1
00:00:00,970 --> 00:00:06,100
Well, we said from the beginning that passwords are problems and everybody's got them right.

2
00:00:06,490 --> 00:00:11,770
Well, let's take a look at a few tips for better passwords, including let's start with one of my favorite

3
00:00:11,770 --> 00:00:19,930
tips from Casey thanks to the gang over the CD for this great password complexity cartoon.

4
00:00:20,290 --> 00:00:26,860
You can see even a pretty complex password like this, an uncommon basswood like troubador, and then

5
00:00:26,920 --> 00:00:36,040
a few common substitutions, like some capitalization as zero for the O for for the AI and then even

6
00:00:36,040 --> 00:00:39,100
some punctuation and a number ampersand three.

7
00:00:39,100 --> 00:00:45,340
In this case, that would take about three days to brute force if you were doing just a thousand guesses

8
00:00:45,610 --> 00:00:46,340
per second.

9
00:00:46,660 --> 00:00:52,390
Of course, we can run lots more guesses per second than that on a standard computer so that rates this

10
00:00:52,390 --> 00:00:54,040
as an easy to guess.

11
00:00:54,490 --> 00:00:58,330
But you can see it is really hard to remember that as a person.

12
00:00:59,260 --> 00:01:08,260
However, if we took just four random common words, correct, horse battery staple, those don't have

13
00:01:08,260 --> 00:01:13,270
any uppercase lowercase, no punctuation, no hard to remember substitutions.

14
00:01:13,270 --> 00:01:14,200
It's just correct.

15
00:01:14,380 --> 00:01:16,000
Horse battery staple.

16
00:01:16,880 --> 00:01:22,080
That would take around 550 years for a computer to guess.

17
00:01:22,430 --> 00:01:27,530
So you've already memorized this password and it's significantly harder for a computer to guess that

18
00:01:27,530 --> 00:01:32,360
one, of course, don't use that password because I'm sure that's in a password database now, too.

19
00:01:33,140 --> 00:01:36,260
Well, let's talk about some tips that will help you keep your passwords safer.

20
00:01:36,540 --> 00:01:42,140
Think simple for you to remember, but hard for a computer to guess.

21
00:01:42,140 --> 00:01:47,510
And a passphrase is a much better way to go than just taking a dictionary word, even an uncommon one

22
00:01:47,720 --> 00:01:49,600
and doing some of those substitutions we saw.

23
00:01:49,610 --> 00:01:52,250
We can crack through those really fast.

24
00:01:52,520 --> 00:01:55,560
But here's some tips for keeping your passwords safe.

25
00:01:55,970 --> 00:02:01,870
First of all, don't give out your password when it comes to social engineering.

26
00:02:01,880 --> 00:02:06,440
We saw phishing, we saw pretexting call up and say this is Microsoft support.

27
00:02:06,650 --> 00:02:08,110
We see a problem with your computer.

28
00:02:08,120 --> 00:02:08,900
Let me help you.

29
00:02:08,900 --> 00:02:10,990
Or looks like your accounts been hacked into.

30
00:02:11,000 --> 00:02:13,580
Don't give out your password.

31
00:02:13,580 --> 00:02:17,570
Ever log in directly to your computer, change your password.

32
00:02:17,570 --> 00:02:20,060
If you feel like somebody might have had access to it.

33
00:02:20,690 --> 00:02:26,300
Don't be afraid to burn those passwords, change those passwords on a pretty regular rotation.

34
00:02:26,300 --> 00:02:28,160
But about once every six months is OK.

35
00:02:28,160 --> 00:02:33,380
If you're using good passwords like we'll talk about here, that includes don't write those passwords

36
00:02:33,380 --> 00:02:33,890
down, right?

37
00:02:33,890 --> 00:02:38,660
When you give out a password or when you write it down and take it to your monitor, that's an easy

38
00:02:38,660 --> 00:02:40,220
way for social engineering to work.

39
00:02:40,910 --> 00:02:42,290
We talked about snacking.

40
00:02:42,290 --> 00:02:46,910
Remember, if we just leave that posted on the monitor because it's such a hard password, we can't

41
00:02:46,910 --> 00:02:48,150
remember it anymore.

42
00:02:48,560 --> 00:02:53,570
Then we run into the risk of somebody just walking by our desk and having all of our passwords.

43
00:02:53,990 --> 00:03:02,000
But you can choose a simple to remember password, like the first letters of a phrase I graduated from

44
00:03:02,000 --> 00:03:08,780
high school in and some number at the age of and you use IGF H.

45
00:03:08,780 --> 00:03:10,760
S the first letter of each of those phrases.

46
00:03:11,000 --> 00:03:15,860
You can actually use a pass phrase and a lot of websites that allow you to do a really long password

47
00:03:15,860 --> 00:03:16,580
or pass phrase.

48
00:03:16,580 --> 00:03:17,540
That's a good idea.

49
00:03:18,080 --> 00:03:22,880
You can use the first letters of all the words in a song that you like for a particular site.

50
00:03:22,900 --> 00:03:27,020
So let's say that I wanted to use Mary had a little lamb.

51
00:03:27,020 --> 00:03:35,900
Its fleece was white as snow mh l l i f w w a and then I did one substitution there dollar sign and

52
00:03:35,900 --> 00:03:40,580
then seven and maybe the number doubled so seven and then 14.

53
00:03:41,150 --> 00:03:44,300
That is a very difficult to guess password.

54
00:03:44,300 --> 00:03:48,650
But Mary had a little lamb, its fleece was white as snow.

55
00:03:49,010 --> 00:03:50,060
It's pretty easy to remember.

56
00:03:50,060 --> 00:03:52,760
And then maybe the number seven you'd have to remember as well.

57
00:03:52,760 --> 00:03:57,770
So if you wanted to do a password for this or even if you wrote this down on a Post-it and kept it in

58
00:03:57,770 --> 00:04:02,780
your wallet or your purse, someplace where you don't leave your wallet out someplace, you don't leave

59
00:04:02,780 --> 00:04:08,810
your purse out, just put it someplace that you don't give other people access to very much, or even

60
00:04:08,810 --> 00:04:12,680
storing that one on your computer might not be the worst thing if it's just the hint cheap.

61
00:04:12,680 --> 00:04:13,220
Seven.

62
00:04:13,460 --> 00:04:14,710
Oh, Mary had a little lamb.

63
00:04:14,900 --> 00:04:18,410
You just have to remember not to hum your password when you're typing it in, it's your keyboard.

64
00:04:18,590 --> 00:04:21,620
Somebody will figure out what your password was.

65
00:04:22,370 --> 00:04:23,420
When it comes to hacking.

66
00:04:23,660 --> 00:04:27,140
We've seen that passwords get hacked from websites, right?

67
00:04:27,440 --> 00:04:33,290
We got all of those passwords from a Windows seven box just by dumping the hash values of the password

68
00:04:33,290 --> 00:04:33,770
files.

69
00:04:34,160 --> 00:04:39,290
At some point, just about every Web site that you are a member of or you have an account on is going

70
00:04:39,290 --> 00:04:39,980
to be hacked.

71
00:04:40,220 --> 00:04:42,320
So don't use just one password.

72
00:04:42,320 --> 00:04:48,230
If you use one password for one type of thing or one site, use a different password for a different

73
00:04:48,230 --> 00:04:54,830
type of site or different different Web page, but always have a really tough password for your email,

74
00:04:54,830 --> 00:04:59,750
have a different password for banking, have different passwords for different websites.

75
00:04:59,750 --> 00:05:06,260
It's a smart thing because if one site gets hacked, then the first thing people are going to try is

76
00:05:06,500 --> 00:05:08,690
using that username and password and the site's.

77
00:05:10,040 --> 00:05:16,190
We saw sniffing could expose your password out over the network, if you log into a site that's not

78
00:05:16,190 --> 00:05:23,390
secure, always use https to enter your passwords, make sure you're on a secure connection before you

79
00:05:23,390 --> 00:05:25,450
log to Facebook to your Web site.

80
00:05:25,880 --> 00:05:31,850
If you have a WordPress site, you want to make sure that you get a secure certificate so that you can

81
00:05:31,850 --> 00:05:34,490
enter your password only using https.

82
00:05:34,490 --> 00:05:39,480
Otherwise, anyone on the same network as you can see it in plain text when it comes to cracking.

83
00:05:40,310 --> 00:05:46,520
This is for Web administrators especially, but web admins should always salt password hashes.

84
00:05:47,210 --> 00:05:52,490
That's a technical term, but it just means adding a couple of random characters to the front of a password

85
00:05:52,490 --> 00:05:56,860
hash and hashing it with those extra characters added in there.

86
00:05:57,380 --> 00:06:03,980
That way, when and if a password database is dumped from a Web server, at least the attacker won't

87
00:06:03,980 --> 00:06:09,380
be able to look those hashes up immediately online because we'll have added some extra characters before

88
00:06:09,380 --> 00:06:11,040
those and change them up a little bit.

89
00:06:11,690 --> 00:06:17,510
A good tip for passwords overall is to use multifactor authentication to factor authentication where

90
00:06:17,750 --> 00:06:24,110
maybe before you log into your Gmail from a new computer, it will send you a text and ask if you want

91
00:06:24,110 --> 00:06:25,190
to allow that.

92
00:06:25,400 --> 00:06:26,860
That's a great thing to do.

93
00:06:26,870 --> 00:06:31,640
Do that for your social media accounts, for your email account, for your bank accounts, anything

94
00:06:31,640 --> 00:06:36,560
that you don't log into from a whole lot of different computers or anything that you want to keep really

95
00:06:36,560 --> 00:06:37,220
safe.

96
00:06:37,220 --> 00:06:41,280
To factor authentication or multifactor authentication is a really smart thing.

97
00:06:41,300 --> 00:06:44,540
That's why in business will have a key card that gets us in.

98
00:06:44,540 --> 00:06:49,700
But we'll also have to know a pin for certain areas or know a password for other things.

99
00:06:50,450 --> 00:06:54,500
You can consider a password manager if you have a whole lot of passwords to remember.

100
00:06:54,830 --> 00:07:00,810
Password manager can store passwords in encrypted form and it can even randomize passwords.

101
00:07:00,810 --> 00:07:08,330
So it gives really long, random hard passwords for your banking website or for your email account.

102
00:07:08,990 --> 00:07:13,280
Password manager can help you manage all of those passwords that we have in modern life.

103
00:07:14,450 --> 00:07:18,020
I'll leave you with one last, most important tip that I give my students.

104
00:07:18,230 --> 00:07:23,170
Make your email password your hardest password to crack.

105
00:07:23,570 --> 00:07:26,690
That means if you only have one password as good as this one.

106
00:07:26,690 --> 00:07:27,740
Mary had a little lamb.

107
00:07:27,740 --> 00:07:29,150
Its fleece was white as snow.

108
00:07:29,330 --> 00:07:30,650
You might want to pick a different song.

109
00:07:30,650 --> 00:07:34,370
Of course it should be on your email account.

110
00:07:34,810 --> 00:07:36,310
Now, why is that?

111
00:07:36,320 --> 00:07:42,080
Well, because your email account is usually the one location that all your other passwords get reset

112
00:07:42,080 --> 00:07:42,430
to.

113
00:07:42,440 --> 00:07:48,500
So if you forget your banking password, you enter your email address and say, I forgot my password,

114
00:07:48,920 --> 00:07:55,340
and then your bank sends you a link to your email account that you can click through and change your

115
00:07:55,340 --> 00:07:56,090
password.

116
00:07:57,720 --> 00:08:03,450
So if somebody gets into your email account, they can just do a search for a receipt or do a search

117
00:08:03,450 --> 00:08:07,350
for a statement and they will find all of your purchases.

118
00:08:07,770 --> 00:08:12,780
That's all the websites that you buy things from all of your passwords to all of your banking accounts,

119
00:08:12,780 --> 00:08:15,810
or they'll find all of your accounts, credit card accounts, things like that.

120
00:08:16,080 --> 00:08:21,540
Once they have your email password, they can go to each of those sites and say, I forgot my password

121
00:08:21,540 --> 00:08:22,770
and it can reset back.

122
00:08:22,780 --> 00:08:26,450
So protect your email account above just about everything else.

123
00:08:26,460 --> 00:08:31,230
It's even more important than your bank account passwords because your bank account passwords usually

124
00:08:31,230 --> 00:08:32,840
get reset to your email account.

125
00:08:33,150 --> 00:08:34,970
So I hope all of these are useful tips.

126
00:08:34,980 --> 00:08:40,800
I hope you've seen that it's really important to protect your passwords and to use good password security,

127
00:08:40,800 --> 00:08:46,380
especially if you're a Web administrator or if you are in charge of a network or Web site.

128
00:08:46,380 --> 00:08:51,960
You want to make sure that you enable secure sockets or secure connections to your website.

129
00:08:52,630 --> 00:08:57,510
Hope you've enjoyed this section of go out there and change all your passwords and make them better.