This is a transcript for a video linked here: Guide to understanding password attacks and how to protect against them.
00:00:00.560 --> 00:00:06.720 Hello, welcome to this quick guide to password security and how you can avoid your password
00:00:06.720 --> 00:00:11.120 being stolen. I'm going to look at the importance of passwords and ways in which
00:00:11.120 --> 00:00:15.920 hackers and crackers try and steal them, and then what you can do to protect against them.
00:00:17.840 --> 00:00:22.080 I'm going to focus on some of the tricks that hackers use and how you can protect against
00:00:22.080 --> 00:00:26.720 those particular tricks. In a future video I'll cover more of the technical detail of
00:00:26.720 --> 00:00:32.400 how passwords are stored and how crackers break them, so please consider subscribing
00:00:33.040 --> 00:00:37.920 and click on the notification icon to find out more about those in future.
00:00:41.360 --> 00:00:46.240 Why are usernames and passwords so important? Now, the most common way of implementing this
00:00:46.240 --> 00:00:53.920 is known as the AAA security framework. The AAA framework provides ways of protecting computers
00:00:53.920 --> 00:00:58.880 and the data on them. The key elements are authentication,
00:01:01.040 --> 00:01:08.880 authorization and accounting. In the CSP guide this is extended to include identity and auditing.
00:01:09.920 --> 00:01:13.840 In this, I'm going to concentrate on the first one, which is authentication.
00:01:17.520 --> 00:01:24.240 For the authentication criteria there are commonly two steps: identity and then authentication.
00:01:24.880 --> 00:01:32.160 Identity is who you are, and it's often based around a unique username. Authentication is
00:01:32.160 --> 00:01:37.600 proving that you are who you claim to be. This is based on something that only you should know,
00:01:37.600 --> 00:01:42.240 which in this case is the password. There are alternatives which I'll cover in future videos.
00:01:43.040 --> 00:01:47.520 An example you're already familiar with would be withdrawing money from an ATM or cash machine.
00:01:48.320 --> 00:01:52.320 In that case the card is used instead of your username to show your identity,
00:01:52.960 --> 00:01:55.040 and the PIN number is in place of the password.
00:01:58.560 --> 00:02:04.000 I'm going to look at what crackers do. I'm using the term crackers rather than hackers here; it's
00:02:04.000 --> 00:02:08.560 the more appropriate term in this circumstance, although hackers is often used as well.
00:02:10.080 --> 00:02:13.360 There are lots of different techniques, but I'm going to look at a few
00:02:13.360 --> 00:02:19.360 along with suggestions of how to protect against them. This includes password guessing,
00:02:20.560 --> 00:02:27.040 personalized attacks or spidering, shoulder surfing, phishing and social engineering,
00:02:28.160 --> 00:02:33.040 malware and key loggers, dictionary attacks and brute force attacks.
00:02:35.440 --> 00:02:40.240 There are some very common passwords or default passwords which are very easy to guess,
00:02:40.240 --> 00:02:42.240 and these are what I call stupid passwords.
00:02:44.400 --> 00:02:51.760 Things like one two three four five six, the word password, and various variants on those.
00:02:51.760 --> 00:02:58.720 These are amongst the top passwords that are used, and it's very easy for them to try
00:02:59.280 --> 00:03:05.040 a few different permutations of these. Also, don't forget to change default passwords,
00:03:06.800 --> 00:03:11.120 as these are commonly available for anybody to look up.
00:03:13.200 --> 00:03:18.800 There are a few examples there. If any of your passwords appear on this list or
00:03:18.800 --> 00:03:23.680 are similar to any of these, then change them now. These are really bad passwords,
00:03:24.320 --> 00:03:27.680 and it's just asking for trouble if these are what you're using.
00:03:30.880 --> 00:03:35.280 The next one I'm going to look at is personalized attacks. These are also known by other terms such
00:03:35.280 --> 00:03:41.040 as targeted attacks or spidering. This is where the cracker first does some research
00:03:41.680 --> 00:03:47.200 into the user of the account they're wanting to break into, and this may give them something
00:03:47.200 --> 00:03:53.840 that would help them to guess at the password. For example, typically users often use their pet's name
00:03:55.360 --> 00:04:00.960 or details about your family, such as your partner's maiden name or
00:04:01.600 --> 00:04:08.320 your child's date of birth, maybe something about yourself such as where you were born
00:04:08.960 --> 00:04:14.960 or where you last went on vacation. This is another one that's fairly easy to defend against:
00:04:14.960 --> 00:04:27.840 just don't use anything personal in your password. Make sure your password cannot be linked to you.
00:04:28.960 --> 00:04:31.120 Did you see the username and password I typed above?
00:04:32.400 --> 00:04:38.000 This was obviously a simple default password. It was seen from the point of view of someone stood
00:04:38.000 --> 00:04:44.880 over my shoulder, in a technique known as shoulder surfing. I normally touch type, in which case it's not
00:04:44.880 --> 00:04:51.840 quite so easy, but if you watch multiple times you can sometimes still pick up what the password is.
00:04:54.960 --> 00:04:58.480 The main protection against this type of attack is to be vigilant:
00:04:58.480 --> 00:05:03.440 look around before entering your password and try and hide what keys you press,
00:05:03.440 --> 00:05:09.840 similar to how you hide your PIN when using an ATM or using your card in the supermarket.
00:05:14.880 --> 00:05:19.200 I've put phishing and social engineering together. These are both ways to trick a user into providing
00:05:19.200 --> 00:05:27.040 their details. Phishing is typically an email which asks the user to click a link. The link
00:05:27.040 --> 00:05:32.160 may look genuine but often includes different letters or something extra in the domain name.
00:05:32.880 --> 00:05:37.280 After clicking on the link you're provided with a genuine-looking website
00:05:37.280 --> 00:05:42.800 which may ask for your username and password. When you type in the username and password, the data is
00:05:42.800 --> 00:05:50.160 sent to the hacker, who's then stolen your password. Social engineering can also involve a phone call
00:05:50.160 --> 00:05:56.240 pretending to be, say, your IT department, asking you what your password is so they can protect it,
00:05:56.240 --> 00:06:02.080 or some other excuse. The defense for this is to be aware of these and be vigilant:
00:06:02.080 --> 00:06:06.240 instead of clicking on the link, type the known website into a browser,
00:06:06.240 --> 00:06:10.080 and never reveal your password over the phone or to anyone else that asks.
00:06:14.240 --> 00:06:19.840 Malware, which can include software key loggers, is software installed onto your computer.
00:06:20.480 --> 00:06:23.600 This can capture the keystrokes that you enter into your computer.
00:06:25.040 --> 00:06:29.760 These are also available as physical devices which go between the keyboard and the USB port,
00:06:29.760 --> 00:06:36.640 although that needs physical access to install and retrieve. To protect against software threats, then,
00:06:36.640 --> 00:06:41.520 only install software that you trust and ensure any relevant software updates are installed,
00:06:42.160 --> 00:06:49.120 including where your computer has an antivirus: make sure that's up to date as well.
00:06:55.360 --> 00:06:58.320 The next thing I'm going to look at is how passwords can be cracked.
00:06:59.200 --> 00:07:01.840 This assumes that your password has been stored on a server
00:07:02.880 --> 00:07:09.280 which uses encryption or, more often, password hashing, but it has been compromised.
00:07:10.720 --> 00:07:15.440 This is important, and it means that they can find your password and then use that to log in to both
00:07:15.440 --> 00:07:21.040 that and a different system. The most important thing you can do to protect against this is to
00:07:21.040 --> 00:07:26.400 use different passwords on different systems, so if they find one they don't get access to any others.
00:07:27.840 --> 00:07:31.120 Now let's look at two different attacks that can be used
00:07:31.120 --> 00:07:35.440 against passwords and how well your choice of password can protect you.
00:07:38.720 --> 00:07:42.640 The first is dictionary attacks, and as the name suggests these are based around words in
00:07:42.640 --> 00:07:48.720 a dictionary. But note it's not just enough to swap a character for a digit, as shown in these examples;
00:07:49.280 --> 00:07:51.760 these can be factored into these types of attacks.
00:07:52.880 --> 00:07:56.640 The more changes you make to the word, the harder it is to attack;
00:07:56.640 --> 00:08:01.280 with enough computing power, then, dictionary attacks cover many possible permutations.
00:08:03.440 --> 00:08:07.360 The way to protect yourself is not to choose a word from a dictionary,
00:08:07.920 --> 00:08:13.840 or to use multiple unrelated words, for example cat fruit walking.
00:08:17.760 --> 00:08:23.600 The other way is a brute force attack, which is where the computer tries every single character
00:08:23.600 --> 00:08:29.920 combination to break the password. The security of this is based on the number of letters and digits
00:08:29.920 --> 00:08:34.960 in a password. If you use only six characters then it's possible to crack the password in
00:08:34.960 --> 00:08:41.440 perhaps a few seconds; eight characters, it's going to take a few hours; but increase that to 10,
00:08:41.440 --> 00:08:45.360 you're into months, or 12 characters and you're into thousands of years.
00:08:46.240 --> 00:08:50.240 These are only approximate, but it gives you an idea of how adding additional characters
00:08:50.240 --> 00:08:53.840 can significantly increase the security of your password.
00:08:57.600 --> 00:09:00.720 So it's clear we need to use a different password for each system,
00:09:00.720 --> 00:09:04.720 and for each of those we need to set the password to be 12 characters long,
00:09:04.720 --> 00:09:11.520 using random numbers, letters and perhaps special characters. There's just one problem:
00:09:11.520 --> 00:09:16.160 our memories are not very good at remembering those passwords. As a result people often
00:09:16.160 --> 00:09:22.400 write them down, perhaps post-it notes on your computer screen. That is introducing a big risk.
00:09:25.200 --> 00:09:31.680 So the solution to that is to use password managers, and this is effectively a software safe
00:09:32.240 --> 00:09:38.480 which stores your passwords so you can get to them, but encrypts them so that only you can access them.
00:09:39.760 --> 00:09:42.960 You may already be using one of these; they're often included in a
00:09:42.960 --> 00:09:48.640 web browser or a mobile phone, but you can also get some that are separate pieces of software
00:09:48.640 --> 00:09:54.640 that you control. Using a password manager, you should ensure that the information is protected,
00:09:54.640 --> 00:09:57.680 as otherwise someone can then access all your passwords.
00:09:59.760 --> 00:10:05.120 Set a secure password which is at least 12 characters long and perhaps based on multiple words.
00:10:06.320 --> 00:10:11.840 It's important that you remember that password, as if you do forget it you'll not be able to access
00:10:11.840 --> 00:10:17.280 any of your passwords and you'll be locked out of your accounts. But it's only one password that
00:10:17.280 --> 00:10:23.680 you need to remember, so you can make this more complicated and just remember this one password.
00:10:24.720 --> 00:10:31.840 Let's say using multiple words is a good way of making that password longer.
00:10:33.920 --> 00:10:38.240 An even better way to secure an account is using multi-factor authentication,
00:10:38.240 --> 00:10:43.680 also known as two-factor authentication. Many banks have already implemented this, and across
00:10:43.680 --> 00:10:50.560 Europe many online credit card payments now also add multi-factor authentication. This supplements
00:10:50.560 --> 00:10:56.160 the password-based authentication, which is based on something you know, with also needing to be
00:10:56.160 --> 00:11:04.560 in possession of a second factor to prove who you are. This is often a mobile phone, using either SMS/
00:11:04.560 --> 00:11:09.520 text messaging or an app which can be installed on your phone, although there
00:11:09.520 --> 00:11:16.960 are other methods. I'll be covering this in more detail in a future video, but for now, enabling
00:11:16.960 --> 00:11:21.680 multi-factor authentication is one of the best things you can do to protect an account that you
00:11:21.680 --> 00:11:29.120 want to keep secure. So if it's an option then I do recommend that for your more valuable accounts.
00:11:33.120 --> 00:11:38.000 Hopefully this has given you a better insight into password security and how you can protect
00:11:38.000 --> 00:11:43.920 your password. If so, please give the video a like. Is there anything I've missed out? If
00:11:43.920 --> 00:11:48.800 so, please leave a comment below and join in the discussion on how we can all make security better.
00:11:49.920 --> 00:11:54.640 I plan to add more videos in future, including multi-factor authentication as well as an
00:11:54.640 --> 00:11:59.680 introduction to some of the tools that crackers use. Please subscribe to my channel and click the
00:11:59.680 --> 00:12:06.400 notification icon so that you can find out about my future videos. Thanks for watching.