1
00:00:00,970 --> 00:00:06,100
Well, we said from the beginning that passwords are problems and everybody's got them, right?

2
00:00:06,490 --> 00:00:11,770
Well, let's take a look at a few tips for better passwords, including, let's start with one of my favorite

3
00:00:11,770 --> 00:00:19,930
tips from xkcd. Thanks to the gang over at xkcd for this great password complexity cartoon.

4
00:00:20,290 --> 00:00:26,860
You can see even a pretty complex password like this, an uncommon password like troubador, and then

5
00:00:26,920 --> 00:00:36,040
a few common substitutions, like some capitalization, a zero for the O, a four for the A, and then even

6
00:00:36,040 --> 00:00:39,100
some punctuation and a number, ampersand three.

7
00:00:39,100 --> 00:00:45,340
In this case, that would take about three days to brute force if you were doing just a thousand guesses

8
00:00:45,610 --> 00:00:46,340
per second.

9
00:00:46,660 --> 00:00:52,390
Of course, we can run lots more guesses per second than that on a standard computer, so that rates this

10
00:00:52,390 --> 00:00:54,040
as easy to guess.

11
00:00:54,490 --> 00:00:58,330
But you can see it is really hard to remember that as a person.

12
00:00:59,260 --> 00:01:08,260
However, if we took just four random common words, correct horse battery staple, those don't have

13
00:01:08,260 --> 00:01:13,270
any uppercase, lowercase, no punctuation, no hard to remember substitutions.

14
00:01:13,270 --> 00:01:14,200
It's just correct

15
00:01:14,380 --> 00:01:16,000
horse battery staple.

16
00:01:16,880 --> 00:01:22,080
That would take around 550 years for a computer to guess.

17
00:01:22,430 --> 00:01:27,530
So you've already memorized this password and it's significantly harder for a computer to guess that

18
00:01:27,530 --> 00:01:32,360
one. Of course, don't use that password, because I'm sure that's in a password database now, too.

19
00:01:33,140 --> 00:01:36,260
Well, let's talk about some tips that will help you keep your passwords safer.

20
00:01:36,540 --> 00:01:42,140
Think simple for you to remember, but hard for a computer to guess.

21
00:01:42,140 --> 00:01:47,510
And a passphrase is a much better way to go than just taking a dictionary word, even an uncommon one,

22
00:01:47,720 --> 00:01:49,600
and doing some of those substitutions we saw.

23
00:01:49,610 --> 00:01:52,250
We can crack through those really fast.

24
00:01:52,520 --> 00:01:55,560
But here are some tips for keeping your passwords safe.

25
00:01:55,970 --> 00:02:01,870
First of all, don't give out your password when it comes to social engineering.

26
00:02:01,880 --> 00:02:06,440
We saw phishing, we saw pretexting: call up and say, "This is Microsoft support.

27
00:02:06,650 --> 00:02:08,110
We see a problem with your computer.

28
00:02:08,120 --> 00:02:08,900
Let me help you."

29
00:02:08,900 --> 00:02:10,990
Or, "Looks like your account's been hacked into."

30
00:02:11,000 --> 00:02:13,580
Don't give out your password.

31
00:02:13,580 --> 00:02:17,570
Ever. Log in directly to your computer and change your password

32
00:02:17,570 --> 00:02:20,060
if you feel like somebody might have had access to it.

33
00:02:20,690 --> 00:02:26,300
Don't be afraid to burn those passwords; change those passwords on a pretty regular rotation,

34
00:02:26,300 --> 00:02:28,160
but about once every six months is OK

35
00:02:28,160 --> 00:02:33,380
if you're using good passwords like we'll talk about here. That includes: don't write those passwords

36
00:02:33,380 --> 00:02:33,890
down, right?

37
00:02:33,890 --> 00:02:38,660
When you give out a password, or when you write it down and tape it to your monitor, that's an easy

38
00:02:38,660 --> 00:02:40,220
way for social engineering to work.

39
00:02:40,910 --> 00:02:42,290
We talked about snacking.

40
00:02:42,290 --> 00:02:46,910
Remember, if we just leave that posted on the monitor because it's such a hard password, we can't

41
00:02:46,910 --> 00:02:48,150
remember it anymore,

42
00:02:48,560 --> 00:02:53,570
then we run into the risk of somebody just walking by our desk and having all of our passwords.

43
00:02:53,990 --> 00:03:02,000
But you can choose a simple to remember password, like the first letters of a phrase: "I graduated from

44
00:03:02,000 --> 00:03:08,780
high school in" and some number, "at the age of" and some number, and you use I G F H

45
00:03:08,780 --> 00:03:10,760
S, the first letter of each of those words.

46
00:03:11,000 --> 00:03:15,860
You can actually use a passphrase, and a lot of websites allow you to do a really long password

47
00:03:15,860 --> 00:03:16,580
or passphrase.

48
00:03:16,580 --> 00:03:17,540
That's a good idea.

49
00:03:18,080 --> 00:03:22,880
You can use the first letters of all the words in a song that you like for a particular site.

50
00:03:22,900 --> 00:03:27,020
So let's say that I wanted to use "Mary had a little lamb,

51
00:03:27,020 --> 00:03:35,900
its fleece was white as snow": m h l l i f w w a, and then I did one substitution there, a dollar sign, and

52
00:03:35,900 --> 00:03:40,580
then seven, and maybe the number doubled, so seven and then 14.

53
00:03:41,150 --> 00:03:44,300
That is a very difficult to guess password.

54
00:03:44,300 --> 00:03:48,650
But "Mary had a little lamb, its fleece was white as snow,"

55
00:03:49,010 --> 00:03:50,060
it's pretty easy to remember.

56
00:03:50,060 --> 00:03:52,760
And then maybe the number seven you'd have to remember as well.

57
00:03:52,760 --> 00:03:57,770
So if you wanted to do a password for this, or even if you wrote this down on a Post-it and kept it in

58
00:03:57,770 --> 00:04:02,780
your wallet or your purse, someplace where you don't leave your wallet out, someplace you don't leave

59
00:04:02,780 --> 00:04:08,810
your purse out, just put it someplace that you don't give other people access to very much. Or even

60
00:04:08,810 --> 00:04:12,680
storing that one on your computer might not be the worst thing if it's just the hint: sheep,

61
00:04:12,680 --> 00:04:13,220
seven.

62
00:04:13,460 --> 00:04:14,710
Oh, Mary had a little lamb.

63
00:04:14,900 --> 00:04:18,410
You just have to remember not to hum your password when you're typing it in at your keyboard.

64
00:04:18,590 --> 00:04:21,620
Somebody will figure out what your password was.

65
00:04:22,370 --> 00:04:23,420
When it comes to hacking,

66
00:04:23,660 --> 00:04:27,140
we've seen that passwords get hacked from websites, right?

67
00:04:27,440 --> 00:04:33,290
We got all of those passwords from a Windows 7 box just by dumping the hash values of the password

68
00:04:33,290 --> 00:04:33,770
files.

69
00:04:34,160 --> 00:04:39,290
At some point, just about every Web site that you are a member of or you have an account on is going

70
00:04:39,290 --> 00:04:39,980
to be hacked.

71
00:04:40,220 --> 00:04:42,320
So don't use just one password.

72
00:04:42,320 --> 00:04:48,230
If you use one password for one type of thing or one site, use a different password for a different

73
00:04:48,230 --> 00:04:54,830
type of site or different Web page, but always have a really tough password for your email,

74
00:04:54,830 --> 00:04:59,750
have a different password for banking, have different passwords for different websites.

75
00:04:59,750 --> 00:05:06,260
It's a smart thing, because if one site gets hacked, then the first thing people are going to try is

76
00:05:06,500 --> 00:05:08,690
using that username and password on other sites.

77
00:05:10,040 --> 00:05:16,190
We saw sniffing could expose your password out over the network if you log into a site that's not

78
00:05:16,190 --> 00:05:23,390
secure. Always use https to enter your passwords; make sure you're on a secure connection before you

79
00:05:23,390 --> 00:05:25,450
log in to Facebook or to your Web site.

80
00:05:25,880 --> 00:05:31,850
If you have a WordPress site, you want to make sure that you get a secure certificate so that you can

81
00:05:31,850 --> 00:05:34,490
enter your password only using https.

82
00:05:34,490 --> 00:05:39,480
Otherwise, anyone on the same network as you can see it in plain text. When it comes to cracking,

83
00:05:40,310 --> 00:05:46,520
this is for Web administrators especially, but web admins should always salt password hashes.

84
00:05:47,210 --> 00:05:52,490
That's a technical term, but it just means adding a couple of random characters to the front of a password

85
00:05:52,490 --> 00:05:56,860
hash and hashing it with those extra characters added in there.

86
00:05:57,380 --> 00:06:03,980
That way, when and if a password database is dumped from a Web server, at least the attacker won't

87
00:06:03,980 --> 00:06:09,380
be able to look those hashes up immediately online, because we'll have added some extra characters before

88
00:06:09,380 --> 00:06:11,040
those and changed them up a little bit.

89
00:06:11,690 --> 00:06:17,510
A good tip for passwords overall is to use multifactor authentication, two-factor authentication, where

90
00:06:17,750 --> 00:06:24,110
maybe before you log into your Gmail from a new computer, it will send you a text and ask if you want

91
00:06:24,110 --> 00:06:25,190
to allow that.

92
00:06:25,400 --> 00:06:26,860
That's a great thing to do.

93
00:06:26,870 --> 00:06:31,640
Do that for your social media accounts, for your email account, for your bank accounts, anything

94
00:06:31,640 --> 00:06:36,560
that you don't log into from a whole lot of different computers, or anything that you want to keep really

95
00:06:36,560 --> 00:06:37,220
safe.

96
00:06:37,220 --> 00:06:41,280
Two-factor authentication or multifactor authentication is a really smart thing.

97
00:06:41,300 --> 00:06:44,540
That's why in business we'll have a key card that gets us in,

98
00:06:44,540 --> 00:06:49,700
but we'll also have to know a PIN for certain areas or know a password for other things.

99
00:06:50,450 --> 00:06:54,500
You can consider a password manager if you have a whole lot of passwords to remember.

100
00:06:54,830 --> 00:07:00,810
A password manager can store passwords in encrypted form, and it can even randomize passwords,

101
00:07:00,810 --> 00:07:08,330
so it gives really long, random, hard passwords for your banking website or for your email account.

102
00:07:08,990 --> 00:07:13,280
A password manager can help you manage all of those passwords that we have in modern life.

103
00:07:14,450 --> 00:07:18,020
I'll leave you with one last, most important tip that I give my students.

104
00:07:18,230 --> 00:07:23,170
Make your email password your hardest password to crack.

105
00:07:23,570 --> 00:07:26,690
That means if you only have one password as good as this one,

106
00:07:26,690 --> 00:07:27,740
"Mary had a little lamb,

107
00:07:27,740 --> 00:07:29,150
its fleece was white as snow,"

108
00:07:29,330 --> 00:07:30,650
you might want to pick a different song,

109
00:07:30,650 --> 00:07:34,370
of course, it should be on your email account.

110
00:07:34,810 --> 00:07:36,310
Now, why is that?

111
00:07:36,320 --> 00:07:42,080
Well, because your email account is usually the one location that all your other passwords get reset

112
00:07:42,080 --> 00:07:42,430
to.

113
00:07:42,440 --> 00:07:48,500
So if you forget your banking password, you enter your email address and say, "I forgot my password,"

114
00:07:48,920 --> 00:07:55,340
and then your bank sends you a link to your email account that you can click through and change your

115
00:07:55,340 --> 00:07:56,090
password.

116
00:07:57,720 --> 00:08:03,450
So if somebody gets into your email account, they can just do a search for a receipt or do a search

117
00:08:03,450 --> 00:08:07,350
for a statement, and they will find all of your purchases.

118
00:08:07,770 --> 00:08:12,780
That's all the websites that you buy things from, all of your passwords to all of your banking accounts,

119
00:08:12,780 --> 00:08:15,810
or they'll find all of your accounts, credit card accounts, things like that.

120
00:08:16,080 --> 00:08:21,540
Once they have your email password, they can go to each of those sites and say, "I forgot my password,"

121
00:08:21,540 --> 00:08:22,770
and it can reset back.

122
00:08:22,780 --> 00:08:26,450
So protect your email account above just about everything else.

123
00:08:26,460 --> 00:08:31,230
It's even more important than your bank account passwords, because your bank account passwords usually

124
00:08:31,230 --> 00:08:32,840
get reset to your email account.

125
00:08:33,150 --> 00:08:34,970
So I hope all of these are useful tips.

126
00:08:34,980 --> 00:08:40,800
I hope you've seen that it's really important to protect your passwords and to use good password security,

127
00:08:40,800 --> 00:08:46,380
especially if you're a Web administrator or if you are in charge of a network or Web site.

128
00:08:46,380 --> 00:08:51,960
You want to make sure that you enable secure sockets or secure connections to your website.

129
00:08:52,630 --> 00:08:57,510
Hope you've enjoyed this section. Go out there and change all your passwords and make them better.