August 23, 2019 • 37 mins
Why should password security be a top concern? What can you do to make your passwords safe? What constitutes a strong password? Join Chris and Jonathan as they give you the tips and tricks you'll need to keep your passwords secure.
Learn more about your ad-choices at https://www.iheartpodcastnetwork.com
See omnystudio.com/listener for privacy information.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Welcome to tech Stuff, a production of I Heart Radios
How Stuff Works. Hey there, and welcome to tech Stuff.
I'm your host, Jonathan Strickland. I'm an executive producer with
How Stuff Works in my Heart Radio, and I love
all things tech. I decided to deliver it that way
because Tary was going to lipstick it with me otherwise.
(00:26):
I am here to give you a classic episode of
tech Stuff, and I thought for a while that I
should re enact the entire thing and do all the
voices for me and for Chris, but Sary reminded me
that I also want to get home today, so instead,
we're just gonna play this classic episode for you. It
is called tech Stuff looks at Password Security, and it
dates from September nineteen, two thousand twelve. Enjoy Security has
(00:51):
been in the news a lot lately as of the
time we're recording this in lead August two thousand twelve, UM,
and part of that is because, as we have touched
on an a handful of times since some of the big,
more widely publicized cases have been making the news that
you know, hackers have been breaking into different accounts at
(01:12):
major corporations online, stealing people's information. It's unclear whether people's
credit card numbers were stolen or if we have your
home address or we know the name of your dog.
There was a whole story of Matt Honan getting his
entire digital life hacked because of a vulnerability between the
systems of Amazon and Apple, which clearly taken a loan,
(01:35):
clearly were not obvious as problems, but when put together,
post problems because they were the people who were doing
the hacking game to the system and put them against
one another to create a bigger picture that allowed them
to get the information. Well, uh, you know, people have
been saying that you need secure password please, and there
are news reports about this too. People are still using
(01:58):
password as password or obvious terms one, two, three, four.
That's the kind of thing an idiot puts on his luggage. Hey, so,
uh yeah, I mean those kinds of things are still
in practice, and of course you need to use more
secure passwords, but it's it's it goes deeper than that.
(02:20):
There's more information out there now about how even using
stronger passwords alone isn't necessarily going to keep hackers from
being able to get into your account. So think about
what you're doing. There's there's several several things that you
have to consider. One of those is the idea of
(02:42):
linking accounts together, because that means that should one account
become vulnerable, then those other linked accounts could also be vulnerable.
That was the case with Matt Honan, right. So one
of the many problems of his yes UM because more
identifiable problems because once they got to access to his
Google account, then they were able to reset stuff all
(03:03):
over the place. And then it turned out that all
they really wanted was to access his Twitter account, which
is I guess in a way he's fortunate, but it's
still pretty crazy everything that they managed to do in
order to do that, and they caused quite a bit
of damage along the way to mattahone in anyway not
to mention to the the the public perception of security
(03:23):
UM on the back end. So that's one thing is
linking lots of accounts together holds a very specific danger.
I mean, for one thing like Facebook Connect or really
any open i D approach, right, if that system is
not secure, you have a single point that you can
target that will give you access to lots of stuff.
(03:45):
Now that's so sad because for us, the consumer that's
so helpful. Yeah, having one account that you can log
into and from there you can authenticate with multiple other services.
You don't have to form after form after form. Uh,
you know, it's it is a very valuable service now.
And I'm not saying that that Facebook Connect or Open
(04:08):
Idea or any of that is that they are not secure.
They're putting they're putting lots of protections in place to
try and keep user information as safe as possible. It's not. Yeah,
it's not so much that it's inherently wrong, as that
if something does happen, it can cause serious problems. Right.
So that's one issue. Another issue is the way that
(04:29):
we create passwords as users for those of us who
are using either very common words or even names. Um,
even if we think we're being clever by adding a
few numbers to it, that's not really that secure. And
if it becomes even more insecure if we're using those
(04:50):
passwords at multiple accounts. So I think, uh, we we were.
We both read an article from Ours Technical by Dan
Gooden called why passwords have never been weaker and crackers
have never been stronger. It's actually it's a fascinating read,
and I do recommend you check it out if you
find this episode interesting, where even if you don't, it's
(05:12):
a good thing to know. And uh, it's it's typically
our technical typically get into more technical detail than than
articles on how stuff works dot com. But if you're
if you're really serious about it, there there's a lot
of important information in there, and we can give you
kind of the layman approach to what is going on here.
But part of that is that I remember reading, and
it may not have been in this article, I do
(05:33):
remember reading a statistic that the average user has something
like six and a half passwords. That's in there. Okay,
so they use six and a half past and you know,
of course this is an average. We're not saying someone
out there's just putting, you know what, I was gonna
type in my whole password, which is typically password, and
I'm just gonna type in pass for this one. No,
that's not what it means sword, it's the average. So
(05:53):
but that means that, you know, you think the average
person has around twenty five accounts across the web, but
they're using on average six and a half passwords, so
each password is being used for around three times on average.
I mean that's again an average. You might have just
one password that used twenty times and the other three
used the other five. Well, I don't want to use
the same password on Google, and yeah, who's so I'll
(06:17):
use one for one and the other one for the other,
and then I'll use the Google one again for pest
or whatever one for Facebook because they are those are
disconnected enough where it's not gonna know. That's still a
problem unless you think that I am a super genius,
because I can say this, no, I I reused passwords
from time to time too. I'm guilty of it, just
(06:37):
as much as the planet. I was awful for a
long time. Passwords among Yeah there were that was pretty
much mine too. I had about three passwords that I
used for almost everything. That is no longer the case. People,
I don't do that anymore. Well, I told you I
didn't mean you erase all those accounts anyway. So that's
that's another user behavior, and we'll get more into that
(06:58):
in a minute. But then the third piece is how
safe are those passwords within the databases of the companies
that hold those passwords. So if you are a cracker,
you know a hacker who is specifically trying to crack
into security systems, and you have identified a potential target
(07:21):
to try and get at their password database, then uh,
if it's if it's one where the user base of
that service or company also typically has accounts at other places.
You've managed to not just get the passwords for that
one account, but knowing that people tend to reuse their passwords,
(07:42):
you might actually have access to multiple services. Now, there
are ways that companies can protect against this, not just
by building a good security system that's hard to crack,
but also by uh encrypting those passwords in the database
that if you get that database, yes you've got a
(08:03):
whole bunch of data, but it does not translate directly
to the passwords because it's been put through a hashing algorithm. Yeah,
and there's there are several sort of standard hashing algorithms.
So basically it's a it's a little like email encryption too.
So you have, let's just pick pass the four letter
word pass um, you put it through the hashing algorithm,
(08:26):
and on the other side of that, it the letters
and numbers that make up the encrypted information look nothing
like that. And it might be that your four letter
password has just become a thirty two letter encrypted string
of characters. Yeah, so somebody seeing that written down, say
on a piece of paper, is not going to have
any idea what that is, and they're not really going
(08:47):
to have any way to decipher it. And theoretically it's
pretty well, uh, pretty well protected, right theoretically, But here's
the problem is that not first of all, not every
company has historically encrypted all those passwords. And there have
been cases where crackers have gotten access to a password
(09:07):
database that was stored in plain text. That means that
the password that you type in appears in that database
as you typed it, so there's no hidden you know,
code or anything. You've got those passwords, Well, that's very
valuable to a cracker for more than just the fact
that they now have access to your account. What's also
valuable is that they now have a list of words
(09:30):
that people use as passwords. So, uh, there's a there's
a type of attack we should talk about, the brute
force attack. A brute force attack is when a cracker
tries to get access to a system by filling out
the essentially filling out the password field multiple times until
(09:51):
they get a positive result. And um, one way of
doing a brute force attack. A very common way is
to do what's called a dictionary at at where you take.
You create a virtual dictionary of words that you use
as the basis for passwords. Knowing that a lot of
people will pick a common dictionary word as the basis
(10:13):
of their password hard wark, antelope, ant eater, you know,
and it just goes all the way through to pick
animals for some reason. But something else that they'll do
as part of this dictionary attack what they'll start adding
changing symbols. So let's say your your password is hardwark,
but you're being clever and changing the a's symbols at
(10:33):
symbols and uh, you know, let's see you pick a
word with with ease in it and you change them
to threes. They try those two, Yeah, because those are
very common approaches. And yes, you know, keeping in mind
that most of us are using passwords that are easy
for us to remember, and the more random ish or
seemingly random these passwords get, the harder it is for
(10:56):
us to recall them. So, knowing that's a weakness, the
racker can say, all right, well, let's go with all
these words, and let's go with the various variations we
would expect people to use with these words. And even
if you've done stuff like just added a couple of
numbers at the end, that's not always a tough thing either.
They can start going through all of these different variations
(11:17):
adding various numbers at the end. If they know how
many characters your password is, that already has given them
a huge advantage. And the reason why this is possible
is because we've got processors out there that can do
these these calculations in parallel. You know, if you were
to do them all one after the other, it may
take you centuries to get through all the possibilities of
(11:39):
a particular password, depending on how many characters there are
within that password. Hey guys, it's Jonathan from two thousand nineteen.
I just hacked into this classic episode because the password
protection was laughable. It was just palette one to three.
So I'm gonna mess around with some stuff. But let's
take a quick break while I do that. In Hollywood,
(12:07):
Hollywood computers can do an executive brute force attack in
about twelve seconds. Yeah, well, sometimes that can happen here too,
but that's generally not the way it works. Well, that's
that's one of the interesting things about this article is
you learn from reading that UH an attack like this
doesn't take very long at all, that at most, assuming
(12:27):
that you're not following really really strong password particles. UM. Yeah,
it turns out that it's like, because of this parallel processing,
you've got a processor that's working on multiple UH approaches
to this logan attempt. So we can go through all
these different variations, even when there are billions and billions,
(12:49):
as Karl Sagan would say, variations of passwords, the processor
can go through so many so quickly. You know, each
each thread in that parallel processing is movie got an
incredible rate, and you've got multiple threads all going UH.
There are crackers who use graphics processing units GPUs to
do this. They because the GPUs are designed to be
(13:10):
parallel processors. Yeah. Even even though they're designed primarily to
handle graphics instructions and display them on your your monitor,
GPUs can be UH pressed into service, let's say, by
a program by a software that that can specifically UM
send instructions to it. So what people do, UM, there
(13:33):
are open source programs that you can use to UH
assign password cracking to your GPU. UM sad to say,
and and one of the uh, the interesting stories that
are One of the interesting bits that I read from
this article too was uh that people have grown increasingly
intelligent about the way they save cracked passwords. So they're
(13:57):
saving up dictionary attack type information. And so if you
use you know, password one, is your password on one site, um,
and they want to hack in to your account at
the House of online Grapefruit, they might try they and
they've got your information. They could try it there too,
(14:18):
to see if you've used your password on more than
one site. So that makes it increasingly dangerous for you
to use the same password in multiple locations because there
is a growing database of password information that that people
are saving and not just throwing away once an attack
is completely That database also means that they can look
at things like frequencies like how frequently are people using
(14:40):
the specific word or variations of this word as a password.
And the more people who use it, the more you're like,
all right, well let's bump this up the list. It's
more of a likely candidate for a password. So, you know,
we like to think that the passwords we choose are unique,
but that's if we're basing it off a name or
a word. That's not the case. Are lots of people
(15:01):
out there using lots of passwords, and there's a good
chance that someone out there is using the same quote
unquote unique password. You are. Just remember your unique just
like everybody else. You know, when everybody is special, no
one is. It's incredible. Um. The so yeah, the the
(15:21):
the database can tell the cracker all right, Well, not
only am I using a dictionary attack, but I'm using
a curated dictionary attack in a way, because these are
the known passwords that are floating out there in the world,
and these are the ones that are really popular that
lots of people use. So we'll go through all the
variations of these first, and you just you tweak your
(15:42):
cracking program to do that so that you can get
the the largest number of results in the least amount
of time. And another thing you can do is once
you've figured out these passwords that are very popular, that
helps you determine other things, like there are only so
many hashing algorithms that are really popular out there in
the world of computer security, right, so if you know
(16:05):
which hashing algorithm there the particular company is using, and
you are able to get let's say you get access
to their encrypted password database. So now you've got a
list of passwords that are encrypted, so you cannot just
look at them and know what the passwords are. If
you are able to determine which security protocol they're using,
(16:25):
and you have this massive database of um of of
of passwords that are really popular, you can run those
passwords through the same encryption algorithm to look at the
hashes that come out and then start matching them up
with the stuff that was in the database. So you're
still cracking the passwords, you're just going about in a
different way as far as this brute force attack is concerned.
(16:47):
It's still a brute force attack. It's just doing it
in a kind of an odd roundabout way because you've
got the you've got the hash of the password, you've
got the security protocol that's being used. Now you're trying
to yes the original word that created that hashed password.
Once you're able to do that, that account is no
longer secure. And if that again, if you're using that
(17:09):
same password elsewhere, those accounts aren't secure. Um, So you
might be asking yourself, hey, if there are crackers out
there who have these really advanced tools that can either
figure out a password or uh, you know, kind of
worked on a list so that the passwords I use
are vulnerable. How do I how do I protect myself?
(17:33):
And there are a few things you can do. One
is use a unique password for every service that you
log into, which is incredibly difficult if you're doing it
on your own, which is why I would suggest getting
a password manager program. And there are a lot of
them out there. There are some that are free, there's
some that you pay for. Um, there's some that are
(17:55):
in the cloud. There are some that are based on
your system. Yeah. Uh, you use a password manager, right,
I do as well. UM, I'll go ahead and say
which one I use. I use dash Lane, which I
tried out for the first time this year and I
like it well enough. Um. It saves passwords and if
(18:17):
you want, it will generate a password for you, so
you don't have to just come up with a string
of things. It'll it'll do it for you and save
it to your account. You create a master password that
is a strong password, meaning that there are upper and
lower case letters. There's also numbers in there. Uh, and
all you have to do is remember that one. Which
(18:39):
that sounds tricky, but I'll give you a hint on
how to do something like that. If you want to
try it yourself, you create a master password. Uh. Then
when you log into your dash Ling account in my case,
you then have access to all the other passwords that
are that that dash Lane generates. So I actually went
in to all my accounts and use the dash Lane
(19:01):
password generator program, and it creates a ten character long
strong password that's unique. So none of my accounts used
the same ones anymore. They're all ten characters long. They
are a mix of various characters and uh. When you
get to about nine characters, and if it's a truly
(19:24):
you know at least a seemingly random series of characters
and numbers. Uh. The difficulty of cracking that password escalates dramatically,
So I might go from a matter of days, two
weeks or months. And the harder you make it to crack,
the more likely your information will be safe so or
(19:45):
that it will just be difficult for anyone to guess. Um.
So that's the purpose of creating these strong passwords and
the purpose for the password managers, because strong passwords are
hard to remember. Um, So all I have to do
is remember my one master password here's the hint I
was gonna make. So if you want to make a
strong password, like a master strong password, uh, it's best
(20:10):
that you come up with a phrase that you will
not forget and it it's great if the phrase also
has a proper noun somewhere after the first word, so
that you have some capitals in there as well. And
you need a number, like a four digit number is best.
So for example, you might say Dad's first car was
(20:33):
a nineteen fifty six Volkswagen Bug. M all right, So
then your password. You take the first letter off of
each of those words and the number and you put
them together and that becomes your password. So the first
letter would be upper case D for Dad's then first car,
so it's upper case D, lower case F, lower case C,
(20:55):
lower case W, lower case A. Then you have the
one X and then percase v U percase B for
Volkswagen Bug. That could be your master password. And when
you look at it as just a string of letters
and numbers, it looks meaningless. You know, there's no there's
no phrase that's evident right there immediately unless you happen
(21:19):
to have already known it. So don't tell people you're oh,
I gotta change my password. Yeah, but no, don't tell
people what your phrases, but make it a phrase that
is easy to remember. And uh and that could be
your master password, and don't use it again. Just use
it for your master password and then use the password
(21:41):
generator or a password generator if you don't want to
trust one thing with it. But it's it's easier to
use a password managers on board password generator because it
can save it directly to your account. Otherwise you're gonna
have to transfer that that password to whatever your manager
is UM and then that way you've got a vault
(22:04):
of passwords that are encrypted that are ten characters, hopefully
at least ten characters nine or ten characters at the
very least, and are strong. It's funny. It's it's rather
than coming up with a mnemonic device to remember your password,
you start with them mnemonic device and from it from it. Yeah,
(22:25):
I think that that's way easier because that is I've
used a password generator before that creates a random string
of characters and then tells you it's easy to remember this.
Just remember echo bravos seven delta delta bro. You know,
I'm like, this is that where are you from where
that is easy? How is how is remembering a random
(22:49):
selection of echoes and Bravos and etcetera and numbers easier
than say, just remembering e e blah blah. You know,
like that's not easier to me. But this other method
where you create a pmneumonic device first and then convert
that into a strong password makes way more sense to me.
And uh again because you know the output of it
(23:14):
is a seemingly random string of letters and numbers. Uh,
it's not something that's easy for a computer to guess. Hi, guys,
it's Jeamvan twenty nineteen. Chris called me up and he
yelled at me. So I've updated the password. And while
I'm doing that, we're just, uh, we're gonna take another
quick break. Well, um, I use one password by agile
(23:41):
bits um, which is a you can get as a
desktop application for Windows or Mac. UM also works on
iOS and Android. UM and uh, you know it has
a browser plug in too on the desktop, so that
you uh, say, you visit a site where you have
a um an account, maybe a shopping site, maybe a
(24:02):
banking site or something like that for example, so you
have your log in and password, you have to log
in and has a little button and you press the
button in it, you know, says what is your overall passwords?
He is your master password in there, and then as
soon as you uh log in, you'll be given an
opportunity to log into the site and it submits the
information for you. Yeah, this is important if you're using
(24:23):
a someone else's computer and you are using a browser
to navigate to something. And you know, again, if you've
created these these strong passwords, remembering each one is going
to be really hard. And if you and it's not
like you're going to go and install your you know,
you don't want to install the desktop program on someone
else's computer. I mean, that's not your job, it's their computer.
(24:46):
Especially like let's say that you're at a library or
something and you want to log in and check email,
but you've used one of these strong password vaults using
something that has a web browser interface in it, so
that you can log into the service and access those
passwords and then log out and those passwords are no
longer there. That's important. Yeah, yeah, and uh, it does
(25:08):
give you a one password. Also gives you the opportunity
to when you're creating a password, UM, to make it
as longer as short as you need to really so,
or include symbols, or not to include symbols. So one
of the important tips that this article that that Jonathan
and I read points out is that eight digit or
eight character uh passwords are easier to crack than longer ones.
(25:34):
So if you're you're presented with a a website, you're
you're filling out the information for the account, it says, oh, well,
your password needs to be six characters are longer. Don't
pick a six character password? Is the is the simple
thing for that, whether it's your own or one that uh,
one of many, many very capable password generators. Um, yeah,
it was. As Jonathan said, these are the two that
(25:55):
we picked, but there are lots of them out that
they're great. There are a lot of them and they
all like you can read reviews of them and uh,
and you know, these are companies that their reputation is
completely built upon how reliable they are and that and
how upfront and transparent they are in the sense of
they're not using data themselves to get access to stuff.
(26:18):
In fact, most of these companies have the information encrypted
so that they don't have any idea what passwords you
are using. Because it's just like we were talking about
with the the password databases, where all they are encrypted passwords,
same sort of thing. They have no way of knowing
what you chose as your various passwords. They just provide
(26:41):
the hard the world the software that that lets you
do it. So yeah, if you can, if you can
choose a password manager that allow you to create longer
passwords and to save them automatically in the in your database,
that's a good thing, especially if your database is encrypted
wherever it is, whether it's on the cloud or on
your your hard drive or your phone. UM, you know
(27:02):
those that's important to know. UM. Also one of the
interesting things, and this is one of those things that
companies do that make your security less uh more open.
Let's say to to being cracked is people who for
their accounts have their email address UM as their user name.
(27:25):
Because these are this is sort of the equivalent of
of linking accounts. So you know, anybody, Let's say somebody
hacks into UM an account like they did with that
large shopping provider, the one that had all the uh
loyalty programs or cards. Uh. If they if they say, well,
(27:45):
all they got was people's email addresses. Well, that's an
important part of the equation. So maybe they'll start using
that email address that they got from those loyalty cards
in accounts with Amazon and Facebook, Google and all these
other places. They may start figuring out where your accounts are.
If they can figure out, you know, using that user
(28:07):
name and they identify one of the passwords, then the
dominoes start to fall. So uh, using multiple user names
and especially not your email address, you can arrange that.
That's very helpful as well. Um, you wouldn't necessarily think
it right off the shelf, but when you think that
these these people are putting together databases of this information,
(28:30):
it makes it clear that varying as much information as
possible is a good idea. Also, changing your passwords regularly.
Let's say you do have a banking site. Um, you
have a fifteen character password. It's got four different symbols
in a upper and lower case letters and numbers. That's
pretty secure. You should probably change it every few months,
(28:53):
just to be on the safe side. This is your
financial information we're talking about. It's a good idea to
swap it out, and you know, another night sings. A
lot of those password managers will even have a you know,
you can set a reminder on many of them that
you know they'll they'll keep a track of when you
established a particular password and let you know when it's
time you should change it up. And again, if you're
(29:16):
using one of these that has a password generator is
part of it, then all it takes is logging in
and uh often it'll go ahead and fill out the
forms that you need already and then you just press
a little button to generate a new password. It will
save the new password to your account. So I mean
it's something that takes five seconds once you've set up
the first time. And uh, you know, five seconds of
(29:37):
effort to keep crackers at bay is not a bad idea. Uh.
And keep in mind also that as GPUs become more sophisticated,
um as software gets more sophisticated, as as these algorithms
get more sophisticated, it's gonna get harder and harder to
protect the password. You know, you can play the game
(29:58):
of adding more care actors, which does uh increase the
difficulties significantly to get the positive hit. So uh, you know,
we we can stay ahead just by adding longer and
longer passwords as we go along. But you know, that's
a game that ultimately we're gonna have to sit there
(30:19):
and say we need to find a new way to
protect stuff, because that's the problem is that you know, you're, you're,
you're just playing a game of cat and mouse at
that point. And you know, we talked about quantum computers
a few times. One of the potential things the quantum
computer could be very good at is cracking codes. Because
(30:40):
a quantum computer is is also really well equipped for
parallel processing. Um. So that's something else to think about.
Is that now? Granted, right now, quantum computers are still
largely theoretical. There are a few working examples, but they're
horriously difficult to design and even more difficult to maintain
(31:04):
because you know, the slightest alteration and they there the
whole coherence problem becomes apparent. Yeah, either it is or
it isn't torn maybe somewhere in between. Um. Yeah, and uh.
I also read another article on on Ours Technica by
the same author actually, where they had discovered that in
(31:24):
versions of Windows seven and eight, um, it's possible to
get hold of people's security questions. Uh. Now, uh, that
sounds I think it's easy to come off with a
negative that seems like it's a negative against Microsoft, and
I guess in a way it is. But it assumes
first that the person has the person's computer. You would
(31:47):
actually have to have their computer to get it, and
you'd also have to know how to retrieve that information.
But that goes back to our discussion of Matt Honan too,
because if you know a lot of these security words
that you set up to talk to people on the
phone about your accounts or you set them up online.
You know, what's the name of your first pet? You know,
(32:09):
and you put in your first dog's name, and then
you use that in multiple places. Then want that was
what enabled them to get hold of that information. If
this person got hold of your computer was able to
pull that out from the log in help, they could
use that on your accounts too. So it might be
a little good to use some reverse social engineering. And
(32:29):
when someone asks you what who what you're uh the
name of your first dog was or first pet was,
you put your favorite UH form of salad dressing in
there instead something something unusual that they wouldn't be able
to pick. So that which by the way obvious, is
a blast when you have to call as you've forgotten
(32:52):
your passwords stuff, and you call in and then they're like, so,
what's your favorite pets name? Paul Newman's Thousand Island dressing. Yeah,
that's right. Well I'll tell you that this is and
anybody who's frustrated by this conversation and will tell you
(33:12):
that using these super secure passwords and obviously a fustutory
material here is a pain in the neck because you know,
if you don't have to have your password manager with
you when you're on a friends computer logging in to
check your mail and it's got some kind of thirty
two character weird password and you don't remember it, and
(33:32):
you're going, man, I know no one's ever going to
crack into this computer. It's a friends computer. I'm fairly saying, well, yeah,
you probably are fairly safe. But it's probably worth a
frustration then, more so than it will be having to
put out all the fires of all the account information
that you could be giving up otherwise. And it's not
so much worrying about your friends computer as it is
(33:53):
worrying about that database that's on the other end of
this password system, because uh, the more passwords a company
accumulates as more and more people use its service, the
more attractive it is as a target to crackers. And
they're doing you know, that's that's what they do. They
look at systems and try and find ways of penetrating it.
(34:13):
So it's you know, they're not they're not worried about
getting your your buddy bills computer. They're looking at you know,
like Mega core that has all those passwords in it.
That's what they want. So you know, using that easy password,
while it's convenient, is also ultimately a dangerous thing. And
(34:36):
you know, I gotta I gotta admit, like, for the
very long time, I had pretty poor password protection. I
mean I just I was just I did not. I
was not very good about it at all. Even as
we were telling people change your passwords. Still wasn't doing
as as good a job as I should have. Don't
(34:57):
back up your hard drive regularly? Oh yes, I do,
I do good. I got well the Mac hard drive,
my my PC hard drive. I do not back up
as regularly as I should, which really I need to
start doing that. But the thing in the neck. But
but cloud services have made that really a lot better too, now,
you know cloud hell of course, has its own set
of problems, which we've talked about in previous podcasts. But
(35:19):
everything technological has its own set of problems. You just
have to decide which ones are the most acceptable setup
problems for you. So, but I have I have switched.
I mean, I am now, I am wholeheartedly in this.
Let's protect our passwords, especially after seeing what happened to Honan.
I mean, you and I are in the public eye.
We're not celebrities by any stretch of the imagination. But
(35:42):
it's not that far um, it's not it's not all
the realm of possibility that someone at some point could say,
you know what would be funny? Well, and and it
just really takes somebody getting a hold of your name.
That's why they tell people to shred when you have
a junk mail or something with your name on it,
to shred that information. Because I've got one of those two.
You never know when somebody's gonna go and you know,
(36:04):
say Jonathan Strickline. I think there's a bunch of people
named that, actually there are so one of them got
booked in North Atlanta for something a couple of weeks ago,
but wasn't me. I want to ask how you know
that I'm on the lamb because I've got a Google
alert said to my name. All right, that wraps up
another classic episode. I think we've all learned a valuable lesson.
(36:25):
I know I have. I know I learned that Chris
remembers my phone number for example. Well, I hope you
guys enjoyed it. If you have any suggestions for future
episodes of tech Stuff, reach out to me. The address
is tech stuff at how stuff works dot com, or
pop on over to our website that's tech stuff podcast
dot com. You'll find links to our presence on social media.
You'll find an archive of all of our past episodes.
(36:48):
You'll find a link to our online store where you
can buy tech Stuff merch. Get some tech stuff swag
handed out like it's Christmas. Please, because every purchase you
make goes to help the show. We greatly appreciate it,
and I will talk to you again really soon. YEA
(37:09):
text Stuff is a production of I Heart Radio's How
Stuff Works. For more podcasts from my heart Radio, visit
the i heart Radio app, Apple Podcasts, or wherever you
listen to your favorite shows.
Welcome to tech Stuff, a production of I Heart Radios
How Stuff Works. Hey there, and welcome to tech Stuff.
I'm your host, Jonathan Strickland. I'm an executive producer with
How Stuff Works in my Heart Radio, and I love
all things tech. I decided to deliver it that way
because Tary was going to lipstick it with me otherwise.
(00:26):
I am here to give you a classic episode of
tech Stuff, and I thought for a while that I
should re enact the entire thing and do all the
voices for me and for Chris, but Sary reminded me
that I also want to get home today, so instead,
we're just gonna play this classic episode for you. It
is called tech Stuff looks at Password Security, and it
dates from September nineteen, two thousand twelve. Enjoy Security has
(00:51):
been in the news a lot lately as of the
time we're recording this in lead August two thousand twelve, UM,
and part of that is because, as we have touched
on an a handful of times since some of the big,
more widely publicized cases have been making the news that
you know, hackers have been breaking into different accounts at
(01:12):
major corporations online, stealing people's information. It's unclear whether people's
credit card numbers were stolen or if we have your
home address or we know the name of your dog.
There was a whole story of Matt Honan getting his
entire digital life hacked because of a vulnerability between the
systems of Amazon and Apple, which clearly taken a loan,
(01:35):
clearly were not obvious as problems, but when put together,
post problems because they were the people who were doing
the hacking game to the system and put them against
one another to create a bigger picture that allowed them
to get the information. Well, uh, you know, people have
been saying that you need secure password please, and there
are news reports about this too. People are still using
(01:58):
password as password or obvious terms one, two, three, four.
That's the kind of thing an idiot puts on his luggage. Hey, so,
uh yeah, I mean those kinds of things are still
in practice, and of course you need to use more
secure passwords, but it's it's it goes deeper than that.
(02:20):
There's more information out there now about how even using
stronger passwords alone isn't necessarily going to keep hackers from
being able to get into your account. So think about
what you're doing. There's there's several several things that you
have to consider. One of those is the idea of
(02:42):
linking accounts together, because that means that should one account
become vulnerable, then those other linked accounts could also be vulnerable.
That was the case with Matt Honan, right. So one
of the many problems of his yes UM because more
identifiable problems because once they got to access to his
Google account, then they were able to reset stuff all
(03:03):
over the place. And then it turned out that all
they really wanted was to access his Twitter account, which
is I guess in a way he's fortunate, but it's
still pretty crazy everything that they managed to do in
order to do that, and they caused quite a bit
of damage along the way to mattahone in anyway not
to mention to the the the public perception of security
(03:23):
UM on the back end. So that's one thing is
linking lots of accounts together holds a very specific danger.
I mean, for one thing like Facebook Connect or really
any open i D approach, right, if that system is
not secure, you have a single point that you can
target that will give you access to lots of stuff.
(03:45):
Now that's so sad because for us, the consumer that's
so helpful. Yeah, having one account that you can log
into and from there you can authenticate with multiple other services.
You don't have to form after form after form. Uh,
you know, it's it is a very valuable service now.
And I'm not saying that that Facebook Connect or Open
(04:08):
Idea or any of that is that they are not secure.
They're putting they're putting lots of protections in place to
try and keep user information as safe as possible. It's not. Yeah,
it's not so much that it's inherently wrong, as that
if something does happen, it can cause serious problems. Right.
So that's one issue. Another issue is the way that
(04:29):
we create passwords as users for those of us who
are using either very common words or even names. Um,
even if we think we're being clever by adding a
few numbers to it, that's not really that secure. And
if it becomes even more insecure if we're using those
(04:50):
passwords at multiple accounts. So I think, uh, we we were.
We both read an article from Ours Technical by Dan
Gooden called why passwords have never been weaker and crackers
have never been stronger. It's actually it's a fascinating read,
and I do recommend you check it out if you
find this episode interesting, where even if you don't, it's
(05:12):
a good thing to know. And uh, it's it's typically
our technical typically get into more technical detail than than
articles on how stuff works dot com. But if you're
if you're really serious about it, there there's a lot
of important information in there, and we can give you
kind of the layman approach to what is going on here.
But part of that is that I remember reading, and
it may not have been in this article, I do
(05:33):
remember reading a statistic that the average user has something
like six and a half passwords. That's in there. Okay,
so they use six and a half past and you know,
of course this is an average. We're not saying someone
out there's just putting, you know what, I was gonna
type in my whole password, which is typically password, and
I'm just gonna type in pass for this one. No,
that's not what it means sword, it's the average. So
(05:53):
but that means that, you know, you think the average
person has around twenty five accounts across the web, but
they're using on average six and a half passwords, so
each password is being used for around three times on average.
I mean that's again an average. You might have just
one password that used twenty times and the other three
used the other five. Well, I don't want to use
the same password on Google, and yeah, who's so I'll
(06:17):
use one for one and the other one for the other,
and then I'll use the Google one again for pest
or whatever one for Facebook because they are those are
disconnected enough where it's not gonna know. That's still a
problem unless you think that I am a super genius,
because I can say this, no, I I reused passwords
from time to time too. I'm guilty of it, just
(06:37):
as much as the planet. I was awful for a
long time. Passwords among Yeah there were that was pretty
much mine too. I had about three passwords that I
used for almost everything. That is no longer the case. People,
I don't do that anymore. Well, I told you I
didn't mean you erase all those accounts anyway. So that's
that's another user behavior, and we'll get more into that
(06:58):
in a minute. But then the third piece is how
safe are those passwords within the databases of the companies
that hold those passwords. So if you are a cracker,
you know a hacker who is specifically trying to crack
into security systems, and you have identified a potential target
(07:21):
to try and get at their password database, then uh,
if it's if it's one where the user base of
that service or company also typically has accounts at other places.
You've managed to not just get the passwords for that
one account, but knowing that people tend to reuse their passwords,
(07:42):
you might actually have access to multiple services. Now, there
are ways that companies can protect against this, not just
by building a good security system that's hard to crack,
but also by uh encrypting those passwords in the database
that if you get that database, yes you've got a
(08:03):
whole bunch of data, but it does not translate directly
to the passwords because it's been put through a hashing algorithm. Yeah,
and there's there are several sort of standard hashing algorithms.
So basically it's a it's a little like email encryption too.
So you have, let's just pick pass the four letter
word pass um, you put it through the hashing algorithm,
(08:26):
and on the other side of that, it the letters
and numbers that make up the encrypted information look nothing
like that. And it might be that your four letter
password has just become a thirty two letter encrypted string
of characters. Yeah, so somebody seeing that written down, say
on a piece of paper, is not going to have
any idea what that is, and they're not really going
(08:47):
to have any way to decipher it. And theoretically it's
pretty well, uh, pretty well protected, right theoretically, But here's
the problem is that not first of all, not every
company has historically encrypted all those passwords. And there have
been cases where crackers have gotten access to a password
(09:07):
database that was stored in plain text. That means that
the password that you type in appears in that database
as you typed it, so there's no hidden you know,
code or anything. You've got those passwords, Well, that's very
valuable to a cracker for more than just the fact
that they now have access to your account. What's also
valuable is that they now have a list of words
(09:30):
that people use as passwords. So, uh, there's a there's
a type of attack we should talk about, the brute
force attack. A brute force attack is when a cracker
tries to get access to a system by filling out
the essentially filling out the password field multiple times until
(09:51):
they get a positive result. And um, one way of
doing a brute force attack. A very common way is
to do what's called a dictionary at at where you take.
You create a virtual dictionary of words that you use
as the basis for passwords. Knowing that a lot of
people will pick a common dictionary word as the basis
(10:13):
of their password hard wark, antelope, ant eater, you know,
and it just goes all the way through to pick
animals for some reason. But something else that they'll do
as part of this dictionary attack what they'll start adding
changing symbols. So let's say your your password is hardwark,
but you're being clever and changing the a's symbols at
(10:33):
symbols and uh, you know, let's see you pick a
word with with ease in it and you change them
to threes. They try those two, Yeah, because those are
very common approaches. And yes, you know, keeping in mind
that most of us are using passwords that are easy
for us to remember, and the more random ish or
seemingly random these passwords get, the harder it is for
(10:56):
us to recall them. So, knowing that's a weakness, the
racker can say, all right, well, let's go with all
these words, and let's go with the various variations we
would expect people to use with these words. And even
if you've done stuff like just added a couple of
numbers at the end, that's not always a tough thing either.
They can start going through all of these different variations
(11:17):
adding various numbers at the end. If they know how
many characters your password is, that already has given them
a huge advantage. And the reason why this is possible
is because we've got processors out there that can do
these these calculations in parallel. You know, if you were
to do them all one after the other, it may
take you centuries to get through all the possibilities of
(11:39):
a particular password, depending on how many characters there are
within that password. Hey guys, it's Jonathan from two thousand nineteen.
I just hacked into this classic episode because the password
protection was laughable. It was just palette one to three.
So I'm gonna mess around with some stuff. But let's
take a quick break while I do that. In Hollywood,
(12:07):
Hollywood computers can do an executive brute force attack in
about twelve seconds. Yeah, well, sometimes that can happen here too,
but that's generally not the way it works. Well, that's
that's one of the interesting things about this article is
you learn from reading that UH an attack like this
doesn't take very long at all, that at most, assuming
(12:27):
that you're not following really really strong password particles. UM. Yeah,
it turns out that it's like, because of this parallel processing,
you've got a processor that's working on multiple UH approaches
to this logan attempt. So we can go through all
these different variations, even when there are billions and billions,
(12:49):
as Karl Sagan would say, variations of passwords, the processor
can go through so many so quickly. You know, each
each thread in that parallel processing is movie got an
incredible rate, and you've got multiple threads all going UH.
There are crackers who use graphics processing units GPUs to
do this. They because the GPUs are designed to be
(13:10):
parallel processors. Yeah. Even even though they're designed primarily to
handle graphics instructions and display them on your your monitor,
GPUs can be UH pressed into service, let's say, by
a program by a software that that can specifically UM
send instructions to it. So what people do, UM, there
(13:33):
are open source programs that you can use to UH
assign password cracking to your GPU. UM sad to say,
and and one of the uh, the interesting stories that
are One of the interesting bits that I read from
this article too was uh that people have grown increasingly
intelligent about the way they save cracked passwords. So they're
(13:57):
saving up dictionary attack type information. And so if you
use you know, password one, is your password on one site, um,
and they want to hack in to your account at
the House of online Grapefruit, they might try they and
they've got your information. They could try it there too,
(14:18):
to see if you've used your password on more than
one site. So that makes it increasingly dangerous for you
to use the same password in multiple locations because there
is a growing database of password information that that people
are saving and not just throwing away once an attack
is completely That database also means that they can look
at things like frequencies like how frequently are people using
(14:40):
the specific word or variations of this word as a password.
And the more people who use it, the more you're like,
all right, well let's bump this up the list. It's
more of a likely candidate for a password. So, you know,
we like to think that the passwords we choose are unique,
but that's if we're basing it off a name or
a word. That's not the case. Are lots of people
(15:01):
out there using lots of passwords, and there's a good
chance that someone out there is using the same quote
unquote unique password. You are. Just remember your unique just
like everybody else. You know, when everybody is special, no
one is. It's incredible. Um. The so yeah, the the
(15:21):
the database can tell the cracker all right, Well, not
only am I using a dictionary attack, but I'm using
a curated dictionary attack in a way, because these are
the known passwords that are floating out there in the world,
and these are the ones that are really popular that
lots of people use. So we'll go through all the
variations of these first, and you just you tweak your
(15:42):
cracking program to do that so that you can get
the the largest number of results in the least amount
of time. And another thing you can do is once
you've figured out these passwords that are very popular, that
helps you determine other things, like there are only so
many hashing algorithms that are really popular out there in
the world of computer security, right, so if you know
(16:05):
which hashing algorithm there the particular company is using, and
you are able to get let's say you get access
to their encrypted password database. So now you've got a
list of passwords that are encrypted, so you cannot just
look at them and know what the passwords are. If
you are able to determine which security protocol they're using,
(16:25):
and you have this massive database of um of of
of passwords that are really popular, you can run those
passwords through the same encryption algorithm to look at the
hashes that come out and then start matching them up
with the stuff that was in the database. So you're
still cracking the passwords, you're just going about in a
different way as far as this brute force attack is concerned.
(16:47):
It's still a brute force attack. It's just doing it
in a kind of an odd roundabout way because you've
got the you've got the hash of the password, you've
got the security protocol that's being used. Now you're trying
to yes the original word that created that hashed password.
Once you're able to do that, that account is no
longer secure. And if that again, if you're using that
(17:09):
same password elsewhere, those accounts aren't secure. Um, So you
might be asking yourself, hey, if there are crackers out
there who have these really advanced tools that can either
figure out a password or uh, you know, kind of
worked on a list so that the passwords I use
are vulnerable. How do I how do I protect myself?
(17:33):
And there are a few things you can do. One
is use a unique password for every service that you
log into, which is incredibly difficult if you're doing it
on your own, which is why I would suggest getting
a password manager program. And there are a lot of
them out there. There are some that are free, there's
some that you pay for. Um, there's some that are
(17:55):
in the cloud. There are some that are based on
your system. Yeah. Uh, you use a password manager, right,
I do as well. UM, I'll go ahead and say
which one I use. I use dash Lane, which I
tried out for the first time this year and I
like it well enough. Um. It saves passwords and if
(18:17):
you want, it will generate a password for you, so
you don't have to just come up with a string
of things. It'll it'll do it for you and save
it to your account. You create a master password that
is a strong password, meaning that there are upper and
lower case letters. There's also numbers in there. Uh, and
all you have to do is remember that one. Which
(18:39):
that sounds tricky, but I'll give you a hint on
how to do something like that. If you want to
try it yourself, you create a master password. Uh. Then
when you log into your dash Ling account in my case,
you then have access to all the other passwords that
are that that dash Lane generates. So I actually went
in to all my accounts and use the dash Lane
(19:01):
password generator program, and it creates a ten character long
strong password that's unique. So none of my accounts used
the same ones anymore. They're all ten characters long. They
are a mix of various characters and uh. When you
get to about nine characters, and if it's a truly
(19:24):
you know at least a seemingly random series of characters
and numbers. Uh. The difficulty of cracking that password escalates dramatically,
So I might go from a matter of days, two
weeks or months. And the harder you make it to crack,
the more likely your information will be safe so or
(19:45):
that it will just be difficult for anyone to guess. Um.
So that's the purpose of creating these strong passwords and
the purpose for the password managers, because strong passwords are
hard to remember. Um, So all I have to do
is remember my one master password here's the hint I
was gonna make. So if you want to make a
strong password, like a master strong password, uh, it's best
(20:10):
that you come up with a phrase that you will
not forget and it it's great if the phrase also
has a proper noun somewhere after the first word, so
that you have some capitals in there as well. And
you need a number, like a four digit number is best.
So for example, you might say Dad's first car was
(20:33):
a nineteen fifty six Volkswagen Bug. M all right, So
then your password. You take the first letter off of
each of those words and the number and you put
them together and that becomes your password. So the first
letter would be upper case D for Dad's then first car,
so it's upper case D, lower case F, lower case C,
(20:55):
lower case W, lower case A. Then you have the
one X and then percase v U percase B for
Volkswagen Bug. That could be your master password. And when
you look at it as just a string of letters
and numbers, it looks meaningless. You know, there's no there's
no phrase that's evident right there immediately unless you happen
(21:19):
to have already known it. So don't tell people you're oh,
I gotta change my password. Yeah, but no, don't tell
people what your phrases, but make it a phrase that
is easy to remember. And uh and that could be
your master password, and don't use it again. Just use
it for your master password and then use the password
(21:41):
generator or a password generator if you don't want to
trust one thing with it. But it's it's easier to
use a password managers on board password generator because it
can save it directly to your account. Otherwise you're gonna
have to transfer that that password to whatever your manager
is UM and then that way you've got a vault
(22:04):
of passwords that are encrypted that are ten characters, hopefully
at least ten characters nine or ten characters at the
very least, and are strong. It's funny. It's it's rather
than coming up with a mnemonic device to remember your password,
you start with them mnemonic device and from it from it. Yeah,
(22:25):
I think that that's way easier because that is I've
used a password generator before that creates a random string
of characters and then tells you it's easy to remember this.
Just remember echo bravos seven delta delta bro. You know,
I'm like, this is that where are you from where
that is easy? How is how is remembering a random
(22:49):
selection of echoes and Bravos and etcetera and numbers easier
than say, just remembering e e blah blah. You know,
like that's not easier to me. But this other method
where you create a pmneumonic device first and then convert
that into a strong password makes way more sense to me.
And uh again because you know the output of it
(23:14):
is a seemingly random string of letters and numbers. Uh,
it's not something that's easy for a computer to guess. Hi, guys,
it's Jeamvan twenty nineteen. Chris called me up and he
yelled at me. So I've updated the password. And while
I'm doing that, we're just, uh, we're gonna take another
quick break. Well, um, I use one password by agile
(23:41):
bits um, which is a you can get as a
desktop application for Windows or Mac. UM also works on
iOS and Android. UM and uh, you know it has
a browser plug in too on the desktop, so that
you uh, say, you visit a site where you have
a um an account, maybe a shopping site, maybe a
(24:02):
banking site or something like that for example, so you
have your log in and password, you have to log
in and has a little button and you press the
button in it, you know, says what is your overall passwords?
He is your master password in there, and then as
soon as you uh log in, you'll be given an
opportunity to log into the site and it submits the
information for you. Yeah, this is important if you're using
(24:23):
a someone else's computer and you are using a browser
to navigate to something. And you know, again, if you've
created these these strong passwords, remembering each one is going
to be really hard. And if you and it's not
like you're going to go and install your you know,
you don't want to install the desktop program on someone
else's computer. I mean, that's not your job, it's their computer.
(24:46):
Especially like let's say that you're at a library or
something and you want to log in and check email,
but you've used one of these strong password vaults using
something that has a web browser interface in it, so
that you can log into the service and access those
passwords and then log out and those passwords are no
longer there. That's important. Yeah, yeah, and uh, it does
(25:08):
give you a one password. Also gives you the opportunity
to when you're creating a password, UM, to make it
as longer as short as you need to really so,
or include symbols, or not to include symbols. So one
of the important tips that this article that that Jonathan
and I read points out is that eight digit or
eight character uh passwords are easier to crack than longer ones.
(25:34):
So if you're you're presented with a a website, you're
you're filling out the information for the account, it says, oh, well,
your password needs to be six characters are longer. Don't
pick a six character password? Is the is the simple
thing for that, whether it's your own or one that uh,
one of many, many very capable password generators. Um, yeah,
it was. As Jonathan said, these are the two that
(25:55):
we picked, but there are lots of them out that
they're great. There are a lot of them and they
all like you can read reviews of them and uh,
and you know, these are companies that their reputation is
completely built upon how reliable they are and that and
how upfront and transparent they are in the sense of
they're not using data themselves to get access to stuff.
(26:18):
In fact, most of these companies have the information encrypted
so that they don't have any idea what passwords you
are using. Because it's just like we were talking about
with the the password databases, where all they are encrypted passwords,
same sort of thing. They have no way of knowing
what you chose as your various passwords. They just provide
(26:41):
the hard the world the software that that lets you
do it. So yeah, if you can, if you can
choose a password manager that allow you to create longer
passwords and to save them automatically in the in your database,
that's a good thing, especially if your database is encrypted
wherever it is, whether it's on the cloud or on
your your hard drive or your phone. UM, you know
(27:02):
those that's important to know. UM. Also one of the
interesting things, and this is one of those things that
companies do that make your security less uh more open.
Let's say to to being cracked is people who for
their accounts have their email address UM as their user name.
(27:25):
Because these are this is sort of the equivalent of
of linking accounts. So you know, anybody, Let's say somebody
hacks into UM an account like they did with that
large shopping provider, the one that had all the uh
loyalty programs or cards. Uh. If they if they say, well,
(27:45):
all they got was people's email addresses. Well, that's an
important part of the equation. So maybe they'll start using
that email address that they got from those loyalty cards
in accounts with Amazon and Facebook, Google and all these
other places. They may start figuring out where your accounts are.
If they can figure out, you know, using that user
(28:07):
name and they identify one of the passwords, then the
dominoes start to fall. So uh, using multiple user names
and especially not your email address, you can arrange that.
That's very helpful as well. Um, you wouldn't necessarily think
it right off the shelf, but when you think that
these these people are putting together databases of this information,
(28:30):
it makes it clear that varying as much information as
possible is a good idea. Also, changing your passwords regularly.
Let's say you do have a banking site. Um, you
have a fifteen character password. It's got four different symbols
in a upper and lower case letters and numbers. That's
pretty secure. You should probably change it every few months,
(28:53):
just to be on the safe side. This is your
financial information we're talking about. It's a good idea to
swap it out, and you know, another night sings. A
lot of those password managers will even have a you know,
you can set a reminder on many of them that
you know they'll they'll keep a track of when you
established a particular password and let you know when it's
time you should change it up. And again, if you're
(29:16):
using one of these that has a password generator is
part of it, then all it takes is logging in
and uh often it'll go ahead and fill out the
forms that you need already and then you just press
a little button to generate a new password. It will
save the new password to your account. So I mean
it's something that takes five seconds once you've set up
the first time. And uh, you know, five seconds of
(29:37):
effort to keep crackers at bay is not a bad idea. Uh.
And keep in mind also that as GPUs become more sophisticated,
um as software gets more sophisticated, as as these algorithms
get more sophisticated, it's gonna get harder and harder to
protect the password. You know, you can play the game
(29:58):
of adding more care actors, which does uh increase the
difficulties significantly to get the positive hit. So uh, you know,
we we can stay ahead just by adding longer and
longer passwords as we go along. But you know, that's
a game that ultimately we're gonna have to sit there
(30:19):
and say we need to find a new way to
protect stuff, because that's the problem is that you know, you're, you're,
you're just playing a game of cat and mouse at
that point. And you know, we talked about quantum computers
a few times. One of the potential things the quantum
computer could be very good at is cracking codes. Because
(30:40):
a quantum computer is is also really well equipped for
parallel processing. Um. So that's something else to think about.
Is that now? Granted, right now, quantum computers are still
largely theoretical. There are a few working examples, but they're
horriously difficult to design and even more difficult to maintain
(31:04):
because you know, the slightest alteration and they there the
whole coherence problem becomes apparent. Yeah, either it is or
it isn't torn maybe somewhere in between. Um. Yeah, and uh.
I also read another article on on Ours Technica by
the same author actually, where they had discovered that in
(31:24):
versions of Windows seven and eight, um, it's possible to
get hold of people's security questions. Uh. Now, uh, that
sounds I think it's easy to come off with a
negative that seems like it's a negative against Microsoft, and
I guess in a way it is. But it assumes
first that the person has the person's computer. You would
(31:47):
actually have to have their computer to get it, and
you'd also have to know how to retrieve that information.
But that goes back to our discussion of Matt Honan too,
because if you know a lot of these security words
that you set up to talk to people on the
phone about your accounts or you set them up online.
You know, what's the name of your first pet? You know,
(32:09):
and you put in your first dog's name, and then
you use that in multiple places. Then want that was
what enabled them to get hold of that information. If
this person got hold of your computer was able to
pull that out from the log in help, they could
use that on your accounts too. So it might be
a little good to use some reverse social engineering. And
(32:29):
when someone asks you what who what you're uh the
name of your first dog was or first pet was,
you put your favorite UH form of salad dressing in
there instead something something unusual that they wouldn't be able
to pick. So that which by the way obvious, is
a blast when you have to call as you've forgotten
(32:52):
your passwords stuff, and you call in and then they're like, so,
what's your favorite pets name? Paul Newman's Thousand Island dressing. Yeah,
that's right. Well I'll tell you that this is and
anybody who's frustrated by this conversation and will tell you
(33:12):
that using these super secure passwords and obviously a fustutory
material here is a pain in the neck because you know,
if you don't have to have your password manager with
you when you're on a friends computer logging in to
check your mail and it's got some kind of thirty
two character weird password and you don't remember it, and
(33:32):
you're going, man, I know no one's ever going to
crack into this computer. It's a friends computer. I'm fairly saying, well, yeah,
you probably are fairly safe. But it's probably worth a
frustration then, more so than it will be having to
put out all the fires of all the account information
that you could be giving up otherwise. And it's not
so much worrying about your friends computer as it is
(33:53):
worrying about that database that's on the other end of
this password system, because uh, the more passwords a company
accumulates as more and more people use its service, the
more attractive it is as a target to crackers. And
they're doing you know, that's that's what they do. They
look at systems and try and find ways of penetrating it.
(34:13):
So it's you know, they're not they're not worried about
getting your your buddy bills computer. They're looking at you know,
like Mega core that has all those passwords in it.
That's what they want. So you know, using that easy password,
while it's convenient, is also ultimately a dangerous thing. And
(34:36):
you know, I gotta I gotta admit, like, for the
very long time, I had pretty poor password protection. I
mean I just I was just I did not. I
was not very good about it at all. Even as
we were telling people change your passwords. Still wasn't doing
as as good a job as I should have. Don't
(34:57):
back up your hard drive regularly? Oh yes, I do,
I do good. I got well the Mac hard drive,
my my PC hard drive. I do not back up
as regularly as I should, which really I need to
start doing that. But the thing in the neck. But
but cloud services have made that really a lot better too, now,
you know cloud hell of course, has its own set
of problems, which we've talked about in previous podcasts. But
(35:19):
everything technological has its own set of problems. You just
have to decide which ones are the most acceptable setup
problems for you. So, but I have I have switched.
I mean, I am now, I am wholeheartedly in this.
Let's protect our passwords, especially after seeing what happened to Honan.
I mean, you and I are in the public eye.
We're not celebrities by any stretch of the imagination. But
(35:42):
it's not that far um, it's not it's not all
the realm of possibility that someone at some point could say,
you know what would be funny? Well, and and it
just really takes somebody getting a hold of your name.
That's why they tell people to shred when you have
a junk mail or something with your name on it,
to shred that information. Because I've got one of those two.
You never know when somebody's gonna go and you know,
(36:04):
say Jonathan Strickline. I think there's a bunch of people
named that, actually there are so one of them got
booked in North Atlanta for something a couple of weeks ago,
but wasn't me. I want to ask how you know
that I'm on the lamb because I've got a Google
alert said to my name. All right, that wraps up
another classic episode. I think we've all learned a valuable lesson.
(36:25):
I know I have. I know I learned that Chris
remembers my phone number for example. Well, I hope you
guys enjoyed it. If you have any suggestions for future
episodes of tech Stuff, reach out to me. The address
is tech stuff at how stuff works dot com, or
pop on over to our website that's tech stuff podcast
dot com. You'll find links to our presence on social media.
You'll find an archive of all of our past episodes.
(36:48):
You'll find a link to our online store where you
can buy tech Stuff merch. Get some tech stuff swag
handed out like it's Christmas. Please, because every purchase you
make goes to help the show. We greatly appreciate it,
and I will talk to you again really soon. YEA
(37:09):
text Stuff is a production of I Heart Radio's How
Stuff Works. For more podcasts from my heart Radio, visit
the i heart Radio app, Apple Podcasts, or wherever you
listen to your favorite shows.
TechStuff News
Hosts And Creators
Oz Woloshyn
Karah Preiss
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Las Culturistas with Matt Rogers and Bowen Yang
Ding dong! Join your culture consultants, Matt Rogers and Bowen Yang, on an unforgettable journey into the beating heart of CULTURE. Alongside sizzling special guests, they GET INTO the hottest pop-culture moments of the day and the formative cultural experiences that turned them into Culturistas. Produced by the Big Money Players Network and iHeartRadio.