WEBVTT

00:00.229 --> 00:02.295
>> In our next section,

00:02.295 --> 00:05.170
let's talk a little
bit about passwords.

00:05.300 --> 00:08.925
But before we go into some
of the security concerns,

00:08.925 --> 00:10.935
I just want to
address one thing.

00:10.935 --> 00:13.410
We were wrong about
passwords and

00:13.410 --> 00:16.005
it's time that we accepted
that and move forward.

00:16.005 --> 00:18.150
The National Institute
of Standards and

00:18.150 --> 00:20.730
Technology, or NIST,

00:20.730 --> 00:23.100
previously provided
guidance on how to create

00:23.100 --> 00:26.130
strong passwords that
they now say was wrong.

00:26.130 --> 00:27.780
They used to
recommend that people

00:27.780 --> 00:29.295
create complex passwords

00:29.295 --> 00:32.109
of at least eight
alphanumeric characters,

00:32.109 --> 00:34.295
including upper and
lowercase letters

00:34.295 --> 00:36.305
and special characters.

00:36.305 --> 00:40.160
They also said to change
passwords every 60 days.

00:40.160 --> 00:42.365
Well, it turns out that
we've made passwords

00:42.365 --> 00:44.390
easier for an attacker
to compromise,

00:44.390 --> 00:47.195
but harder for us to remember.

00:47.195 --> 00:50.270
For example, if
we require you to

00:50.270 --> 00:52.820
have an uppercase character
in your password,

00:52.820 --> 00:54.610
where are you likely to put it?

00:54.610 --> 00:57.555
At the beginning.
Hackers know this.

00:57.555 --> 01:00.095
Then if we require
you to have a number,

01:00.095 --> 01:01.975
where is the number going to go?

01:01.975 --> 01:04.260
At the end. Which number do

01:04.260 --> 01:07.029
you likely use? The number 1.

01:07.029 --> 01:10.235
These things became
predictable to an attacker.

01:10.235 --> 01:13.525
Complexity does not
equal security.

01:13.525 --> 01:15.960
The bottom line is that NIST

01:15.960 --> 01:17.835
has a new recommendation.

01:17.835 --> 01:20.180
That is to string
4-5 random words

01:20.180 --> 01:21.920
together to create a password.

01:21.920 --> 01:25.250
Since it's long, it's harder
for attackers to crack,

01:25.250 --> 01:27.680
but it's easier for
us to remember.

01:27.680 --> 01:29.840
Since you have a
stronger password,

01:29.840 --> 01:32.120
NIST says not to
change passwords

01:32.120 --> 01:35.850
every 60 days unless there
has been a compromise.

01:36.010 --> 01:38.300
What makes passwords difficult

01:38.300 --> 01:39.470
to crack is the number of

01:39.470 --> 01:41.690
characters rather
than the other tricks

01:41.690 --> 01:43.685
that we've used in the past.

01:43.685 --> 01:45.560
Now, there are lots of

01:45.560 --> 01:47.750
different types of
attacks on passwords.

01:47.750 --> 01:50.600
Dictionary attacks try
every character combination

01:50.600 --> 01:53.195
in the dictionary file
the attacker is using.

01:53.195 --> 01:58.730
But they also add common
passwords like P@ssw0rd

01:58.730 --> 02:02.405
and so forth.

02:02.405 --> 02:04.610
Some of those
dictionary files have

02:04.610 --> 02:06.890
started to add common
phrases as well.

02:06.890 --> 02:08.570
That's why it's
better to take four

02:08.570 --> 02:09.950
random words rather than

02:09.950 --> 02:11.570
a common phrase like "to be or

02:11.570 --> 02:14.430
not to be" or
something like that.

02:14.560 --> 02:17.150
Now, brute force attacks

02:17.150 --> 02:19.684
involve trying every
combination of characters.

02:19.684 --> 02:20.990
That's why using special

02:20.990 --> 02:23.365
characters doesn't
really help you.

02:23.365 --> 02:26.000
The hybrid attack
is a combination

02:26.000 --> 02:28.805
between dictionary
and brute force.

02:28.805 --> 02:31.565
Birthday attacks,
rainbow tables,

02:31.565 --> 02:33.110
and pass the hash are all

02:33.110 --> 02:34.580
based on the
idea that if I can

02:34.580 --> 02:35.990
generate the hash or

02:35.990 --> 02:37.940
the value that represents
your password,

02:37.940 --> 02:41.155
then I can gain access
and get authorization.

02:41.155 --> 02:42.620
This will make
more sense when we

02:42.620 --> 02:44.765
talk about cryptography.

02:44.765 --> 02:47.750
A replay attack just
means that I'm able to

02:47.750 --> 02:48.680
capture something on the

02:48.680 --> 02:50.779
network and
retransmit it later.

02:50.779 --> 02:53.120
We keep this in
mind because even if

02:53.120 --> 02:56.290
your password is encrypted,
it may not matter.

02:56.290 --> 02:59.945
The bottom line is that if
a replay attack can happen,

02:59.945 --> 03:03.090
then it doesn't matter that
your password is encrypted.

03:03.110 --> 03:06.770
With passwords today, we've
got to be aware of the fact

03:06.770 --> 03:08.120
that we need to make them longer

03:08.120 --> 03:10.205
and less difficult to remember.

03:10.205 --> 03:12.170
We've got to get with the times,

03:12.170 --> 03:16.230
have better password policies
and protect them better.

