  • I guess what we were asking today is: have your passwords been pwned?

  • One of the websites I use to keep secure online is Have I Been Pwned. Right now, I love this website. It's great.

  • Run by a guy called Troy Hunt, and whenever there is a big leak,

  • let's say a company gets hacked and all of the users' passwords get leaked out on the internet,

  • obviously people who are trying to crack passwords and break into your accounts

  • are going to be looking at these things.

  • But what he does is he collects them and lets you know.

  • You've got an email address that you use for most of your accounts.

  • You put this in the website and if that email address ever appears in a leak,

  • I assume probably tied to a password but not necessarily,

  • it will let you know, and that's a really good thing because no one's on top of all the leaks, right?

  • I certainly am not. And so maybe I have an email address, so I want to make sure it hasn't been given away.

  • So this is a great website, you know, we'll put a link to it. But actually this is not what we're talking about today.

  • What we're talking about today is the Password API

  • that's also put online, right, which is another great asset.

  • This is where you can actually send in your password, in a manner of speaking,

  • and it'll tell you whether it's ever been leaked.

  • Now that's important, because if your password has ever been leaked before,

  • by you or by someone else,

  • then it could be appearing in a long list of words that are being used for a dictionary attack.

  • Right, and that just makes your password much more vulnerable.

  • In general I would argue that if your password has been leaked before, it's not really safe to use.

  • There's some interesting questions here.

  • Should you be putting your password into a box on the internet that says it will tell you if it's been hacked?

  • In general, no!

  • In general, be very careful about where you type in your password.

  • Even if I make a website and I say you should definitely trust me because it's me,

  • still don't trust me. All right?

  • Just know what you know, for a start. I might just be inept at programming and I've got a vulnerability.

  • So this uses an interesting mechanism called k-anonymity

  • to make sure that you can send in your password and find out whether it's in this big database of passwords,

  • and no one gets to find out what it was.

  • All right, which is using hashing, and it's really great.

  • So we're going to talk about that now.

  • So you can go on to haveibeenpwned.com/passwords

  • and you can type in your password there, and you can look at the source code.

  • That's probably okay. But actually it's got a REST API where you can actually visit specific URLs

  • and obtain information on whether your password is in that database.

  • You can do this very often.

  • You could do it, for example, for all the passwords in your collection in your password manager,

  • and actually some password managers, like 1Password, do this automatically for you,

  • and they check your passwords this way.

  • I mean, that's a really good idea.

  • If you type in a password that you think is great for a new website,

  • your password manager can say, actually, this one's already been leaked previously,

  • so don't use that one.

  • So, how does this work?

  • And how does it remain secure?

  • Because even if this website is fully trustworthy,

  • it's not a good idea to be sending a hashed version of your password to this website, right?

  • This is the website that has all the lists of all the passwords.

  • If yours shows up, suddenly your IP address is saying "my password's weak, my password's weak",

  • and that's just not a good thing you want to have happen, right?

  • So how does it work?

  • Well, just like with all passwords, we hash it as a start to begin protecting it.

  • So let's imagine I have my password, which is, you know, Password1.

  • This is where we link to the video where I said don't use that password.

  • If there's any variation on the word password, or it has any of the numbers 1 2 3 4 in it,

  • you need to delete those passwords. Maybe delete your account out of shame.

  • This will be hashed using SHA-1, which for this purpose is okay, right?

  • You wouldn't necessarily permanently store your passwords in this format,

  • but for this API it's OK, and that's going to produce a 160-bit hash.

  • Right, which might look something like FA2241C... for 160 bits.

  • 160 bits?

  • Yeah.

  • OK. Now the problem is, if I send this off to the website, I've just given them my password.

  • I mean, not quite, because

  • SHA-1 is a hash, but that could be broken, especially if my password is not good, right?

  • And also he's got a bunch of these passwords and hashes already computed in this database.

  • So as soon as he sees that I've got the hash,

  • he reverse looks up the password.

  • That's a vulnerability, right?

  • I trust the guy, but I still wouldn't want to do that, right?

  • And so this API uses a system called k-anonymity.

  • What happens is, instead of me giving them the whole hash,

  • I give them just enough of the hash

  • that they can give me back anything that might match,

  • and I am the one that actually finds out whether it does, right?

  • And that's a really neat trick.

  • So I will give them the first

  • one, two, three, four, five

  • characters of the hex of this password hash.

  • So I will send the Pwned Passwords API FA224, for example,

  • and it will send me back some number of passwords

  • that have been leaked in the past whose hashes begin with those five characters. Now, there'll be a lot of them.

  • There's some 550 million passwords in this database, which is kind of scary, and

  • it will return to you all the passwords that could match this and how many times they've been seen in leaked passwords, right? And

  • usually you'll get about 400 or 500 back, right? Then you go through the list yourself at your end and say, OK,

  • actually, my password is in there, or it's not, right?

  • Because there's going to be a lot of possible hashes and possible passwords that start with these 5 characters.

  • This is called k-anonymity. The idea is that the website only knows we're one of about 500

  • people that could have this password. It doesn't even know, actually, if we have one of these passwords.

  • Which is quite nice, right?

  • So I've written some code to do this and we'll have a look. Before you get the code out: if you've hashed it with SHA-1,

  • is this just the way that this system works, that it uses SHA-1, or is it... I was just trying to work out, because, yes.

  • Exactly. It isn't the case that these passwords were all originally hashed in SHA-1. This database includes both the plaintext and the hashed versions.

  • These are passwords that have previously been cracked, right, as opposed to leaked in hashed form.

  • So for example,

  • maybe my password has been leaked in, like, bcrypt form and no one ever broke it, right, in which case there's no real concern.

  • I mean, it's better if it'd never been leaked, but you know.

  • So these are passwords that have been leaked and they ended up in plaintext, either because they were already in plaintext

  • or because they've been cracked and they're now in plaintext. Shall we look at some code? OK, let's look at some code.

  • So the first thing we can do is just pull this API directly. Very easy to do: you simply go to a web address,

  • part of which is the beginning of your hash, and then we try that. All right, so let's give an example.

  • So I'm gonna use curl, right, to obtain a website back.

  • Just going to send an HTTP request and receive a response.

  • Curl, it's just a software library that I'm using here to send off a request to a specific address, and whatever website or data

  • comes back, I receive that onto the command line. So it's gonna be curl

  • HTTPS, it only works for HTTPS to make sure there's encryption involved, api.pwnedpasswords.com/range/ and then the

  • prefix of my hash, which in this case was FA224. So FA224. That's going to come back.

  • It's done it with a big long list of all the possible passwords that they have that start with that hash.

  • Now it doesn't return the FA224.

  • It just returns the other bits, because it's a waste of time. Now, some of these have been cracked or seen maybe one time.

  • This one's been seen 169 times. I have no idea what it is. I'd have to break the password to find out.

  • Given it's been leaked 169 times, it's probably not very strong. Maybe it's Password1.

  • Yeah, it could be. You can try any of your passwords this way.

  • All you have to do is take your password, hash it, right, which is easy to do on the command line, or I've written some

  • Python code, and

  • then we can fire off to this API the first few bits, and then we get back a list.

  • We look through the list to see if our full hash is in there. And if so, our password isn't broken.

  • So I've written some Python code that'll do this exact thing, right?

  • So all it does is it uses the cryptography library,

  • which is a great library in Python, to hash the password in SHA-1.

  • It takes the first five characters of the hexadecimal representation and it sends them off to the password API.

  • It comes back with, let's say, 500 of them. I split it all up,

  • I look through and try to find my password,

  • and if I find it then it'll print that it's found, right, and obviously I should change it now, of course.

  • I'm just typing this with random passwords, but you get the idea.

  • So let's have a go. I've called it pwned.py, and then let's use this one: Password1 with a capital P.

  • So it's been found. The hash actually starts with 70CCD and it's been found 111000 times.

  • That isn't great. What that means is that in different leaks this password has occurred a hundred thousand times, right?

  • It's definitely in password lists, right? It's a prime candidate. We already knew this is Password1, right?

  • Let's try something a little bit more difficult. So let's say Password1234.

  • This is going to be in there. It's only 3000 times.

  • Right, but it's still not very good.

  • If your password appears any number of times, just one,

  • then that means that theoretically someone that had access to this list, and these leaks are all publicly available, could

  • put that in their big, big long list of things and just try them as a matter

  • of course on any new leak that turns up. It doesn't mean that you're definitely going to get hacked.

  • It just means that there's a better chance, right, and it's not ideal.

  • So why not have a look and see. So, I mean, we've used this password,

  • but perhaps we should use something slightly stronger. Any ideas? In the password cracking video, iloveyoukate, was it? All right.

  • Let's try that. So iloveyoukate. All right, there we go.

  • It was found 93 times. I think some people might have started using it. I mean, please don't use bad passwords.

  • You know, it's very nice. But yeah.

  • Yeah, I mean, any password that appeared in that list is

  • going to be breakable enough that it's definitely going to be in there, right? So that's a huge problem.

  • You know, if you start to get slightly more difficult passwords,

  • like some of the ones that we were looking at maybe in the choosing your password video.

  • So, for example, 4 words. So let's say, why don't you do correct horse battery staple.

  • That is definitely in there, and I can tell you without even running it.

  • correcthorsebatterystaple was found 114 times. No, people. We don't use correcthorsebatterystaple.

  • What about using your tip of pushing in a random character?

  • So if I take correct horse battery staple and, let's say, I put a star in the middle of here.

  • So correcthorsebat*erystaple. All right, probably not pronounceable.

  • All right, then we'll find it wasn't found in the dictionary, right? Don't use it now, because it will be in there now.

  • But this is the idea.

  • So to sort of make unexpected changes. But it's very easy to just pull this API, right, and just see, you know,

  • is this new password I'm trying already in there?

  • Right, and if it is, don't use it. That's quite simple. If you're using a password manager generating most of your passwords at random,

  • they're unlikely to be in there, but you never know, and it just makes it that much weaker if they are.

  • Okay.

  • Shall I ask you, how do you say that? Pown? Pome? Pwned, is it? I don't know.

  • I mean, if I'm wrong then I'm a noob.

  • I thought you were leet.

  • Definitely not.
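
The range query walked through in the video, as an added Python example that is neither the video's pwned.py nor code from Have I Been Pwned: it hashes the password with SHA-1 from the standard library (hashlib rather than the cryptography library mentioned), sends only the five-character prefix, and matches the 35-character suffix locally. The sample response is constructed, and the Add-Padding header on the live lookup is an assumption.

```python
import hashlib
import urllib.request

# Range endpoint named in the video; only a 5-hex-char prefix is ever sent to it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 upper-case hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(hex_hash: str) -> tuple:
    """Prefix (5 chars, sent to the API) and suffix (35 chars, kept local)."""
    return hex_hash[:5], hex_hash[5:]

def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}. Count-0 entries are
    padding the service can add on request; drop them so they never match."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, body: str) -> int:
    """Times `password` was seen in breaches per the range response `body`
    for its prefix; 0 means it is not in the list."""
    _prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(body).get(suffix, 0)

def fetch_range(prefix: str) -> str:
    """Live network lookup for a 5-char prefix (not used offline). Add-Padding
    is an assumed header asking for count-0 filler so ranges look alike."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={
        "Add-Padding": "true", "User-Agent": "k-anonymity-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed sample response (not real API output) for the prefix of Password1;
# the matching suffix is computed so the sample agrees with the real hash.
PWD1_PREFIX, PWD1_SUFFIX = split_hash(sha1_hex("Password1"))
SAMPLE_BODY = "\r\n".join([
    "0" * 34 + "A:3",         # constructed non-matching suffix
    PWD1_SUFFIX + ":111000",  # count quoted in the video
    "0" * 34 + "B:0",         # padding entry, must be ignored
])

if __name__ == "__main__":
    print("sent:", PWD1_PREFIX, "seen:", pwned_count("Password1", SAMPLE_BODY))
```

To check a real password, pass `fetch_range(prefix)` as the body; the full hash never leaves the machine.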
