Passwords are often the most vulnerable points of our internet security. This is largely because they are the point that places the most responsibility on the user. A lot is demanded of us to generate and memorize complex passwords, so we often take shortcuts that eventually cost us. This first video on the topic explores the risks of less-than-optimal passwords.
New Terms:
- Password Cracking -- Attempting to gain knowledge of a password through various techniques.
- Brute Force -- Attacking a secret-based login (like a password) by attempting every valid possible input.
- Dictionary Word -- A word that can be found in a language dictionary. Password-cracking tools will often attempt these “combinations of characters” first, before other, more randomized combinations.
Passwords are often the most vulnerable
points of our internet security.
0:00
This is largely because login information
requires the most user responsibility.
0:04
Often, sites and services will have strict
requirements about password length and
0:08
character minimums.
0:13
This is a good example of the trade-off
between security and convenience: these
0:14
requirements do in fact translate
to additional effort for attackers.
0:19
So it is in your best interest
to have strong passwords.
0:23
But a lot is demanded of us to generate
and memorize complex passwords.
0:26
So much so that we may take
shortcuts that eventually cost us.
0:31
We'll explore password strengths and
weaknesses over two videos.
0:34
This first video will address
some of the risks associated with
0:39
less-than-optimal passwords.
0:42
Let's first take a look at just how
much the length of a password can
0:45
affect its strength.
0:48
Let's consider a PIN, for example,
one used for your ATM card or
0:50
to unlock your phone.
0:53
There are ten possibilities for
each digit used, zero through nine.
0:55
If your PIN was only one digit, the total
number of possible PINs would be ten.
1:00
Let's make it a two-digit PIN:
10 x 10 = 100.
1:05
Now there are 100 possible combinations,
and your PIN just got ten times stronger.
1:11
Typical PINs are four digits long:
10 x 10 x 10 x 10 = 10,000.
1:16
There are 10,000 possible four-digit PINs.
1:23
So what happens if you could
add a lowercase letter,
1:26
any of the 26 letters available in the
English alphabet at the end of your PIN?
1:29
10 x 10 x 10 x 10 x 26 =
1:34
260,000. Now we're talking.
1:38
260,000 different possibilities may seem
like it would be more than adequate.
1:42
This would definitely be overwhelming for
a human to try.
1:47
And typically, there are safeguards in
place for multiple failed attempts anyway.
1:51
But nowadays, computers can try all the
possibilities much faster than a person.
1:55
260,000 different PINs would
fly by in the blink of an eye.
2:00
And not every service will have those
same failed attempt safeguards.
2:05
Your best chance of security is to
strengthen those passwords beyond a doubt.
2:09
This table is a logical extension
of the previous exercise.
2:14
It shows how long it would
take a modern computer to try
2:18
every possible valid input for
the given constraints.
2:21
This is a bit of a simplification,
and conditions would be
2:24
different if this were, say, a government
agency with unlimited resources
2:27
compared to just a single laptop
trying to break a password.
2:32
But it does serve a purpose.
2:35
Notice that increasing the number
of characters, extending the length
2:37
of a password, has a much
greater effect on its strength
2:41
than allowing additional
possible characters.
2:44
While increasing both has
a considerable compound effect.
2:47
This is great to keep in mind for
when you're creating your own passwords.
2:50
The previous table showed how long it
would take a modern computer to try every
2:55
possible password of a certain length and
set of characters.
2:59
But password cracking,
where one attempts to guess or
3:02
force through password protection,
is often smarter than that.
3:05
A password-cracking tool
may try the top 100 or
3:08
even top 10,000 most
popular passwords first.
3:11
There's a very good chance
it could save a lot of time.
3:15
If those failed, it could then default
back to trying every possibility or
3:18
brute-forcing it.
3:22
Note the password 0123456789:
this is a 10-character password.
3:24
By our previous table,
assuming all characters are valid,
3:30
this would take a brute force approach
over 900 years for a modern computer.
3:34
But cracking tools would have this
password broken in an instant.
3:39
The same is true for
using a single dictionary word.
3:43
Tools will often consult
prioritized lists of possibilities.
3:47
We've seen how length and available
characters can affect password strength.
3:51
So now we want to make our own password
plenty long, maybe 20 characters.
3:56
And we've learned how cracking tools are
often smarter than a brute force approach,
4:00
by prioritizing common passwords and
dictionary words.
4:04
So we'll make our 20 character password
a randomized bunch of letters, numbers and
4:07
symbols.
4:12
We'll want to memorize this so
we can use it whenever we need.
4:13
Having one extra strong password should
be enough for all of our accounts, right?
4:17
Well, unfortunately, as we
learned in our very first video,
4:22
services have breaches and
personal passwords get leaked.
4:25
We'll want to have unique passwords for
each service we use.
4:30
So to recap, passwords must be long,
be unique, have never been used,
4:34
contain no personal info, and
contain no dictionary words.
4:39
And we're also expected to
memorize each one of them?
4:44
It's no wonder that some people sacrifice
their password strength for some sanity.
4:47
Well, in the next video, we'll explore
some tools that can offer some super
4:52
easy solutions without
sacrificing much security at all.
4:56
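The keyspace arithmetic from the PIN walk-through (10, 100, 10,000, then 260,000 with a trailing letter), the length-versus-alphabet comparison, and the wordlist-first cracking order defined under New Terms, as an added Python example. This is not part of the Treehouse course material. The guess rate, the eight-entry "common passwords" list, and the use of an unsalted SHA-256 hash as the target are constructed assumptions for illustration only; real cracking speed depends on the hash function, the hardware, and whether the target enforces lockouts.

```python
"""Keyspace size and cracking order, as described in the video.

Added example, not course code. Rates and lists below are assumptions.
"""
import hashlib
import itertools
import string

# Alphabets used in the video's arithmetic (sizes 10, 26, 62 and 94).
DIGITS = string.digits
LOWER = string.ascii_lowercase
ALNUM = string.ascii_letters + string.digits
ALNUM_SYM = ALNUM + string.punctuation

# Assumed guess rate for the "time to try everything" estimate. A placeholder,
# not a measurement: a fast unsalted hash on a GPU is in this range, a slow
# password hash such as bcrypt is many orders of magnitude lower.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from an alphabet of
    `alphabet_size` symbols: the video's 10 x 10 x ... product."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / (365 * 24 * 3600)


# Constructed stand-in for a "top N most popular passwords" list.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty",
                    "0123456789", "111111", "abc123", "letmein"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of the password; the cracker compares against this."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash: str, wordlist=COMMON_PASSWORDS,
          alphabet: str = DIGITS, max_length: int = 6):
    """Recover the password behind `target_hash`.

    Mirrors the ordering the video describes: popular passwords first, then
    fall back to exhaustive brute force over `alphabet`, shortest first.
    Returns (password, guesses_made), or (None, guesses_made) if not found.
    """
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # The PIN walk-through: 10, 100, 10,000, then 260,000 with a letter added.
    for length in (1, 2, 4):
        print(f"{length}-digit PIN: {keyspace(10, length):,} possibilities")
    print(f"4 digits + 1 lowercase letter: {keyspace(10, 4) * 26:,}")

    # Length beats alphabet: four extra lowercase letters outweigh adding
    # 32 punctuation symbols to a 62-symbol alphabet.
    print(f"8 chars, 62 symbols:  {keyspace(len(ALNUM), 8):.2e}")
    print(f"8 chars, 94 symbols:  {keyspace(len(ALNUM_SYM), 8):.2e}")
    print(f"12 chars, 26 symbols: {keyspace(len(LOWER), 12):.2e}")
    print(f"years for 10 chars of 94 symbols: {years_to_exhaust(94, 10):.0f}")

    # A 10-digit string has a 10**10 keyspace, but the wordlist pass finds it
    # in a handful of guesses; a PIN not on the list falls through to brute force.
    print(crack(sha256_hex("0123456789")))
    print(crack(sha256_hex("4831")))
```

The brute-force fallback enumerates digits only so the example finishes instantly; swapping `alphabet=ALNUM_SYM` with `max_length=10` is the 94-symbol, 10-character case the video calls out, and `years_to_exhaust` shows why nobody runs that loop when a wordlist hit is available.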