The Dangers of Passwords (part 1)

Passwords are often the most vulnerable points of our internet security. 0:00 This is largely because login information requires the most user responsibility. 0:04 Often, sites and services will have strict requirements about password length and 0:08 character minimums. 0:13 This is a good example of the trade off between security and convenience, these 0:14 requirements do you in fact translate to additional effort for attackers. 0:19 So it is in your best interest to have stong passwords. 0:23 But a lot is demanded of us to generate and memorize complex passwords. 0:26 So much so that we may take shortcuts that eventually cost us. 0:31 We'll explore password strengths and weaknesses over two videos. 0:34 This first video will address some of the risks associated with 0:39 less than optimal passwords. 0:42 Let's first take a look at just how much the length of a password can 0:45 affect its strength. 0:48 Let's consider a PIN, for example, one used for your ATM card or 0:50 to unlock your phone. 0:53 There are ten possibilities for each digit used, zero through nine. 0:55 If your PIN was only one digit, the total number of possible PINs would be ten. 1:00 Let's make it a two digit PIN 10 x 10 = 100. 1:05 Now there are 100 possible combinations, and your PIN just got ten times stronger. 1:11 Typical PINs are four digits long, 10 x 10 x 10 x 10, 10,000. 1:16 There are 10,000 possible four digit PINs. 1:23 So what happens if you could add a lowercase letter, 1:26 any of the 26 letters available in the English alphabet at the end of your PIN? 1:29 10 x 10 x 10 x 10 times 26, 1:34 260,000, now we're talking. 1:38 260,000 different possibilities may seem like it would be more than adequate. 1:42 This would definitely be overwhelming for a human to try. 1:47 And typically, there are safeguards in place for multiple failed attempts anyway. 1:51 But nowadays, computers can try all the possibilities much faster than a person. 1:55 260,000 different PINs would fly by in the blink of an eye. 2:00 And not every service will have those same failed attempt safeguards. 2:05 Your best chance of security is to strengthen those passwords beyond a doubt. 2:09 This table is a logical extension of the previous exercise. 2:14 It shows how long it would take a modern computer to try 2:18 every possible valid input for the given constraints. 2:21 This is a bit of a simplification, and conditions would be 2:24 different if this was say a government agency with unlimited resources. 2:27 Compared to just a single laptop trying to break a password. 2:32 But it does serve a purpose. 2:35 Notice that increasing the number of characters extending the length 2:37 of a password has a much greater effect on its strength 2:41 than allowing additional possible characters. 2:44 While increasing both has a considerable compound effect. 2:47 This is great to keep in mind for when you're creating your own passwords. 2:50 The previous table showed how long it would take a modern computer to try every 2:55 possible password of a certain length and set of characters. 2:59 But password cracking, where attempts to guess or 3:02 force through password protection, is often smarter than that. 3:05 A password cracking tool may try the top 100 or 3:08 even top 10,000 most popular passwords first. 3:11 There's a very good chance it could save a lot of time. 3:15 If those failed, it could then default back to trying every possibility or 3:18 brute-forcing it. 3:22 Note the password, 0123456789, this is a 10-character password. 3:24 By our previous table, assuming all characters are valid, 3:30 this would take a brute force approach over 900 years for a modern computer. 3:34 But cracking tools would have this password broken in an instant. 3:39 The same is true for using a single dictionary word. 3:43 Tools will often consult prioritized lists of possibilities. 3:47 We've seen how length and available characters can affect password strength. 3:51 So now we want to make our own password plenty long, maybe 20 characters. 3:56 And we've learned how cracking tools are often smarter than a brute force approach, 4:00 by prioritizing common passwords and dictionary words. 4:04 So we'll make our 20 character password a randomized bunch of letters, numbers and 4:07 symbols. 4:12 We'll want to memorize this so we can use it whenever we need. 4:13 Having one extra strong password should be enough for all of our accounts, right? 4:17 Well, unfortunately as we learned in our very first video, 4:22 that services have breaches and personal passwords get leaked. 4:25 We'll want to have unique passwords for each service we use. 4:30 So to recap, passwords must be long, be unique, have never been used, 4:34 contain no personal info, and contain no dictionary words. 4:39 And we're also expected to memorize each one of them? 4:44 It's no wonder that some people sacrifice their password strength for some sanity. 4:47 Well, in the next video, we'll explore some tools that can offer some super 4:52 easy solutions without sacrificing much security at all. 4:56