1725 4 years ago +4

    This show is like a crossover between mythbusters and teleshopping

  • @davidrahn9903
    @davidrahn9903 7 years ago +3

    Putting your passwords for all your vital things into a random jank looking website that is not a verified https domain is the smartest thing I have seen all week. Besides that, fun video gentlemen.

  • @_.-.
    @_.-. 7 years ago +22

    Around 20 random characters with no correlation to each other forcefully memorized for each account ever. I win.

    • @mac922
      @mac922 7 years ago

      Elder Eggplant my password is 32 digits of a section of python code from a certain game with the code itself transferred from c+ to java and then put in python

    • @MrFoniek
      @MrFoniek 7 years ago +2

      and I thought I was the boss with my 9 digit password of random letters and numbers

    • @messy_messenger
      @messy_messenger 7 years ago +2

      Logan McNabb Mine is a dick recognition program that requires a studio quality picture and a fingerprint reading of the tip.

    • @kingpotato7183
      @kingpotato7183 7 years ago

      Elder Eggplant why not write it on a piece of paper

    • @Dredbot-hj7gy
      @Dredbot-hj7gy 7 years ago +3

      My password is 42 characters.
      Oh Crap!
      Now I gotta change my password!

  • @wallrunner7635
    @wallrunner7635 4 years ago +1

    Modern Rogue: "Your password sucks"
    Me: *Sweats Nervously*

  • @loganisanerd5566
    @loganisanerd5566 7 years ago +2

    MR: Says phrase passwords are secure vs random passwords
    Also MR: Look at how secure this character jumble is

  • @krzysztofbandyk168
    @krzysztofbandyk168 7 years ago +4

    Also, is using a different language for your password better or worse, as it's a detail that's easy to figure out about you (that you know that language), or is it better because it's less widespread than English is?

  • @fakjbf3129
    @fakjbf3129 7 years ago +3

    Actually there was a flaw in the design of the Enigma machine which allowed the Allies to crack it, but yes the flawed human users were a contributing factor. Numberphile has a great video on it, well worth a watch.

    • @vara202
      @vara202 7 years ago

      I'm not sure I'd call it a flaw when the solution to it was "invent the computer"

  • @corbingarrett1206
    @corbingarrett1206 5 years ago

    One of the things I do with my passwords is nicknames of people important to me, combined with a date that's important to our relationship, combined with a description of the activities we did on that day. It's things only known to me and that other person, and it's generally long, which, as you said, is one of the biggest factors in security.

  • @ricksattler682
    @ricksattler682 7 years ago

    I've been using LastPass forever, swear by it. It's amazing how many passwords you have when you start logging them. Having each one unique and not having to remember them is awesome. I wish 2FA was more prevalent, particularly in the banking industry.
    Enjoyed the vid. Keep up the good work :)

    • @ModernRogue
      @ModernRogue 7 years ago +1

      +Rick Sattler glad you liked it!

  • @FunBoysGaming
    @FunBoysGaming 7 years ago +16

    We need an episode on cigars!

  • @jonasls
    @jonasls 7 years ago +6

    Brian's email password:
    Length: 13
    Uppercase: No
    Symbols: No
    Lowercase: 8
    Numbers: 5
    ??????X??[0-9][

  • @snakejawz
    @snakejawz 7 years ago

    One of the easiest combinations to use is Pass-phrasing, pick two to three random words, add/remove spaces, add/remove capitals, add/remove special characters and you have a nearly impossible password that's still relatively easy to remember.

  • @adamkimmV
    @adamkimmV 6 years ago

    The most important thing with passwords is to have a different password for each site you're using. Because the number one way that people get hacked is because there is one leak, on one website, and they will use a bot to sign in to a banking site, or Amazon, using the emails and passwords they got from that leak.
    It's very rare for someone to be specifically targeting you, so even changing a single character in each password is going to make your accounts more secure. If you really want to be secure use a password generator, and write your passwords onto a piece of paper, or use an encrypted password manager.

  • @TheDarkHorseUprising
    @TheDarkHorseUprising 7 years ago +3

    if you get an old password for gmail and the victim has a youtube account you can use when was this account created as a security question! the answer will be on the youtube about page.

    • @RussellTeapot
      @RussellTeapot 7 years ago

      ow that's dumb as fuck, I didn't know that

  • @grantarnold8584
    @grantarnold8584 7 years ago +7

    Anyone know his cats name

  • @micahphilson
    @micahphilson 7 years ago

    You know, learning German, I was thinking the whole time of passwords in English and German, then I realized that mixing words from other languages into one password would work amazingly! It may not be a word the software would guess at all (particularly obscure words), and it's very unlikely that it would pick random words from 3 or 4 languages and mix 4 full dictionaries to find it! *I STUMBLED UPON THE PERFECT SECRET!* Random foreign obscure swears!
    Especially if you also add umlauts, accents, and Ñ if possible in that password service.

  • @NYR14477
    @NYR14477 7 years ago

    Love that disclaimer at the end about the passwords. You know someone was trying to look at them and be naughty lol

  • @romasromas73
    @romasromas73 7 years ago +3

    Love your videos, Modern Rogue! Keep up the good work.

  • @amosbackstrom5366
    @amosbackstrom5366 7 years ago +36

    The number one way to not get hacked is don't tell anyone your password. How do most drug dealers get caught? They told someone they shouldn't have. Everyone would be safer if they kept their collective fucking mouths shut

    • @djoakeydoakey1076
      @djoakeydoakey1076 7 years ago +6

      Amos Backstrom How is the drug trade these days?

    • @nathanpeterson8011
      @nathanpeterson8011 7 years ago

      Jack Barr Johnston but it is if they tell someone else (or make a copy of the key for someone else) their point is still valid

    • @amosbackstrom5366
      @amosbackstrom5366 7 years ago

      Jack Barr Johnston Well your friend might keep your account logged in on their phone, then someone else gets on their shit.

    • @sjege
      @sjege 7 years ago

      Amos Backstrom I had someone log in on my phone once. He clicked allow on everything without looking and I now have access to his mother's agenda, his contacts and emails.

    • @TheWindowIsTranspare
      @TheWindowIsTranspare 7 years ago

      Kevin Mitnick (who coined the term "Social Engineering") has always said that the weakest point of any security system is the user. He recounts the story of how he cracked the police's secure lines by getting some basic information on what system they used and using that to convince a dispatcher to give over the secure password and admin number.
      There's also a story out of...I think DefCon...where a team won the event's "Capture the Flag" competition by tricking a security guard to give them access to the server room. Five minutes of basic computer use, and they'd won.
      Take yourself out of the equation. Use an algorithm like "First letters of a very long sentence no one could guess" or "8-character secret key no one could guess followed by the letter 'a' 56 times" for your key locker, then never give a single hint to what your password could be. Change your passwords from the secure site itself, and never from an email (even if it looks legit).
      And, for the love of all that is good, don't do those Facebook quizzes that take your name and ask for personal information to give you your "stripper name" or something. That's an easy way to give up information on your security questions.
      EDIT: I use neither of those algorithms. Nice try.

  • @nikopack7571
    @nikopack7571 6 years ago

    I literally used to login to my preschool teacher’s computer whenever she left the classroom. She’d change the password almost everyday, yet I could still get in. Good times...

  • @ryansnyder4806
    @ryansnyder4806 7 years ago

    A bit of a trick I've used for passwords (as a math major and a nerd) is that I write 2 or 3 numbers near my computer, and then I have a series of equations that I run those numbers through. Now only I know the equations, which are easy to remember, so if I forget my password is 123893754803245623643924132, it's relatively easy to type those 2 or 3 numbers through the calculator on my phone in an order that only I know but use for all my passwords. So I can safely keep all my passwords written down without actually writing them down. And since letters are more secure than numbers I can have different number strings correlate to letters or words.

  • @jkerman5113
    @jkerman5113 7 years ago +3

    Are you guys actually kidding? Why would you give all your passwords to one website? Someone can just hack that website.

    • @MrImachickenlol
      @MrImachickenlol 7 years ago

      which is why they changed their passwords lol

  • @fizizy6415
    @fizizy6415 7 years ago +36

    LastPass is cool because you only have to remember 1 master password and the rest can be 100 Digit random characters that you never have to remember.

    • @nopenope7184
      @nopenope7184 7 years ago +23

      Fizizy and then someone can get your 100 passwords with 1% of the effort

    • @Minkafighter
      @Minkafighter 7 years ago +2

      +Nope Nope Not really, you can use 2Way-Auth on LastPass as well...

    • @ViviSectia
      @ViviSectia 7 years ago +5

      2FA is more secure than just a password but it's not completely secure and some of the weaker implementations aren't much better than just a single password. The fact that some really important passwords are guaranteed to be in LastPass makes it worth the effort for an attacker to spend the time to crack it. Besides, everything gets hacked eventually.

    • @danielpimenta4788
      @danielpimenta4788 7 years ago +8

      until LastPass is hacked and all their passwords are leaked. (Already happened once)

    • @Sitzkrieg
      @Sitzkrieg 7 years ago +4

      A couple of years ago someone did an SQL injection on LastPass and almost everyone's info was robbed. LastPass almost went out of business, and if it weren't for their strong supporters they would definitely be dead. 2FA is very secure from someone knowing your password, but another (stronger) SQL injection could do this all over again. I would never recommend using an online bank to keep your passwords because of how they have a tendency to get breached.

  • @MichaelLeung2011
    @MichaelLeung2011 4 years ago +1

    As an IT guy, your password won't do shit to protect you. As long as their database has a breach, we are all fucked up

  • @aettic
    @aettic 1 year ago

    I use a password manager because of a personal recommendation from a friend. Highly recommend finding one. LastPass is solid, as is 1Password, and Nord's password manager. The trick is, you have to actually use it. The other trick is, be aware that the master password you use is crucial to keep secret. Do not write it anywhere unless it's on paper in a safe or something. Make it something memorable, but also difficult to guess, etc. LastPass and 1Password are named that way because the master password should be the only password you need to remember. From there, you can (and should) use strong passwords for everything, which you don't need to remember.

  • @TigerScreem
    @TigerScreem 7 years ago +10

    Making all your weaknesses able to be found in one place..... smart... legitimately the same scenario as having all your passwords the same because they only have one obstacle to overcome to get all your info... that's like hiding something from a toddler inside their toy box.... the net is what hackers play with, just because it's out of your hands doesn't make it safe, write it down, put it on paper, hide paper.... inaccessible to hackers period

    • @ModernRogue
      @ModernRogue 7 years ago +6

      that makes perfect sense, if you truly believe you're better than a team of full-time professionals you'd hire to handle your security.
      Are you claiming that you're better than a team of full-time professionals at protecting your security?

    • @TigerScreem
      @TigerScreem 7 years ago +3

      nope, I'm saying paper is. Thanks for the reply nonetheless, big fan :)

    • @oscarsmith3942
      @oscarsmith3942 7 years ago +4

      The important difference is that by using the same password, you are reliant on the worst secured website that you use, whereas with LastPass or KeePass, a problem would have to be found in one specific site that presumably cares a lot about protecting passwords.

    • @MisterL2_yt
      @MisterL2_yt 6 years ago

      LastPass does put you at a single point of weakness, sure, and once LastPass is hacked and the passwords are leaked that's a big problem, but other than that it's safer than the other alternatives.
      As for "inaccessible for hackers", that's only true if you use a proper cryptic password AND have no keylogger or similar on your PC. Any other password, especially ones that contain common words, can be guessed using brute force. If you want to evaluate how strong a password is that uses common words, treat every word like it's 2 random letters and then evaluate the length of guessing. The comic at 3:50 is entirely wrong in this regard. The password on the bottom with 4 common words is essentially as secure as 8 random characters. Since the original uses no capitalisation either, we'll use none in our comparison. So you can say it would take a little over a minute to brute force that password.

    • @underdoneelm7721
      @underdoneelm7721 6 years ago +1

      But a password manager can't have their password database leaked because they don't have one. The passwords are encrypted with a one-time pad the key of which is the current hash of your password. If you try using an incorrect password you'll just get the wrong passwords back. Since the key is essentially random (due to the avalanche effect) and the passwords are actually random, all possible passwords are equally likely. In other words, your password manager doesn't tell them anything.

  • @Jack_Dab
    @Jack_Dab 7 years ago +4

    This reminds me to change my YT password since its shit

    • @Dredbot-hj7gy
      @Dredbot-hj7gy 7 years ago +4

      INB4 his password is literally "shit"

    • @silvanomazzu4256
      @silvanomazzu4256 7 years ago

      No its "since it's shit"

    • @Marizyth
      @Marizyth 7 years ago +2

      SvMazz its "it's

    • @silvanomazzu4256
      @silvanomazzu4256 7 years ago +1

      TheMarijn27 you got me there

    • @Wehra96
      @Wehra96 7 years ago

      my steam password was Fuckingbullshitpassword up until a year or two ago when I got KeePass and I got 2-step on everything that matters.

  • @Halo3machenima
    @Halo3machenima 6 years ago +1

    I often write a word and then encrypt it with a Caesar Cipher (like Vigenere Cipher) and then use the result as a password. So that way it is pretty much a seemingly random letter sequence (often with a couple numbers added for good measure) and not a word someone could guess.

    • @Halo3machenima
      @Halo3machenima 6 years ago +1

      Randomness, either by hand or computer, is still not truly random. Only nature can be random, and even then there are normally recognizable patterns in most cases. Also, as already mentioned in the video, coherent words are too easily guessed by a hacker because of the human factor. So a passphrase is still not secure enough. A seemingly random string created via an encryption algorithm is about the same as any other computer generated "randomness". Even the best "random number generators" still use an exploitable algorithm as that is what computers are bound by: Math. They can't go against their programmed logic. It is still better than "human randomness" however as the computer could use any number of possible algorithms that are hard to guess, but a human is limited literally by their imagination. Or in other words, their pattern loving nature.

  • @ClassyViking
    @ClassyViking 7 years ago +1

    According to that Password Meter site used in the video, "Summer2017!" is a 100% strong password. Please don't assume an algorithm on a website can tell you if your password is strong or not.

  • @arndegothia1412
    @arndegothia1412 7 years ago +15

    sup

  • @LTT.Official
    @LTT.Official 7 years ago +28

    Look at my username, you think my password is short?

    • @ModernRogue
      @ModernRogue 7 years ago +7

      hahahaha

    • @BurninGems
      @BurninGems 7 years ago +7

      Your password is:
      TIAPLUNWTFWHDTSTEWTUI!

    • @Dredbot-hj7gy
      @Dredbot-hj7gy 7 years ago +6

      I *know* your password is short.

  • @LaraxusArt
    @LaraxusArt 7 years ago +1

    Hey guys, I'm actually NOT sponsored to say this like they are but I have to agree with the MR guys, LastPass is fantastic for keeping track of super secure passwords. I've used it for about a year and it's really a life saver.

  • @heidibaltom8138
    @heidibaltom8138 3 years ago

    An IT person once told my friend "think of a song and use the 1st letter of each word of the lines" so you can sing the song in your head and type the 1st letter. I don't use that, but that's one way of remembering long passwords.

  • @NovemberOrWhatever
    @NovemberOrWhatever 7 years ago +4

    hash and salt my friends, hash and salt

  • @tmn36
    @tmn36 7 years ago +10

    Just search random password generator on google and save it

    • @rippah669
      @rippah669 7 years ago +6

      tmn36 don't completely trust online ones, because they'll commonly pull from a bank of passwords or log passwords you've used. It's safer to use one that's downloaded and to delete it when you're done.

    • @soundninja99
      @soundninja99 7 years ago +2

      Or just use lastpass. It generates it for you.

    • @ExodusisThere
      @ExodusisThere 7 years ago

      chill dude

    • @HRRRRRDRRRRR
      @HRRRRRDRRRRR 7 years ago +1

      I'm with tmn36, use a "random" password generator!

    • @magicking577
      @magicking577 7 years ago

      Kee2Pass is pretty awesome.

  • @robertkorhonen9417
    @robertkorhonen9417 7 years ago

    When you said "why wouldn't a person have a second lock on their door, would they just rather leave it open all the time? haHAA" you have to think about how practical it is for certain services to ask for multiple "keys" to a "door".
    Sure, I'll use as many security measures as I can to secure my bank account, but I'm not going to barricade my door every time I go to the store to pick up milk.
    All in all this might have sounded like an angry rant, but I really enjoyed this video and I feel like you overlooked practicality. :)

  • @MrBlack0950
    @MrBlack0950 5 years ago +1

    Two factor verification:
    Having two different keys, one being the handle lock, the other being the top lock.

  • @BusterBeachside
    @BusterBeachside 7 years ago +1

    If they told me to put in my passwords for that contest, I'd be like, "Well, all of my passwords are just randomly-generated gibberish stored in LastPass", haha. Of course, before I found LastPass, I was one of those poor sods who didn't even have a wall-- I mean, used the same password for every website, with small variations when there were "rules" to be followed. Bonus points if you caught the reference.

  • @cris_j
    @cris_j 4 years ago +1

    Came for XKCD reference. Time 3:50. If you do it XKCD's way, and use four truly random words, your password will be nigh invulnerable.

  • @PaulyM856
    @PaulyM856 6 years ago +1

    I can't stop laughing at the way Brian said, "You have a bad friend." XD XD XD XD

  • @metrazol
    @metrazol 7 years ago

    "Hmm, why did Brian change all his... !" "Ooooooooh."

  • @Nein1no
    @Nein1no 7 years ago +2

    An extremely annoying thing about making long passwords is not that they are long, but that some websites won't allow you to use, say, more than 16 characters. This includes many sensitive-information websites where you'd totally want more room to have a password as long as you'd like. If a free forum hosting website that nobody really cares about doesn't really limit password length, why in the world does a damn bank limit them? Some even go as far as to limit certain characters. WHY? MORE IS BETTER YOU FOOOOOOLS.

  • @Impetuss
    @Impetuss 6 years ago

    Passwords with words, a symbol between them and a number at end is easy to remember but hard to brute force, for example: Disk-Nails-Container-Coconut-2

  • @ramonrommers5387
    @ramonrommers5387 2 years ago

    In the end, when they put in their own passwords, I got very worried for them, because exactly these kinds of websites are used to spoof you, because the password you enter is one you have used once, are using, or will use in the future. As an analyst here, this is very scary.

  • @MsJavaWolf
    @MsJavaWolf 6 years ago

    Think about this nightmare scenario: you have created a 36-character password, completely random; actually, you wrote a random number generator in your favourite programming language, on a laptop that was freshly formatted and never connected to the internet. You have used it to protect your cryptos, and now you have forgotten it.

  • @gormygorm
    @gormygorm 7 years ago +2

    I would recommend using a password generator, and store all of your passwords locally, in a text file, preferably on a flash drive. also, use 2fa ALWAYS

    • @Povilaz
      @Povilaz 6 years ago +1

      Saving your passwords in a text file on a flash drive is low level. Writing your passwords on paper is the high level!

  • @CurtisWaltermire
    @CurtisWaltermire 7 years ago +1

    I've been using Last Pass for months now and absolutely love it! Add a VPN and you feel invincible online...

  • @TheRookie121
    @TheRookie121 7 years ago

    Another tip for using password managers. Back the passwords up in another password manager (KeePass for example). Or have a backup on a usb.
    Maybe make two backups.

  • @Vorance
    @Vorance 4 years ago

    Take a mixture of 3 words or names, make it 4-6 characters long combining the words, then take a random number generator to get 4-8 characters, throw in some random allowed symbols and put it through a jumbler. Rinse and repeat for every password with different words and numbers, get LastPass and store them there; you'll eventually remember them over time, but it does take a long while.

  • @jahkra9259
    @jahkra9259 6 years ago +1

    My new password is just gonna be the tragedy of Darth Plagueis the wise

  • @ItsNikoSlater
    @ItsNikoSlater 7 years ago

    How did I know before the video started that this was an ad for LastPass...

  • @HerocowTheRusher
    @HerocowTheRusher 7 years ago

    Next episode: Brian demonstrates how to use a keylogger, using Jason's passwords as demonstration.

  • @b7a1r3
    @b7a1r3 4 years ago

    A note: if you are going to use things relevant to your life in your password, use obscure ones. For example, my old password was the name of a street I passed every day when I was in a different state. It's so obscure that even if you saw the name, you wouldn't have any idea what it meant to me.

  • @clintonleonard5187
    @clintonleonard5187 7 years ago +1

    My childhood best friend used the word Dragon in every password he would use. It was always his favorite Yugioh card at the time, which was always a dragon.

  • @iwansays
    @iwansays 4 years ago

    The biggest flaw of the enigma machine was that a letter never became itself if you typed it into the machine, I think..

  • @JoshLathamTutorials
    @JoshLathamTutorials 7 years ago

    Top tip: Never re-use passwords. This is very important. It's unlikely your password will ever be brute-forced if you have a decent one. These days most password leaks are done through website vulnerabilities or phishing. Use nice unique passwords for everything and one super impossible one for your email.

  • @SerifSansSerif
    @SerifSansSerif 6 years ago

    Another thing... Well, two things that are kinda related.
    First is using guest checkout. For most sites, if you can go without a password, you're better off. It would be nice if this were more of a standard than not for commerce sites. Furthermore, most of our site interactions aren't storing useful information. Social media sites SHOULDN'T store birthdates, phone numbers, addresses, etc., but rely solely on people sharing their usernames personally with their family, friends, etc. It's a bad practice that shouldn't ever have been put into place. Treat everything you can as a burner account. (The closest we have, other than the above-mentioned "guest accounts", is that some credit cards offer rotational one-time-use CC numbers [and in my line of work I have seen this used for one particular business where an email is sent with a one-time-use CC number, and I have also dealt with a business-specific CC number where only one business is whitelisted for transactions with it], but these rely on the CC companies and users rather than using a "guest pass" system as a business-end default.)
    If you want to set up an account for the purposes of saved history and such, that's fine. Keep it separate from transactional data. I know with NJ, paying state taxes allows people to log in and see certain information with just a business name and a tax ID #, but you can't actually pay your taxes or do any sort of modification/transactions without logging in with the business name and password.
    A differentiation between what information needs to be encrypted and what does not should also be a standard. My Netflix account and playlist shouldn't require much to get in, but to access the account or pay my bill should. (And since often that is autopaid, really, you could have an 800 number with some automated menu to update any billing-related issues, which would remove access to this info from the web.) In short, if we didn't USE a highly insecure system (the web) to store highly sensitive data, passwords wouldn't be a huge issue.

  • @2crowz
    @2crowz 5 years ago

    The two passwords I remember having were "Princess33440" and "Minecraft10" before I got more creative.

  • @originalkhawk
    @originalkhawk 7 years ago

    Two factor is the worst in the way it works in most cases, where if you have access to the phone, or sometimes even the phone number, you can use that to reset a password and get into the account that way, essentially making 2 factor just 1 factor. I work in IT and I have a pretty good grounding in cyber security, and the amount of people that got their accounts compromised because they had set up 2 factor you wouldn't believe. So if a site offers 2 factor, please make sure it's for login only and you can't just reset the account password with the phone number or phone; if this is the case, DON'T USE 2 factor. In that case just a strong password, or as they would call it in cyber a passphrase, is the better option. And of course never repeat a password, and make sure you have as few accounts linked as possible, so if one gets hacked into or compromised the others are likely to be safe.

  • @Stargate2077
    @Stargate2077 6 years ago +1

    What about KeePass? It has the password management without the online repository.

  • @RogueBurger
    @RogueBurger 7 years ago

    "1Password is the only commercial password manager I recommend, but I'll go further than that when it comes to LastPass and say: I really think you should avoid LastPass, and, if you're using it, migrate to something else. I'm not going to go into details, sorry." - Thomas Ptacek, a well-respected security expert.
    Take from that quote what you will, but I personally know that he has much more experience with password security than I do, so I take his advice on this one.

  • @codeartha
    @codeartha 7 years ago

    For even bigger security freaks, I suggest not using LastPass because it sends all of your passwords (I know they are encrypted, but still) to the cloud. I'd strongly suggest a locally based password manager, like KeePass or PasswordSafe; they store them in a file on your computer or smartphone. Then you either manually keep the latest version of the file on your computers over USB, or sync them using your own server. Your server doesn't have to cost you a single extra dime, as file sharing servers can run on your computer in the background, and so your passwords will only be synced over your local network.
    I'd also suggest checking out YubiKey. It's like a USB stick that's made specifically to store your passwords and can send them to your phone using NFC when you need to log in somewhere.
    PostScriptum: 2FA is often a good way to get your phone number, as it shouldn't be required for the 2FA setup. Many sites don't ask for it. Those are good sites. Some like Facebook apparently can't do without... Just sayin'

  • @anikkundu9232
    @anikkundu9232 7 years ago

    You literally devoted a whole episode to the sponsor... Crazy man

  • @Athakaspen
    @Athakaspen 7 years ago

    There's no better security practice than having a single point of failure!
    -LastPass

  • @MREnderman1234
    @MREnderman1234 7 years ago +1

    You should do an episode about making mouth clouds. It's cool, you make your mouth humid, then pressurize your mouth, then blow. The vapor will condense and make a cloud

  • @splitmac
    @splitmac 7 years ago

    I really do like the occasional sit down and discuss episode of Modern Rogue

  • @AngelValis
    @AngelValis 7 years ago +1

    One of the major flaws with the Enigma code however was technical in nature; it couldn't encode a character as itself. So you might have a garbled string like, "fjkhdfauyuiwopqpfvlkuehjkassdoguoiui," but you could be sure that if you saw "f" that the original character could not have been an f.

  • @craigr4909
    @craigr4909 6 years ago +1

    Just so you guys know, you misspelled "vastly" in the 2FA description found at 8:02

  • @sartoshere
    @sartoshere 7 years ago

    Man, you guys have no idea how hard I tried not to watch this during class

  • @MikeTVest
    @MikeTVest 1 year ago

    One problem with multi-factor authentication, especially push notifications sent to your phone, is MFA fatigue. If people are constantly getting codes sent to the phone and entering them into websites they're more likely to do it without thinking. Which is bad because if someone compromises your password they'll send the push notification and you just push yes without thinking. Or they'll send so many of them one after another that you'll just push 'yes it's me' to stop the MFA flood.
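
The push-flood pattern described above, turned into a simple detection check over constructed log lines; this is an added example, not code from the video or any commenter, and the log format, field names, 120-second window and 5-push threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not real vendor output): one line per MFA push an IdP sends.
# alice receives six pushes within 70 seconds and finally approves one; bob gets two
# pushes half an hour apart, which is normal usage.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice event=mfa_push result=denied
2024-05-01T10:00:09Z user=bob event=mfa_push result=approved
2024-05-01T10:00:12Z user=alice event=mfa_push result=denied
2024-05-01T10:00:25Z user=alice event=mfa_push result=timeout
2024-05-01T10:00:40Z user=alice event=mfa_push result=denied
2024-05-01T10:00:58Z user=alice event=mfa_push result=timeout
2024-05-01T10:01:10Z user=alice event=mfa_push result=approved
2024-05-01T10:30:00Z user=bob event=mfa_push result=approved
"""


def parse_line(line: str):
    """Split '<timestamp> key=value ...' into (aware datetime, dict of fields)."""
    ts_str, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, dict(f.split("=", 1) for f in fields)


def detect_push_floods(log_text: str, window_seconds: int = 120, threshold: int = 5) -> dict:
    """Sliding-window count of pushes per user.

    Returns {user: alert} for every user who received `threshold` or more pushes
    inside any `window_seconds` span. The alert records the burst size and whether
    an approval landed during the burst, which is the outcome a fatigue attack aims for.
    """
    recent = defaultdict(deque)  # user -> deque of (timestamp, result) inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kv = parse_line(line)
        if kv.get("event") != "mfa_push":
            continue
        user = kv["user"]
        q = recent[user]
        q.append((ts, kv.get("result")))
        # Drop pushes that fell out of the window relative to the newest one.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(
                user, {"first_seen": q[0][0], "pushes": 0, "approved_after_burst": False}
            )
            alert["pushes"] = max(alert["pushes"], len(q))
            if kv.get("result") == "approved":
                alert["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_floods(SAMPLE_LOG).items():
        print(f"{user}: {alert['pushes']} pushes from {alert['first_seen'].isoformat()}, "
              f"approved during burst: {alert['approved_after_burst']}")
```

A burst that ends in an approval is the case to page on: the account should be treated as compromised until the user confirms they initiated the login.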

  • @kalemercer7053
    @kalemercer7053 7 years ago

    Been using LastPass for years. It's a great tool to keep track of and make secure passwords.
    PRO TIP: when you sign up for LastPass or any password manager, use a "private email account", an account that you never give out; this will make it twice as hard to get in to. It won't stop hackers, but it will make it a lot harder.

  • @SloopLow
    @SloopLow 5 years ago

    Coming back to this episode after a while. I don't use 2FA unless something makes me. My passwords are all weak. Most of the safety guidelines are more aggressive than they need to be and I'm doing okay without them. It isn't hard.
    1. I try not to keep anything valuable online.
    2. Anything I have online that is valuable to me is linked to a separate email.
    3. I don't tell people squat about myself (on a security question level).
    4. I use Wi-Fi at home and mobile data everywhere else.
    5. I don't sign in on anybody else's devices for any reason.
    Standards don't keep you safe. Using your head does. Same thing goes for not getting yourself hurt, not having things stolen, and not getting viruses on your computer.

  • @bedlamite42
    @bedlamite42 4 years ago +1

    Correct horse battery staple
    ETA: posted before they mentioned it.

  • @spikedpigeon5740
    @spikedpigeon5740 7 years ago

    What is really stupid is when it REQUIRES you to have at least this and that, narrowing it down for the bot to randomize.

  • @JonJon2040
    @JonJon2040 7 years ago +1

    tbh the reference to door locks is not very good, since if a thief compromised one lock, compromising the second one would most likely be as easy as the first. However, 2FA is different because if someone 'guessed' your password it is rare that he will have access to your devices/eyes/hands.

  • @erilassila409
    @erilassila409 5 years ago

    They always warn you not to use your own name as a password. Instead of my own name, I use my favorite internet personality's name. On one super important site, my password is a misspelled version of a word in a foreign language (and some numbers in there).

  • @TheAmazingJimmy
    @TheAmazingJimmy 7 years ago

    My passwords are based off of things in movies and TV shows that very few people watch.
    That way I can remember the password by watching the show or movie, then I see something that makes me remember the password.

  • @NintendoPolitics
    @NintendoPolitics 7 years ago

    My thought process is: use easy passwords for sites you don't care if people have access to it - difficult passwords for sites that you would prefer to stay private but it wouldn't be the end of the world if broken into, and then complex passwords for emails/banking/etc

  • @Wrench245
    @Wrench245 7 years ago

    At one job, the training manager needed my password. I was on vacation, so they sent me a text. I replied with the password. They bungled that. When I got sick of texts, I called. Explaining it to them took an hour. When I left the company, they wanted my newest password. I could train my dog to cook in the time it took to get the training manager to enter it correctly. You would think someone in the aviation industry would be able to understand L1329-6, and you'd be wrong.

  • @acocarful
    @acocarful 7 years ago

    Maybe I'm the only one who reads the description of the video; I'm thrilled that Jason plays LOTRO, didn't know that :)

  • @Meep3692
    @Meep3692 7 years ago

    Brian's email password is a series of 7 lowercase letters and a single lowercase letter separated by a series of 4 numbers. I've calculated that this gives us 4,176,541,291,520,000 possible passwords. Guessing it can be made more efficient by starting with some assumptions: the 7 letters is a word, the number is a year, likely the year he was born or the year he opened that email.

    • @ModernRogue
      @ModernRogue 7 years ago

      +Kanada Ichigodesu you'll also need a time machine to take full advantage of your insights...
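
Worked keyspace arithmetic for the two counting methods that appear in this thread: the "treat each common word as two random letters" shortcut earlier in the thread versus a uniformly chosen word list as in the comic, and the lowercase-word-plus-year mask counted in the last comment. This is an added example, not code from the video or any commenter; the 2048-word list size and the guess rate are assumptions.

```python
import math

# Assumed parameters for this added example (not from the video or the thread):
# a 2048-word list as in the XKCD comic, and a constructed guess rate for the
# crack-time estimate. Real attacker throughput depends on the hash and hardware.
XKCD_LIST_SIZE = 2048
CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33}  # lowercase, uppercase, digit, symbol


def bits_random(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def bits_wordlist(words: int, list_size: int = XKCD_LIST_SIZE) -> float:
    """Entropy of `words` words drawn uniformly (with replacement) from `list_size` words.
    This is the comic's model: 4 words from 2048 is 4 * 11 = 44 bits."""
    return words * math.log2(list_size)


def bits_words_as_two_letters(words: int) -> float:
    """The thread's shortcut: score each common word as two random lowercase letters."""
    return bits_random(CLASS_SIZES["l"], 2 * words)


def mask_keyspace(mask: str, arrangements: int = 1) -> int:
    """Number of candidates for a structural mask such as 'lllllll' + 'dddd' + 'l'.
    `arrangements` multiplies by the number of equally likely orderings of the parts
    (the last comment's count, word then year then letter or the reverse, uses 2)."""
    total = 1
    for ch in mask:
        total *= CLASS_SIZES[ch]
    return total * arrangements


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of a `bits`-bit space at a given rate."""
    return 2.0 ** bits / guesses_per_second


def compare_models(words: int = 4, rate: float = 1e9) -> dict:
    """(rounded bits, seconds to exhaust) for the models discussed in the thread."""
    models = {
        "word list, uniform": bits_wordlist(words),
        "each word = 2 letters": bits_words_as_two_letters(words),
        "8 random lowercase": bits_random(CLASS_SIZES["l"], 8),
        "8 random printable": bits_random(95, 8),
    }
    return {name: (round(b, 2), seconds_to_exhaust(b, rate)) for name, b in models.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare_models().items():
        print(f"{name:24s} {bits:6.2f} bits  ~{secs / 86400:.2f} days at 1e9 guesses/s")
    print("mask lllllll+dddd+l, 2 orderings:", mask_keyspace("lllllllddddl", arrangements=2))
```

The mask count reproduces the figure in the last comment exactly, which shows how much a known structure (a word, a year) shrinks the space before any dictionary is applied.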