This Trick Will Make Your Passwords Even More Secure

Views: 20,043

Gary Explains

A year ago

Peppering is a technique where you add or subtract some characters from a stored password, so that the whole password is known only to you. This increases the security of your essential accounts and means that if your stored passwords are ever revealed (by hackers or because your little black book has been stolen) the attackers still don't know the complete password!
---
Let Me Explain T-shirt: teespring.com/gary-explains-l...
Twitter: / garyexplains
Instagram: / garyexplains
#garyexplains
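As an added illustration (not code from the video or its author), the following Python script models the two variants the description mentions, appending a memorised pepper to the password held in the manager and deleting characters from it, and counts how much an attacker who already holds the stored string and knows the scheme must still guess. Charset sizes, the sample password and the pepper are constructed values.

```python
import math

# Constructed charset sizes (not from the page): uppercase only, digits only,
# and the ~94 printable ASCII characters a US keyboard can type.
UPPER, DIGITS, FULL = 26, 10, 94


def entropy_bits(length: int, charset: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from `charset`."""
    return length * math.log2(charset)


def apply_pepper(stored: str, pepper: str, drop: int = 0) -> str:
    """Turn the password kept in the manager into the one actually typed:
    optionally drop `drop` trailing characters, then append the memorised pepper."""
    base = stored[:len(stored) - drop] if drop else stored
    return base + pepper


def added_pepper_guesses(charset: int, max_len: int) -> int:
    """Work for an attacker who holds the stored string and knows a pepper was
    appended, but not its characters or its length (anywhere from 1..max_len)."""
    return sum(charset ** n for n in range(1, max_len + 1))


def deleted_chars_guesses(stored_len: int, removed: int, contiguous: bool = True) -> int:
    """Work for an attacker who holds the stored string and knows `removed`
    characters were taken out of it: a trailing/contiguous run leaves only
    stored_len - removed + 1 candidates; arbitrary positions leave C(n, k)."""
    if contiguous:
        return stored_len - removed + 1
    return math.comb(stored_len, removed)


def compare_strategies(stored_len: int = 20, pepper_len: int = 4) -> dict:
    """Bits an attacker still has to guess in each scenario, given the stored part.
    Assumes the attacker knows which scheme is in use (Kerckhoffs' principle)."""
    return {
        "pepper appended, unknown length <= 6": math.log2(added_pepper_guesses(FULL, 6)),
        "pepper appended, length known": entropy_bits(pepper_len, FULL),
        "trailing chars deleted": math.log2(deleted_chars_guesses(stored_len, pepper_len)),
        "chars deleted anywhere": math.log2(deleted_chars_guesses(stored_len, pepper_len, False)),
    }


if __name__ == "__main__":
    stored = "Zt7#Lq9vR2mK8!wP4sGd"  # constructed 20-character manager entry
    print(apply_pepper(stored, "4x!z"))          # append a pepper
    print(apply_pepper(stored, "4x!z", drop=4))  # delete 4, then append
    for name, bits in compare_strategies().items():
        print(f"{name:40s} {bits:6.1f} bits")
```

The deletion-only variant adds only a handful of bits against an attacker who knows the trick, whereas an appended pepper of unknown length and content adds tens of bits on top of the stored part.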

COMMENTS: 131
@BlueFlyer83, a month ago
Great advice! I watched another YouTuber who called it a "double blind" password. The password manager never has the full password stored for your high valued sites.
@farouqstray1411, a month ago
Gary Explains well
@taher9358, a year ago
Gary I wanna give you a hug for this one mate
@deepgsingh, a year ago
I was skeptical of watching this video, but after watching it I can say "Today I learned". It is a really good technique I never thought of. Awesome, thank you Gary
@OMGWTFLOLSMH, 11 months ago
Simple but great tip. Thanks.
@maartentoors, a year ago
'Peppering' is a good mitigation (for those in the 'know'). Not only is it tricky to incorporate, it is nigh impossible to implement or teach company-wide. Best (albeit weak) practice is (imho) long passwords (e.g. 14 characters or more) using spaces and/or ASCII characters. This will (semi) force users to use sentences. A combination of words will reduce the 'brute-force'-likelihood of a breach (especially if there is BF-mitigation implemented). All said, Gary, you're a great source for security knowledge.
@PrivateUsername, a year ago
Yep. Came here to say this. Length is the main contributor to password strength. Correct Horse Battery Staple, and all that jazz.
@maartentoors, a year ago
@@PrivateUsername What? How did you 'guess' my global-admin password??
@BillAnt, 7 months ago
@@PrivateUsername - A password's strength is derived from its length and the number of bits used in each character. Ideally you would use all 8 bits in each character for a total of 255 combinations. In reality due to the limitations of the English keyboard, it only allows about 94 unique characters, including lower, upper, and special characters. As long as you're using random characters of at least 30 or more, it's impossible to crack it by brute force using current computing power which of course may change in the future.
@manny7886, 2 months ago
Peppering, or double-blind, I add mine at the beginning instead of at the end.
@TravelEndleslie, 7 months ago
This is great and helpful. You are a genius!
@GaryExplains, 7 months ago
Glad it was helpful!
@BillAnt, 7 months ago
Wouldn't call it "genius" but definitely clever. :) "Genius" would be discovering something extraordinary like capturing dark matter or E=MC2 ;)
@kered2248, a year ago
Good stuff, thank you!
@dezmondwhitney1208, a year ago
Simple and Effective. A really Helpful Explanation too. Great !
@justchilling5448, a month ago
Excellent information, thank you.
@murtadha96, a year ago
This is brilliant! Thanks for sharing, I never thought about this
@rahilarious, a year ago
smart clever trick!!
@mick_hyde, a year ago
Good idea, I already do this. 👍
@send2gl, 9 months ago
Interesting technique.
@user-sd6it2hs2m, a year ago
Thanks, great idea but you need to pepper all your passwords. If not, you may forget which have the pepper
@GaryExplains, a year ago
Not necessarily. You could just use a pepper for your main email account and maybe for your online banking. Everything else leave as it is. That way in the worst case you can change your passwords (since your email is secure), and still access your money.
@manny7886, 2 months ago
I use BitWarden. In the note field, I make a note if it's peppered or not.
@khayla_matthews, a year ago
Brilliant.
@NexuJin, a year ago
I have been using a mnemonic style where I replace a word with a character and form a short sentence, combined with what you call peppering. So for example: ~
@MikeWood, a year ago
Using three or four words randomly or pseudo-randomly generated to form a sentence and then turning them into a mnemonic is an interesting idea - with the peppering on the end as the change up now and then.
@uidx-bob, a year ago
Chuck Norris doesn’t use passwords. He is the password.
@BillAnt, 7 months ago
Chuck Norris doesn't need a password, he just breaks the login with a kick. ;D
@edwardjaycocks5497, a year ago
give this a thumbs up, although I do know that this technique should be said ultimately in the end the length of your password is critical.
@olafschermann1592, a year ago
Great and simple technique ❤
@phir9255, a year ago
I used to do it myself, the 3 letters I added at the end: the first letter of the month the account was created, the last letter of the site capitalized, the second letter of the site. I don't do it anymore but this allows to have no need to remember these 3 letters. The general idea is to memorize a mental algorithm that you can follow to calculate your password instead of memorizing the password itself.
@Victor_Marius, 10 months ago
Websites can change their domains or just the TLD and still use the same database making the pepper incorrect
@phir9255, 10 months ago
@@Victor_Marius Good point but that happens very rarely
@zine_eddinex24, 3 months ago
Thank you 😅
@Saurabh.P, 11 months ago
I always use 3rd method.
@1MarkKeller, a year ago
*GARY!!!* GOOD MORNING PROFESSOR! GOOD MORNING FELLOW CLASSMATES! Stay safe out there everyone!
@GaryExplains, a year ago
Mark ‼️‼️‼️
@coweatsman, 3 months ago
I use an offline password manager, Keepass, No server to be hacked. Backing up the database to USB drives, portable storage, mobile phone and other computers and syncing manually. I do not know a single password to any of my accounts, only a pass phrase compiled with diceware, using an actual dice and a printed hard copy dictionary list.
@catmom4265, a year ago
GREAT idea .. I have a system of my own that is like this. I will incorporate this method with mine. Thanks Gary
@1MarkKeller, a year ago
BRILLIANT! I should do this ASAP.
@roku_nine, a year ago
Very informative!
@nycrsny3406, a year ago
Pretty simple and makes a lot of sense!
@test40323, a year ago
Clever but my swiss cheese brain will have trouble remembering the pattern 6 months from now. Awesome idea though.
@jonpinkley2844, a year ago
Then write down your password manager master password and the algorithm you use for pepper, and store it in a safe place (and not in your computer). You store your confidential papers somewhere don't you?
@GustavoMsTrashCan, a year ago
My "cookie cutter password" is (very basically), Symbol,Uppercaseletter,Lowercaseletter,number,Uppercaseletter,lowercaseletter,number,symbol,Uppercaseletter,lowercaseletter,number,Uppercaseletter,lowercaseletter,number,symbol. Works 100% and took me two tries to fully remember it. :^)
@benfubbs2432, a year ago
Someone can write a script to crack your password in about 2 seconds with this information. Delete this and change your passwords immediately. Other than hacking a technique used to get someone's password is called social engineering which basically involves tricking someone into giving out clues about their password. You've given out a huge clue and by the sounds of it you use that password for everything.
@GustavoMsTrashCan, a year ago
@@benfubbs2432 Oh, my! Haven't you heard? You can also crack someone else's password via A YOUTUBE POST! Just like yours right now. :^)
@user-ic6ln4lm2x, 11 months ago
I'm going to do this with my 100 character bank password that I store in a local password manager that uses a key file as well as a master password, oh, and the bank also requires two factor authentication. Can't be too secure, you know. But I'm going to type 1 2 3 4 17 characters in, instead of at the end. (at least that is what I'm saying I will do) Are you related to Veronica Explains?
@allanflippin2453, a year ago
Gary, Thanks for this video. Makes a lot of sense. As before, may I ask a stupid question? At one point, I was determined to write my own password generator based on hashing. I had the code working, but ran into a problem: websites had different rules on what kind of characters they would accept. The special characters I was generating would be considered invalid at some websites but not others. Is there any safe set of rules when generating random text for passwords? Thanks!
@john_unforsaken, a year ago
I would say had you found each website can be different. I would include a selection so you can choose what chars to include at any given time. This is what most password managers do.
@allanflippin2453, a year ago
@@john_unforsaken I thought as much. And this implies that do-it-yourself password generation is not very practical :D
@GaryExplains, a year ago
Could you not just use a subset of special characters that works across most (all) sites?
@allanflippin2453, a year ago
@@GaryExplains That is what I had hoped for. My question is whether others have already come up with a safe set of characters to use. Websites are not exactly forthcoming with their precise password acceptance rules :D
@JanJeronimus, a year ago
Perhaps you can get some inspiration from other password creating programs. There is not one general rule and e.g. on one site perhaps only numbers are allowed and on another site only characters from a to z. So you need to ask questions like how many characters must the password be (between .. and ..), how many numbers, how many characters, upper and lower case, special characters (and which).
@eyeshezzy, a year ago
Barefoot Contessa fan too 😅
@prakash_77, a year ago
In case of Peppering, one thing I'm anxious about, is the constant popups of password manager (esp browser-based like chrome's own built in) to Update the Password.
@reefhound9902, a year ago
Peppering will make password managers a nightmare to maintain because of this. They will save what you peppered so you will have to edit the database manually.
@prakash_77, a year ago
@@reefhound9902 Not really, Chrome's password manager prompts you to save and saves only when you click on it. Now you would get prompts to update the password if you modify it when logging in, but that's the extent of it.
@manny7886, 2 months ago
Just ignore the popups. A little inconvenience for a piece of peace of mind, at least in my case.
@micanalnotienenombre, a year ago
Really interesting video. Same as many commenters, I was skeptical before watching this, but I can say I learned something today.
@byronwatkins2565, a year ago
Can we control the server-side salting?
@Ken.-, 11 months ago
Yes! Become the CEO!
@user-bx2qi2xk1z, 3 months ago
Help for me
@PrabhatXLR8, a year ago
I use the first way you told. Part is on password manager and part of it in my mind. Although that half part in my mind is common for all my passwords.. So easy to manage all passwords
@ToddMoore1, a year ago
👍🏼Class is in session, thank you professor👍🏼
@chasonsnotes, a year ago
What? Nothing beats changing passwords. Nothing beats passphrases or pass-sentences. I like lines of poetry with words mixed, split with periods, dashes and/or underscores, along with character substitution. With this technique I can use the same pass for many places, just switching or trading the pass: jumble, rejumble, unjumble. I only have to recall one coded pass. The main thing is I never use the same pass twice on the same place ever. I change every two to 4 months
@reefhound9902, a year ago
Changing passwords is useless in all but a few niche use cases, such as a shared-password case or insecure work environment. A password cracker is going to crack an 8 character password in less than a second, doesn't matter if it's been in use ten years or ten minutes. A password cracker will take billions of years (aka never) to crack a 20 character phrase using a full character set, doesn't matter if it's been in use ten years or ten minutes.
@dav1dw, 3 months ago
Nothing beats is a bold statement. Similar to "xxxx killer" Also these "Nothing beats..." are outdated.
@Garythefireman66, a year ago
Pass the pepper
@Ken.-, 11 months ago
Salting just stops rainbow tables and really doesn't make it any harder for someone to crack an individual password. If a hacker can get the password file, it's likely they will also be able to know or have the salt as well.
@Victor_Marius, 10 months ago
True. Probably it would be more secure if you would have the salt in the program not the database. Use something like the username or the unique username/ handle or the email or the creation date or all of the above in any order you want and this way you save some database space.
@starkistuna, a year ago
Another one I use when using public computers or if I suspect my PC has a virus is using the onscreen keyboard to type it in; that way keyloggers can't grab any input. Simply in Windows go to Settings / Accessibility / On-Screen Keyboard
@Victor_Marius, 10 months ago
The settings path is called "Ease of Access"/Keyboard or just Windows Key + CTRL + O. Out of curiosity I checked this and you are wrong. A python keyboard module (called "pynput") or let's say a "keylogger" as Windows Security called it makes no distinction between a key press of a physical key and one virtual using the Windows 10 On-Screen Keyboard.
@reefhound9902, a year ago
Never delete characters. Password length is by far the biggest determinant in security. A 16 character password using nothing but random upper case letters will have a higher entropy rating than a 12 character password randomly generated using uppercase, lowercase, numeric, and special characters. Even a 16 all-numeric password rates nearly as high as the most complex 12 character password. Anyone can verify this using an online password evaluator.
@GaryExplains, a year ago
So what about a 20 character password saved in the password manager and then you delete 4 characters?
@reefhound9902, a year ago
@@GaryExplains The 16 character will be extremely secure but still less so than the 20 character. Why would you want to deliberately reduce the security? Is it much easier to delete 4 than add 4?
@reefhound9902, a year ago
I suppose it might be marginally easier to delete last 4 than remember what 4 you added, if you don't use the same 4 everywhere. But when you hit submit the PWM is going to ask if you want to update password and you need to be sure not to, so that adds a bit of complexity back into it.
@GaryExplains, a year ago
If the password manager is asking to save the new password when you delete 4, it will also ask if you add 4.
@reefhound9902, a year ago
@@GaryExplains Yes it will, which is why the peppering approach makes using a password manager more tedious.
@STONE6969, 3 months ago
Safest place for Passwords are in your head and your home in a encrypted USB drive. Not in Password Managers. .. Do you trust other people with your money, your Business? LOL give your head a shake folks.
@dav1dw, 3 months ago
Totally disagree
@STONE6969, 3 months ago
@@dav1dw I do like this for 20 years, never had a problem.
@vasudevmenon2496, a year ago
Might not be applicable to all. I tend to forget the entire password that's the reason i went with password manager.
@GaryExplains, a year ago
Yes, that is normal, I can't keep track of the hundreds of passwords I need. But it isn't hard to remember 4 letters. You use the same pepper for all passwords, you don't need to remember a different pepper for each password.
@vasudevmenon2496, a year ago
@@GaryExplains yeah it is. Might give it a go for few sites and see how it goes
@Techier868, a year ago
Gaaaaaarrrryyyyy!!!!! 👋🏽
@whothefoxcares, a year ago
L3t M3 3xplain
@dav1dw, 3 months ago
I had already done peppering, but deleting characters in the saved password and adding my pepper is even better!
@davidrobertson415, a year ago
You end up using the same password on multiple sites… not good!
@GaryExplains, a year ago
No, the password stored by the password manager should be unique per site, but the pepper is the same.
@davidrobertson415, a year ago
@@GaryExplains Thanks for the clarification... I didn't pick that up in the video... My bad.
@MikeWood, a year ago
@@davidrobertson415 I thought this too.
@OMGWTFLOLSMH, 11 months ago
No, you only end up using the same suffix on multiple sites.
@User-404, a year ago
Sooo, I make a strong password like chocolate cookies and pepper it with q1w2 so my password is chocolate cookie q1w2 and to be extra cheeky I will remove the last 4 characters. NOW MY PASSWORD IS chocolate cookie AN UNSECURED EASY TO BREAK PASSWORD
@chmun77, a year ago
Good technique indeed! However, if one forgets about the pepper, then it will be as good as all the login credentials are lost. I don't think this technique is for everyone, especially those with poor memories.
@benfubbs2432, a year ago
The pepper could be to literally just add 1 to the end of all passwords, or your initials or your date of birth if someone can't remember that they should probably have a third party controlling their accounts anyway.
@AQDuck, a year ago
That's actually pretty smart, it's like public/private key IRL
@iamstartower, a year ago
easy... write it down backwards
@klapas1821, a year ago
Extremely informative, thank you professor
@nick066hu, a month ago
I use a kind of peppering with my credit cards' PIN numbers. I have only one four figure number to remember, then I calculate the four numbers I have to add to it to get a banking card's PIN code. I write these numbers on all my credit cards. When using I have to add my secret number. But I only have to remember this one secret number. I use the same everywhere where a four character PIN is required. A number appearing to be the PIN written on the credit card may also confuse the wrong guys if stolen, they would first try to use it in an ATM, and there is a chance the card gets blocked, so it is more likely they can't use it also for online purchases afterwards.
@robertsandy3794, a year ago
This technique is all very well, however if the server is hacked and if the password database is not encrypted, then this method is of no use
@GaryExplains, a year ago
No, quite the contrary. But before I get into that, it would be quite rare today for a website to have a database that is not encrypted. But to your point, this is exactly why you should do it. If the database is stolen and your password is freely available then the hackers DON'T have your password, there are 4 letters missing, which a) they don't know are missing, b) they don't know the length of what is missing, c) only you know the letters. In other words the exact opposite of what you just wrote.
@robertsandy3794, a year ago
@@GaryExplains If the server database is stolen, if it's not encrypted, how wouldn't the hacker know the password? Whether your password is password1234, it's the one on the server end, not the client end, or have I missed something? How many times have sloppy policies on servers been the cause of password theft?
@jefferycampbell9182, a year ago
@@GaryExplains But when you create a password for the site, you need to have the whole password to create the login. So they will always know the correct password even if you tell your password manager a different one to save where you add the rest upon it autofilling, so the website gets hacked, they have your password right? I mean they need to know your complete password to log you in.
@johnkressel2178, a year ago
I use a variant of this. My password manager stores a long random string, I know a long phrase, I combine the 2 and hash a number of times to produce my password. That way the password is never stored by me
@GaryExplains, a year ago
Yes, obviously there are lots of ways to generate a password, but you are sacrificing convenience for a long process of string concatenation, multiple hashing etc.
@ernstoud, a year ago
My password is 8 asterisks. Every website knows my password when I type it. Weird.
@fanban2926, a year ago
???
@ernstoud, a year ago
BTW: paraphrasing Dilbert’s boss here to support Scott Adams. He is cancelled by the woke cult.
@chmun77, a year ago
So do mine as well! What are the odds!
@NoEgg4u, a month ago
CorrectHorseBatteryStapleq#W7
@spiderjump, a year ago
make a memorable weird and funny sentence drawn from your own life and use the letters in the sentences and then add 12 random numbers and 3 symbols. for example: my high school chemistry teacher Mary Lopez had an affair with the gym teacher Paul Watson. that would translate to mhsctMLhaawtgtPW#120925@961275!
@GaryExplains, a year ago
😂