The Dangers of Passwords (part 1)
5:00 with Greg Stromire
Passwords are often the most vulnerable points of our internet security, largely because they are the point where the most responsibility falls on the user. A lot is demanded of us to generate and memorize complex passwords, so we often take shortcuts that eventually cost us. This first video on the topic explores the risks of less-than-optimal passwords.
- Password Cracking -- Attempting to gain knowledge of a password through various techniques.
- Brute Force -- Attacking a secret-based login (like a password) by attempting every valid possible input.
- Dictionary Word -- A word that can be found in a language dictionary. Password-cracking tools will often attempt these “combinations of characters” first, before other, more randomized combinations.
[0:00] Passwords are often the most vulnerable points of our internet security.
[0:04] This is largely because login information requires the most user responsibility.
[0:08] Often, sites and services will have strict requirements about password length and character minimums.
[0:14] This is a good example of the trade-off between security and convenience; these requirements do in fact translate to additional effort for attackers.
[0:23] So it is in your best interest to have strong passwords.
[0:26] But a lot is demanded of us to generate and memorize complex passwords.
[0:31] So much so that we may take shortcuts that eventually cost us.
[0:34] We'll explore password strengths and weaknesses over two videos.
[0:39] This first video will address some of the risks associated with less than optimal passwords.
[0:45] Let's first take a look at just how much the length of a password can affect its strength.
[0:50] Let's consider a PIN, for example, one used for your ATM card or to unlock your phone.
[0:55] There are ten possibilities for each digit used, zero through nine.
[1:00] If your PIN was only one digit, the total number of possible PINs would be ten.
[1:05] Let's make it a two-digit PIN: 10 x 10 = 100.
[1:11] Now there are 100 possible combinations, and your PIN just got ten times stronger.
[1:16] Typical PINs are four digits long: 10 x 10 x 10 x 10 = 10,000.
[1:23] There are 10,000 possible four-digit PINs.
[1:26] So what happens if you could add a lowercase letter, any of the 26 letters available in the English alphabet, at the end of your PIN?
[1:34] 10 x 10 x 10 x 10 x 26 = 260,000. Now we're talking.
[1:42] 260,000 different possibilities may seem like it would be more than adequate.
[1:47] This would definitely be overwhelming for a human to try.
[1:51] And typically, there are safeguards in place for multiple failed attempts anyway.
[1:55] But nowadays, computers can try all the possibilities much faster than a person.
[2:00] 260,000 different PINs would fly by in the blink of an eye.
[2:05] And not every service will have those same failed-attempt safeguards.
[2:09] Your best chance of security is to strengthen those passwords beyond a doubt.
[2:14] This table is a logical extension of the previous exercise.
[2:18] It shows how long it would take a modern computer to try every possible valid input for the given constraints.
[2:24] This is a bit of a simplification, and conditions would be different if this was, say, a government agency with unlimited resources compared to just a single laptop trying to break a password.
[2:35] But it does serve a purpose.
[2:37] Notice that increasing the number of characters, extending the length of a password, has a much greater effect on its strength than allowing additional possible characters, while increasing both has a considerable compound effect.
[2:50] This is great to keep in mind for when you're creating your own passwords.
[2:55] The previous table showed how long it would take a modern computer to try every possible password of a certain length and set of characters.
[3:02] But password cracking, which attempts to guess or force through password protection, is often smarter than that.
[3:08] A password cracking tool may try the top 100 or even top 10,000 most popular passwords first.
[3:15] There's a very good chance it could save a lot of time.
[3:18] If those failed, it could then default back to trying every possibility, or brute-forcing it.
[3:24] Note the password 0123456789; this is a 10-character password.
[3:30] By our previous table, assuming all characters are valid, this would take a brute-force approach over 900 years for a modern computer.
[3:39] But cracking tools would have this password broken in an instant.
[3:43] The same is true for using a single dictionary word.
[3:47] Tools will often consult prioritized lists of possibilities.
[3:51] We've seen how length and available characters can affect password strength.
[3:56] So now we want to make our own password plenty long, maybe 20 characters.
[4:00] And we've learned how cracking tools are often smarter than a brute-force approach, by prioritizing common passwords and dictionary words.
[4:07] So we'll make our 20-character password a randomized bunch of letters, numbers and symbols.
[4:13] We'll want to memorize this so we can use it whenever we need.
[4:17] Having one extra-strong password should be enough for all of our accounts, right?
[4:22] Well, unfortunately, as we learned in our very first video, services have breaches and personal passwords get leaked.
[4:30] We'll want to have unique passwords for each service we use.
[4:34] So to recap, passwords must be long, be unique, have never been used, contain no personal info, and contain no dictionary words.
[4:44] And we're also expected to memorize each one of them?
[4:47] It's no wonder that some people sacrifice their password strength for some sanity.
[4:52] Well, in the next video, we'll explore some tools that can offer some super easy solutions without sacrificing much security at all.
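As an added example that is not part of the Treehouse video, the PIN arithmetic, the length-versus-alphabet comparison from the table, and the "common passwords first" point worked in Python. The guess rate, the common-password list and the dictionary word list are constructed placeholders, not figures from the video.

```python
# Constructed assumption: guesses per second for the "modern computer" in the
# video's table. The real figure depends on hardware and on the hashing cost.
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample lists standing in for the "top 10,000 passwords" and
# dictionary word lists a cracking tool consults before falling back to brute force.
COMMON_PASSWORDS = {"123456", "password", "0123456789", "qwerty", "letmein"}
DICTIONARY_WORDS = {"sunshine", "dragon", "monkey", "welcome", "password"}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates a brute-force approach must try at worst."""
    return alphabet_size ** length


def years_to_exhaust(length: int, alphabet_size: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(length, alphabet_size) / rate / SECONDS_PER_YEAR


def length_beats_alphabet(length: int, alphabet_size: int,
                          extra_chars: int, bigger_alphabet: int) -> bool:
    """True when adding extra_chars (same alphabet) yields a larger keyspace
    than keeping the length but switching to bigger_alphabet."""
    return keyspace(length + extra_chars, alphabet_size) > keyspace(length, bigger_alphabet)


def weakness_reasons(password: str, min_length: int = 12) -> list[str]:
    """Flags what a prioritized-list cracker would hit long before brute force:
    the video's recap of long, not a common password, not a dictionary word."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if password.lower() in DICTIONARY_WORDS:
        reasons.append("is a single dictionary word")
    return reasons


if __name__ == "__main__":
    # Rows mirror the video's exercise: digits only, then digits plus lowercase, and so on.
    for length, size in ((4, 10), (5, 36), (8, 26), (6, 62), (10, 95)):
        print(f"{length:>2} chars x {size:>2} symbols: {keyspace(length, size):>22,d} "
              f"candidates, {years_to_exhaust(length, size):>12.4f} years to exhaust")
    print("0123456789 ->", weakness_reasons("0123456789"))
```

Note that 10 characters over 95 printable symbols takes centuries to exhaust at the assumed rate, yet `0123456789` is rejected immediately because it is on the common list, which is exactly the gap between the table and a real cracking tool.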