
Your Passwords Are Useless! - The Hated One
video description
Look at how hard it is to get devs to start using PASSWORD HASHING to store user passwords. Imagine trying to get them all to implement the FIDO protocols. Also, stuff like encrypted files on your computer literally can't use this, because a file cannot generate a challenge to test the user's response on that an attacker cannot predict, rendering it impossible to implement. You CAN use the pubkey to encrypt the data (or more accurately, encrypt a randomly generated key to use in a symmetric cipher), but that is not the FIDO protocol.
Date: 2022-03-20
Comments and reviews: 8
Nikola
USB public keys can be interspersed the same way password phishing works; a man-in-the-middle attack makes your legit key unlock the login through a forwarding website.
If the real website supports it there will be a double login on 2 devices; maybe you will need to unlock it twice, once for the hacker and the second time for you.
If the website doesn't support multiple mac logins then the attacker will log in and the bot will steal all content from that account or execute the desired procedure, while you get stuck on a loading screen or filling out a fake questionnaire or something that creative. Maybe some day, when the GSM providers make their key on the chip work with cellular verification (double key verification) + a random question that gets sent to one device and you answer on another, we will be closer.
Bob
I was one of the ones who experienced Kevin Mitnick's first major mass hacking attempt when I was working for DEC in the 80's. At the time a few of my colleagues were found to have had their password compromised. Mine was not, mainly I suspect because since the 70's I have ALWAYS used a minimum of 13 characters (upper & lower case mixed plus numbers then later also symbols) and nowadays it's over 14 pseudo random characters. Back in the day, my account faced almost 500 unsuccessful attempts. Only one other person in the office came close and that was the system manager who'd faced 1000 plus!
It pays to be cautious!
A password plus biometrics is the safest OR a two factor check using different media and private key cryptography.
Sadsandwich85
Make your own encryption rules and you will be fine. Say the password phrase is "I love poo sandwiches": use different letters, numbers and symbols to represent the letters in this phrase. Say the letter "I" is represented by "=4", and "L" is represented by "%-", and "O" is represented by "Y7"! Just with those 3 letters (ILO) you already have "=4. %-Y7!". So right there that's 3 letters written in your own code; someone can't get the password without knowing your made-up code. So sure, someone with enough know-how could get through using some algorithm, but it will not be worth the trouble. Oh yeah, I forgot: change your password once biweekly or monthly.
Meemkoo
3:23
Ok so I don't want to be that guy in the comments, but when your password is created the company does a one-way hash on the password, so that when you enter it in to sign in it hashes that THEN compares that to the original hash. At least that's what a good company will do. If you're wondering what a hash is, it's just taking the password and doing fancy math to convert it to a string of letters and numbers. The trick with the hash is that it can't be reversed easily. So unless the company is hacked at the moment you create your password OR you have been hacked when you enter your password, then you should be fine.
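As an added illustration of the scheme this comment describes (example code written for this page, not from the video or any commenter): registration stores only a salted, slow PBKDF2 hash, and login recomputes it from the stored salt and compares it in constant time. The record format, function names and iteration count are my own assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters (assumed values; raise iterations as hardware allows).
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Registration: derive a salted, slow hash and return a self-describing record.

    Only this record is stored; the plaintext never is. The random salt means two
    users with the same password get different records, so a stolen table cannot
    be attacked with one precomputed lookup shared across every account.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh unpredictable salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Login: recompute the hash from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False  # malformed record: reject rather than crash the login path
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))  # False
```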
Surfing
Take a look at that video closely. How often do you think you can push down on a USB key before you damage that USB port? I've supported more computers than I can shake a stick at where the USB port was damaged, and they were not using any type of USB FIDO key. You lose it and it's nearly impossible to recover some sites. Someone steals it from you, or police get a court order and take it from you. They magically know your access. With passwords in my head alone, they'll need to get to a point where they can read minds before they can take my passwords.
TheCrusaderBin
It is also important to be able to be anonymous, though. In fact, accountless is the best way, as much as you can get there. Otherwise, throwaway accounts with passwords and a password storage program are way better than having a key that proves all that you did and when you did it. It is missing the point. It can be used as a 2nd factor only in places where you WANT to be recognized. And as little as possible - that is the key. Any data you did not precisely want to provide is essentially stealing. Or ransom, if service refuses to be permitted.
Paul
You are totally right. I almost never use a password more than once (when I 'register'). The next time I need it, I have already forgotten it. Of course I try to use the same password for multiple sites (and another one for 'finance' related sites). Sadly the systems always dispute my choice of password, making me vary it (and then of course forget it). The system is completely useless.
jimandjackandhank
Those biometric FIDO keys just guarantee to the NSA that it is TRULY you that they are gathering metadata on. Which will prove in court that it was really you that did or said something. I think everyone should just ditch all technology, ditch all social media, go back to using snail mail, and drive to the store to buy your shit; quit being so lazy.