This episode of the Modern Rogue was produced in partnership with our friends over at LastPass.
Thanks, LastPass!
I had a friend who was really good at guessing his roommate's EverQuest password.
[light laughter]
What did--what did your friend, who's definitely not you, do?
It wasn't me.
He would guess his password, log into his account, strip him of everything!
And he was playing like eight hours a day, every day.
You have a bad friend!
Sneak into a super dangerous area,
and then just log out.
And so when he logged back in, he's like, "I'm naked
and I'm somewhere I have no business being."
Does your friend still have the friend?
No.
It wasn't me.
What are you, Shaggy?
[laughter]
[Brian's voice echoes in the distance] ♪ MODERN ROGUE! ♪
[robot voice] Brian and Jason finally change their passwords.
Are you good about password security?
I'm the best.
I combine, uh, my cat's name with my daughter's name!
Oh! Yeah, that--that's really good.
Fools them all.
Yeah, put an exclamation point at the end?
Oh yeah, well because you've got to put a symbol.
And I make sure to capitalize--
--The first letter?
Yes, well, yes.
That's good.
That's--that's yeah.
Nobody's ever going to get that.
It's great!
That's good.
So recently they walked back the standards and best practices recommended by the
National Institute of Standards and Technology.
Okay now wait a minute.
I thought these were supposed to be the reasons that passwords are super complicated, like,
"Hey, dumb people.
You guys don't know how to password, so we're going to make all of these dumb rules and
we won't accept anything that--unless it has all these rules."
That's exactly what it was, but people weren't using it correctly.
They would say stuff like, "Okay, you have to use a symbol, and make it look all variable,
and have some uppercase and lowercase, and a mix of numbers and letters."
They recommended that you not do that anymore, and it wasn't because that's a bad idea,
it was because people would do that and then when they would change their password,
they would do just a slight variation.
So here's the thing, is, on paper this is a very sensible way to craft a password.
It allows for the most vectors to make it as complicated as possible, because a hacker
is going to know that a human will very likely rely on dictionary words, and then it will
limit the search to those to begin with, right?
But, if a hacker is told in advance, "Okay, there's going to be uppercase and lowercase,
and symbols, and letters, and it's going to be 17 digits long."
In that case the hacker would say, "More trouble than it's worth" and move on, except for the
fact that they can rely on certain human tendencies.
Yes, for example, let's say you had a really strong password, legit and secure.
Well what happens after three months?
Well, they used to always say, "Time to change your password!"
Exactly, they were saying something like you had to change it every 90 days, but you would
take that password and use pretty much the identical one, but change one thing in there.
I mean, I might have changed "bologna" to "bologna1" once.
Exactly!
And not only does that defeat the purpose of changing it every 90 days, that actually
makes that password weaker because you're setting up a pattern.
That's right!
They could say, "Oh, this guy loves using his childhood street address.
That seems to be in every password that he's ever done," making all of them weaker.
That's the part that surprised me, is that when I was younger I thought that having a
clever algorithm was the catch-all solution for everything, because it looks like a giant
jumble on there.
For example, one thing people will do, is they'll do a string of characters on the keyboard,
because they'll go [scatting] and it looks random to them, but they don't realize, this is a
very predictable pattern that you're establishing.
Exactly, and you had mentioned not using your street address or something like that. >> Oh sure, yeah.
That's another tip that they use, is don't put something in there
that people can find out by looking at your Facebook page.
Okay, so you mentioned that the best practices have been changed.
What are the biggest changes that we're seeing?
Longer, of course.
It used to be like, 12 digits or 12 characters within your password.
Now they're saying 15.
The longer the better.
There's a fantastic XKCD comic, where he talks about how lousy that idea of having a good,
you know, symbols and letters and words, eight letter password is inferior to essentially
writing a sentence, or taking seven dictionary words and putting them in a row.
And the fact that each of those words represents a symbol, an idea in your mind, the moment
you read it you're going to have it memorized.
>> Yeah.
Okay, so best practices are changing, why?
Because people are still human and sloppy, and doing a lot of things that are going to
get them compromised.
So even telling people that the right way to do it is this way, they're going to use
the shortcuts like maybe relying on the same core passwords
and making derivations to the beginning and end.
Yes, and that's inherently dangerous.
So think about this nightmare scenario, right?
Let's say that you fall victim to some phishing on Facebook, right?
And somebody gets your password for Facebook, and then they check that password and one
of the first things they do is to find other places where it works.
>> Yeah!
For example, let's say that you guess a password.
You find a paste as they're called, a list of passwords that are compromised.
You're going to try that password on another website, and maybe that website says,
"Oh you changed that password six months ago."
Maybe just add one, add an exclamation point,
add this, add that. >> Exactly, exactly.
And if they get it into your email, then they can sit there and reset everything!
Terrifying, terrifying.
I am legit horrified about the idea of compromised email.
You know what?
It's always the human aspect of people that compromises.
It's very rarely the technology.
For example, all the way back in World War II, you remember that the Enigma machine was
this unbreakable cipher. But it turns out it was the human aspect that the Allies figured,
"You know what I bet they finish all their messages with?
'Heil Hitler.'"
And that was the core that allowed them to help break that engine.
Yeah, so don't ever finish a password with "Heil Hitler."
[uncomfortable laughter] That's for--for a number of reasons.
I'm glad we--I'm glad we finally got that out.
Yeah.
By now everyone should be terrified that they have a super-obvious, easy to figure out,
completely compromised password, which by the way they totally do.
Yes, let's talk best practices.
It is commonly accepted that you should use two factor authentication and a password manager
like LastPass.
Okay, yep, timeout.
This is the part where we tell everybody that we are doing this video in partnership with
our friends over at LastPass.
They reached out to us and I could not be more excited, because I've used LastPass for
like three or four years now.
It is brilliant.
When you use a password manager, it takes the fear out of everything.
You have one locked door, behind which everything else exists.
You use best practices with long, insane groups of characters that I would never think to
do, but it auto-generates it for you and keeps track of all of those.
In all of my research, all of the authorities on password management and security and so forth,
all sorts of stuff said, "Use a password manager, and that password manager should be LastPass."
Tell me about your experience with LastPass.
So when you first sign up, you designate one super-secure password that is going to be
yours and LastPass, and it'll use two factor authentication which we'll talk about in a moment.
But, because they're generating the passwords, they make them super-secure, very difficult to crack.
They've got a number of plug-ins that work on mobile devices, on desktop devices.
It stores your vault of passwords in the cloud, so it automatically syncs up.
And when it comes to a point, no matter what website you're on, and you need to generate
a password, you can use your own password generation skills, or you can do like I do
and say, "LastPass, why don't you take this over?"
And it will generate very long, super-secure passwords that are very difficult to crack,
and the most important part is they're the ones managing it.
No matter how smart you are, you're still a human being and you have to acknowledge
you're going to make dumb human being mistakes.
This takes all of that out.
Generally accepted, everybody should be using a password manager, we like LastPass.
Talk to me about two factor authentication.
Okay, yeah.
That's really one of the second musts, and it's only come along in the last couple of years.
That's something you are, something you have, or something you know.
Okay, so something you know, I assume that's a password, right?
>> Right.
So that's something only you would know.
Something you have would be another vector like a cellphone.
Something you are would be what, like a biometric? >> Biometrics, yeah.
Fingerprint, retinal scan, saliva, something like that.
Wow, you're getting very specific here.
Yeah, it's the second lock on the door.
So the idea being that even if one lock is compromised, it's very unlikely that any two
locks would be compromised at the same time.
If somebody has your password, it's unlikely that they've also spoofed and stolen your cellphone.
If they have your cellphone, it's unlikely that they've also ripped out your eyeballs
and have retina scans.
Exactly.
And it seemed like such a hassle, it seemed like this company's just trying to get my phone number.
Two factor authentication is not nearly the hassle I originally thought it was.
You've got fingerprint scanners built into the iPhone, the new one's supposed to have
facial recognition technology, there are phones that have retinal scanners and all that stuff.
To be honest, if you're not doing two factor authentication, you are hugely exposed.
That is the one thing I want everybody to take away.
Yeah, it's really quick and now it's good hygiene.
It's really just a common practice that everybody needs to embrace.
A lot of people will log into Facebook or Gmail, or something like that, and a prompt
will come up and say, "Hey, let's sign you up for two factor authentication."
And a lot of people will say, "Skip!"
Yeah. Sounds like trouble, sounds like trouble. >> Nope.
Yeah, nope, nope.
Yeah you should do that, that's like someone saying, "Hey, we want to put a second lock
on your door to protect you." >> You're like, "No!
Why would I do two locks?!
My goodness!"
"I'm just going to leave it open!"
Keep in mind that every time you get one of those emails that says, "Hey, did you forget your password?
You seemed to try to log in from San Francisco."
That is a hacker trying to see if your door is unlocked, and if you have double-locks
you're going to be double-safe.
Exactly.
All right, speaking of the two factors, the most important factor, the password.
If you're not going to use a password manager, or let's say selecting a password for your
password manager, what are the best practices?
The longer the better.
Long.
That's really one of the best ones, because the hacking software is getting better and
better at just ripping through and running infinite variations.
And we should point out that everything that came before still applies.
It's still better to have symbols, it's still better to have capital letters and lowercase letters,
it's still better to have spaces and have it be as long as possible,
and if you must make it simpler, at least make it longer.
Yeah, keep it at least 15 characters.
Which sounds insane, you're like, "I don't know any 15 character string of text, and
numbers, and whatnot."
But, you do know a sentence, or a gestalt moment that means something to you that you
can translate into a secure password, that will mean nothing to anyone in the outside world.
That will have numbers and letters and symbols and capital, and all of that stuff that will
easily be pegged in your mind.
Yeah, and when you're putting the capital letters in there, most people want to put
them at the beginning, don't do that.
Put it in the middle, or if you're using a symbol, don't put an exclamation point at
the end, don't replace an s with a dollar sign, don't replace an s with a five.
Those are all common substitutions and hackers know immediately to go for that.
And let's say that they find your old password, like we were talking about where if it says,
"password01!" if that doesn't work, the first thing they're going to try is "password02!"
Oh, I thought they were going to just give up.
I mean, how are you going to beat that?
[sad trombone]
>> Brian: This is Forbes, 2016's worst passwords.
25 passwords on the board!
Okay.
For all the money in the world, name one.
Okay, uh, "password"
Show me passw... well, I mean the name of the article is passwords.
Uh, yeah no it's definitely number two, and has remained number two.
What else you got?
"12345"
Show me "12345!"
>> Brian: Yes. Also "123456," "12345678," "1234567,"
and "1234567890" because he was just that clever.
So at this point you've got nine on the board.
You've got nine points.
Can I get... "qwerty?"
Show me "qwerty!"
Uh, you know what?
I'm going to give you both "qwerty" and "qwertyuiop."
Okay, uh what, uh "cowboys."
Cowboys?
Yeah.
[wrong buzzer]
No? Okay. I was going with like sports and football. >> Sure, sure.
All right, uh, "password123"
[wrong buzzer]
No?! >> Yeah.
No, that's whatever.
You've got one more, you got one more.
"birthday"
Birthday?
I don't know, I don't know.
It would be the actual birthday, it's not going to be in there.
No it's not birthday.
Here are some of the weird words that show up in some of these top lists.
You of course have "qwerty" and number collections, like number seven on this list is "football."
There's another one "baseball," "welcome," "abc123," "dragon" which we talked about.
Dragon! I don't understand that.
Everybody loves "dragon!"
This is number seven on the list.
I--I, really?
Yeah.
Game of Thrones, number seven.
Seven Kingdoms?
Starts with a letter "d."
Dragon?
Yes!
Dragon is universally in these top 10 lists, over and over and over.
What? Really?! >> Yes, yes, yes.
"password1"
Show me, "password1!"
Oooh, wait. What?!
No. >> What?
No this is bullsh--.
Bullsh-- list.
F--- this list!
I've seen this a lot, "princess."
Princess?
"Princess" and "god" I see in a whole bunch of those.
Huh.
"Solo," password with a zero for an "o."
Oh, sure. Okay, yep, yep, yep.
And "starwars" or derivations of Star Wars, like "UseT4Luke."
[under his breath] I've never done that before.
[laughter]
I've never used a Star Wars related password, I don't know what you're talking about.
Let's talk about making good passwords, how can you test whether or not you're a good
password maker?
There are websites that will test how powerful your password is, how secure it is.
Showdown time.
Which of us has learned the most about making a proper password?
Me!
You go first. >> Okay.
You know what, it hides your password.
Let's do our actual passwords.
Oh!
Ooooh!
For something that matters!
Like, financial thing. >> Okay.
Just, all we're doing is revealing which of us is the best.
You know what, I'm going to start with a low-security password, that I have maybe used somewhere.
>> Okay.
>> Brian: My lowest security password is 40 percent.
What about yours?
Not good.
Not good, not good.
So like a low-security one?
Uh, yeah.
Just--just get started.
>> Jason: Okay, okay.
>> Brian: 33 percent?
Yeah... >> Is it "starwars?"
No, I've retired that one, long ago.
Your email password.
My email password?
Oh boy, okay.
>> Brian: 65 percent.
Yeah? >> Yeah.
I can beat that.
Okay, all right. All right, all right.
Holy cow!
97!
97 percent?!
Suck it, Brushwood.
Holy cow!
Yes sir.
Uh okay, this is the big test.
If you have one, use it, if you don't have one, use one you at one point used.
Okay.
A financial password.
Okay, okay.
♪ smooth bass and airy keys fill the silence ♪
[just a ridiculous gasp]
100 percent!
[singing] I am very proud of my password making skills.
All right, go for it.
Okay.
That's a great song, by the way.
>> Jason: Uh, a financial password, okay, okay, okay.
[in a defeated tone] 61 percent.
[expressing schadenfreude] >> Brian: Uh, oh! [Jason vocalizes sad trombone again]
I'm going home and changing everything.
I'm changing everything!
I don't blame you, man!
All of the things.
This is freaking terrifying. All right.
-- CC BY BIZARRE MAGIC -- [branding furnace hissing]
[wind and thunder loom ominously]