Passwords

Time
7 hours 50 minutes
Difficulty
Beginner
CEU/CPE
8
Video Transcription
00:00
>> In our next section, let's talk a little bit about passwords. But before we go into some of the security concerns, I just want to address one thing. We were wrong about passwords, and it's time that we accept that and move forward.

The National Institute of Standards and Technology, or NIST, previously provided guidance on how to create strong passwords that they now say was wrong. They used to recommend that people create complex passwords of at least eight alphanumeric characters, including upper and lowercase letters and special characters. They also said to change passwords every 60 days. Well, it turns out that we've made passwords easier for an attacker to compromise, but harder for us to remember.

For example, if we require you to have an uppercase character in your password, where are you likely to put it? At the beginning. Hackers know this. Then if we require you to have a number, where is the number going to go? At the end. Which number do you likely use? The number 1. These things became predictable to an attacker. Complexity does not equal security.

The bottom line is that NIST has a new recommendation. That is to string 4-5 random words together to create a password. Since it's long, it's harder for attackers to crack, but it's easier for us to remember. Since you have a stronger password, NIST says not to change passwords every 60 days unless there has been a compromise. What makes passwords difficult to crack is the number of characters rather than the other tricks that we've used in the past.

Now, there are lots of different types of attacks on passwords. Dictionary attacks try every character combination in the dictionary file the attacker is using. But they also add common passwords like "P@ssw0rd" and so forth. Some of those dictionary files have started to add common phrases as well. That's why it's better to take four random words rather than a common phrase like "to be or not to be" or something like that. Now, brute force attacks involve trying every combination of characters. That's why using special characters doesn't really help you. The hybrid attack is a combination between dictionary and brute force.

Birthday attacks, rainbow tables, and pass the hash are all based on the idea that if I can generate the hash, or the value that represents your password, then I can gain access and get authorization. This will make more sense when we talk about cryptography.

A replay attack just means that I'm able to capture something on the network and retransmit it later. We keep this in mind because even if your password is encrypted, it may not matter. The bottom line is that if a replay attack can happen, it doesn't matter that your password is encrypted.

With passwords today, we've got to be aware of the fact that we need to make them longer and less difficult to remember. We've got to get with the times, have better password policies, and protect them better.