How Do Passwords Get Stolen?
- added 11. 07. 2016
- Many of us have heard of "password dumps," but how exactly do they happen? Are passwords usually stolen by a crack hacker team, or by simpler methods?
TunnelBear message: TunnelBear is the easy-to-use VPN app for mobile and desktop. Visit tunnelbear.com/linus to try it free and save 10% when you sign up for unlimited TunnelBear data.
Follow: / linustech
Join the community: linustechtips.com - Science & Technology
Technically, sensibly stored passwords are *hashed*, not *encrypted*. An encrypted password can be converted back into the plain text password, whereas hashing is only one-way, meaning that the password cannot be extrapolated from the hashed version stored on a server.
Any sensible person would salt the hashed passwords after that, otherwise you can easily work backwards to find out every password
You can still work backwards from hashing
No, you can't work backwards from hashing (given that you're using a secure algorithm). barnstormer322 is right. Salting is only so the same hashes don't appear for the same passwords in a database. If someone's password was "12345", and 5 people used it, all of the hashes would be the same. That's why hashes are salted.
Nonetheless, you really shouldn't be doing crypto yourself anyway. I recommend using a strong hashing algorithm like bcrypt.
zyx Exactly, that's why you can work backwards from hashing using some guesswork
Nothing is one way. The difference is that encryption uses a key to hide passwords. With said key you can turn them back *easily*. Hashing does not have a key, but uses a chain of mathematical functions that are *easy* to calculate in order, but very *hard* in reverse.
Hashed _and_ salted. Otherwise, rainbow tables or lookup tables can be used to reverse engineer the hashed passwords ;)
1:30 they use backslashes, that is how you can tell it is fake
Considering they keep saying "encryption" (encrypting passwords is insanely bad practice), I'm not surprised. They *really* missed the mark on this video.
Why can't everyone just be nice to one another?
I agree!
P.S. That wont happen!!
bc the Internet
If everyone was mean to each other, then it would cancel out making everyone happy. Lets try that for a change.
+Simon WoodburyForget There is very much such a thing as a stupid question. If I blatantly knew your name was Simon and I asked, 'is your first name Chris?', would this lead to a great discovery? No. It is a stupid question since I already knew your name.
+Simon WoodburyForget No stupid questions, only stupid answers
"passwords get stolen when you stream them"
Lol
HoweverMagnetTime5$, would you say that's a secure password?
WAN
+86BuzzSaw It is a really secure one
Shots fired XD
This is why I don't use the Internet at all.
Ever?
well you posted this...
Which is totally how you posted this comment
+Person 666 I guess someone doesn't use sarcasm at all either
Pretty sure he replied in a semi-sarcastic manner too so he probably did get the joke.
Looks like LTT wanted to get more info on how they got hacked.
: )
They got access to his SIM card, he said it himself
+Rey Vargas that was for the website, the Twitter account was hacked using a backup password
No, through his sim they got access to both twitter and his email (which allowed them to change the destination of the domain)
He said himself the weak point through which he got attacked was his SIM card
How to make the best password ever:
Get a keyboard
And smash it
Hey Linus, love these videos heaps. Good job on getting 1m subs here. I can't help but notice how much you over simplified this video.
my password is iforgotmypassword
but I changed it just now
Tip: if a website sends you your password when you click "password forgotten", STAY AWAY! Websites that practice good security DO NOT KNOW WHAT YOUR PASSWORD IS!
I am very certain that they mean the original password they used when registering and not the temporary password.
How is he dumb? That's a valid point. I signed up for a website and it emailed me my login information (with password) in plain text. I immediately changed it to something random, and looked for a way to delete my account, and emailed them.
+423million I meant if they send you your password in text, instead of asking for a reset or sending a temporary password. Websites like Amazon or Facebook are designed in such a way that they don't know what your password is
This sort of blunder is actually depressingly common. Even with big companies that should really know better: www.troyhunt.com/content/images/2016/02/46624661SNAGHTML3928683.png
From: www.troyhunt.com/lessons-in-website-security-anti/
"Websites like amazon or Facebook are designed in such a way that they don't know what your password is"
Never trust that any company, no matter how big, is managing your passwords correctly. LinkedIn and Adobe couldn't be bothered to do it right; a lot of other companies probably aren't doing it right either.
Use random passwords and a password generator. Full stop. (Passwords really need to die as a form of authentication, long term.)
Your point at 3:14 is false. Any password, be it "welcome123", "iL1k3biGbuTt5z@" or a string of any length is the same amount of characters when properly hashed and salted.
Edit: since it seems you haven't done a video about this subject yet, I'd love to see something like "hashing vs encryption" and how most websites (*should*) store passwords.
The point is that a hash is usually cracked by hashing different combinations of characters and comparing with the original. As such a longer password will usually result in the password taking longer to crack, since it will take more tries to guess. It is certainly true that the hash length is constant, but the password may still be orders of magnitude harder to crack if it is longer.
that'd be a great video
But in reality most websites still use MD5 and therefore rainbow tables are in action.
+goustune Rainbow tables only work if you don't use salt. Even with MD5, adding salt defeats rainbow tables. Not that it matters in the case of MD5 since it's so broken.
can't wait on that follow up video. password management is a very interesting topic for you guys to cover. keep up the good work!
Congrats on a million subs John and Dennis!
Linus seems yellow to anyone??
+Olvr haha!
Orange
Green
racist.
He's kind of green with flux on.
1 million subscribers! Congratulations Linus and his friends! :)
those passwords at 2:45 tho 😂
U right lol
I really like what Linus is trying to do here. Awareness !! Well done
Top tip: If a website emails you your password on account creation (or you clicked Forgot Password), it's probably not encrypted in their DB - so change it to something unique if it isn't already.
This is the most meta video you've made linus.
I read about a case (in Canada, I think) where a young hacker was held in contempt of court for refusing to tell the authorities his encrypted computer's password. Apparently it was something like 50 characters long and not even the FBI could get into it. I would think that this would violate something with pleading the fifth (not being forced to self incriminate) but I don't know if Canada has that.
"Linus, new TechQuickie video is about passwords and encryption. What sponsor should we use?"
"Hm.... SQUARESPACE! BUILD I-"
"No. Screw it, lets go with TunnelBear."
1 mil subs.. CONGRATS!
I've been waiting for the TunnelBear advertisement the whole video.
For a little over a year I have used a password manager, and I always use the maximum length the site will allow.
This scares me about my online habits and if I've inadvertently given up information...yikes!
Passwords are often hashed and stored in a database for a website, making them unreadable. But if the hashes get stolen or leaked, a "hacker" can just hash all the common passwords until the hash of your password matches one of the passwords on their common password list. This is a dictionary attack, but hackers can use brute force as well. So they don't decrypt anything; they hash words they think might be your password and see if the hash matches your leaked password hash.
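The hashing, salting, lookup-table and dictionary-attack points made in the comments above (hashed not encrypted; salting only defeats precomputed tables and makes identical passwords hash differently; a slow hash such as bcrypt buys time) as one added, runnable example. This is not code from the video or from anyone in the thread. The wordlist, usernames, passwords and "leaked dumps" are constructed inline, and PBKDF2-HMAC from the standard library stands in for bcrypt (an assumption: bcrypt is not in the Python stdlib, but the cost-factor idea is the same).

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a tiny wordlist of the kind an attacker carries.
WORDLIST = ["123456", "password", "12345", "qwerty", "letmein", "welcome123"]

# Constructed users; "dave" uses a password that is not in the wordlist.
USERS = [
    ("alice", "12345"),
    ("bob", "12345"),  # same password as alice
    ("carol", "welcome123"),
    ("dave", "HoweverMagnetTime5$"),
]

# Scheme 1: unsalted MD5, the scheme several comments say many sites still use.
def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()

UNSALTED_DUMP = {user: md5_hex(pw) for user, pw in USERS}

def build_lookup_table(words):
    """Precompute hash -> password once; reusable against every unsalted dump ever leaked."""
    return {md5_hex(w): w for w in words}

def crack_unsalted(dump, table):
    """Zero hashing at attack time: every hit is a plain dictionary lookup."""
    return {user: table[h] for user, h in dump.items() if h in table}

# Scheme 2: per-user random salt + SHA-256 (salt is stored beside the hash, not secret).
def salted_sha256(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()

def make_salted_record(pw: str):
    salt = secrets.token_bytes(16)
    return salt, salted_sha256(pw, salt)

SALTED_DUMP = {user: make_salted_record(pw) for user, pw in USERS}

def crack_salted_with_table(dump, table):
    """The precomputed MD5 table is useless here: nothing in it is hash(salt || pw)."""
    return {user: table[h] for user, (salt, h) in dump.items() if h in table}

def crack_salted_dictionary(dump, words):
    """Salt does not stop guessing; it forces one fresh hash per (user, guess) pair.
    Returns (cracked, number_of_hash_computations)."""
    cracked, work = {}, 0
    for user, (salt, h) in dump.items():
        for w in words:
            work += 1
            if hmac.compare_digest(salted_sha256(w, salt), h):
                cracked[user] = w
                break
    return cracked, work

# Scheme 3: a deliberately slow hash (PBKDF2 as a stand-in for bcrypt's cost factor).
ITERATIONS = 50_000  # assumption: chosen so the demo runs in well under a second

def slow_hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def make_slow_record(pw: str):
    salt = secrets.token_bytes(16)
    return salt, slow_hash(pw, salt)

SLOW_DUMP = {user: make_slow_record(pw) for user, pw in USERS}

def crack_slow_dictionary(dump, words):
    """Same guesses as before, but each guess now costs ITERATIONS underlying hashes.
    Returns (cracked, number_of_underlying_hash_computations)."""
    cracked, guesses = {}, 0
    for user, (salt, h) in dump.items():
        for w in words:
            guesses += 1
            if hmac.compare_digest(slow_hash(w, salt), h):
                cracked[user] = w
                break
    return cracked, guesses * ITERATIONS

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, lookup table:", crack_unsalted(UNSALTED_DUMP, table))
    print("salted, lookup table:  ", crack_salted_with_table(SALTED_DUMP, table))
    print("salted, dictionary:    ", crack_salted_dictionary(SALTED_DUMP, WORDLIST))
    print("slow hash, dictionary: ", crack_slow_dictionary(SLOW_DUMP, WORDLIST))
```

Running it shows the three points in order: the unsalted dump gives alice and bob the identical hash and falls to a lookup table with no hashing at all; the salted dump defeats the table but not per-user guessing (18 hashes for this wordlist); the slow hash still falls to the same dictionary, only at fifty thousand times the cost per guess, which is exactly the "buying time" effect, and dave's non-dictionary password survives all three.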
Wait! I know this! This is what happens when you use Aircrack-ng for WiFi hacking. Hahaha
Congratulations on 1 million subscribers :)
I have recently switched to using KeePass to generate new passwords for all the new sites that I go on, and am slowly changing all the other sites that I currently use. I think this is a fantastic tool for anyone looking for a somewhat secure way to store your passwords locally.
You forgot to say not to stream your password live on Twitch.
Hi guys, I'm seeking help: I live in France and have seen a QWERTY keyboard on Amazon, but keyboards over here are AZERTY and I'm used to AZERTY, so I was wondering, if I bought the QWERTY keyboard, could I change the positions of the keycaps, so take the QW keys out and replace them with the AZ keys? Of course I'd then change the letters so they correspond.
Regardless of the choice of characters available, length is the most important factor in making a strong password. The smaller the number of allowed characters, the more important length becomes.
Having said that, using words for your password, while allowing you to remember long passwords more easily, also in effect reduces the length of the password (if the attacker is using a dictionary to generate the password attempts); if you're using words, make sure there are many of them.
An easy way to have multiple unique and secure passwords is to use a pass-phrase. A pass-phrase contains multiple words which can reach up to 30 characters or even more. Easy to remember, nearly impossible to crack using brute force because the possibilities are much higher than your usual 8-character limits.
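The length-versus-charset discussion above (the reply at 3:14 about hash length being constant but longer passwords taking more guesses, and the two comments on word-based passwords and pass-phrases) as an added example, not code from the video or from anyone in the thread. It puts numbers on the point that a pass-phrase is only as strong as the attacker's cheapest model of it: per-character brute force or per-word dictionary search, whichever is smaller. The guess rate, wordlist sizes and sample pass-phrase are constructed assumptions.

```python
import math

def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates a per-character brute force must cover."""
    return alphabet_size ** length

def entropy_bits(space: int) -> float:
    """log2 of the search space: the usual way to compare password schemes."""
    return math.log2(space)

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline guess rate."""
    return space / guesses_per_second

def effective_guesses(words, wordlist_size: int, alphabet_size: int) -> int:
    """An attacker who knows the password is made of dictionary words searches
    wordlist_size**n_words, not alphabet**n_chars; the effective space is the
    smaller of the two models (this is the 'reduces the length' remark above)."""
    per_char = search_space(alphabet_size, sum(len(w) for w in words))
    per_word = wordlist_size ** len(words)
    return min(per_char, per_word)

def compare_schemes(guesses_per_second: float = 1e10):
    """Assumed rate: 1e10 guesses/s, a fast-hash GPU rig order of magnitude (constructed)."""
    # Constructed 4-word pass-phrase drawn from a 7776-word (Diceware-sized) list.
    phrase = ["correct", "horse", "battery", "staple"]
    schemes = {
        "8 random chars, 62-char alphabet": search_space(62, 8),
        "24 random chars, 62-char alphabet": search_space(62, 24),
        "4 words, 7776-word list, attacker knows it": effective_guesses(phrase, 7776, 26),
        "same 4 words, attacker brute-forces letters": search_space(26, sum(len(w) for w in phrase)),
        "6 words, 7776-word list, attacker knows it": 7776 ** 6,
    }
    return {
        name: (round(entropy_bits(space), 1), seconds_to_exhaust(space, guesses_per_second))
        for name, space in schemes.items()
    }

if __name__ == "__main__":
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name:48s} {bits:6.1f} bits  {secs / 86400:.3g} days")
```

The table it prints makes both comments concrete: the 4-word phrase is astronomically strong against a letter-by-letter brute force but only about 52 bits against an attacker who searches word by word, which is why the advice is to use many words; and at a fixed guess rate a 24-character random string is out of reach regardless of the hash used, while 8 random characters of a fast unsalted hash fall in hours.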
Next techquickie episode: How to look like you have jaundice.
Passwords often aren't "encrypted", but instead hashed. This means that any password of any length gets transformed into a string like "f396czf7". You practically can't undo hashing; you have to use a database of clear/hashed data pairs.
I guess someone really wanted to suggest a topic for techquickie :D
Nice to see Linus not in drag for a change, lol!
These are part of the issue, but so are some websites. The issues there are HTTPS usage (obvious for most users though), security of the password database, and software issues relating to functions like Heartbleed, POODLE, etc. Harder to do, but there are also session hijacking and MITM attacks that in the right cases could be pulled off, though they are more complex.
I saw on Computerphile that if you deal with a website that has a password reset and it sends you the password, then the database is not secure.
Then there are other things too like even if it is encrypted it could be intercepted or pulled from the hashed database then compared to rainbow tables, brute force attacks, etc.
Hey Linus, what about apps like 1Password? I switched to this a few months ago, and I'm pretty happy with it. It lets you create completely random passwords as long as 20 characters.
3:21 Once they have the hashed password I think it's just a matter of time before they get the real one, even if it's a very strong hash. I believe (correct me if I'm wrong) using a very strong hash is just to buy more time, so the user has more time to change their password before the hacker cracks it. All they have to do is run every combination of characters through the hash until they get a match; a very simple, straightforward brute force. But they will probably use a more sophisticated brute force attack that tries passwords with words first.
Good guy linus, gets hacked, shows people how to be careful
Congrats on 1 mill subs
For this issue I made my own password manager app that encrypts the file where the passwords are stored with AES encryption and a 32-character-long password etc.
CONGRATS FOR 1000000 SUBS LINUS!!!!!!!!!!!
this video is painfully ironic... you would know all about this wouldn't you linus?
lol ikr
It would've been ironic if it were made before the hack.
What's wrong with learning from experience?
+Reaperrz I know lol I thought they actually were some real haxors
Brandon's Post-It note with his passwords under his desk during moving vlog....
I remember getting a text from Bank of America saying that an attempt to access my account was made from an unknown location, that my funds were frozen until I verified the new access point by visiting an in store location, or entering my SSN. I thought to myself, "I've got like $150 to my name, who would try to steal that?" Then I thought " usually SSN verification only ask for the last 4 digits." I pondered for a bit then realized " I don't even have Bank of America account...".
Techquickie, congratulations on a million subs
You should've put something about how terribly some servers store their passwords, like plain text and MD5.
Maybe in the future websites will be able to activate your phone/computer's camera and use facial recognition software to log you onto a website.
This channels keeps sending me notifications even though it's turned off on my phone wtf!?!?!?
0:53 "[passwords] are supposed to be encrypted, right? Well yes"
Not quite (for reasons already mentioned in the comments), but a techquickie episode on hashing and cryptography as a whole would be really interesting.
I dont get it.
So if I click a link I can just get a random keylogger attached to my computer and I can't do anything about it?
And what's TunnelBear, why would I want to hide all my information etc.... And even then I doubt it actually "hides it"; couldn't my ISP, government or FBI still see it if they wanted to?
superb but my passwords aren't stored online(I keep note of them and only use them when needed)
3:08
[picture of the Heartbleed logo visible]
Actually, you can get unencrypted/unhashed passwords using Heartbleed
EESTI!! :D
+Asentrix
Holy fuck you're weeb huh
I bet you're stupid (not because you're a weeb) OMFG
I know what Heartbleed is, how it works and how to exploit it.
It was discovered in 2014 (not 2010) and yes, it's (mostly) patched
Heartbleed lets you see memory, in many cases unencrypted
In the video he showed an image with the Heartbleed logo, following some stuff about *encrypted* passwords, while Heartbleed lets you see them *unencrypted*
Asentrix
Your Engrish is even worse
Why are you being so toxic anyways?
@rebane2001:
He's just an angry troll, probably from 4chan, around ~18-23 years old (just a wild guess), with some ties to the Anonymous network.
Stagskull It's only one of my channels :P
But the link thing can be caught if you have functioning eyesight; I mean they can't use the domain of Steam, for example, so the site won't be Steam's, so why would I put in my login info?
For what non-illegal task would you use TunnelBear?
Some clarity between the difference between encryption and hashing would have been nice. Any well made website will salt and hash your password rather than encrypt it. Encryption can be reversed with the decryption key, hashing cannot be reversed meaning a strong password would still be safe in the event of a database breach.
2:17 Wow you accidentally got a keylogger installed on your computer. I fell for a phishing attack once myself too, my antivirus flagged it and then I rechecked the page and realized I had accidentally downloaded and ran a malicious program.
I think it would be cool to see a video explaining why exactly GPUs are better than CPUs at cracking passwords/encryption. I know the general idea, which is that GPUs just do math differently than CPUs, but I'm not clear on the specifics.
CPUs can solve extremely complex problems quickly. GPUs can solve millions of tiny problems quickly.
Did you just roast poodlecorp? savage
gr8 grammar m8 and yes he did
oh shit i just saw that, edited!
Angelo Kalfas np XD
+Angelo Kalfas he got keylogged
+Silica No, it was a social engineering scam
The cool thing is, since CZcams is Google owned, when you type your Google account password associated with CZcams in the comments, it automatically protects it.
For example, my password is ********. Pretty smart
Or the brute force trick where it tries every number and letter until it finds the right password
Does it help if you use different account names on different sites?
Just to make this clear (because I hear that a lot): using 12345 as a password is not less secure than a 10-digit random password from the encryption side of things. They are equally hard to decrypt if properly saved (as a hash). The reason why you should not use it is the social engineering part mentioned. It's way too easy to guess. But as said, it has nothing to do with the encryption.
Had a good 30 minute convo with a guy on Steam back in '09-ish when he was really, really bent on getting my account, or him and a few friends on other accounts. I pretended the link he wanted me to go through to "get my account verified" or whatever wasn't working, or that I was busy doing something, before he got boring by the 30 minute mark and I kindly proceeded to tell him to fuck off and that he's not getting my account. He "LOL'd" and deleted me. I haven't gotten any attempts since. It's been kind of lonely.
If you want to put a password that would be hard to obtain, use 24 characters. That way even if the hacker wanted to steal all of the data from a server they wouldn't be able to go past 13 characters because of rainbow tables
Tunnel Bear! You get your keyloggers now over AES-256 encrypted!
:D xD ROFL
Haha, linus calling the newbie hackers out!
Most good online services use the cryptographic hash function which is really hard to reverse so servers never store your password and in the case of an attack, the attacker wouldn't be able to do anything.
Minute 3,second 12:
That's Heartbleed :D A security fail of Heartbeat extension in some OpenSSL version... :3
2:24 These hackers are getting younger and younger
What exactly causes service interruptions for companies like comcast?
Linus: look at John Oliver's interview with Edward Snowden. Snowden discusses online security and passwords and reviews what not to do. Great resource, great cross reference for your viewers to see. This is of course about your follow-up video you mentioned.
Hey !! Great Video, Very interesting ,..
Did You Get a Tan ??
Anybody know how to AES-256 encrypt your internet connection without extra costs from your ISP?
Also, the Great Firewall of China screwing over its people by giving them a clone of banking websites with their version of DPI is pretty bad.
Congratulations on 1m subs
You should do a video on AMD Hypertransport to explain it better
Switch on 2 step authentication. That way, if someone else has your password, they still can't get in unless they have something you have (like your phone) :)
Boi, keyloggers? Why has no one found a workaround? Can't you encrypt the bits from the board to the PC?
What lights are you using? The light quality is not good
Congrats with 1 mill
I use the smash your face into the keyboard (a few times) technique of password creation
A friend of mine made a list of passwords that are most commonly used, and hacking is such a piece of cake for him; he even has the more difficult passwords that people use. My passwords consist of many characters, I am not going to be specific about that though, but he almost cracked one of them in 5 minutes, and my passwords are good. Unless you know my life story you would never figure out my passwords. I am probably giving too much information here.
I learnt this the hard way, way back in the past
Has anyone heard of the MIT team who can crack passwords and steal data through the cables themselves? They generate frequencies that are easily hacked, if I remember right. Someone here has to know about it.
I use a double verification method on most sites I'm using, meaning that you'll need my phone to log in on most sites
Passwords get stolen when shown on stream.
I use the exact same email and password for everything I do, is this bad?
All I know is that the person who keylogs me is gonna get some good ass "body studying content"
Man, I saw a guy resetting a Google account password with very basic information from a person's Facebook. They wouldn't even need to put in an actual "recent numbers called" real number or a "recently sent mail to" real address; he actually asked for my email and phone number to put in, and I didn't even know the girl he was hacking, yet he got access to her account.
Passwords aren't stored encrypted, they are stored hashed. They cannot be reverted to their original state, so if you have a password dump there is not that much that you can do with it (especially if they are salted).
Linus can you do an episode on dash cams pretty please?
Who color corrects techquickie? It has been consistently too green and yellow in the skin tones. Everyone looks sick haha.
Convenient video uploading timing
nice heartbleed cameo!
Please make an Intel iGPU (Iris / Iris Pro) As Quick As Possible and cover what it is: is it really a fully capable GPU, does it have the same power as an AMD APU's GPU, any benefit over a dGPU and AMD APU, will it one day surpass Nvidia/AMD, should Apple continue their Intel Macs with iGPU only?
Thank you!
First episode in almost 9 months.
I got a keylogger... I reset my Windows and now I'm on a new fresh install :D
Linus, you resolved your Twitter hack within 10 hours? Wow. How?
I MAY USE the same password for every website
But not the same email...