1
00:00:00,210 --> 00:00:00,850
All right, guys.

2
00:00:00,900 --> 00:00:08,340
So now that we've covered creating user passwords, encrypting our database, as well as hashing passwords,

3
00:00:08,730 --> 00:00:14,550
we've kind of reached a level of security that most websites are at.

4
00:00:14,790 --> 00:00:19,170
Now, there's a lot more security that we're going to learn about a little bit later on.

5
00:00:19,710 --> 00:00:25,860
But you're actually at a point where you already know quite a lot about authentication and keeping user

6
00:00:25,860 --> 00:00:31,950
passwords secure, and definitely a lot more than a lot of people who actually run websites.

7
00:00:32,220 --> 00:00:35,720
And I know that some of you guys are keen to get a job.

8
00:00:35,730 --> 00:00:41,520
And if that is you, then I want you to go onto a website called plaintextoffenders.com. I'll

9
00:00:41,520 --> 00:00:43,280
link to it in the course resources.

10
00:00:43,560 --> 00:00:50,880
But here what you'll find is emails that come from various companies where the users requested to reset

11
00:00:50,880 --> 00:00:57,400
their password and they're sending the user a plain text version of their password.

12
00:00:57,690 --> 00:01:03,840
Now, at this point, we know to be able to even get the user's password in plain text, it means that

13
00:01:03,840 --> 00:01:07,830
they're doing some horrible things with securing the passwords.

14
00:01:08,040 --> 00:01:13,920
Either it's encrypted and there's an encryption key somewhere that they're storing or it's simply just

15
00:01:13,920 --> 00:01:18,520
stored on their database as plain text, which is the worst possible type of security.

16
00:01:18,840 --> 00:01:27,030
So given that you already know a lot better than the people who run getlinuxjobs.com or world

17
00:01:27,030 --> 00:01:34,890
sim.com or Telecom Egypt, then you could actually just email these people and tell them that I'm

18
00:01:34,890 --> 00:01:39,650
a web developer and I know about authentication and securing users' passwords.

19
00:01:39,660 --> 00:01:41,940
You obviously seem like you might need some help.

20
00:01:42,210 --> 00:01:43,640
Would you like me to work for you?

21
00:01:44,010 --> 00:01:45,990
I recommend giving that a go too

22
00:01:46,020 --> 00:01:50,790
if you're keen on getting a job. If you're not looking for a job, then have a look at these websites.

23
00:01:50,910 --> 00:01:55,410
And if you're signed up to any of them, be sure to delete your account because it's definitely not

24
00:01:55,410 --> 00:01:55,910
secure.

25
00:01:56,070 --> 00:02:03,120
And this is why a lot of companies and a lot of websites get hacked because they don't continue beyond

26
00:02:03,120 --> 00:02:03,690
this point.

27
00:02:04,050 --> 00:02:09,509
So that means it's a really good time to talk to you about how passwords are hacked,

28
00:02:09,690 --> 00:02:13,530
so a sort of Hacking Passwords 101 class, if you will.

29
00:02:13,830 --> 00:02:16,740
Now, most of the time, I use my programming powers for good.

30
00:02:17,070 --> 00:02:23,100
But in this case, I want to talk to you about how passwords might be hacked so that once we understand

31
00:02:23,190 --> 00:02:29,700
how the other side approaches this problem, then we can learn more about security and make our website

32
00:02:29,710 --> 00:02:30,780
safer for users.

33
00:02:31,200 --> 00:02:36,230
And by the way, I have no idea why hackers are always portrayed in a balaclava.

34
00:02:36,240 --> 00:02:38,760
It's not like they're going to burgle anybody.

35
00:02:39,030 --> 00:02:44,580
I mean, especially this guy, he must be incredibly warm sitting next to all these computers, wearing

36
00:02:44,580 --> 00:02:46,470
so much clothing on his face.

37
00:02:47,130 --> 00:02:48,220
But I digress.

38
00:02:48,600 --> 00:02:55,320
So as a company, this is probably one of the things that you least look forward to. The day when you

39
00:02:55,320 --> 00:02:59,160
wake up and you get a call and you've been hacked.

40
00:02:59,460 --> 00:03:06,300
And this has happened really recently to a lot of big companies like Adobe Creative Cloud got hacked

41
00:03:06,300 --> 00:03:09,510
in 2013, LinkedIn got hacked in 2012.

42
00:03:09,810 --> 00:03:14,150
And there are loads of accounts whose passwords get leaked.

43
00:03:14,430 --> 00:03:21,320
Lots of unhappy users who reuse their passwords and are feeling extremely vulnerable.

44
00:03:21,690 --> 00:03:27,360
And you can see that even to this day, people can purchase these hacked accounts where people might

45
00:03:27,360 --> 00:03:34,200
not have realized that their LinkedIn email and their passwords are linked and people are potentially

46
00:03:34,200 --> 00:03:40,580
buying that data up and using it to hack into their PayPal accounts or other similar payment portals.

47
00:03:40,860 --> 00:03:48,450
So even if you don't learn anything from this lesson, I recommend just going to this website. I'll link

48
00:03:48,450 --> 00:03:52,110
to it in the course resources just for educational purposes.

49
00:03:52,380 --> 00:03:57,540
But put in your email address and make sure that if you do have any passwords that show up, change

50
00:03:57,540 --> 00:03:59,360
all the places where you use that password.

51
00:03:59,520 --> 00:04:05,670
But why is it that all of these big companies are getting hacked and leaking their users' passwords?

52
00:04:05,790 --> 00:04:09,120
Are they not at least encrypting or hashing their passwords?

53
00:04:09,690 --> 00:04:10,740
Well, they are.

54
00:04:11,040 --> 00:04:12,150
But consider this.

55
00:04:12,150 --> 00:04:17,850
So you're a hacker and you've managed to get into the LinkedIn user database.

56
00:04:18,300 --> 00:04:21,390
And just for simplicity's sake, let's say it looks like this.

57
00:04:21,390 --> 00:04:23,340
You've got a username and you've got a hash.

58
00:04:23,700 --> 00:04:29,730
And thankfully, they didn't store their users' passwords in plain text, so you can't access their passwords

59
00:04:29,730 --> 00:04:30,330
straight away.

60
00:04:30,900 --> 00:04:39,600
However, if you look at this table a little bit more closely, you will realize that three of the hashes

61
00:04:39,630 --> 00:04:41,880
are completely identical.

62
00:04:42,420 --> 00:04:44,400
Now, why might that be?

63
00:04:44,790 --> 00:04:52,700
Well, remember that the same password always turns into the same hash no matter how often you try it.

64
00:04:52,710 --> 00:04:59,240
And that's a core part of the hash function that we rely on in order to validate our users as well.

65
00:05:00,030 --> 00:05:06,870
That means a hacker would look at this table and realize that Angela, Tony, and Emily all have the same

66
00:05:06,870 --> 00:05:13,190
password, and what they can do is they can start to construct what we call a hash table.

67
00:05:13,500 --> 00:05:20,100
So you would take some of the most commonly used passwords and you would use the same hash function

68
00:05:20,400 --> 00:05:23,290
to create the hash value for each of those.

69
00:05:23,610 --> 00:05:27,810
And these are some of the most common passwords that people love to use.

70
00:05:27,810 --> 00:05:32,280
123456, qwerty, password, 111111.

71
00:05:32,290 --> 00:05:41,100
And so you generate this hash table and then all you have to do is just look up the hash of the user

72
00:05:41,340 --> 00:05:45,120
and compare it against the hash you have in your table.

73
00:05:45,480 --> 00:05:51,660
So you search by the hash value and you land upon the password, which is qwerty.

74
00:05:52,080 --> 00:05:59,140
So now you've figured out that three out of four users in this table all have the same password and it's

75
00:05:59,490 --> 00:05:59,850
qwerty.

76
00:06:00,150 --> 00:06:06,600
So what if they didn't use one of the most common passwords and instead they use something else, say

77
00:06:06,810 --> 00:06:09,450
their date of birth or their pet's name?

78
00:06:09,750 --> 00:06:13,940
Well, let's see how we would make a hash table if we were a hacker.

79
00:06:14,460 --> 00:06:18,330
You would probably start with all the words from a dictionary,

80
00:06:18,510 --> 00:06:21,650
and this is where the term dictionary attack comes from.

81
00:06:21,930 --> 00:06:29,040
You create hashes from all the possible words in a dictionary, and that will only be about 150,000 hashes

82
00:06:29,040 --> 00:06:30,210
that you would need to create.

83
00:06:30,450 --> 00:06:36,170
And then you add to that hash table all the numbers from a telephone book and all the combinations of

84
00:06:36,180 --> 00:06:37,950
characters up to six places.

85
00:06:38,220 --> 00:06:45,840
And then you add all of these together and you end up with something close to 19.8 billion

86
00:06:45,840 --> 00:06:50,040
combinations, which admittedly sounds like a large number,

87
00:06:50,040 --> 00:06:50,330
right?

88
00:06:50,340 --> 00:06:54,300
How long would it take your computer to calculate that

89
00:06:54,300 --> 00:06:55,170
many hashes?

90
00:06:55,380 --> 00:06:56,520
So what do we do?

91
00:06:56,550 --> 00:06:58,080
Well, let's go shopping.

92
00:06:58,500 --> 00:07:06,990
Let's go and buy some of the latest GPUs or graphics cards which are capable of parallel processing and

93
00:07:06,990 --> 00:07:14,070
therefore are particularly suited to not only Bitcoin mining, but also generating hashes.

94
00:07:14,340 --> 00:07:23,090
With one of the latest GPUs, you can calculate about 20 billion MD5 hashes per second.

95
00:07:23,460 --> 00:07:31,170
So that means with our hash table of 19.8 billion combinations, it'll only take one

96
00:07:31,170 --> 00:07:36,210
of these GPUs 0.9 seconds, which is nothing.

97
00:07:36,600 --> 00:07:41,520
It's not a lot of time to invest in order to hash so many people's passwords.

98
00:07:41,820 --> 00:07:48,730
And to make it even worse, large hash tables have been built for the most common passwords.

99
00:07:49,050 --> 00:07:55,920
So because we've had so much data from previous hacks such as the Adobe one or the LinkedIn one or TalkTalk

100
00:07:55,920 --> 00:08:00,630
or Equifax, we know what the most common passwords are that people use.

101
00:08:00,840 --> 00:08:07,770
And every year companies like Splash Data will compile what are the most common passwords, say the

102
00:08:07,770 --> 00:08:08,910
top 25.

103
00:08:09,240 --> 00:08:12,990
And this is where all of those values that went into our table came from.

104
00:08:13,200 --> 00:08:15,800
But you can actually go one step further.

105
00:08:16,140 --> 00:08:23,790
There are pre-built hash tables that people have created for the top 10,000 most common passwords.

106
00:08:24,180 --> 00:08:28,620
And you can see that MD5 is one of the quickest hashes to calculate.

107
00:08:28,860 --> 00:08:34,470
And this is why it's very, very common to find MD5 hash tables.

108
00:08:34,590 --> 00:08:38,100
And you can even use Google as a basic hash table.

109
00:08:38,429 --> 00:08:42,150
You can paste in the hash that you found from the hacked database.

110
00:08:42,150 --> 00:08:47,500
You perform a simple Google search and you come up with the original password.

111
00:08:48,240 --> 00:08:53,580
Now, if at this point you're extremely scared and you're wondering, well, what exactly can you do

112
00:08:53,580 --> 00:08:54,270
about this?

113
00:08:54,330 --> 00:09:01,680
Well, consider that in our user table, there was one hash that was extremely difficult to find and

114
00:09:01,680 --> 00:09:06,940
it didn't match up with any of the hashes in this little simple hash table we built.

115
00:09:07,140 --> 00:09:14,490
So what if we put that into Google to search on a larger scale and see if it matches any of the hashes

116
00:09:14,730 --> 00:09:17,340
in the hash tables that people have generated?

117
00:09:17,880 --> 00:09:20,210
And it doesn't. It doesn't match anything.

118
00:09:20,490 --> 00:09:27,690
And the reason is because when John created his password, he had a very, very strong password with

119
00:09:27,690 --> 00:09:34,980
uppercase letters, lowercase letters, numbers, symbols, but most importantly, a long password.

120
00:09:35,220 --> 00:09:42,510
When you think about hashing as a mathematical formula, you'll realize that as the number of characters

121
00:09:42,540 --> 00:09:50,130
of your password increases, the computation time that it takes to crack it increases exponentially.

122
00:09:50,290 --> 00:09:57,300
So it doesn't matter if your account on LinkedIn or Adobe Creative Cloud or Ashley Madison was cracked,

123
00:09:57,570 --> 00:09:59,520
as long as you had a

124
00:09:59,820 --> 00:10:06,300
strong password, they wouldn't be able to work it out from a hash table. So as an example, there's

125
00:10:06,300 --> 00:10:12,330
a website called Password Checker and you can put in your password and it'll tell you not only the strength,

126
00:10:12,600 --> 00:10:18,960
but also how long it will take various types of machines to be able to crack that password.

127
00:10:19,170 --> 00:10:24,660
So let's say that I create a six-character password composed of a random set of characters,

128
00:10:24,660 --> 00:10:27,810
right? 123456.

129
00:10:28,320 --> 00:10:35,460
And you can see that even for a standard desktop PC, it only takes about three seconds to perform a

130
00:10:35,460 --> 00:10:38,510
brute force attack to crack that password.

131
00:10:39,090 --> 00:10:43,500
But let's see what happens if I add another six more characters.

132
00:10:43,920 --> 00:10:47,220
1, 2, 3, 4, 5, 6.

133
00:10:48,440 --> 00:10:57,500
Now, it takes 31 years for a standard desktop PC to be able to crack it and even a fast GPU takes two

134
00:10:57,500 --> 00:10:59,270
years to crack my password.

135
00:10:59,600 --> 00:11:07,400
So even though all of the websites encourage you to add a capital letter, lowercase letter, some numbers

136
00:11:07,400 --> 00:11:14,660
and some random characters, if you only have six characters in your password, so a short password,

137
00:11:14,990 --> 00:11:17,670
it still doesn't take very long to crack.

138
00:11:18,020 --> 00:11:25,910
So the most important thing in creating a strong password that is almost uncrackable is just to increase

139
00:11:25,910 --> 00:11:32,460
the number of characters. And also to prevent yourself from being a victim of a dictionary attack,

140
00:11:32,750 --> 00:11:39,710
just make sure that you don't use a dictionary word or a place name or something that is in a directory

141
00:11:39,710 --> 00:11:41,480
somewhere like a telephone number.

142
00:11:41,930 --> 00:11:42,290
All right.

143
00:11:42,290 --> 00:11:46,180
So at least after this lesson, you'll know how to keep yourself more secure.

144
00:11:46,580 --> 00:11:52,130
But in the next lesson, we're going to address these vulnerabilities that occur because of weak hashing

145
00:11:52,130 --> 00:11:52,760
algorithms,

146
00:11:52,970 --> 00:11:58,790
and we're going to learn how we can combat hackers who try to attack our database using a dictionary

147
00:11:58,790 --> 00:12:00,950
attack or by creating a hash table.

148
00:12:01,250 --> 00:12:04,300
So for all of that and more, I'll see you on the next lesson.

149
00:12:04,460 --> 00:12:09,050
But as a quick bonus, if you ever want to trick your friends into thinking that you're some sort of

150
00:12:09,050 --> 00:12:14,480
a hacker, at least according to Hollywood, I recommend checking out a website called hackertyper.net

151
00:12:14,480 --> 00:12:21,280
where you can just mash the keyboard and you end up with something that looks extremely realistic.

152
00:12:21,290 --> 00:12:26,840
But a word of warning: try not to do this on an airplane or in a government building unless you want to

153
00:12:26,840 --> 00:12:28,380
actually get investigated.

