Learn about password safety & storage
Opportunities to be aware of:
Dec 19th // Amazon Future Engineer Scholarship Due
Jan 7th // NSA Codebreaker Challenge Due
Completed
Encryption vs Encoding
Revisit Info Theory Concept
About Control Flow
Flux
Today
Passwords & Security
Upcoming
Quiz eventually
We talked a bit about "passwords" as a way to save games recently.
Keep in mind, these weren't real passwords; they were a way to save data. The player wrote down a string of characters (standing in for bits) that encoded the game state, and typing that string back in later recreated the state.
An actual password is meant to keep something secure; it limits access to something.
Let's look a bit more at passwords.
"Any password that can be easily remembered is vulnerable to a dictionary attack."
— Bruce Schneier
The goal of any password should be to choose something that is difficult to guess, especially since automated systems can make millions of guesses per second. People use a number of techniques to increase the complexity of their passwords, such as mixing upper- and lowercase letters, substituting digits and punctuation for letters, appending extra characters or numbers, etc. Unfortunately, while these tricks might increase the effort required to guess a password, they also make it harder to remember, and because password crackers know the same tricks, they add less strength than they appear to.
A popular xkcd comic by Randall Munroe addressed the issue of how difficult it is to crack a password vs. how easy it is to remember by attempting to measure password strength in terms of "bits of entropy."
Unfortunately, as security expert Bruce Schneier notes in his article "Choosing Secure Passwords," despite Munroe's logic, his suggested solution is actually quite vulnerable: modern cracking tools try combinations of common dictionary words directly, so a passphrase built from them is searched as a handful of words rather than as a long string of random letters.
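As an added example (not part of the original notes), the following Python script makes the "bits of entropy" argument concrete and shows why the tricks above add less strength than they appear to. It scores the same password under different attacker models: as random characters (what a naive strength meter assumes) and as one dictionary word passed through a small, constructed rule set of substitutions and suffixes (what a cracker actually tries). The guess rate, the 2048-word list size and the rule set are assumptions chosen for illustration.

```python
import itertools
import math

# Assumed attacker speed, in line with the "millions of guesses per second" figure above.
GUESSES_PER_SECOND = 10_000_000

# A small rule set of the kind password crackers apply to every dictionary word:
# common letter-for-symbol substitutions and a few popular suffixes (constructed for illustration).
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5"}
SUFFIXES = ("", "1", "12", "123", "!", "1!")


def scheme_bits(choices: int, length: int) -> float:
    """Entropy of a password whose `length` symbols are each drawn uniformly from `choices` options."""
    return length * math.log2(choices)


def time_to_exhaust(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try all 2**bits candidates at `rate` guesses per second."""
    return 2.0 ** bits / rate


def variants_of(word: str) -> set:
    """Every string the rule set above produces from one dictionary word."""
    out = set()
    for base in {word.lower(), word.capitalize(), word.upper()}:
        positions = [i for i, ch in enumerate(base) if ch.lower() in LEET]
        # at each substitutable position: keep the letter, or use one of its replacements
        options = [[base[i]] + list(LEET[base[i].lower()]) for i in positions]
        for choice in itertools.product(*options):
            chars = list(base)
            for i, c in zip(positions, choice):
                chars[i] = c
            stem = "".join(chars)
            for suffix in SUFFIXES:
                out.add(stem + suffix)
    return out


def mangled_word_bits(wordlist_size: int, word: str) -> float:
    """Bits of search space when the password is one of `wordlist_size` words run through the rule set."""
    return math.log2(wordlist_size * len(variants_of(word)))


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    cases = [
        # (label: password as the attacker models it, bits of search space)
        ("P@ssw0rd! as 9 random printable characters", scheme_bits(95, 9)),
        ("P@ssw0rd! as 1 of 2048 words + rule set", mangled_word_bits(2048, "password")),
        ("correcthorsebatterystaple as 25 random letters", scheme_bits(26, 25)),
        ("correcthorsebatterystaple as 4 of 2048 words", scheme_bits(2048, 4)),
        ("tlpWENT2m as 9 random alphanumerics", scheme_bits(62, 9)),
    ]
    for label, bits in cases:
        print(f"{label:50s} {bits:6.1f} bits  {describe(time_to_exhaust(bits))}")
```

The same string gets wildly different scores depending on the model, and the attacker picks the cheapest one: "P@ssw0rd!" is about 59 bits if you count printable characters but only about 21 bits as "a dictionary word plus rules", because the whole rule set adds under 10 bits per word. The tlpWENT2m line shows the best case for the Schneier scheme; an attacker who models "first letters of common English sentences" would score it lower, which is exactly why Schneier insists on a sentence that is personal.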
1. What's the purpose of a password?
2. How does a password differ from a 'password' used to save your game in retro video games?
Or at least they shouldn't...
Tom Scott says to run if a site can send you your password, because that means they know your password. This is not to say that YouTube, or Instagram, or whatever other website has bad intentions. Rather, it is to be realistic: you cannot count on keeping someone with bad intentions out of their system. If someone were to hack that website, or if an employee wanted to snoop, they'd have your password in hand and would have to do basically no work to figure out what it really is.
Websites with better security keep only a hashed version of your password: a one-way transformation (it is not encryption, since there is no key that turns the hash back into the password), so even the site can't easily recover what you typed. So, if you go to a website and they can send you your actual password, consider deleting that account, or at least use a throwaway password that is nothing like the passwords you use on other websites.
That being said, just because a website properly stores a hashed version of your password doesn't mean it's 100% safe. If the site's user database leaks, an attacker can run a dictionary attack offline against the stored hashes, and a common or reused password will be recovered quickly; a slow, salted hash only raises the cost of each guess.
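To make the storage point concrete, here is an added Python example (not from these notes or from any site's real code) contrasting the two designs: keeping the password itself, versus keeping a salted PBKDF2-HMAC-SHA256 hash that can only be checked, not reversed. It then plays the attacker who has stolen the hash and runs a small constructed wordlist against it, which is why hashing alone does not rescue a weak password. The record format, the work factor and the wordlist are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# PBKDF2-HMAC-SHA256 work factor. 600,000 is OWASP's 2023 recommendation; treat it as a
# starting point to tune for your own hardware (assumption for this example).
ITERATIONS = 600_000


def store_plaintext(password: str) -> dict:
    """What a site that can email you your password is effectively doing: keeping the password itself."""
    return {"password": password}


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, per-user random salt, and digest.

    The salt means two users with the same password get different records, and an attacker
    cannot precompute one table of hashes that covers every user at once.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and work factor and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


# A constructed, tiny wordlist standing in for the multi-million-entry lists crackers use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "P@ssw0rd!"]


def offline_guess(record: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker holding a leaked record does: try candidates until one verifies.

    Nothing in the record prevents this; the work factor only makes each try slower.
    """
    for candidate in candidates:
        if verify_password(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    weak = hash_password("letmein")
    strong = hash_password("tlpWENT2m")
    print("stored record:", weak)
    print("login with right password:", verify_password("letmein", weak))
    print("login with wrong password:", verify_password("letmeout", weak))
    print("offline guess vs weak password:", offline_guess(weak, WORDLIST))
    print("offline guess vs Schneier-style password:", offline_guess(strong, WORDLIST))
```

The record a site like this stores reveals nothing about "letmein" by inspection, yet the attacker recovers it on the fourth try; the Schneier-style password survives only because it is not on the list. That is the whole division of labour: the site's job is the salt and the slow hash, your job is a password that no wordlist and rule set will reach.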
In his article, "Passwords Are Not Broken, but How We Choose Them Sure Is", Schneier suggests what he calls the "Schneier Scheme":
"My advice is to take a sentence and turn it into a password. Something like 'This little piggy went to market' might become tlpWENT2m. That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence - something personal."
— Bruce Schneier
The important thing to note about this approach is that rather than trying to remember an obscure collection of odd and difficult-to-guess letters, digits, and punctuation, you need only remember a personalized phrase or other mnemonic that reminds you how to reconstruct the password. Additionally, if you customize the key phrase to match the site or service, a single, simple set of rules lets you reconstruct the password any time you visit the site.
3. How strong do you think your passwords are?
4. Check out Security.org's "How Secure is My Password". It looks like all the processing is being done on your computer itself: when I turned off my Wi-Fi, it would still tell me whether the password was weak or strong; however, I didn't look at the code. Even though it looks reputable, I still wouldn't put in any real passwords since I haven't looked at the code, and even then, I might turn off my Wi-Fi before doing so just to be safe. Try out things that are similar to your passwords, just to get an approximation. What are your thoughts?