Welcome to tech Stuff, a production of I Heart Radios How Stuff Works. Hey there, and welcome to tech Stuff. I'm your host, Jonathan Strickland. I'm an executive producer with How Stuff Works in my Heart Radio, and I love all things tech. I decided to deliver it that way because Tary was going to lipstick it with me otherwise.
I am here to give you a classic episode of tech Stuff, and I thought for a while that I should re enact the entire thing and do all the voices for me and for Chris, but Sary reminded me that I also want to get home today, so instead, we're just gonna play this classic episode for you. It is called tech Stuff looks at Password Security, and it
dates from September nineteen, two thousand twelve. Enjoy Security has been in the news a lot lately as of the time we're recording this in lead August two thousand twelve, UM, and part of that is because, as we have touched on an a handful of times since some of the big, more widely publicized cases have been making the news that you know, hackers have been breaking into different accounts at
major corporations online, stealing people's information. It's unclear whether people's credit card numbers were stolen or if we have your home address or we know the name of your dog.
There was a whole story of Matt Honan getting his entire digital life hacked because of a vulnerability between the systems of Amazon and Apple, which clearly taken a loan, clearly were not obvious as problems, but when put together, post problems because they were the people who were doing the hacking game to the system and put them against one another to create a bigger picture that allowed them
to get the information. Well, uh, you know, people have been saying that you need secure password please, and there are news reports about this too. People are still using password as password or obvious terms one, two, three, four. That's the kind of thing an idiot puts on his luggage. Hey, so, uh yeah, I mean those kinds of things are still in practice, and of course you need to use more secure passwords, but it's it's it goes deeper than that.
There's more information out there now about how even using stronger passwords alone isn't necessarily going to keep hackers from being able to get into your account. So think about what you're doing. There's there's several several things that you have to consider. One of those is the idea of linking accounts together, because that means that should one account become vulnerable, then those other linked accounts could also be vulnerable.
That was the case with Matt Honan, right. So one of the many problems of his yes UM because more identifiable problems because once they got to access to his Google account, then they were able to reset stuff all
over the place. And then it turned out that all they really wanted was to access his Twitter account, which is I guess in a way he's fortunate, but it's still pretty crazy everything that they managed to do in order to do that, and they caused quite a bit of damage along the way to mattahone in anyway not to mention to the the the public perception of security UM on the back end. So that's one thing is linking lots of accounts together holds a very specific danger.
I mean, for one thing like Facebook Connect or really any open i D approach, right, if that system is not secure, you have a single point that you can target that will give you access to lots of stuff. Now that's so sad because for us, the consumer that's so helpful. Yeah, having one account that you can log into and from there you can authenticate with multiple other services. You don't have to form after form after form. Uh, you know, it's it is a very valuable service now.
And I'm not saying that that Facebook Connect or Open Idea or any of that is that they are not secure. They're putting they're putting lots of protections in place to try and keep user information as safe as possible. It's not. Yeah, it's not so much that it's inherently wrong, as that if something does happen, it can cause serious problems. Right. So that's one issue. Another issue is the way that we create passwords as users for those of us who
are using either very common words or even names. Um, even if we think we're being clever by adding a few numbers to it, that's not really that secure. And if it becomes even more insecure if we're using those passwords at multiple accounts. So I think, uh, we we were. We both read an article from Ours Technical by Dan Gooden called why passwords have never been weaker and crackers
have never been stronger. It's actually it's a fascinating read, and I do recommend you check it out if you find this episode interesting, where even if you don't, it's a good thing to know. And uh, it's it's typically our technical typically get into more technical detail than than articles on how stuff works dot com. But if you're if you're really serious about it, there there's a lot of important information in there, and we can give you kind of the layman approach to what is going on here.
But part of that is that I remember reading, and it may not have been in this article, I do remember reading a statistic that the average user has something like six and a half passwords. That's in there. Okay, so they use six and a half past and you know, of course this is an average. We're not saying someone out there's just putting, you know what, I was gonna type in my whole password, which is typically password, and I'm just gonna type in pass for this one. No,
that's not what it means sword, it's the average. So but that means that, you know, you think the average person has around twenty five accounts across the web, but they're using on average six and a half passwords, so each password is being used for around three times on average. I mean that's again an average. You might have just one password that used twenty times and the other three
used the other five. Well, I don't want to use the same password on Google, and yeah, who's so I'll use one for one and the other one for the other, and then I'll use the Google one again for pest or whatever one for Facebook because they are those are disconnected enough where it's not gonna know. That's still a problem unless you think that I am a super genius, because I can say this, no, I I reused passwords from time to time too. I'm guilty of it, just
as much as the planet. I was awful for a long time. Passwords among Yeah there were that was pretty much mine too. I had about three passwords that I used for almost everything. That is no longer the case. People, I don't do that anymore. Well, I told you I didn't mean you erase all those accounts anyway. So that's that's another user behavior, and we'll get more into that in a minute. But then the third piece is how safe are those passwords within the databases of the companies
that hold those passwords. So if you are a cracker, you know a hacker who is specifically trying to crack into security systems, and you have identified a potential target to try and get at their password database, then uh, if it's if it's one where the user base of that service or company also typically has accounts at other places. You've managed to not just get the passwords for that one account, but knowing that people tend to reuse their passwords,
you might actually have access to multiple services. Now, there are ways that companies can protect against this, not just by building a good security system that's hard to crack, but also by uh encrypting those passwords in the database that if you get that database, yes you've got a whole bunch of data, but it does not translate directly to the passwords because it's been put through a hashing algorithm. Yeah, and there's there are several sort of standard hashing algorithms.
So basically it's a it's a little like email encryption too. So you have, let's just pick pass the four letter word pass um, you put it through the hashing algorithm, and on the other side of that, it the letters and numbers that make up the encrypted information look nothing like that. And it might be that your four letter password has just become a thirty two letter encrypted string
of characters. Yeah, so somebody seeing that written down, say on a piece of paper, is not going to have any idea what that is, and they're not really going to have any way to decipher it. And theoretically it's pretty well, uh, pretty well protected, right theoretically, But here's the problem is that not first of all, not every company has historically encrypted all those passwords. And there have been cases where crackers have gotten access to a password
database that was stored in plain text. That means that the password that you type in appears in that database as you typed it, so there's no hidden you know, code or anything. You've got those passwords, Well, that's very valuable to a cracker for more than just the fact that they now have access to your account. What's also valuable is that they now have a list of words that people use as passwords. So, uh, there's a there's a type of attack we should talk about, the brute
force attack. A brute force attack is when a cracker tries to get access to a system by filling out the essentially filling out the password field multiple times until they get a positive result. And um, one way of doing a brute force attack. A very common way is to do what's called a dictionary at at where you take. You create a virtual dictionary of words that you use
as the basis for passwords. Knowing that a lot of people will pick a common dictionary word as the basis of their password hard wark, antelope, ant eater, you know, and it just goes all the way through to pick animals for some reason. But something else that they'll do as part of this dictionary attack what they'll start adding
changing symbols. So let's say your your password is hardwark, but you're being clever and changing the a's symbols at symbols and uh, you know, let's see you pick a word with with ease in it and you change them to threes. They try those two, Yeah, because those are very common approaches. And yes, you know, keeping in mind that most of us are using passwords that are easy for us to remember, and the more random ish or seemingly random these passwords get, the harder it is for
us to recall them. So, knowing that's a weakness, the racker can say, all right, well, let's go with all these words, and let's go with the various variations we would expect people to use with these words. And even if you've done stuff like just added a couple of numbers at the end, that's not always a tough thing either. They can start going through all of these different variations
adding various numbers at the end. If they know how many characters your password is, that already has given them a huge advantage. And the reason why this is possible is because we've got processors out there that can do these these calculations in parallel. You know, if you were to do them all one after the other, it may take you centuries to get through all the possibilities of a particular password, depending on how many characters there are
within that password. Hey guys, it's Jonathan from two thousand nineteen. I just hacked into this classic episode because the password protection was laughable. It was just palette one to three. So I'm gonna mess around with some stuff. But let's take a quick break while I do that. In Hollywood, Hollywood computers can do an executive brute force attack in about twelve seconds. Yeah, well, sometimes that can happen here too,
but that's generally not the way it works. Well, that's that's one of the interesting things about this article is you learn from reading that UH an attack like this doesn't take very long at all, that at most, assuming that you're not following really really strong password particles. UM. Yeah, it turns out that it's like, because of this parallel processing, you've got a processor that's working on multiple UH approaches
to this logan attempt. So we can go through all these different variations, even when there are billions and billions, as Karl Sagan would say, variations of passwords, the processor can go through so many so quickly. You know, each each thread in that parallel processing is movie got an incredible rate, and you've got multiple threads all going UH. There are crackers who use graphics processing units GPUs to do this. They because the GPUs are designed to be
parallel processors. Yeah. Even even though they're designed primarily to handle graphics instructions and display them on your your monitor, GPUs can be UH pressed into service, let's say, by a program by a software that that can specifically UM send instructions to it. So what people do, UM, there are open source programs that you can use to UH
assign password cracking to your GPU. UM sad to say, and and one of the uh, the interesting stories that are One of the interesting bits that I read from this article too was uh that people have grown increasingly intelligent about the way they save cracked passwords. So they're
saving up dictionary attack type information. And so if you use you know, password one, is your password on one site, um, and they want to hack in to your account at the House of online Grapefruit, they might try they and they've got your information. They could try it there too, to see if you've used your password on more than
one site. So that makes it increasingly dangerous for you to use the same password in multiple locations because there is a growing database of password information that that people are saving and not just throwing away once an attack is completely That database also means that they can look at things like frequencies like how frequently are people using the specific word or variations of this word as a password. And the more people who use it, the more you're like,
all right, well let's bump this up the list. It's more of a likely candidate for a password. So, you know, we like to think that the passwords we choose are unique, but that's if we're basing it off a name or a word. That's not the case. Are lots of people out there using lots of passwords, and there's a good chance that someone out there is using the same quote unquote unique password. You are. Just remember your unique just like everybody else. You know, when everybody is special, no
one is. It's incredible. Um. The so yeah, the the the database can tell the cracker all right, Well, not only am I using a dictionary attack, but I'm using a curated dictionary attack in a way, because these are the known passwords that are floating out there in the world, and these are the ones that are really popular that
lots of people use. So we'll go through all the variations of these first, and you just you tweak your cracking program to do that so that you can get the the largest number of results in the least amount
of time. And another thing you can do is once you've figured out these passwords that are very popular, that helps you determine other things, like there are only so many hashing algorithms that are really popular out there in the world of computer security, right, so if you know which hashing algorithm there the particular company is using, and you are able to get let's say you get access
to their encrypted password database. So now you've got a list of passwords that are encrypted, so you cannot just look at them and know what the passwords are. If you are able to determine which security protocol they're using, and you have this massive database of um of of of passwords that are really popular, you can run those passwords through the same encryption algorithm to look at the hashes that come out and then start matching them up
with the stuff that was in the database. So you're still cracking the passwords, you're just going about in a different way as far as this brute force attack is concerned. It's still a brute force attack. It's just doing it in a kind of an odd roundabout way because you've got the you've got the hash of the password, you've got the security protocol that's being used. Now you're trying to yes the original word that created that hashed password. Once you're able to do that, that account is no
longer secure. And if that again, if you're using that same password elsewhere, those accounts aren't secure. Um, So you might be asking yourself, hey, if there are crackers out there who have these really advanced tools that can either figure out a password or uh, you know, kind of worked on a list so that the passwords I use are vulnerable. How do I how do I protect myself?
And there are a few things you can do. One is use a unique password for every service that you log into, which is incredibly difficult if you're doing it on your own, which is why I would suggest getting a password manager program. And there are a lot of them out there. There are some that are free, there's some that you pay for. Um, there's some that are in the cloud. There are some that are based on your system. Yeah. Uh, you use a password manager, right,
I do as well. UM, I'll go ahead and say which one I use. I use dash Lane, which I tried out for the first time this year and I like it well enough. Um. It saves passwords and if you want, it will generate a password for you, so you don't have to just come up with a string of things. It'll it'll do it for you and save it to your account. You create a master password that is a strong password, meaning that there are upper and lower case letters. There's also numbers in there. Uh, and
all you have to do is remember that one. Which that sounds tricky, but I'll give you a hint on how to do something like that. If you want to try it yourself, you create a master password. Uh. Then when you log into your dash Ling account in my case, you then have access to all the other passwords that are that that dash Lane generates. So I actually went in to all my accounts and use the dash Lane password generator program, and it creates a ten character long
strong password that's unique. So none of my accounts used the same ones anymore. They're all ten characters long. They are a mix of various characters and uh. When you get to about nine characters, and if it's a truly you know at least a seemingly random series of characters and numbers. Uh. The difficulty of cracking that password escalates dramatically, So I might go from a matter of days, two
weeks or months. And the harder you make it to crack, the more likely your information will be safe so or that it will just be difficult for anyone to guess. Um. So that's the purpose of creating these strong passwords and the purpose for the password managers, because strong passwords are hard to remember. Um, So all I have to do is remember my one master password here's the hint I
was gonna make. So if you want to make a strong password, like a master strong password, uh, it's best that you come up with a phrase that you will not forget and it it's great if the phrase also has a proper noun somewhere after the first word, so that you have some capitals in there as well. And you need a number, like a four digit number is best. So for example, you might say Dad's first car was a nineteen fifty six Volkswagen Bug. M all right, So
then your password. You take the first letter off of each of those words and the number and you put them together and that becomes your password. So the first letter would be upper case D for Dad's then first car, so it's upper case D, lower case F, lower case C, lower case W, lower case A. Then you have the one X and then percase v U percase B for Volkswagen Bug. That could be your master password. And when you look at it as just a string of letters
and numbers, it looks meaningless. You know, there's no there's no phrase that's evident right there immediately unless you happen to have already known it. So don't tell people you're oh, I gotta change my password. Yeah, but no, don't tell people what your phrases, but make it a phrase that is easy to remember. And uh and that could be
your master password, and don't use it again. Just use it for your master password and then use the password generator or a password generator if you don't want to trust one thing with it. But it's it's easier to use a password managers on board password generator because it
can save it directly to your account. Otherwise you're gonna have to transfer that that password to whatever your manager is UM and then that way you've got a vault of passwords that are encrypted that are ten characters, hopefully at least ten characters nine or ten characters at the very least, and are strong. It's funny. It's it's rather than coming up with a mnemonic device to remember your password,
you start with them mnemonic device and from it from it. Yeah, I think that that's way easier because that is I've used a password generator before that creates a random string of characters and then tells you it's easy to remember this. Just remember echo bravos seven delta delta bro. You know, I'm like, this is that where are you from where that is easy? How is how is remembering a random selection of echoes and Bravos and etcetera and numbers easier
than say, just remembering e e blah blah. You know, like that's not easier to me. But this other method where you create a pmneumonic device first and then convert that into a strong password makes way more sense to me. And uh again because you know the output of it is a seemingly random string of letters and numbers. Uh, it's not something that's easy for a computer to guess. Hi, guys, it's Jeamvan twenty nineteen. Chris called me up and he
yelled at me. So I've updated the password. And while I'm doing that, we're just, uh, we're gonna take another quick break. Well, um, I use one password by agile bits um, which is a you can get as a desktop application for Windows or Mac. UM also works on
iOS and Android. UM and uh, you know it has a browser plug in too on the desktop, so that you uh, say, you visit a site where you have a um an account, maybe a shopping site, maybe a banking site or something like that for example, so you have your log in and password, you have to log in and has a little button and you press the button in it, you know, says what is your overall passwords?
He is your master password in there, and then as soon as you uh log in, you'll be given an opportunity to log into the site and it submits the information for you. Yeah, this is important if you're using a someone else's computer and you are using a browser to navigate to something. And you know, again, if you've created these these strong passwords, remembering each one is going
to be really hard. And if you and it's not like you're going to go and install your you know, you don't want to install the desktop program on someone else's computer. I mean, that's not your job, it's their computer.
Especially like let's say that you're at a library or something and you want to log in and check email, but you've used one of these strong password vaults using something that has a web browser interface in it, so that you can log into the service and access those passwords and then log out and those passwords are no longer there. That's important. Yeah, yeah, and uh, it does
give you a one password. Also gives you the opportunity to when you're creating a password, UM, to make it as longer as short as you need to really so, or include symbols, or not to include symbols. So one of the important tips that this article that that Jonathan and I read points out is that eight digit or eight character uh passwords are easier to crack than longer ones.
So if you're you're presented with a a website, you're you're filling out the information for the account, it says, oh, well, your password needs to be six characters are longer. Don't pick a six character password? Is the is the simple thing for that, whether it's your own or one that uh, one of many, many very capable password generators. Um, yeah, it was. As Jonathan said, these are the two that we picked, but there are lots of them out that
they're great. There are a lot of them and they all like you can read reviews of them and uh, and you know, these are companies that their reputation is completely built upon how reliable they are and that and how upfront and transparent they are in the sense of they're not using data themselves to get access to stuff. In fact, most of these companies have the information encrypted so that they don't have any idea what passwords you
are using. Because it's just like we were talking about with the the password databases, where all they are encrypted passwords, same sort of thing. They have no way of knowing what you chose as your various passwords. They just provide the hard the world the software that that lets you
do it. So yeah, if you can, if you can choose a password manager that allow you to create longer passwords and to save them automatically in the in your database, that's a good thing, especially if your database is encrypted wherever it is, whether it's on the cloud or on your your hard drive or your phone. UM, you know those that's important to know. UM. Also one of the interesting things, and this is one of those things that companies do that make your security less uh more open.
Let's say to to being cracked is people who for their accounts have their email address UM as their user name. Because these are this is sort of the equivalent of of linking accounts. So you know, anybody, Let's say somebody hacks into UM an account like they did with that large shopping provider, the one that had all the uh loyalty programs or cards. Uh. If they if they say, well, all they got was people's email addresses. Well, that's an
important part of the equation. So maybe they'll start using that email address that they got from those loyalty cards in accounts with Amazon and Facebook, Google and all these other places. They may start figuring out where your accounts are. If they can figure out, you know, using that user name and they identify one of the passwords, then the dominoes start to fall. So uh, using multiple user names and especially not your email address, you can arrange that.
That's very helpful as well. Um, you wouldn't necessarily think it right off the shelf, but when you think that these these people are putting together databases of this information, it makes it clear that varying as much information as possible is a good idea. Also, changing your passwords regularly. Let's say you do have a banking site. Um, you have a fifteen character password. It's got four different symbols in a upper and lower case letters and numbers. That's
pretty secure. You should probably change it every few months, just to be on the safe side. This is your financial information we're talking about. It's a good idea to swap it out, and you know, another night sings. A lot of those password managers will even have a you know, you can set a reminder on many of them that you know they'll they'll keep a track of when you established a particular password and let you know when it's
time you should change it up. And again, if you're using one of these that has a password generator is part of it, then all it takes is logging in and uh often it'll go ahead and fill out the forms that you need already and then you just press a little button to generate a new password. It will save the new password to your account. So I mean it's something that takes five seconds once you've set up the first time. And uh, you know, five seconds of
effort to keep crackers at bay is not a bad idea. Uh. And keep in mind also that as GPUs become more sophisticated, um as software gets more sophisticated, as as these algorithms get more sophisticated, it's gonna get harder and harder to protect the password. You know, you can play the game of adding more care actors, which does uh increase the difficulties significantly to get the positive hit. So uh, you know, we we can stay ahead just by adding longer and
longer passwords as we go along. But you know, that's a game that ultimately we're gonna have to sit there and say we need to find a new way to protect stuff, because that's the problem is that you know, you're, you're, you're just playing a game of cat and mouse at that point. And you know, we talked about quantum computers a few times. One of the potential things the quantum computer could be very good at is cracking codes. Because a quantum computer is is also really well equipped for
parallel processing. Um. So that's something else to think about. Is that now? Granted, right now, quantum computers are still largely theoretical. There are a few working examples, but they're horriously difficult to design and even more difficult to maintain because you know, the slightest alteration and they there the whole coherence problem becomes apparent. Yeah, either it is or it isn't torn maybe somewhere in between. Um. Yeah, and uh.
I also read another article on on Ours Technica by the same author actually, where they had discovered that in versions of Windows seven and eight, um, it's possible to get hold of people's security questions. Uh. Now, uh, that sounds I think it's easy to come off with a negative that seems like it's a negative against Microsoft, and I guess in a way it is. But it assumes
first that the person has the person's computer. You would actually have to have their computer to get it, and you'd also have to know how to retrieve that information. But that goes back to our discussion of Matt Honan too, because if you know a lot of these security words that you set up to talk to people on the phone about your accounts or you set them up online. You know, what's the name of your first pet? You know, and you put in your first dog's name, and then
you use that in multiple places. Then want that was what enabled them to get hold of that information. If this person got hold of your computer was able to pull that out from the log in help, they could use that on your accounts too. So it might be
a little good to use some reverse social engineering. And when someone asks you what who what you're uh the name of your first dog was or first pet was, you put your favorite UH form of salad dressing in there instead something something unusual that they wouldn't be able to pick. So that which by the way obvious, is a blast when you have to call as you've forgotten your passwords stuff, and you call in and then they're like, so,
what's your favorite pets name? Paul Newman's Thousand Island dressing. Yeah,
that's right. Well I'll tell you that this is and anybody who's frustrated by this conversation and will tell you that using these super secure passwords and obviously a fustutory material here is a pain in the neck because you know, if you don't have to have your password manager with you when you're on a friends computer logging in to check your mail and it's got some kind of thirty two character weird password and you don't remember it, and you're going, man, I know no one's ever going to
crack into this computer. It's a friends computer. I'm fairly saying, well, yeah, you probably are fairly safe. But it's probably worth a frustration then, more so than it will be having to put out all the fires of all the account information
that you could be giving up otherwise. And it's not so much worrying about your friends computer as it is worrying about that database that's on the other end of this password system, because uh, the more passwords a company accumulates as more and more people use its service, the more attractive it is as a target to crackers. And they're doing you know, that's that's what they do. They look at systems and try and find ways of penetrating it.
So it's you know, they're not they're not worried about getting your your buddy bills computer. They're looking at you know, like Mega core that has all those passwords in it. That's what they want. So you know, using that easy password, while it's convenient, is also ultimately a dangerous thing. And you know, I gotta I gotta admit, like, for the very long time, I had pretty poor password protection. I mean I just I was just I did not. I was not very good about it at all. Even as
we were telling people change your passwords. Still wasn't doing as as good a job as I should have. Don't back up your hard drive regularly? Oh yes, I do, I do good. I got well the Mac hard drive, my my PC hard drive. I do not back up as regularly as I should, which really I need to start doing that. But the thing in the neck. But but cloud services have made that really a lot better too, now, you know cloud hell of course, has its own set
of problems, which we've talked about in previous podcasts. But everything technological has its own set of problems. You just have to decide which ones are the most acceptable setup problems for you. So, but I have I have switched. I mean, I am now, I am wholeheartedly in this. Let's protect our passwords, especially after seeing what happened to Honan. I mean, you and I are in the public eye.
We're not celebrities by any stretch of the imagination. But it's not that far um, it's not it's not all the realm of possibility that someone at some point could say, you know what would be funny? Well, and and it just really takes somebody getting a hold of your name. That's why they tell people to shred when you have a junk mail or something with your name on it, to shred that information. Because I've got one of those two. You never know when somebody's gonna go and you know,
say Jonathan Strickline. I think there's a bunch of people named that, actually there are so one of them got booked in North Atlanta for something a couple of weeks ago, but wasn't me. I want to ask how you know that I'm on the lamb because I've got a Google alert said to my name. All right, that wraps up another classic episode. I think we've all learned a valuable lesson. I know I have. I know I learned that Chris remembers my phone number for example. Well, I hope you
guys enjoyed it. If you have any suggestions for future episodes of tech Stuff, reach out to me. The address is tech stuff at how stuff works dot com, or pop on over to our website that's tech stuff podcast dot com. You'll find links to our presence on social media. You'll find an archive of all of our past episodes. You'll find a link to our online store where you can buy tech Stuff merch. Get some tech stuff swag handed out like it's Christmas. Please, because every purchase you
make goes to help the show. We greatly appreciate it, and I will talk to you again really soon. YEA text Stuff is a production of I Heart Radio's How Stuff Works. For more podcasts from my heart Radio, visit the i heart Radio app, Apple Podcasts, or wherever you listen to your favorite shows.