WEBVTT

0
00:00.210 --> 00:00.850
All right, guys.

1
00:00.900 --> 00:08.340
So now that we've covered creating user passwords, encrypting our database, as well as hashing passwords,

2
00:08.730 --> 00:14.550
we've kind of reached a level of security that most websites are at.

3
00:14.790 --> 00:19.170
Now, there's a lot more security that we're going to learn about a little bit later on.

4
00:19.710 --> 00:25.860
But you're actually at a point where you already know quite a lot about authentication and keeping user

5
00:25.860 --> 00:31.950
passwords secure, and definitely a lot more than a lot of people who actually run websites.

6
00:32.220 --> 00:35.720
And I know that some of you guys are keen to get a job.

7
00:35.730 --> 00:41.520
And if that is you, then I want you to go onto a website called plaintextoffenders.com. I'll

8
00:41.520 --> 00:43.280
link to it in the course resources.

9
00:43.560 --> 00:50.880
But here what you'll find is emails that come from various companies where the users requested to reset

10
00:50.880 --> 00:57.400
their password and they're sending the user a plain text version of their password.

11
00:57.690 --> 01:03.840
Now, at this point, we know to be able to even get the user's password in plain text, it means that

12
01:03.840 --> 01:07.830
they're doing some horrible things with securing the passwords.

13
01:08.040 --> 01:13.920
Either it's encrypted and there's an encryption key somewhere that they're storing or it's simply just

14
01:13.920 --> 01:18.520
stored on their database as plain text, which is the worst possible type of security.

15
01:18.840 --> 01:27.030
So given that you already know a lot better than the people who run getlinuxjobs.com or worldsim.com

16
01:27.030 --> 01:34.890
or Telecom Egypt, then you could actually just email these people and tell them that I'm

17
01:34.890 --> 01:39.650
a web developer and I know about authentication and securing users' passwords.

18
01:39.660 --> 01:41.940
You obviously seem like you might need some help.

19
01:42.210 --> 01:43.640
Would you like me to work for you?

20
01:44.010 --> 01:45.990
I recommend giving that a go too

21
01:46.020 --> 01:50.790
if you're keen on getting a job. If you're not looking for a job, then have a look at these websites.

22
01:50.910 --> 01:55.410
And if you're signed up to any of them, be sure to delete your account because it's definitely not

23
01:55.410 --> 01:55.910
secure.

24
01:56.070 --> 02:03.120
And this is why a lot of companies and a lot of websites get hacked because they don't continue beyond

25
02:03.120 --> 02:03.690
this point.

26
02:04.050 --> 02:09.510
So that means it's a really good time to talk to you about how passwords are hacked,

27
02:09.690 --> 02:13.530
so a sort of Hacking Passwords 101 class, if you will.

28
02:13.830 --> 02:16.740
Now, most of the time, I use my programming powers for good.

29
02:17.070 --> 02:23.100
But in this case, I want to talk to you about how passwords might be hacked so that once we understand

30
02:23.190 --> 02:29.700
how the other side approaches this problem, then we can learn more about security and make our website

31
02:29.710 --> 02:30.780
safer for users.

32
02:31.200 --> 02:36.230
And by the way, I have no idea why hackers are always portrayed in a balaclava.

33
02:36.240 --> 02:38.760
It's not like they're going to burgle anybody.

34
02:39.030 --> 02:44.580
I mean, especially this guy, he must be incredibly warm sitting next to all these computers, wearing

35
02:44.580 --> 02:46.470
so much clothing on his face.

36
02:47.130 --> 02:48.220
But I digress.

37
02:48.600 --> 02:55.320
So as a company, this is probably one of the things that you least look forward to. The day when you

38
02:55.320 --> 02:59.160
wake up and you get a call and you've been hacked.

39
02:59.460 --> 03:06.300
And this has happened really recently to a lot of big companies like Adobe Creative Cloud got hacked

40
03:06.300 --> 03:09.510
in 2013, LinkedIn got hacked in 2012.

41
03:09.810 --> 03:14.150
And there's loads of accounts where their passwords get leaked.

42
03:14.430 --> 03:21.320
Lots of unhappy users who reuse their passwords and are feeling extremely vulnerable.

43
03:21.690 --> 03:27.360
And you can see that even to this day, people can purchase these hacked accounts where people might

44
03:27.360 --> 03:34.200
not have realized that their LinkedIn email and their passwords are linked and people are potentially

45
03:34.200 --> 03:40.580
buying that data up and using it to hack into their PayPal accounts or other similar payment portals.

46
03:40.860 --> 03:48.450
So even if you don't learn anything from this lesson, I recommend just going to this website. I'll link

47
03:48.450 --> 03:52.110
to it in the course resources just for educational purposes.

48
03:52.380 --> 03:57.540
But put in your email address and make sure that if you do have any passwords that show up, change

49
03:57.540 --> 03:59.360
all the places where you use that password.

50
03:59.520 --> 04:05.670
But why is it that all of these big companies are getting hacked and leaking their users' passwords?

51
04:05.790 --> 04:09.120
Are they not at least encrypting or hashing their passwords?

52
04:09.690 --> 04:10.740
Well, they are.

53
04:11.040 --> 04:12.150
But consider this.

54
04:12.150 --> 04:17.850
So you're a hacker and you've managed to get into the LinkedIn user database.

55
04:18.300 --> 04:21.390
And just for simplicity's sake, let's say it looks like this.

56
04:21.390 --> 04:23.340
You've got a username and you've got a hash.

57
04:23.700 --> 04:29.730
And thankfully, they didn't store their users' passwords in plain text, so you can't access their passwords

58
04:29.730 --> 04:30.330
straight away.

59
04:30.900 --> 04:39.600
However, if you look at this table a little bit more closely, you will realize that three of the hashes

60
04:39.630 --> 04:41.880
are completely identical.

61
04:42.420 --> 04:44.400
Now, why might that be?

62
04:44.790 --> 04:52.700
Well, remember that the same password always turns into the same hash no matter how often you try it.

63
04:52.710 --> 04:59.240
And that's a core part of the hash function that we rely on in order to validate our users as well.

64
05:00.030 --> 05:06.870
That means a hacker would look at this table and realize that Angela, Tony, and Emily all have the same

65
05:06.870 --> 05:13.190
password, and what they can do is they can start to construct what we call a hash table.

66
05:13.500 --> 05:20.100
So you would take some of the most commonly used passwords and you would use the same hash function

67
05:20.400 --> 05:23.290
to create the hash value for each of those.

68
05:23.610 --> 05:27.810
And these are some of the most common passwords that people love to use.

69
05:27.810 --> 05:32.280
123456, qwerty, password, 111111.

70
05:32.290 --> 05:41.100
And so you generate this hash table and then all you have to do is just look up the hash of the user

71
05:41.340 --> 05:45.120
and compare it against the hash you have in your table.

72
05:45.480 --> 05:51.660
So you search by the hash value and you land upon the password, which is qwerty.

73
05:52.080 --> 05:59.140
So now you've figured out that three out of four users in this table all have the same password and it's

74
05:59.490 --> 05:59.850
qwerty.

75
06:00.150 --> 06:06.600
So what if they didn't use one of the most common passwords and instead they use something else, say

76
06:06.810 --> 06:09.450
their date of birth or their pet's name?

77
06:09.750 --> 06:13.940
Well, let's see how we would make a hash table if we were a hacker.

78
06:14.460 --> 06:18.330
You would probably start with all the words from a dictionary,

79
06:18.510 --> 06:21.650
and this is where the term dictionary attack comes from.

80
06:21.930 --> 06:29.040
You create hashes from all the possible words in a dictionary, and that will only be about 150,000 hashes

81
06:29.040 --> 06:30.210
that you would need to create.

82
06:30.450 --> 06:36.170
And then you add to that hash table all the numbers from a telephone book and all the combinations of

83
06:36.180 --> 06:37.950
characters up to six places.

84
06:38.220 --> 06:45.840
And then you add all of these together and you end up with something close to 19.8 billion

85
06:45.840 --> 06:50.040
combinations, which admittedly sounds like a large number,

86
06:50.040 --> 06:50.330
right?

87
06:50.340 --> 06:54.300
How long would it take your computer to calculate that

88
06:54.300 --> 06:55.170
many hashes?

89
06:55.380 --> 06:56.520
So what do we do?

90
06:56.550 --> 06:58.080
Well, let's go shopping.

91
06:58.500 --> 07:06.990
Let's go and buy some of the latest GPUs or graphics cards which are capable of parallel processing and

92
07:06.990 --> 07:14.070
therefore are particularly suited to not only Bitcoin mining, but also generating hashes.

93
07:14.340 --> 07:23.090
With one of the latest GPUs, you can calculate about 20 billion MD5 hashes per second.

94
07:23.460 --> 07:31.170
So that means with our hash table of 19.8 billion combinations, it'll only take one

95
07:31.170 --> 07:36.210
of these GPUs 0.9 seconds, which is nothing.

96
07:36.600 --> 07:41.520
It's not a lot of time to invest in order to hash so many people's passwords.

97
07:41.820 --> 07:48.730
And to make it even worse, large hash tables have been built for the most common passwords.

98
07:49.050 --> 07:55.920
So because we've had so much data from previous hacks such as the Adobe one or the LinkedIn one or TalkTalk

99
07:55.920 --> 08:00.630
or Equifax, we know what the most common passwords are that people use.

100
08:00.840 --> 08:07.770
And every year companies like SplashData will compile what are the most common passwords, say the

101
08:07.770 --> 08:08.910
top 25.

102
08:09.240 --> 08:12.990
And this is where all of those values that went into our table came from.

103
08:13.200 --> 08:15.800
But you can actually go one step further.

104
08:16.140 --> 08:23.790
There are pre-built hash tables that people have created for the top 10,000 most common passwords.

105
08:24.180 --> 08:28.620
And you can see that MD5 is one of the quickest hashes to calculate.

106
08:28.860 --> 08:34.470
And this is why it's very, very common to find MD5 hash tables.

107
08:34.590 --> 08:38.100
And you can even use Google as a basic hash table.

108
08:38.430 --> 08:42.150
You can paste in the hash that you found from the hacked database.

109
08:42.150 --> 08:47.500
You perform a simple Google search and you come up with the original password.

110
08:48.240 --> 08:53.580
Now, if at this point you're extremely scared and you're wondering, well, what exactly can you do

111
08:53.580 --> 08:54.270
about this?

112
08:54.330 --> 09:01.680
Well, consider that in our user table, there was one hash that was extremely difficult to find and

113
09:01.680 --> 09:06.940
it didn't match up with any of the hashes in this little simple hash table we built.

114
09:07.140 --> 09:14.490
So what if we put that into Google to search on a larger scale and see if it matches any of the hashes

115
09:14.730 --> 09:17.340
in the hash tables that people have generated?

116
09:17.880 --> 09:20.210
And it doesn't. It doesn't match anything.

117
09:20.490 --> 09:27.690
And the reason is because when John created his password, he had a very, very strong password with

118
09:27.690 --> 09:34.980
uppercase letters, lowercase letters, numbers, symbols, but most importantly, a long password.

119
09:35.220 --> 09:42.510
When you think about hashing as a mathematical formula, you'll realize that as the number of characters

120
09:42.540 --> 09:50.130
of your password increases, the computation time that it takes to crack it increases exponentially.

121
09:50.290 --> 09:57.300
So it doesn't matter if your account on LinkedIn or Adobe Creative Cloud or Ashley Madison was cracked,

122
09:57.570 --> 09:59.520
as long as you had a

123
09:59.820 --> 10:06.300
strong password, they wouldn't be able to work it out from a hash table. So as an example, there's

124
10:06.300 --> 10:12.330
a website called Password Checker and you can put in your password and it'll tell you not only the strength,

125
10:12.600 --> 10:18.960
but also how long it will take various types of machines to be able to crack that password.

126
10:19.170 --> 10:24.660
So let's say that I create a six-character password composed of a random set of characters,

127
10:24.660 --> 10:27.810
right? 123456.

128
10:28.320 --> 10:35.460
And you can see that even for a standard desktop PC, it only takes about three seconds to perform a

129
10:35.460 --> 10:38.510
brute force attack to crack that password.

130
10:39.090 --> 10:43.500
But let's see what happens if I add another six more characters.

131
10:43.920 --> 10:47.220
1, 2, 3, 4, 5, 6.

132
10:48.440 --> 10:57.500
Now, it takes 31 years for a standard desktop PC to be able to crack it and even a fast GPU takes two

133
10:57.500 --> 10:59.270
years to crack my password.

134
10:59.600 --> 11:07.400
So even though all of the websites encourage you to add a capital letter, lowercase letter, some numbers

135
11:07.400 --> 11:14.660
and some random characters, if you only have six characters in your password, so a short password,

136
11:14.990 --> 11:17.670
it still doesn't take very long to crack.

137
11:18.020 --> 11:25.910
So the most important thing in creating a strong password that is almost uncrackable is just to increase

138
11:25.910 --> 11:32.460
the number of characters. And also to prevent yourself from being a victim of a dictionary attack,

139
11:32.750 --> 11:39.710
just make sure that you don't use a dictionary word or a place name or something that is in a directory

140
11:39.710 --> 11:41.480
somewhere like a telephone number.

141
11:41.930 --> 11:42.290
All right.

142
11:42.290 --> 11:46.180
So at least after this lesson, you'll know how to keep yourself more secure.

143
11:46.580 --> 11:52.130
But in the next lesson, we're going to address these vulnerabilities that occur because of weak hashing

144
11:52.130 --> 11:52.760
algorithms,

145
11:52.970 --> 11:58.790
and we're going to learn how we can combat hackers who try to attack our database using a dictionary

146
11:58.790 --> 12:00.950
attack or by creating a hash table.

147
12:01.250 --> 12:04.300
So for all of that and more, I'll see you on the next lesson.

148
12:04.460 --> 12:09.050
But as a quick bonus, if you ever want to trick your friends into thinking that you're some sort of

149
12:09.050 --> 12:14.480
a hacker, at least according to Hollywood, I recommend checking out a website called hackertyper.net

150
12:14.480 --> 12:21.280
where you can just mash the keyboard and you end up with something that looks extremely realistic.

151
12:21.290 --> 12:26.840
But a word of warning: try not to do this on an airplane or in a government building unless you want to

152
12:26.840 --> 12:28.380
actually get investigated.