
Penguin Fortress YouTube Channel

Video transcript: Guide to understanding password attacks and how to protect against them

This is a transcript for a video linked here: Guide to understanding password attacks and how to protect against them.


00:00:00.560 --> 00:00:06.720
hello welcome to this quick guide to password security and how you can avoid your password

00:00:06.720 --> 00:00:11.120
being stolen i'm going to look at the importance of passwords and ways in which

00:00:11.120 --> 00:00:15.920
hackers and crackers try and steal them and then what you can do to protect against them

00:00:17.840 --> 00:00:22.080
i'm going to focus on some of the tricks that hackers use and how you can protect against

00:00:22.080 --> 00:00:26.720
those particular tricks in a future video i'll cover more of the technical detail of

00:00:26.720 --> 00:00:32.400
how passwords are stored and how crackers break them so please consider subscribing

00:00:33.040 --> 00:00:37.920
and click on the notification icon to find out more about those in future

00:00:41.360 --> 00:00:46.240
why are usernames and passwords so important now the most common way of implementing

00:00:46.240 --> 00:00:53.920
is known as the aaa security framework the aaa framework provides ways of protecting computers

00:00:53.920 --> 00:00:58.880
and their data on them the key elements are authentication

00:01:01.040 --> 00:01:08.880
authorization and accounting in the csp guide this is extended to include identity and auditing

00:01:09.920 --> 00:01:13.840
in this i'm going to concentrate on the first one which is authentication

00:01:17.520 --> 00:01:24.240
the authentication criteria there's commonly two steps identity and then authentication

00:01:24.880 --> 00:01:32.160
identity is who you are and it's often based around a unique username authentication is

00:01:32.160 --> 00:01:37.600
proving that you are who you claim to be this is based on something that only you should know

00:01:37.600 --> 00:01:42.240
which in this case is the password there are alternatives which i'll cover in future videos

00:01:43.040 --> 00:01:47.520
an example you're already familiar with would be withdrawing money from an atm or cash machine

00:01:48.320 --> 00:01:52.320
in that case the card is used instead of your username to show your identity

00:01:52.960 --> 00:01:55.040
and the pin number is in place of the password

00:01:58.560 --> 00:02:04.000
i'm going to look at what crackers do i'm using the term crackers rather than hackers here it's

00:02:04.000 --> 00:02:08.560
the more appropriate term in this circumstance although hackers is often used as well

00:02:10.080 --> 00:02:13.360
there are lots of different techniques but i'm going to look at a few

00:02:13.360 --> 00:02:19.360
along with suggestions of how to protect against them this includes password guessing

00:02:20.560 --> 00:02:27.040
personalized attacks or spidering shoulder surfing phishing and social engineering

00:02:28.160 --> 00:02:33.040
malware and key loggers dictionary attacks and brute force attacks

00:02:35.440 --> 00:02:40.240
there's some very common passwords or default passwords which are very easy to guess

00:02:40.240 --> 00:02:42.240
and these are what i call stupid passwords

00:02:44.400 --> 00:02:51.760
things like one two three four five six the word password and various variants on those

00:02:51.760 --> 00:02:58.720
and these are amongst the top passwords that are used and it's very easy for them to try

00:02:59.280 --> 00:03:05.040
a few different permutations of these also don't forget to change default passwords

00:03:06.800 --> 00:03:11.120
as these are commonly available for anybody to look up

00:03:13.200 --> 00:03:18.800
there's a few examples there if any of your passwords appear on this list or

00:03:18.800 --> 00:03:23.680
are similar to any of these then change them now these are really bad passwords

00:03:24.320 --> 00:03:27.680
and it's just asking for trouble if these are what you're using

00:03:30.880 --> 00:03:35.280
the next one i'm going to look at is personalized attacks these are also known by other terms such

00:03:35.280 --> 00:03:41.040
as targeted attacks or spidering this is where the cracker first does some research

00:03:41.680 --> 00:03:47.200
into the user of the account they're wanting to break into and this may give them something

00:03:47.200 --> 00:03:53.840
that would help them to guess at the password for example typically users often use their pet's name

00:03:55.360 --> 00:04:00.960
or details about your family such as your partner's maiden name or

00:04:01.600 --> 00:04:08.320
your child's date of birth maybe something about yourself such as where you were born

00:04:08.960 --> 00:04:14.960
or where you last went on vacation this is another one that's fairly easy to defend against

00:04:14.960 --> 00:04:27.840
just don't use anything personal in your password make sure your password cannot be linked to you

00:04:28.960 --> 00:04:31.120
did you see the username and password i typed above

00:04:32.400 --> 00:04:38.000
this was obviously a simple default password it was seen from the point of view of someone stood

00:04:38.000 --> 00:04:44.880
over my shoulder in a technique known as shoulder surfing i normally touch type in which case not

00:04:44.880 --> 00:04:51.840
quite so easy but if you watch multiple times you can sometimes still pick up what the password is

00:04:54.960 --> 00:04:58.480
the main protection against this type of attack is to be vigilant

00:04:58.480 --> 00:05:03.440
look around before entering your password and try and hide what keys you press

00:05:03.440 --> 00:05:09.840
similar to how you hide your pin when using an atm or using your card in the supermarket

00:05:14.880 --> 00:05:19.200
i've put phishing and social engineering together these are both ways to trick a user into providing

00:05:19.200 --> 00:05:27.040
their details phishing is typically an email which asks the user to click a link the link

00:05:27.040 --> 00:05:32.160
may look genuine but often includes different letters or something extra in the domain name

00:05:32.880 --> 00:05:37.280
after clicking on the link you're provided with a genuine looking website

00:05:37.280 --> 00:05:42.800
which may ask for your username and password when you type in the username and password the data is

00:05:42.800 --> 00:05:50.160
sent to the hacker who's then stolen your password social engineering can also involve a phone call

00:05:50.160 --> 00:05:56.240
pretending to be say your IT department asking you what your password is so they can protect it

00:05:56.240 --> 00:06:02.080
or some other excuse the defense for this is to be aware of these and be vigilant

00:06:02.080 --> 00:06:06.240
instead of clicking on the link type the known website into a browser

00:06:06.240 --> 00:06:10.080
and never reveal your password over the phone or to anyone else that asks

00:06:14.240 --> 00:06:19.840
malware which can include software loggers is software installed onto your computer

00:06:20.480 --> 00:06:23.600
this can capture the keystrokes that you enter into your computer

00:06:25.040 --> 00:06:29.760
these are also available as physical devices which go between the keyboard and the usb port

00:06:29.760 --> 00:06:36.640
although that needs physical access to install and retrieve to protect against software threats then

00:06:36.640 --> 00:06:41.520
only install software that you trust and ensure any relevant software updates are installed

00:06:42.160 --> 00:06:49.120
including where your computer has an antivirus make sure that's up to date as well

00:06:55.360 --> 00:06:58.320
the next thing i'm going to look at is how passwords can be cracked

00:06:59.200 --> 00:07:01.840
this assumes that your password has been stored on a server

00:07:02.880 --> 00:07:09.280
which uses encryption or more often password hashing but it has been compromised

00:07:10.720 --> 00:07:15.440
this is important and it means that they can find your password and then use that to log in both

00:07:15.440 --> 00:07:21.040
that and a different system the most important thing you can do to protect against this is to

00:07:21.040 --> 00:07:26.400
use different passwords on different systems so if they find one they don't get access to any others

00:07:27.840 --> 00:07:31.120
now let's look at two different attacks that can be used

00:07:31.120 --> 00:07:35.440
against passwords and how well your choice of password can protect you

00:07:38.720 --> 00:07:42.640
the first is dictionary attacks and as the name suggests these are based around words in

00:07:42.640 --> 00:07:48.720
a dictionary but note it's not just enough to swap a character for a digit as shown in these examples

00:07:49.280 --> 00:07:51.760
these can be factored into these types of attacks

00:07:52.880 --> 00:07:56.640
the more changes you make to the word then the harder it is to attack

00:07:56.640 --> 00:08:01.280
with enough computing power then dictionary attacks cover many possible permutations

00:08:03.440 --> 00:08:07.360
the way to protect yourself is not to choose a word from a dictionary

00:08:07.920 --> 00:08:13.840
or to use multiple unrelated words for example cat fruit walking

00:08:17.760 --> 00:08:23.600
the other way is a brute force attack which is where the computer tries every single character

00:08:23.600 --> 00:08:29.920
combination to break the password the security of this is based on the number of letters and digits

00:08:29.920 --> 00:08:34.960
in a password if you use only six characters then it's possible to crack the password in

00:08:34.960 --> 00:08:41.440
perhaps a few seconds eight characters it's going to take a few hours but increase that to 10

00:08:41.440 --> 00:08:45.360
and you're into months or 12 characters and you're into thousands of years

00:08:46.240 --> 00:08:50.240
these are only approximate it gives you an idea of how adding additional characters

00:08:50.240 --> 00:08:53.840
can significantly increase the security of your password

00:08:57.600 --> 00:09:00.720
so it's clear we need to use a different password for each system

00:09:00.720 --> 00:09:04.720
and for each of those we need to set the password to be 12 characters long

00:09:04.720 --> 00:09:11.520
using random numbers letters and perhaps special characters there's just one problem

00:09:11.520 --> 00:09:16.160
our memories are not very good at remembering those passwords as a result people often

00:09:16.160 --> 00:09:22.400
write them down perhaps post-it notes on your computer screen that is introducing a big risk

00:09:25.200 --> 00:09:31.680
so the solution to that is to use password managers and this is effectively a software safe

00:09:32.240 --> 00:09:38.480
which stores your passwords so you can get to them but encrypts them so that only you can access them

00:09:39.760 --> 00:09:42.960
you may already be using one of these they're often included in a

00:09:42.960 --> 00:09:48.640
web browser or a mobile phone but you can also get some that are separate pieces of software

00:09:48.640 --> 00:09:54.640
that you control using a password manager you should ensure that the information is protected

00:09:54.640 --> 00:09:57.680
as otherwise someone can then access all your passwords

00:09:59.760 --> 00:10:05.120
set a secure password which is at least 12 characters long and perhaps based on multiple words

00:10:06.320 --> 00:10:11.840
it's important that you remember that password as if you do forget it you'll not be able to access

00:10:11.840 --> 00:10:17.280
any of your passwords and you'll be locked out of your accounts but it's only one password that

00:10:17.280 --> 00:10:23.680
you need to remember so you can make this more complicated and just remember this one password

00:10:24.720 --> 00:10:31.840
let's say using multiple words is a good way of making that password longer

00:10:33.920 --> 00:10:38.240
an even better way to secure an account is using multi-factor authentication

00:10:38.240 --> 00:10:43.680
also known as two-factor authentication many banks have already implemented this and across

00:10:43.680 --> 00:10:50.560
europe many online credit card payments now also add multi-factor authentication this supplements

00:10:50.560 --> 00:10:56.160
the password-based authentication which is based on something you know with also needing to be

00:10:56.160 --> 00:11:04.560
in possession of a second factor to prove who you are this is often a mobile phone using either sms

00:11:04.560 --> 00:11:09.520
stroke text messaging or an app which can be installed on your phone although there

00:11:09.520 --> 00:11:16.960
are other methods i'll be covering this in more detail in a future video but for now enabling

00:11:16.960 --> 00:11:21.680
multi-factor authentication is one of the best things you can do to protect an account that you

00:11:21.680 --> 00:11:29.120
want to keep secure so if it's an option then i do recommend that for your more valuable accounts

00:11:33.120 --> 00:11:38.000
hopefully this has given you a better insight into password security and how you can protect

00:11:38.000 --> 00:11:43.920
your password if so please give the video a like is there anything i've missed out if

00:11:43.920 --> 00:11:48.800
so please leave a comment below and join in the discussion on how we can all make security better

00:11:49.920 --> 00:11:54.640
i plan to add more videos in future including multi-factor authentication as well as an

00:11:54.640 --> 00:11:59.680
introduction to some of the tools that crackers use please subscribe to my channel and click the

00:11:59.680 --> 00:12:06.400
notification icon so that you can find out about my future videos thanks for watching
