Simon Peeters Oh yeah, I was thinking of sending to the same domain and all. I've heard that stuff like that is different, but never found anything concrete (and I was only thinking of sending to the same mail provider, which, AFAIK, doesn't really leave the mail servers unencrypted. Forgot completely about that thing). I'm not going to argue on that since you're probably right. If you find any further reading on that, please send me a link. I couldn't find anything relevant, but I've had trouble finding a good search term, so you might have more luck here. Edit: either way, most man-in-the-middle attacks don't happen when traffic is being routed between major web servers (but rather between you and the ISP, unless there's some DNS spoofing involved or something like that), so at least that's something.
+tadej petric The problem isn't the e-mail being unencrypted. The fact that they can e-mail you your password is a sign that they aren't storing it securely in the database. Take Adobe, for example. They were encrypting passwords but not hashing them. There was a direct relationship between the password length and the encrypted password length and there was no salt so everyone with the same password had the same encrypted password. It was easy then for hackers to even use things like the collective password hints to guess / crack the passwords. This is why it's scary. The security of the e-mail doesn't even come into it.
WOW! This was really enlightening. Thanks, Tom, for this small but crucial bit of information. P.S. I really like your videos. You explain everything in such an easy-to-understand way.
I live in tiny Holland. No building here before 2000 was allowed to be higher than "de Dom", which is a church from 1487 (or further back even) and is 151 meters high. Now I see the building in the background and I really realize just how puny and tiny our buildings are.
Assuming you are talking about De Dom in Utrecht... then something is wrong here. It was built between 1254 and 1517 (in phases). It is 112.32 m high. There are other buildings in The Netherlands higher than 112.32 m:
- Delftse Poort, 151 m high, finished in 1991
- Rembrandttoren, 150 m high, finished in 1994.
So... what are you talking about? :/
Awesome, but how about this: Facebook sometimes shows a message when you type in your password but you were off by a character: "Your password is wrong but close, please try again" or something like that.
Well, this is actually not that much of a problem (but still not something I am comfortable with), because Facebook takes your input, and if it doesn't work, replaces some characters you typically type in wrong (think of "I" instead of "L") and tries that again. If one of those matches, you get the message "it is close".
My password story usually goes like this:
Me trying to log in to a website or app
App: please re-enter your password
Me: enters password
App: password incorrect, please re-enter password
Me: enters password (it's DEFINITELY this password)
App: password incorrect. Account locked. Please create new password
Me: enters password I have been attempting to use the whole time
App: password cannot be the same password used previously
Me: ARGHHH
Fun fact: if you use Showbie in schools, not only does Showbie just store your password, teachers in the classes you're in can see it if they press a reveal password button on your name... run
Important distinction between hashes and prime factors: with hashes there's information loss, which is why it's so hard to crack, because one essentially has to guess what information was lost. With prime factors we genuinely don't have the maths to make an efficient algorithm on classical computers to factorize numbers; there's no information loss, humans are just too stupid.
I've been a software engineer for years and definitely know how hashing data works. Still watched through it and enjoyed it, and IDK why YouTube recommended me this.
I still remember when I created an account for a website, and they emailed me my username AND password to say "Welcome to ..." I never thought much about it because back then, I didn't know ANYTHING about passwords, encryption, hashing, and I even used the same password for all of my accounts. But now, good god, did they store my password in plain text.
Just signed up as a technician at NAPCO SECURITY (they make alarm systems) and they sent me a message saying my request was successful and then conveniently listed my username and password. Thank goodness I used a secondary email.
Hi Scott great video love this type of content. I think something you missed explaining to the regular user, is that if someone steals that hash of your password it’s no good because when they put it through the same algorithm it won’t give a useful answer. A lot of people will not understand this without being told.
I sincerely love all your videos! You just have this wonderful, and soothing tone that sounds very BBC (if you get what I mean!) Not only that, but the topics you cover end up grasping my attention for hours at end! Please keep it up! :3
I worked at a SaaS place that had passwords stored in plain text in the users table. It was a platform the company had acquired and was phasing out, but it was still a bit of shock. We had to convert some customers sooner than others since they were in a state that required more stringent security practices from vendors.
The only small bit of info I think was lacking was that the hashes made from passwords are (or rather should be) unique. So that not only is the reverse operation to get a password from a hash nearly impossible, but getting the same hash from 2 different passwords is as well. Otherwise - nice, clean and easy to follow for anyone :)
xato909 Simple. UA-cam's subbox is shit, therefore anything would be better. Due to its ease of use, the ability to get "instantly" the message that a new video is out, even before it's public (sharing the link to an unlisted video), and being able to interact with the uploader, Twitter gets my "8/8 m8" award for the best UA-cam subbox of the year. Developed enough for ya?
I have actually been working on an encryption program myself, just for fun. It's using kinda the concept of prime numbers, but it also has to work in tandem with a unique 8 digit key, which is a secondary piece of information provided for the user. The algorithm changes based on what key you give it, so the database comparison only works if you have both parts.
I was very disturbed when Virgin Media sent me my password in plain text, IN THE MAIL. It boggles me how one of the UK's biggest ISPs is so lax on security.
I applied for a job and they sent me an email with my password in it (the password I created, not an auto-generated one). So, hoping it was just being sent before it got hashed and stored, I clicked the password recovery button. Got my password sent again. So I emailed the company about this. Within 48 hours I got a response from a person saying they were looking into it. I checked their site and they had removed the ability to request password recovery (instead the link took you to a page saying the feature was temporarily disabled). Within a week I got another email thanking me for bringing the issue to light and saying they had rectified it. Now the password recovery sends you an email with a link to enter a new password. So yay, no longer in plaintext (I hope).
I've recently been sent my username & password (together) in an e-mail from a web service. Other people have raised this as a potential security flaw, but the site owners appear to be in denial, saying that the security complies with all of the Government's recommendations (it's a service backed by an arm of UK Govt). I doubt it does.
Perhaps you should tell them to send the ID and password on a postcard or the back of a sealed envelope through the post and see if they (and the government) think that is OK and not a security risk. (Plaintext emails are akin to postcards: anyone (with sufficient privileges) on the servers through which they pass (plus packet snoopers) can read them.)
+Joel Reid They could, but usually they know the hash of that password stored in the database and email off the plaintext on submit. After that the plaintext password is tossed; when you type the new temporary password in, a hash comparison is done like always and then they ask you to change it again. This is also typically known as a reset token; it's the same basic concept, which allows you to be validated and authenticated to change your password. Usually for password resets you won't notice the token, though; usually it's embedded in the URL, something like ?token=12301i24kjbh124ljhsdpfiuh28. I handle this by assigning a random token to a user's row in the DB and setting a flag like resetPassword = true. They click the link, the software checks the token and checks if resetPassword=true, and if it does then it asks for a new password. Temporary passwords work the same way; there's just a manual intervention of the user having to type in the temp password.
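As an added example (not code from the commenter or from the video), here is the reset-token flow described above in Python: a random token goes into the emailed link, the users table keeps only a hash of it plus an expiry, and it can be redeemed exactly once. The in-memory table, the 15-minute lifetime and the user names are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for the users table; not a real database.
# Only a hash of the token is kept, so a copy of the table does not hand out
# live reset links.
USERS = {"alice": {"reset_token_hash": None, "reset_expires": 0.0}}

TOKEN_TTL_SECONDS = 15 * 60  # hypothetical policy: links expire after 15 minutes


def _token_hash(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username, now=None):
    """Create a single-use reset token for a user and return the value to email.

    The returned string is what goes into the ?token=... link; the table stores
    only its SHA-256 and an expiry time, never the token itself.
    """
    now = time.time() if now is None else now
    user = USERS[username]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    user["reset_token_hash"] = _token_hash(token)
    user["reset_expires"] = now + TOKEN_TTL_SECONDS
    return token


def redeem_reset_token(username, token, now=None):
    """Return True exactly once for a valid, unexpired token, otherwise False.

    A successful redemption clears the stored hash so the same link cannot be
    replayed; an expired token is cleared and rejected as well.
    """
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or user["reset_token_hash"] is None:
        return False
    if now > user["reset_expires"]:
        user["reset_token_hash"] = None
        return False
    # Constant-time comparison of the hashes, never of the raw token strings.
    if not hmac.compare_digest(_token_hash(token), user["reset_token_hash"]):
        return False
    user["reset_token_hash"] = None  # single use
    return True


def set_new_password_after_reset(username, token, new_password_hash, now=None):
    """Glue for the reset form: accept the new password only if the token redeems.

    new_password_hash is assumed to already be a salted, slow hash of the new
    password; this function only gates the write on the token.
    """
    if not redeem_reset_token(username, token, now):
        return False
    USERS[username]["password_hash"] = new_password_hash
    return True


if __name__ == "__main__":
    t = issue_reset_token("alice", now=1000.0)
    print("first redemption:", redeem_reset_token("alice", t, now=1060.0))
    print("replay of same link:", redeem_reset_token("alice", t, now=1061.0))
```

The flag-plus-token approach in the comment works the same way; storing the token's hash instead of the token itself is the one extra step, so that a leaked users table cannot be used to finish someone else's reset.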
+Joel Reid That's true, but that temporary password is salted in the same manner as the video said, so they really only know it from the email logs (ie. it's not stored in the database).
It's an old video, mate. Nobody knew back then. Besides, if the user uses a weak password like 12345678 or qwertyuiop (or any dictionary words), the password could be "easily" guessed using a combination of Brute Force and Dictionary Attack.
Cool video (though I've seen the computerphile ones before and they quite helped me half a year ago when I got serious about back end dev!). The preview looks AWESOME. Looking forward to it!
+Jan Novák They shouldn't even be doing that, most e-mail is not secure. Passwords should always be generated by sending you to a web page on the site with time sensitive authorisation and allow you to type in your own password.
El Burrito That's why you're supposed to change the password as soon as you log in. Plus, I don't think it matters, if your email is compromised, whether you get a link to change the password, or send a newly created password.
Tom thank you so much for this particular video, especially the ending as I'm sending it right now to a client of mine who is asking me why am I telling them to change their hosting provider after they recovered a password in a plain text email :))
I am an Engineering student but you taught me something today, that for a number to be divisible by 3 then the sum in the number must be a multiple of 3. 👍
But doesn't that open the possibility that a different password will be accepted instead of your real one if it hashes to the same code? Let's say your hashing algorithm is "number % 10", then if my password is 244, I could type in 384 and it would work.
+Najarala Some operations are many-to-one. That is, different inputs can result in the same output, which is your concern. However, the hashing/salting algorithms used for cryptography are always one-to-one operations, meaning that there is absolutely no way that two different inputs can result in the same output.
My local credit union used to email back plaintext passwords for recovery. Thankfully they rectified this, to what degree I don't know. Banks are painfully ironically terrible at information security.
Or sites that set a limit like "password cannot be longer than 15 characters" There's no reason to do that unless you want to save space and avoid errors surrounding plain text... So hopefully not the passwords!
I had a college professor that talked about working with a computer that spent a lot of time finding the prime factorization of really large numbers, and how password decoding would take a ton of time.
That's wrong though. If you hash server side, you MUST, at least for a short time, store the password in plaintext on RAM. Also, most password hash algs aren't "hard" to do backwards, but absolutely mathematically impossible, simply due to overlap.
Most websites don't hash server side though. Usually, the client hashes the password, then sends the hash to the server to be stored; preventing a plaintext copy of the password from being intercepted during transmission.
Oliver: That is wrong and a really, really bad idea. If you create the hash+salt on the client side and send it to the server to be stored, it effectively becomes your password that you send and store as plaintext. Intercepting it would have the same effect as intercepting your original password. If the user database was leaked, anyone who saw the hash could log in to your account easily by modifying the login page code a bit or doing a manual HTTP query. You'd lose almost all the benefits of hashing. Hashing isn't a sound way of securing your traffic. You should encrypt traffic properly with TLS. Re-hashing the hashed password on the server side and storing that would prevent the plaintext problem, but it also adds the disadvantages that come with peppering. Suffice to say it's not good practice. There's a whole slew of other problems with client-side hashing. Updating encryption algorithms would be tricky. I won't even go into the problems specific to browsers.
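To make the objection to client-side hashing concrete, an added example in Python (not code from any of the commenters): two toy login services, one that stores the browser-computed hash verbatim and one that derives a salted PBKDF2 hash on the server. The `leaked_row_logs_in` check shows that in the first design, whatever is read out of a copy of the users table is accepted as the credential, so the stored value is a password-equivalent; in the second it is not. Class names, the work factor and the sample user are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # constructed work factor for the demo


def browser_hash(password):
    """What a 'hash it in the browser' design sends instead of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ClientHashingServer:
    """Stores the browser-computed hash verbatim and compares against it."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def credential_for(password):
        # The client never sends the password, only its hash.
        return browser_hash(password)

    def register(self, user, password):
        self.table[user] = self.credential_for(password)

    def row_as_string(self, user):
        # What anyone holding a copy of the users table reads for this user.
        return self.table[user]

    def login(self, user, credential):
        return hmac.compare_digest(self.table.get(user, ""), credential)


class ServerHashingServer:
    """Receives the password itself (over TLS) and salts and hashes it server-side."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def credential_for(password):
        return password  # the browser sends the password; TLS protects the wire

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)  # fresh per-user salt
        self.table[user] = {"salt": salt, "hash": self._derive(password, salt)}

    def row_as_string(self, user):
        return self.table[user]["hash"].hex()

    def login(self, user, credential):
        row = self.table.get(user)
        if row is None:
            return False
        return hmac.compare_digest(self._derive(credential, row["salt"]), row["hash"])


SAMPLE_USER, SAMPLE_PASSWORD = "alice", "correct horse battery staple"  # constructed


def legitimate_login_works(server_cls):
    """The real user, sending what the client is supposed to send, gets in."""
    server = server_cls()
    server.register(SAMPLE_USER, SAMPLE_PASSWORD)
    return server.login(SAMPLE_USER, server.credential_for(SAMPLE_PASSWORD))


def leaked_row_logs_in(server_cls):
    """Does the stored value alone, with no knowledge of the password, pass login?"""
    server = server_cls()
    server.register(SAMPLE_USER, SAMPLE_PASSWORD)
    return server.login(SAMPLE_USER, server.row_as_string(SAMPLE_USER))
```

Both designs accept the legitimate user, which is why the first one looks fine in testing; the difference only shows when you ask what a copy of the table is worth. Re-hashing the client's hash on the server with a salt, as the comment mentions, would turn the first design into the second with the browser hash playing the role of the password.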
The notorious Chinese version of StackOverflow, CSDN, used to store actual unhashed passwords and leaked them. And millions of people are still using the site every day, bruh
I am a computer programmer and I always knew that this is what happened, but never really understood how before now. This was the best video I watched in a long time. Nite to go watch the one that includes salting.
I've gotten into the habit of pretending I forgot my password right after signing up. Even better when I can log in with my Google or Twitter account: no password needed, and no escalation of privileges.
When I was 12 I made a basic password system that hashed a password using the password itself as the hash, then stored it. It seemed to work and I was happy.
I almost had a heart attack when I started working where I do now and discovered all of our user's passwords were in plaintext. I brought up objections to it, and was told it wasn't worth changing because we don't hold onto any data that really matters (basically an email address). Had to point out that the passwords the user uses are probably the same password for accounts elsewhere; so if I could see their passwords and email addresses, then I could probably log into their email and just go from there. They still didn't think it was really an issue. After arguing and out of desperation I had them pick a random user from the database, and I used the clearly visible information to log into that user's email.
Suddenly hashing the passwords became a priority.
Thanks for protecting the consumers
That one guy...
@@itismethatguy
...probably almost had a heart attack when his email provider showed him another device he didn't know had logged in to his email account.
Hashing isn't even enough these days
@@Xnoob545
It's at least a good starting point.
I know, some hashing algorithms can relatively easily be reversed these days but there are always new hashing algorithms that are more time-consuming to crack.
I don't know my password either! Wow, I am so much like YouTube.
+MLG Cthulhu
you just open your favorite browser and it works? :D
Freakschwimmer yeah.
+MLG Cthulhu Mine's randomly generated; I just keep an encrypted file so I know what to enter where.
+Tomuhawk clever
👏
Kind of disappointed you didn't end on "if you find a website that DOES email you your password, run, because proper security is... a thing they might not know."
Even hashed, hashing with md5 is still not secure tho
Slightly grammatically incorrect, but I'm with you
@@markmayonnaise1163 better?
MD5 is garbage.
@@maoitsme0 I realize this video and comment are old, but I just wanna say that people don't use MD5 because it's too fast and is prone to collisions, which is really bad for passwords. Use something like bcrypt instead.
That's okay, I can't remember mine, either
How did you get to your UA-cam account, then?
It's stored in his Browser +pixar121
I just download one of those ad-infested password managers from Softonic, works like a charm!
Obviously I'm joking...
That means *noone* knows!
It's the perfect way to hide your password.
"If they do [send it back], run. They have no idea what they're doing."
*Cough* ADOBE *Cough*
Adobe sent back password hints, not passwords.
It's not quite as bad as sending back passwords but given that password hints are typically easy to solve, it's still rather bad.
Does Adobe send passwords? I thought that their database got hacked and the hackers looked the passwords up on a rainbow table.
Adobe's fault for not salting the passwords.
They used to a few years ago, but once they were hacked, changed it. Massive leak of data because they didn't store passwords correctly.
I was also surprised to see that the forum for the LWJGL (a Java game library) sends you your password. Now it's a fairly small forum that's probably using some forum generator service, but still - I'd expect a bunch of programmers to know not to do this stuff :D
***** Seconded! Though I'm not a member of that community (I have used LWJGL in the past, though), I'm sure all the programmers there would be glad to know of and to try to patch any security flaws.
I made an account with a hosting service at one point, I had an issue logging into my account and they emailed me my password. This video is what saved me from putting my personal and payment information into that website.
+Ispira Was it 000webhost? They recently had a huge data breach due to them not hashing passwords securely.
I once forgot a password on ucoz and they literally just opened a window with my password in it
I know this is an old comment, but it was most likely 000webhost.
@Artyom Fomin |:| Without any email confirmation? Anyone can literally just say forgot password and get access to your account?
@@serendipity-tilde no, because if you do forgot password, they email it to the person with the email connected to them
"If you ever find a company that does email you your password when you say you've forgotten it, well, run"
I'd love to, but they control the entire college textbook market and I have to use their services to turn in my homework.
The best you can do then is make very extra sure that you do the thing you ought to anyway: use a different password with them than you use for anybody else. That way if (when) somebody lifts their password & email database, that somebody can't get access to your other online accounts by just trying out your email & password combo with lots of sites.
And don't leave sensitive information (eg Credit Card) on that site.
Dang it CollegeBoard!
Just ask them how that is possible if they are storing passwords securely with a salted hash
Just print out your homework and give that to them lmao.
"neither does Facebook"
oh, the good old times before we found out FB stored passwords in plain text
*major vulnerability in debugging logs made for when they were creating the site*
Facebook: eh, forget about it
@@ezshroom ha, log vulns
I wouldn't be surprised if UA-cam stored passwords the same way Facebook does.
@@legendgames128 considering Google hasn't had any major database leaks they def care a lot more
@@Heha323 Oh I wasn't talking about that, but good point.
aah yes, the good old days of receiving your password as an email when you'd forgotten it. Also, salting (for those interested) is the act of adding random bits of rubbish data to the hash. Any potential hacker won't know what part of your password hash is "real" and what is part of the "salt", making it effectively impossible to reverse.
salting also prevents same passwords hashing into the same thing
Tom finishes the video with "I've made a video about password hashing over on Computer-something" but doesn't link it in the description... this is the comment I was looking for, thanks! Don't need to find the video now.
There's also peppering, which is similar to salting, but your byte sequence is universal for every user and importantly is stored in code. That means a hacker, who got their hands on the database, won't be able to brute force the hash as they are missing part of it
Fisch37 salt and pepper. Is there another security measure named after food or the like?
@@legendgames128 Sadly, I'm not aware of any. However, if anyone manages to serve a cyber security meal, I'd like to know
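Putting the salting and peppering comments above into working code, as an added example that is not part of the thread: each user gets a random salt stored next to the hash, the pepper is a single secret kept out of the database and mixed in with HMAC before a slow KDF (PBKDF2-SHA256 here), and verification uses a constant-time compare. The pepper value and iteration count are constructed placeholders, and the sample passwords are made up.

```python
import hashlib
import hmac
import os

# Hypothetical pepper: one secret for the whole site that lives in code,
# config or a secrets manager, never in the users table. Constructed value.
PEPPER = b"example-pepper-rotate-me"

PBKDF2_ITERATIONS = 200_000  # illustrative; raise until one hash costs ~100 ms


def _derive(password, salt, pepper):
    # The pepper is folded in with HMAC before the slow KDF, so the stored
    # hash depends on a secret the database never contains.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)


def hash_password(password):
    """Return the record to store: a fresh 16-byte random salt plus the hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(password, salt, PEPPER).hex()}


def verify_password(password, record):
    """Recompute with the user's stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = _derive(password, salt, PEPPER).hex()
    return hmac.compare_digest(candidate, record["hash"])


def same_password_same_hash(password):
    """With a per-user salt, two users sharing a password get different hashes."""
    return hash_password(password)["hash"] == hash_password(password)["hash"]


def matches_with_wrong_pepper(password, record):
    """Recompute from the database row alone: salt known, pepper guessed wrong.

    Shows what an offline check against a copied table is worth without the
    pepper: even the correct password does not reproduce the stored hash.
    """
    salt = bytes.fromhex(record["salt"])
    candidate = _derive(password, salt, b"not-the-real-pepper").hex()
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("right password verifies:", verify_password("correct horse battery staple", rec))
    print("two users, same password, same hash?", same_password_same_hash("hunter2"))
```

The salt is not secret and is stored beside the hash; its job is only to make equal passwords hash differently and to defeat precomputed tables. The pepper is the part that must stay out of the database, which is also why rotating it means re-hashing users on their next login rather than in bulk.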
"Facebook doesn't know your password either"
That aged well
😅
We visited a security company with a cryptography course I did in the summer holidays.
My favorite stories from there were a) the director of a company with "password" as a password and b) a company that managed to mess their hashing algorithm up in a way that hashes of passwords would be counted as the password
(they realized their mistake after someone got into that database and deleted all of their data - they didn't even have back ups of most of that)
Thank you for the simple explanation. I often tell others about this, but if they're not techies, their eyes glaze over at an over-complicated explanation. This one was short and sweet.
The Hashing Process:
Take a coherent sentence → Smoke some hash → Your coherent sentence has been converted into indecipherable, illogical ramblings on the meaning of life and conspiracy theories.
WARNING: After hashing, you may feel an increased need to accept cookies.
I guess I'm always high - nobody can understand my incoherent rambling.
0:02 Facebook was found to have passwords stored in plain text...
That's why I ran.
When?
When?
I don’t care 👍
Just search for "Facebook Plaintext Passwords".
your accent makes you smarter than you already are
remove "al" from already... and replace the "d" with "ll".... muahahaha
+Basel Kader really
True! Why is this guy not on TV? I've seen presenters who sound like they've been picked off the street!
Corvid don't talk about Jimmy Fallon like that!
He's already very smart, the accent just helps him to sound cool.
So I was once signed up for a bank service that emailed me my password in plain text in a confirmation email.
Needless to say I didn't stay with them for long.
That's not the same; you could enter a password saved as a session variable - $pass. Then when they email you, "Thanks for being with us, your password is $pass", and then once the scripts have been run and you close the browser window, ending the session, the variable is forgotten.
This wasn't a session thing, this was some time later I hit a forgotten password request and it sent me the password in full.
Uhm it's still in his email right?
Not when requesting a new password. Tom just didn't specify the exception that I explained.
Your bank uses passwords?
In my country banks have several security features aimed at making direct attacks impossible. One of them is avoiding passwords, and instead using sms-messages and special programs on the phone.
When I was signing up for University accommodation, I was blown away that the system emailed me my password in plain text just as a reminder a few days before moving in!
Ughh the British government websites email your passwords... awkward haha
Government websites are ludicrously far behind.
Imagine trusting the government
Same here in Italy 😅
Turkish government websites tell you to change your password once a month and the changing process requires a lot of ID confirmation, but those websites have been hacked in the past as well; no one is safe :D
@瑞安卡特里尔 what
5 years later:
*facebook logged passwords*
*surprised pikachu face*
I mean, I'm coming from 5 years in the future, and Facebook has had dozens of scandals where their users' passwords were just saved as plain text.
It's actually illegal to store passwords in plain text in many countries, namely France.
France is not many countries, but _one_ country. Instead of "namely" the use of "for instance" would have been more adequate.
@@lonestarr1490 you're wrong. In this case, "namely" and "for instance" are interchangeable.
@@kourii who said "namely" couldn't be used to refer to a single element in a group?
@@obiwac Umm nope, you're wrong. "Namely" and "for instance" are never interchangeable.
"More adequate" is also incorrect. 😕
@@sw_9_9_9 niggardly then?
This guy is a gem.
I'd really like to see more of these in a web series or something. Very basic information, dumbed down for non-technical users. I used to work for an ISP so this kind of information would have been awesome to have. "Why can't you just tell me my password for the Internet?" - "Well, because we have a system admin that actually knows about security. Let me change your password and then I'll send you an informational video, darling." God that would have been SO useful.
This is probably the best explanation I have ever had for password encryption. I have had people try to explain it before, but this way is so simple to understand.
Well, it is technically not encryption, and using actual encryption for password storage would be a BAD BAD idea, since encryption can be reversed. However, yes, it is a good explanation of the basics of secure password storage/password hashing.
"Thank you, 'forgot password option', for literally being my password."
-Jimmy Fallon
Thank You Notes, Late Night with Jimmy Fallon
“UA-cam doesn’t know your password...
...but Facebook does”
Oh shit I think I've gotten my password via email before. This is retroactively terrifying. : O
+Alex Harris Sending passwords via email is terrifying in 2 ways:
1) what the video is about (they have to store it)
2) e-mail goes unencrypted over the public internet, and therefore is interceptable by almost anybody, way easier than cracking the database of the server.
(sorry for the reply to an old post, wanted to terrify you some more)
+Simon Peeters Emails are usually encrypted, but yeah, still not as secure as a hash.
tadej petric Uhm, no, emails are usually unencrypted. Your communication between your client and your mail server might be encrypted, but the communication between mail servers on the net happens unencrypted.
So if I were to send an e-mail from my work e-mail to my Gmail, it would go encrypted from my laptop to my employer's server, then unencrypted to the Google servers, and then encrypted back to me.
Simon Peeters Oh yeah, I was thinking sending to the same domain and all. I've heard that stuff like that is different, but never found anything concrete (and I was only thinking sending to the same mail provider, which, AFAIK doesn't really leave the mail servers unencrypted. Forgot completely about that thing). I'm not going to argue on that since you're probably right.
If you find any further read on that, please send me a link. I couldn't find anything relevant, but I've had troubles finding a good search term so you might have more luck here.
Edit: either way, most man in the middle attacks don't happen when traffic is being routed between major web servers (but rather between you and the ISP unless there's some DNS spoofing involved or something like that) so at least that's something.
+tadej petric The problem isn't the e-mail being unencrypted. The fact that they can e-mail you your password is a sign that they aren't storing it securely in the database. Take Adobe, for example. They were encrypting passwords but not hashing them. There was a direct relationship between the password length and the encrypted password length and there was no salt so everyone with the same password had the same encrypted password. It was easy then for hackers to even use things like the collective password hints to guess / crack the passwords. This is why it's scary. The security of the e-mail doesn't even come into it.
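The comment above contrasts reversible, unsalted storage with salted hashing. As an added illustration (not from the video or any commenter), the Python below builds a toy deterministic scheme that reproduces the two properties described: equal passwords give equal stored values, and the stored length tracks the password length. It then shows what a database thief learns from that without cracking anything, next to per-user salted PBKDF2 storage from the standard library. The accounts, the fixed key and the toy XOR construction are all constructed for this example and are not any vendor's real cipher or data.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Set

# Constructed sample accounts (hypothetical addresses); two users chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.com": "correct horse",
    "bob@example.com": "correct horse",
    "carol@example.com": "Tr0ub4dor&3",
}

SITE_WIDE_KEY = b"one-key-for-every-record"  # the single shared key of the unsalted scheme


def store_deterministic(password: str) -> str:
    """Toy stand-in for 'encrypted, not hashed, no salt' storage.

    It reproduces the two properties described in the thread (same password ->
    same stored value; stored length tracks password length) by XORing the
    password with a keystream derived from one fixed key.  It is an
    illustration built for this example, not any vendor's actual cipher.
    """
    data = password.encode()
    stream = hashlib.sha256(SITE_WIDE_KEY).digest()
    while len(stream) < len(data):            # extend the keystream to cover the input
        stream += hashlib.sha256(stream).digest()
    return bytes(a ^ b for a, b in zip(data, stream)).hex()


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow, one-way KDF (PBKDF2 from the stdlib)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_groups(stored_values: Dict[str, str]) -> List[Set[str]]:
    """What a database thief learns without cracking anything: which users
    share a password, because their stored values are identical."""
    by_value: Dict[str, Set[str]] = {}
    for user, value in stored_values.items():
        by_value.setdefault(value, set()).add(user)
    return [users for users in by_value.values() if len(users) > 1]


def stored_lengths(storage_fn: Callable[[str], str], passwords: List[str]) -> List[int]:
    """Length in hex characters of each stored value; this leaks password
    length whenever the scheme is not a fixed-size hash."""
    return [len(storage_fn(p)) for p in passwords]


if __name__ == "__main__":
    weak = {u: store_deterministic(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: store_salted(p) for u, p in SAMPLE_USERS.items()}
    print("duplicate groups, unsalted:", duplicate_groups(weak))    # alice and bob grouped
    print("duplicate groups, salted:  ", duplicate_groups(strong))  # nothing to group
    print("lengths, unsalted:", stored_lengths(store_deterministic, ["abc", "abcdefghijkl"]))
    print("lengths, salted:  ", stored_lengths(store_salted, ["abc", "abcdefghijkl"]))
```

The salted output is always 97 characters regardless of input, and two users with the same password get unrelated stored values, so neither the length nor the equality signal survives.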
I hate when I have to reset my password because I forgot it, but then I go to reset it and it says that I cannot use an old password.
I've experienced that before, and the worst part is I had already tried logging in with my old password and it was incorrect
I reset my password once and it told me I couldn't change my password to my current password.
They actually log your old passwords hash.
This is not that bad.
WOW! This was really enlightening. Thanks, Tom, for this small but crucial bit of information. P.S. I really like your videos. You explain everything in such an easy to understand way.
I live in tiny Holland.
No building here before 2000 was allowed to be higher than "de Dom", which is a church from 1487 (or further back even) and is 151 meters high.
Now I see the building in the background and I really realize just how puny and tiny our buildings are.
The tallest building in my city (Adelaide) is 130-140m tall.
Our skyline is really boring.
I live in NYC. I don’t really care about our skyline.
I don't get it... What does it have to do with password encryption?
Mao177 everything
Assuming you are talking about De Dom in Utrecht... then something is wrong here. It was built between 1254 and 1517 (in phases). It is 112.32 m high. There are other buildings in The Netherlands higher than 112.32m:
- Delftse poort, 151m high, finished in 1991
- Rembrandttoren, 150m high, finished in 1994.
So... what are you talking about? :/
Awesome but how about this:
Facebook sometimes shows a message when you type in your password but you were off by a character:
"Your password is wrong but close, please try again" or something like that
Well, this is actually not that much of a problem (but still not something I am comfortable with), because Facebook takes your input and, if it doesn't work, replaces some characters you typically type wrong (think of "I" instead of "L") and tries that again. If one of those matches, you get the message "it is close".
henlo fellow dasher
That feeling when your ISP sends you the password for your account
I miss the days I would see a lot of recommendations from YouTube about Tom Scott doing a video about something computer related
My password story usually goes like this:
Me trying to log in to a website or app
App: please re enter your password
Me: enters password
App: password incorrect please re enter password
Me: enters password (it's DEFINITELY this password)
App: password incorrect. Account locked. Please create new password
Me: enters password I have been attempting to use the whole time
App: password cannot be the same password used previously
Me: ARGHHH
Me: deletes app
This happens to me every time
Come join us in the 21st Century. We have password managers. :)
Fun fact: If you use Showbie in schools, not only does Showbie just store your password, teachers in the classes you're in can see it if they press a reveal password button on your name... run
Tom : youtube does not know your password
Chris me : what if I jumped out that window
Important distinction between hashes and prime factors: with hashes there's information loss, which is why it's so hard to crack, because one essentially has to guess what information was lost. With prime factors we genuinely don't have the maths to make an efficient algorithm on classical computers to factorize numbers; there's no information loss, humans are just too stupid.
I've been a software engineer for years and definitely know how hashing data works. Still watched through it and enjoyed it, and IDK why YouTube recommended this to me.
I still remember when I created an account for a website, and they emailed me my username AND password to say "Welcome to ..."
I never thought much about it because back then I didn't know ANYTHING about passwords, encryption, hashing, and I even used the same password for all of my accounts. But now: good god, did they store my password in plain text?
Your last few sentences were the most impactful ones. I think I learned quite a lot from this video, thanks Mr. Scott.
Damn Tom, back at it again with the red shirt!
Just signed up as a technician at NAPCO SECURITY (they make alarm systems) and they sent me a message saying my request was successful and then conveniently listed my username and password. Thank goodness I used a secondary email
Hi Scott great video love this type of content. I think something you missed explaining to the regular user, is that if someone steals that hash of your password it’s no good because when they put it through the same algorithm it won’t give a useful answer. A lot of people will not understand this without being told.
I sincerely love all your videos! You just have this wonderful, and soothing tone that sounds very BBC (if you get what I mean!)
Not only that, but the topics you cover end up grasping my attention for hours at end! Please keep it up! :3
I just got brought here by a guy who turns people into red mist using a rollercoaster
Interesting video, this is quickly becoming my favourite channel
I died on a rollercoaster and now I'm here. Wow.
Thanks for the multiply by 11 tip, didn't think about that
"things you [tube] might not know"
I worked at a SaaS place that had passwords stored in plain text in the users table. It was a platform the company had acquired and was phasing out, but it was still a bit of shock. We had to convert some customers sooner than others since they were in a state that required more stringent security practices from vendors.
I'm never going on that roller coaster AGAIN!
The only small bit of info I think was lacking was that the hashes made from passwords are (or rather should be) unique. So that not only is the reverse operation to get a password from a hash nearly impossible, but getting the same hash from 2 different passwords is as well. Otherwise - nice, clean and easy to follow for anyone :)
Twitter is the best UA-cam subbox
Develop
Nah man, gmail!
RSS, if you're smart.
Tordek Twitter is easier and you get pretty much the same result and you can even interact with the uploader
10/10 would tweet again
xato909 Simple. UA-cam's subbox is shit, therefore anything would be better. Due to its ease of use, the ability to get "instantly" the message that a new video is out, even before it's public (sharing the link to an unlisted video), and being able to interact with the uploader, Twitter gets my "8/8 m8" award for the best UA-cam subbox of the year.
Developed enough for ya?
I have actually been working on an encryption program myself, just for fun. It's using kinda the concept of prime numbers, but it also has to work in tandem with a unique 8 digit key, which is a secondary piece of information provided for the user. The algorithm changes based on what key you give it, so the database comparison only works if you have both parts.
Me: Do you know if I typed my password correctly?
UA-cam: *Well yes, but actually no.*
Oh man, I've been trying to teach people this for ages, and you made it so simple. Thank you!
I'm here from a man who likes building murderous roller coasters.
RTGame?
I find this mildly comforting
I was very disturbed when Virgin Media sent me my password in plain text, IN THE MAIL. It boggles me how one of the UK's biggest ISPs is so lax on security.
I applied for a job and they sent me an email with my password in it (the password I created not an auto generated one)
So hoping it was just being sent before it got hashed and stored I clicked the password recovery button.
Got my password sent again.
So I emailed the company about this.
Within 48 hours I got a response from a person saying they were looking into it.
I checked their site and they had removed the ability to request password recovery (instead the link took you to a page saying the feature was temporarily disabled)
Within a week I got another email thanking me for bringing the issue to light and saying they had rectified it.
Now the password recovery sent you an email with a link to enter a new password.
So yay, no longer in plaintext (I hope)
Or the lads just change the password page to avoid suspicion, but still store them in plaintext
I've recently been sent my username & password (together) in an e-mail from a web service. Other people have raised this as a potential security flaw, but the site owners appear to be in denial, saying that the security complies with all of the Government's recommendations (it's a service backed by an arm of UK Govt). I doubt it does.
Perhaps you should tell them to send the ID and password on a postcard or the back of a sealed envelope through the post and see if they (and the government) think that is OK and not a security risk.
(Plaintext emails are akin to postcards: anyone (with sufficient privileges) on the servers through which they pass (plus packet snoopers) can read them.)
Heh, my school library mails me my password... Can’t exactly run from that.
Many sites will send you a temporary password that you have to change immediately. So they can know your password... until you log in.
+Joel Reid They could, but usually they know the hash of that password stored in the database and email off the plaintext on submit. After that, the plaintext password is tossed; when you type the new temporary password in, a hash comparison is done like always and then they ask you to change it again.
This is also typically known as a reset token; it's the same basic concept which allows you to be validated and authenticated to change your password. Usually for password resets you won't notice the token, though; usually it's embedded in the URL, something like ?token=12301i24kjbh124ljhsdpfiuh28
I handle this by assigning a random token to a user's row in the db, and setting a flag like resetPassword = true. They click the link, the software checks the token and checks if resetPassword=true, and if it does then it asks for a new password. Temporary passwords work the same way; there's just a manual intervention of the user having to type in the temp password.
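The reset-token flow the commenter describes (random token on the user's row, a resetPassword flag, check both when the link is clicked) written out in Python as an added example; this is not the commenter's code, and the column names, the 15-minute lifetime and the sample row are assumptions made here. Two details the description leaves implicit are made explicit: only a hash of the token is stored, so a database read does not yield a usable link, and a successful redemption clears the state, so each token works once.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Assumed column names and lifetime; a real schema will differ.
TOKEN_TTL_SECONDS = 15 * 60  # how long a reset link stays valid (a choice for this example)


def _clear_reset_state(user_row: Dict) -> None:
    user_row["reset_password"] = False
    user_row["reset_token_hash"] = None
    user_row["reset_expires_at"] = None


def issue_reset_token(user_row: Dict, now: float) -> str:
    """Generate a random token, store only its hash plus an expiry, set the flag.

    The plaintext token is returned exactly once so it can be put in the emailed
    link (or, for the 'temporary password' variant, handed to the user to type
    in); it is never written to the database.
    """
    token = secrets.token_urlsafe(32)
    user_row["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    user_row["reset_expires_at"] = now + TOKEN_TTL_SECONDS
    user_row["reset_password"] = True
    return token


def redeem_reset_token(user_row: Dict, presented: str, now: float) -> bool:
    """Check flag, expiry and token; on success clear everything so the link is single use."""
    if not user_row.get("reset_password"):
        return False                          # no reset was requested for this account
    expires_at = user_row.get("reset_expires_at")
    if expires_at is None or now > expires_at:
        _clear_reset_state(user_row)          # stale request: invalidate it outright
        return False
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    stored_hash = user_row.get("reset_token_hash") or ""
    if not hmac.compare_digest(presented_hash, stored_hash):
        return False                          # wrong token: keep state so the real link still works
    _clear_reset_state(user_row)              # correct token: consume it
    return True


def new_user_row() -> Dict:
    """Constructed sample row carrying the reset columns this example assumes."""
    return {"email": "user@example.com", "reset_password": False,
            "reset_token_hash": None, "reset_expires_at": None}


if __name__ == "__main__":
    row = new_user_row()
    token = issue_reset_token(row, now=1_000_000.0)
    print("link would be: https://example.com/reset?token=" + token)
    print("first use: ", redeem_reset_token(row, token, now=1_000_060.0))   # True
    print("second use:", redeem_reset_token(row, token, now=1_000_061.0))   # False
```

The `now` argument is passed in rather than read from the clock so the expiry path can be exercised deterministically; in production it would be the current time.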
+Joel Reid That's true, but that temporary password is salted in the same manner as the video said, so they really only know it from the email logs (ie. it's not stored in the database).
@@SolidRoot Which means, they have your password during that time
This got me 5 marks in a computing test, thanks!
It's 2019 and I know a website I use regularly that stores my password in plain text. It's stupid this is still an issue in 2019.
You did the shortcut that I thought no one used!
Funny you should mention yahoo....
It's an old video, mate. Nobody knew back then.
Besides, if a user uses a weak password like 12345678 or qwertyuiop (or any dictionary word), the password could be "easily" guessed using a combination of brute force and dictionary attack.
Ian Mustafa They knew, they just chose not to say anything for a while.
didn't Yahoo! use a hash system that had been broken for ages by then,and never upgraded to a secure one?
Cool video (though I've seen the computerphile ones before and they quite helped me half a year ago when I got serious about back end dev!).
The preview looks AWESOME. Looking forward to it!
It's necessary to point out, though, that if a company sends you a password, it usually is a new randomly generated one.
+Jan Novák They shouldn't even be doing that, most e-mail is not secure. Passwords should always be generated by sending you to a web page on the site with time sensitive authorisation and allow you to type in your own password.
El Burrito That's why you're supposed to change the password as soon as you log in. Plus, I don't think it matters, if your email is compromised, whether you get a link to change the password, or send a newly created password.
I totally forgot I was on TYMNK and was awaiting the Computerphile ending. Damn you ***** and your omnipresence abilities...
I don't know my password either.
I've never seen Tom inside an office before. He's always out in the wind in the videos I've seen.
Don’t use abc as a password, kids
Tom thank you so much for this particular video, especially the ending as I'm sending it right now to a client of mine who is asking me why am I telling them to change their hosting provider after they recovered a password in a plain text email :))
I'm a monster *unce* *unce unce* *unce*
i see what you did there :)
I am an Engineering student but you taught me something today: that for a number to be divisible by 3, the sum of the digits in the number must be a multiple of 3. 👍
But doesn't that open the possibility that a different password will be accepted instead of your real one if it hashes to the same code? Let's say your hashing algorithm is "number % 10", then if my password is 244, I could type in 384 and it would work.
+Najarala No
Let's MASSIVELY simplify it. If you multiply 2 by 5 is it possible to get 10 by multiplying any other number by 5? No.
+Najarala
Some operations are many-to-one. That is, different inputs can result in the same output, which is your concern.
However, the hashing/salting algorithms used for cryptography are always one-to-one operations, meaning that there is absolutely no way that two different inputs can result in the same output.
So what I said, but in a more complex manner.
*****
You gave an example, whereas I gave an explanation.
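The question in this thread is whether a second input that hashes to the same value would be accepted at login. As an added example (not from the video or any commenter), the Python below runs that check against the "number % 10" toy from the question and against SHA-256 truncated to various lengths, counting how many of a constructed set of inputs share a digest. The login check, the input set and the truncation helper are constructed for this example; the behaviour it shows is a property of output size, not of any particular site.

```python
import hashlib
from typing import Callable, Dict, List

Digest = str  # every hash function below returns a string so results compare uniformly


def toy_mod10_hash(password: str) -> Digest:
    """The toy from the question: treat the password as a number, keep number % 10."""
    return str(int(password) % 10)


def truncated_sha256(hex_digits: int) -> Callable[[str], Digest]:
    """SHA-256 cut down to its first hex_digits characters, to show how output
    size alone decides how often different inputs end up with the same digest."""
    def h(password: str) -> Digest:
        return hashlib.sha256(password.encode()).hexdigest()[:hex_digits]
    return h


full_sha256 = truncated_sha256(64)  # all 256 bits, i.e. no truncation


def login_accepts(stored: Digest, attempt: str, hash_fn: Callable[[str], Digest]) -> bool:
    """A login check compares hash(attempt) with the stored digest, so any
    second input producing that digest is accepted as well."""
    return hash_fn(attempt) == stored


def colliding_inputs(passwords: List[str], hash_fn: Callable[[str], Digest]) -> Dict[Digest, List[str]]:
    """Group inputs by digest and keep only digests reached by more than one input."""
    groups: Dict[Digest, List[str]] = {}
    for p in passwords:
        groups.setdefault(hash_fn(p), []).append(p)
    return {d: ps for d, ps in groups.items() if len(ps) > 1}


def collision_count(passwords: List[str], hash_fn: Callable[[str], Digest]) -> int:
    """Number of inputs that reuse a digest already produced by another input."""
    return sum(len(ps) - 1 for ps in colliding_inputs(passwords, hash_fn).values())


if __name__ == "__main__":
    numeric_pins = [str(n) for n in range(1000)]  # constructed input set: "0" .. "999"
    stored = toy_mod10_hash("244")
    print("toy accepts 384 for 244:", login_accepts(stored, "384", toy_mod10_hash))
    for name, fn in [("mod 10", toy_mod10_hash), ("sha256[:1]", truncated_sha256(1)),
                     ("sha256[:4]", truncated_sha256(4)), ("sha256 full", full_sha256)]:
        print(f"{name:12} collisions among 1000 inputs: {collision_count(numeric_pins, fn)}")
```

With ten possible outputs, 990 of the 1000 inputs collide with an earlier one; one hex digit of SHA-256 (sixteen outputs) is barely better, while the full 256-bit digest produces no repeats in this set. The question's worry is therefore about output size: a real password hash has so many possible outputs that finding any second input for a given digest is not feasible, which is the property the answers above are relying on.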
You just answered my programming assignment.
Isn't it funny how Dan's comment sections are in other videos?
It would be nice if he would unblock them, seeing as the youtube comment section is truthfully much nicer than it used to be.
My local credit union used to email back plaintext passwords for recovery. Thankfully they rectified this, to what degree I don't know. Banks are painfully ironically terrible at information security.
my password is red mist
Even 7 years later this video is still educating people like myself :O
I was sent here by a man who failed to kill Hitler with a 95 positive G explosive rollercoaster.
0:35 Dude! I've never encountered anyone else who uses shortcuts like that!
Or sites that set a limit like "password cannot be longer than 15 characters"
There's no reason to do that unless you want to save space and avoid errors surrounding plain text... So hopefully not the passwords!
I had a college professor that talked about working with a computer that spent a lot of time finding the prime factorization of really large numbers, and how password decoding would take a ton of time.
“I’ll double your bitcoin you send 1000 I send 2000 back!” -Elon Musk, 2020
rollercoaster killing machine
That's wrong though. If you hash server side, you MUST, at least for a short time, store the password in plaintext on RAM. Also, most password hash algs aren't "hard" to do backwards, but absolutely mathematically impossible, simply due to overlap.
Most websites don't hash server side though. Usually, the client hashes the password, then sends the hash to the server to be stored; preventing a plaintext copy of the password from being intercepted during transmission.
Oliver: That is wrong and a really, really bad idea. If you create the hash+salt on the client side and send it to the server to be stored, it effectively becomes your password that you send and store as plaintext. Intercepting it would have the same effect as intercepting your original password. If the user database was leaked, anyone who saw the hash could log in to your account easily by modifying the login page code a bit or doing a manual HTTP query. You'd lose almost all the benefits of hashing.
Hashing isn't a sound way of securing your traffic. You should encrypt traffic properly with TLS.
Re-hashing the hashed password on the server side and storing that would prevent the plaintext problem, but it also adds the disadvantages that come with peppering. Suffice to say it's not good practice.
There's a whole slew of other problems with client-side hashing. Updating encryption algorithms would be tricky. I won't even go into the problems specific to browsers.
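The disagreement above is about where the hashing happens. As an added example (not the code of any commenter), the Python below models both arrangements with a constructed account and then asks the question the reply raises: if someone holds a copy of the user table, can they log in by submitting the stored value itself? The class names, the username-as-salt client transform and PBKDF2 standing in for a slow password hash are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple, Union


def slow_hash(secret: str, salt: bytes) -> bytes:
    """Salted, iterated KDF (PBKDF2 from the stdlib stands in for bcrypt/argon2 here)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class ServerSideHashing:
    """The client sends the password over TLS; the server salts and hashes it."""

    def __init__(self) -> None:
        self.db: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, wire_value: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, slow_hash(wire_value, salt))

    def login(self, user: str, wire_value: str) -> bool:
        salt, stored = self.db[user]
        return hmac.compare_digest(slow_hash(wire_value, salt), stored)


class ClientSideHashing:
    """The client hashes first; the server stores and compares whatever arrives."""

    def __init__(self) -> None:
        self.db: Dict[str, str] = {}

    @staticmethod
    def client_transform(user: str, password: str) -> str:
        # Using the username as a salt changes nothing below: the output is still
        # the exact string the server expects to receive at login.
        return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

    def register(self, user: str, wire_value: str) -> None:
        self.db[user] = wire_value

    def login(self, user: str, wire_value: str) -> bool:
        return hmac.compare_digest(self.db[user], wire_value)


def replay_leaked_row(server: Union[ServerSideHashing, ClientSideHashing], user: str) -> bool:
    """Model of the risk the reply describes: someone holding a copy of the
    user table submits the stored value itself as the login credential."""
    leaked = server.db[user]
    if isinstance(leaked, tuple):        # (salt, digest) from the server-side scheme
        credential = leaked[1].hex()     # all they can do is send the digest as if it were a password
    else:
        credential = leaked              # the stored value is exactly what a client would send
    return server.login(user, credential)


def demo() -> Dict[str, bool]:
    """Constructed account; reports which scheme a database leak lets an attacker log in to."""
    user, password = "alice", "correct horse battery staple"   # constructed sample credential

    srv = ServerSideHashing()
    srv.register(user, password)
    cli = ClientSideHashing()
    cli.register(user, ClientSideHashing.client_transform(user, password))

    return {
        "server_side_legit_login": srv.login(user, password),
        "client_side_legit_login": cli.login(user, ClientSideHashing.client_transform(user, password)),
        "server_side_replay_from_leak": replay_leaked_row(srv, user),
        "client_side_replay_from_leak": replay_leaked_row(cli, user),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:32} {outcome}")
```

Both schemes accept the legitimate login, but only the client-side one accepts the leaked row: the stored string is precisely the credential the server expects, which is the "effectively becomes your password" point made above. The re-hashing the reply mentions as a partial fix would amount to running `slow_hash` over the received value on the server as well, so that the stored value and the wire value no longer coincide.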
The notorious Chinese version of StackOverflow, CSDN, used to store actual unhashed passwords and leaked them. And millions of people are still using the site every day, bruh
Thanks for bringing me here Dan!
Your shockmount has come undone.
I am a computer programmer and I always knew that this is what happened, but never really understood how before now. This was the best video I have watched in a long time. Now to go watch the one that includes salting.
I've gotten into the habit of pretending I forgot my password right after signing up.
Even better when I can log in with my Google or Twitter account: no password needed, and no escalation of privileges.
It's not pretending, you actually forget it... Happens to me too often.
Plot twist: UA-cam and all of Google actually store all the passwords in plaintext, but we assume they don't because they're big
Very educational video! In fact, all your videos are.
when I was 12 I made a basic password system that hashed a password using the password itself as the hash then stored it. it seemed to work and I was happy
I was sent by a mass murderer wielding a roller coaster trying to make people into ''red mist''
oh wow, a video on passwords that DOESN'T make me want to go and live in the middle of a desert, amazing :D