Host:

Welcome back. It is time to go on an emotional journey with Phil, talking about passwords. Phil is a developer evangelist for Twilio and a Google Developer Expert living in Melbourne, Australia. He loves building web applications and tools to help developers. He once helped build a website to capture everyone's favorite sandwich fillings, and he has way too many GitHub repositories. Away from the keyboard, Phil listens to ska punk, hangs out with his miniature dachshund Ruby, and is on a mission to discover the world's best beers. If you find any good ones, please tell me. Over to you, Phil.

Phil Nash:

Thank you very much. Yes, I want to hear about all the best beers, and I don't think I have time, sadly, in this talk to get the dog on the screen. But yes, let's take an emotional journey with a capital letter, a number, a special character, an emotional journey for that character, a subplot and a twist ending. This might be the longest talk title I've ever written, but I think I'm in love with it, mainly because it's not even my joke, but we'll get to that later.

As we started with, my name is Phil Nash. I'm a developer evangelist at a company called Twilio. Twilio, if you don't know, is a communications platform; that is, we're an API that you can use to do almost anything you want to communicate with or between your users, from text messaging, voice calls and emails all the way up to video chats and full contact centers. Twilio has something for that. If you do want to find me online, if you want to ask me questions either about this talk or indeed about Twilio, I'm basically philnash all over the place, but particularly on Twitter, or just drop me an email at philnash@twilio.com.

So let's talk about passwords, because that's what I'm here to berate, I guess, today. But I wanted to start with a bit of a story about my own dealings with passwords, because I've been mostly terrible over my lifetime usage of computers. Indeed, my first password was approximately the least secure password one could ever imagine. Now, this admittedly was the first time I ever had a computer account on a machine that, you know, wasn't mine. I was at school, I think I was maybe 12 or 13, and choosing that password to log into the computer system at school, I picked the password "nash". Yes, my last name, in all lower case: a good four-character-long password. I liked this. I was delighted with this. I was really quick at typing it, because it was also part of my username. I'm sure everybody else has similar kinds of first password stories, or terrible passwords, and if you have a terrible password that you no longer use, please do share it in the chat. I'm keeping an eye on that as well; I'd love to see the terrible things you might have thought were a good password at one time.

The second password was not better, actually. I did get hacked, and I'll talk more about that in a moment, and so when I changed my password I changed it to... apparently I was geeky and into, I guess, chemistry at the time, and changed it to "atom". Still four characters, still all lowercase, but that one actually stayed secure for the remainder of at least my usage of it. But yeah, I got hacked. My friends, of course, got into my account, and thankfully, because I was 12 or 13, because there was barely any email at the time, because there was barely any internet at the time, there wasn't a lot that they could do to damage my account, reputation, bank balance. I guess there was nothing they could do. But I learned... well, I didn't really learn a lesson, and I used a second terrible password, but I certainly learned that losing access to an account because a password is compromised is totally, totally worse.

There you go: "dog" is a terrible, terrible password. Thank you, that's amazing, one less character than I managed to fit in. Impressive. Thank you for these, they are great, I love this. The stars also, love it.

So the problem is, of course, passwords are terrible. We know this. We all instinctively know this as developers and people that care enough about security to be here at a security track at a conference. We know this, but we also know that we have probably a whole bunch of users that also like to make passwords with systems that we build. And so whilst we probably can now make better passwords than those original ones... oh my goodness, "abc123s", and the s is really throwing things off there... we have to create systems in which users also end up using passwords, and how can we make that better?

Well, one way that we don't make it better is via the guidelines. And this is where my talk title comes from; it really comes from a hilarious tweet from a long time ago: the idea that your password must contain letters, a capital, a plot, a protagonist with good character development, a twist and a heavy ending. I love this, because these guidelines, we've all seen them, we've all had to accommodate them at some point in our creation of passwords, right? We need an uppercase, a lowercase, a number and a special character, one of everything. Get a whole lot, you win passwords, congratulations. Here's a password that won't pass that, and it's not a great password. I mean, it's double the number of characters that I like to use in passwords, but still not a great one. But this one is a great one: superb, strong as anything, can't be beaten. It's got a capital letter, it's got a lowercase letter, it's got a number and an exclamation point. What a special character. Incredibly special character, probably the one we will think of when you first think of writing a special character. It's on the number one anyway; it's next to the number we'd all put at the end of that password in the first place, and this is the problem.

This pattern is kind of indicative of how everybody, when given those guidelines, starts to think about their password. You capitalize the first letter in that word you thought of, you stick a number, normally one, on the end, you stick a special character, normally an exclamation point, on the end of that. Ah, passwords that end with a bang, exactly. It's an exciting password, it's a secure password, we know this. And then further, those guidelines start to suggest that you maybe change those passwords regularly, and you're like, well, I already spent a lot of time thinking of this one and getting it to the stage in which it was super secure, so let's keep that security, let's keep it all in mind and just add, like, a number, I guess. Or maybe another one. You know, this kind of having to write new passwords just begets the same pattern over and over again, possibly similar to those old ones.

And this is a pattern. The problem here is really the pattern. It's not actually the word "password" that I've been using in this fake password here, but the pattern, because this, to any attacker, really just looks like this: it's an uppercase followed by some lowercase, possibly making up a dictionary word, with a single digit and then a special character. And if we have those passwords, we didn't expand the number of potential passwords we had by adding these requirements; we actually shrunk it down. The attack space became a lot easier, because we have just a pattern to attack, and it's horrifying.

So I have an example, because back in 2018 there was a security audit of the WA government employee accounts, and they assessed 234,000 passwords, which is a pretty good, you know, assessment of various people working amongst the government, and a quarter of those passwords were deemed weak passwords. Now, I don't know necessarily what these passwords were accounts for, but these are people working in government, so probably, you know, somewhat important and to do with people. We can see, however, because they published the top 20 passwords, and number one, of course, was password123, which is glorious. 1,464 people in the WA government used the password password123. And then they published that top 20, so we can have a look and see all the patterns that are there. Now, we can also tell that the WA government did not require special characters, because no one used one, not in that top 20 anyway. But we can see all of the patterns that are there, all of the dictionary words that start with a capital and end in numbers. Some of those numbers are dates, right? We've got the year 2017, the last time they were made to change it, clearly. And in fact, you can imagine that maybe a whole bunch of people started at the same time and were told kind of similar things, so they all put "welcome1" as their password. Or maybe they all hit their password reset then, in August 2017, previously having seen it in maybe spring 2017 or October 2017, and people are just looking around their office trying to think, what am I going to make a password out of? They spot the calendar on the wall and, like, it's Monday, that'll do, it's the first Monday, it's spring 2017. They look down at their desk and there's a mouse there and it says Logitech on it, and that's the password. And this is the extent to which people are kind of taking those guidelines and turning them into passwords that we can then go ahead and guess as best we can.

So I want to tell you a little bit more about what I thought was my best password. Now, this one is a password that lasted with me for quite a while. I don't, as far as I know, actively use it anymore, but I'm not going to tell you exactly what it is, just in case there's something out there. But I will tell you a little bit about it. It had eight characters; you know, I did go up from the four of my previous favorites. It was eight characters long. There were numbers and letters in there, but not special characters, and actually no lowercase letters either, uppercase only. And it was the model number of my hi-fi. Yes, I was still relatively sort of young at this point, but I did look around my room and see a hi-fi there and just be like, all right, cool, what's the serial number, what's the model number on this, can I remember it? It's eight characters and it's made of numbers and letters, it'll do. But this is great, like, nobody stole it by seeing me type it into a laptop, type it into a keyboard, and break into my account that way. But of course I did eventually get hacked, and this time around it's not because it wasn't a decent password; I don't think anyone's ever gonna guess it. But it was down to repetition, because of course I was so proud of this password, so genuinely delighted with how strong I thought it was, that I used it everywhere. Every single account, whatever it was, the same password.

And of course, unbeknown to me, the security of applications and websites on the internet was not quite as strong as I'd have thought, and over the years we've suffered many, many breaches of password data, username and password data. You know, some where the password was stored in plain text, which is horrifying; some where it was just stored with a fairly breakable hashing algorithm. And so my username and password has leaked out many times from at least some of these big ones, like Adobe or Dropbox or Bitly, Last.fm, LinkedIn, Disqus, Tumblr. There's been so many, it's been so many since I put some logos on the slide and did this. I think mine particularly were leaked out of, I think, LinkedIn and maybe Last.fm, and I lost access to other accounts. In one day I lost access to a Skype account and a Spotify account, and I nearly lost access to a Dropbox account, so I know it wasn't that breach that caused this issue. But the Dropbox account, I know I nearly lost access because I got a text message with a two-factor authentication code in it, and I did not text that on to anybody else, so two-factor authentication saved me there. But on the same day I lost Spotify and Skype. Now, I managed to get both of those accounts back eventually, and, yeah, like, the Spotify account was fine, but the Skype account had been used for some genuinely odd things. I actually ended up... I got really scared of the whole thing, because I did, and deleted all the kind of text conversations that had happened in my Skype account since I'd lost it, and it turned out that whoever was doing it was behaving as a French woman kind of proposing to French men from my Skype account with my username. Very, very odd. But I managed to get it back and stop all of that, and hopefully the Frenchmen did not get scammed out of whatever they were being scammed with.

So if you don't already know, the way to deal with this and find out if you've been in a breach, if you have lost your username and password, is to hit up Troy Hunt's haveibeenpwned.com, stick your email address in there and find out. That's great for you. But again, we have people watching a security talk; we probably are using different passwords in different places, and this is not super great necessarily for our users. So how do we fix all of this? This is the real important part. I've told you my terrible password stories, and those password stories are probably the password stories of our users, of our applications, as well. So how do we fix it?

Well, first up, the guidelines were wrong. I'm really excited about that. The guidelines, I think the guidelines that most people followed in order to make those, like, uppercase, lowercase, digits and special characters, were written originally by NIST, the national institute for science and technology in the US, who are good at that kind of thing, and they were wrong, right? They led us to this kind of thing. If you've not seen this xkcd comic, then it is glorious. And even the example in our top-left panel here, of this password which is pretty secure, it certainly doesn't fit the pattern I was talking about earlier; this is more throwing in leet text by changing o's for zeros and a for four. It still includes, you know, maybe the number and the punctuation at the end there. But right, it does not take a long time to crack one of these passwords, and if we'd just been doing really long passwords, passphrases, then we'd have much more secure passwords.

And so those guidelines did change, and NIST updated their guidelines in 2017, but most of the kind of English-speaking world's security forces... so NIST is in the US, ACSC is the Australian Cyber Security Centre and the NCSC is the National Cyber Security Centre, that's in the UK. Two countries just using "national" to mean them; it doesn't really work. But the UK, Australia and the US have all published new guidelines mostly following this, although NIST actually suggests at least eight characters; it's Australia that says at least 14 characters, and I like that. And I think if we're building applications which require users to have passwords and we want to validate those passwords to be somewhat secure, making them at least 14 characters could be the best takeaway from this or any talk about passwords.

So: make them at least 14 characters, and accept all characters. I think we should have more emojis in passwords. Don't tell anybody what emojis you're using in passwords, but you shouldn't have to be held back to any kind of ASCII-based character set or anything like that. Accept all characters, including spaces, emojis and crazy things... not crazy, you know what I mean. And then don't allow insecure passwords. "Insecure" here has a bunch of meanings. For example, dictionary words; that's a relatively straightforward one to stop people using. Then repeated or sequential characters: as somebody pointed out, that one has too many repeated Ls in it, so it wouldn't pass as a password under this circumstance. No context-specific words, so not the username of the user, not the application name or the email address that they're using. And then finally, passwords that have been in a breach: do not allow passwords that have been in a breach. This is a big one.

So how do we do this in Python, and what have we got available to us in Python to do this? Well, I had a little look around kind of popular frameworks and how this is dealt with, and Django has a really good start to this, which is nice. A lot of the time I actually work with JavaScript and Ruby, and there is nothing like this in terms of a good default set of password validators that are available to you. Although, I say that, like, these password validators in Django: so we have the UserAttributeSimilarityValidator, so that is not the same as your username or your password or other attributes in the user model; the MinimumLengthValidator, which of course you have to set, and I say 14; the CommonPasswordValidator, that checks against a list of 20,000 common passwords, which is very good; and the NumericPasswordValidator, which is just, it's not all numbers. Now, these validators are available in Django, but they're not actually on by default, but you can just add them in by default, so I think that's really cool. I think it's very cool.

Then there's things like WTForms, which seems popular amongst Flask, which has some validators available to it, but again, if you just whack in that, you know, Length(min=14), then we're gonna make things mostly happy, I reckon. So any suggestions on this: just enable all those Django validators, they're great, or if you don't have that, make your password at least 14.
and 565 00:19:06,799 --> 00:19:11,600 finally my final recommendation is a 566 00:19:08,960 --> 00:19:13,760 library called zxcvbn 567 00:19:11,600 --> 00:19:15,919 uh it seems um 568 00:19:13,760 --> 00:19:17,360 maybe hard to remember this one but uh 569 00:19:15,919 --> 00:19:19,360 uh if you look down at your keyboard in 570 00:19:17,360 --> 00:19:20,960 front of you you'll find uh if you're 571 00:19:19,360 --> 00:19:22,960 using a qwerty keyboard that's just the 572 00:19:20,960 --> 00:19:24,960 first six characters the bottom row it's 573 00:19:22,960 --> 00:19:26,960 actually really easy to remember and it 574 00:19:24,960 --> 00:19:28,480 makes a terrible password uh so don't 575 00:19:26,960 --> 00:19:30,919 use it as a password 576 00:19:28,480 --> 00:19:34,799 um but i'm just gonna i really love 577 00:19:30,919 --> 00:19:36,559 zxcvbn um because of what it can tell 578 00:19:34,799 --> 00:19:39,440 you about a password and it works with 579 00:19:36,559 --> 00:19:40,240 that kind of idea of entropy rather than 580 00:19:39,440 --> 00:19:42,799 uh 581 00:19:40,240 --> 00:19:43,919 just length or um filling in those 582 00:19:42,799 --> 00:19:45,679 guidelines 583 00:19:43,919 --> 00:19:48,240 uh so i'm gonna 584 00:19:45,679 --> 00:19:50,960 i'm gonna start to use zx zvb 585 00:19:48,240 --> 00:19:52,720 zx cvbn uh just to have a look at a 586 00:19:50,960 --> 00:19:54,480 couple of passwords if you have any 587 00:19:52,720 --> 00:19:56,559 passwords you want checked 588 00:19:54,480 --> 00:19:58,400 uh through this drop them in the chat 589 00:19:56,559 --> 00:19:59,440 and i'll see them in about 30 to 40 590 00:19:58,400 --> 00:20:01,600 seconds 591 00:19:59,440 --> 00:20:02,880 uh meanwhile i'm just going to import 592 00:20:01,600 --> 00:20:07,840 uh 593 00:20:02,880 --> 00:20:07,840 from zx cdbn import zx2 vpn 594 00:20:08,240 --> 00:20:11,360 and uh and just check 595 00:20:12,240 --> 00:20:17,280 my favorite uh go to let's just start 596 
00:20:14,799 --> 00:20:19,840 with password password one uh and have a 597 00:20:17,280 --> 00:20:22,880 look at that so zxcvbn gives you a load 598 00:20:19,840 --> 00:20:24,880 of information about this uh for a start 599 00:20:22,880 --> 00:20:25,679 um like the number of guesses it might 600 00:20:24,880 --> 00:20:28,240 take 601 00:20:25,679 --> 00:20:30,880 um in this case it's getting about 379 602 00:20:28,240 --> 00:20:32,640 passwords uh guesses before you get this 603 00:20:30,880 --> 00:20:34,720 um it tells you that it's a dictionary 604 00:20:32,640 --> 00:20:36,000 word which is uh cool 605 00:20:34,720 --> 00:20:37,919 um 606 00:20:36,000 --> 00:20:40,240 and and excitingly it kind of tells you 607 00:20:37,919 --> 00:20:41,919 some some display times that you can 608 00:20:40,240 --> 00:20:42,799 show for like how long this will take to 609 00:20:41,919 --> 00:20:44,400 crack 610 00:20:42,799 --> 00:20:46,480 and so if you were trying passwords at 611 00:20:44,400 --> 00:20:48,400 100 per hour 612 00:20:46,480 --> 00:20:49,520 password one will be cracked in about 613 00:20:48,400 --> 00:20:52,159 four hours 614 00:20:49,520 --> 00:20:54,000 uh but if you can do that real fast uh 615 00:20:52,159 --> 00:20:56,320 it's gonna be less than a second and 616 00:20:54,000 --> 00:20:57,440 then finally and really really usefully 617 00:20:56,320 --> 00:20:59,679 um 618 00:20:57,440 --> 00:21:00,960 we uh it also gives some feedback for 619 00:20:59,679 --> 00:21:02,960 users as well so this is a common 620 00:21:00,960 --> 00:21:04,240 password here are some suggestions add 621 00:21:02,960 --> 00:21:05,840 some more words 622 00:21:04,240 --> 00:21:07,360 capitalizing the p wasn't particularly 623 00:21:05,840 --> 00:21:10,400 helpful 624 00:21:07,360 --> 00:21:12,240 um password dogs that's not gonna go too 625 00:21:10,400 --> 00:21:13,679 well is that capitalist for capital 626 00:21:12,240 --> 00:21:14,720 security 627 00:21:13,679 --> 00:21:16,720 
um 628 00:21:14,720 --> 00:21:18,159 again similar uh similar to password in 629 00:21:16,720 --> 00:21:20,559 this case we've got a dictionary word 630 00:21:18,159 --> 00:21:23,280 it's gonna take a day this time if you i 631 00:21:20,559 --> 00:21:25,120 can only do a hundred passwords an hour 632 00:21:23,280 --> 00:21:26,159 uh and then four minutes at ten per 633 00:21:25,120 --> 00:21:27,919 second 634 00:21:26,159 --> 00:21:30,799 uh it's very common add another word but 635 00:21:27,919 --> 00:21:31,679 more words are better um 636 00:21:30,799 --> 00:21:33,919 uh 637 00:21:31,679 --> 00:21:35,120 what do we our chat has run away oh my 638 00:21:33,919 --> 00:21:36,960 goodness 639 00:21:35,120 --> 00:21:39,120 uh 640 00:21:36,960 --> 00:21:41,919 line of ducks 641 00:21:39,120 --> 00:21:43,440 uh so zxcbn is is sweet for this there 642 00:21:41,919 --> 00:21:45,440 is a web demo thank you for sharing that 643 00:21:43,440 --> 00:21:48,559 matt um 644 00:21:45,440 --> 00:21:49,600 i like to uh to check um other things 645 00:21:48,559 --> 00:21:51,120 uh so 646 00:21:49,600 --> 00:21:52,799 it also has uh what i wanted to point 647 00:21:51,120 --> 00:21:54,799 out was there's a score and the score 648 00:21:52,799 --> 00:21:57,280 goes from zero to four where four is the 649 00:21:54,799 --> 00:21:58,320 strongest and so four is is the kind of 650 00:21:57,280 --> 00:22:00,640 thing you're trying to drive people 651 00:21:58,320 --> 00:22:03,520 towards uh really simple things like 652 00:22:00,640 --> 00:22:05,520 hello is a score of zero i think dogs 653 00:22:03,520 --> 00:22:06,320 with a capital s there came as a one 654 00:22:05,520 --> 00:22:08,880 because at least there was a 655 00:22:06,320 --> 00:22:11,520 capitalization in it um but if we want 656 00:22:08,880 --> 00:22:12,799 to uh you know get to 657 00:22:11,520 --> 00:22:15,919 strong ones we start using those 658 00:22:12,799 --> 00:22:17,919 passphrases like correct horse battery 659 
00:22:15,919 --> 00:22:19,679 staple not a password you should use but 660 00:22:17,919 --> 00:22:21,600 look at that score is four it's going to 661 00:22:19,679 --> 00:22:24,880 take centuries to get anything that long 662 00:22:21,600 --> 00:22:27,039 and i'm excited about that so zxcv bn 663 00:22:24,880 --> 00:22:29,360 allows you not only to check passwords 664 00:22:27,039 --> 00:22:30,320 in a sensible manner it actually gives 665 00:22:29,360 --> 00:22:32,240 you those 666 00:22:30,320 --> 00:22:34,000 gives you great feedback 667 00:22:32,240 --> 00:22:36,720 uh to your users 668 00:22:34,000 --> 00:22:38,840 to see why a password failed and help 669 00:22:36,720 --> 00:22:41,520 them get a better 670 00:22:38,840 --> 00:22:43,919 password what about insecure passwords 671 00:22:41,520 --> 00:22:46,720 uh this kind of ticks off the guideline 672 00:22:43,919 --> 00:22:49,360 problem but what about those um 673 00:22:46,720 --> 00:22:50,400 uh insecure passwords uh that that we 674 00:22:49,360 --> 00:22:52,960 talked about 675 00:22:50,400 --> 00:22:54,799 well i mentioned uh have i been pwned um 676 00:22:52,960 --> 00:22:56,480 troy hunt service for telling you 677 00:22:54,799 --> 00:22:59,120 whether your uh email has been phoned 678 00:22:56,480 --> 00:23:02,559 but that also exposes an api uh known as 679 00:22:59,120 --> 00:23:05,760 the phone passwords api that has 613 680 00:23:02,559 --> 00:23:07,840 million 584 246 passwords that have been 681 00:23:05,760 --> 00:23:09,120 previously exposed in data breaches and 682 00:23:07,840 --> 00:23:12,080 so we can use 683 00:23:09,120 --> 00:23:13,520 uh phone passwords to check whether any 684 00:23:12,080 --> 00:23:14,720 of the passwords our users are trying to 685 00:23:13,520 --> 00:23:16,799 use with us 686 00:23:14,720 --> 00:23:18,640 have been previously exposed in data 687 00:23:16,799 --> 00:23:21,640 breaches 688 00:23:18,640 --> 00:23:21,640 um 689 00:23:22,720 --> 00:23:27,120 uh i have 
been exposing data breaches 690 00:23:24,559 --> 00:23:29,120 and it has an api um now you might be 691 00:23:27,120 --> 00:23:30,720 wondering aren't we just going to breach 692 00:23:29,120 --> 00:23:32,400 a whole bunch more passwords if we start 693 00:23:30,720 --> 00:23:34,880 swinging passwords over the network to 694 00:23:32,400 --> 00:23:37,039 another api but don't worry about that 695 00:23:34,880 --> 00:23:39,039 um the api is a bit more sensible than 696 00:23:37,039 --> 00:23:43,760 that and uses what is called 697 00:23:39,039 --> 00:23:45,760 a key anonymity uh model to um 698 00:23:43,760 --> 00:23:47,679 not expose the password uh not share 699 00:23:45,760 --> 00:23:49,679 passwords over the network 700 00:23:47,679 --> 00:23:52,320 so what you do instead is you get the 701 00:23:49,679 --> 00:23:53,279 sha1 hash of the password you want to 702 00:23:52,320 --> 00:23:54,880 check 703 00:23:53,279 --> 00:23:56,320 you take the first five characters that 704 00:23:54,880 --> 00:23:59,600 hash 705 00:23:56,320 --> 00:24:01,039 and then use that in the api request 706 00:23:59,600 --> 00:24:03,520 within the url here so it's under 707 00:24:01,039 --> 00:24:05,679 arranged with that five character prefix 708 00:24:03,520 --> 00:24:08,240 and back from that you receive 709 00:24:05,679 --> 00:24:09,360 all the hashes that start with those 710 00:24:08,240 --> 00:24:10,880 five characters you receive the 711 00:24:09,360 --> 00:24:12,320 remainder of all those hashes and then 712 00:24:10,880 --> 00:24:15,039 counts of those 713 00:24:12,320 --> 00:24:15,919 to show how many times that has appeared 714 00:24:15,039 --> 00:24:16,880 in 715 00:24:15,919 --> 00:24:18,880 the uh 716 00:24:16,880 --> 00:24:20,400 in the data set itself and so you check 717 00:24:18,880 --> 00:24:22,480 if the remainder of your hash is in this 718 00:24:20,400 --> 00:24:24,559 result and at that point you can say 719 00:24:22,480 --> 00:24:27,600 this uh this password has 
either been 720 00:24:24,559 --> 00:24:29,360 breached or hasn't which is pretty cool 721 00:24:27,600 --> 00:24:31,600 um and there's a phone password library 722 00:24:29,360 --> 00:24:32,960 of course available in 723 00:24:31,600 --> 00:24:35,520 uh and we'll go have a look at that 724 00:24:32,960 --> 00:24:38,480 right now i just noticed that yeah i got 725 00:24:35,520 --> 00:24:40,640 the wrong password it was dogs 726 00:24:38,480 --> 00:24:42,320 jugs with a capital 727 00:24:40,640 --> 00:24:43,679 or the exclamation point 728 00:24:42,320 --> 00:24:44,880 and thankfully that's going to take a 729 00:24:43,679 --> 00:24:47,679 little bit like still need a score of 730 00:24:44,880 --> 00:24:51,679 one uh for the uh 731 00:24:47,679 --> 00:24:54,960 and if it was dogs with a small ass oops 732 00:24:51,679 --> 00:24:56,559 ah yeah no it's gonna take days uh days 733 00:24:54,960 --> 00:24:58,080 if you're gonna do 100 per hour still 734 00:24:56,559 --> 00:25:01,760 less than a second 735 00:24:58,080 --> 00:25:04,559 uh because it's just words um 736 00:25:01,760 --> 00:25:07,840 so again uh i'm now gonna 737 00:25:04,559 --> 00:25:11,200 just gonna get um 738 00:25:07,840 --> 00:25:14,200 opponent the passwords library in uh 739 00:25:11,200 --> 00:25:14,200 imports 740 00:25:14,880 --> 00:25:19,840 and now we can do things like uh check 741 00:25:17,520 --> 00:25:22,080 those passwords so we can check 742 00:25:19,840 --> 00:25:24,240 uh for example uh my first password 743 00:25:22,080 --> 00:25:25,799 again i can check that uh it's actually 744 00:25:24,240 --> 00:25:29,600 been a password 745 00:25:25,799 --> 00:25:32,080 3219 times uh i've been in breaches 3219 746 00:25:29,600 --> 00:25:33,840 times which is horrifying that uh my 747 00:25:32,080 --> 00:25:35,760 childhood password has been used and 748 00:25:33,840 --> 00:25:37,520 breached that many times 749 00:25:35,760 --> 00:25:39,360 uh although it does prove that my second 750 00:25:37,520 
--> 00:25:43,360 attempt was slightly better with less 751 00:25:39,360 --> 00:25:44,640 than half the number of breaches um 752 00:25:43,360 --> 00:25:46,080 we had uh 753 00:25:44,640 --> 00:25:48,799 dogs 754 00:25:46,080 --> 00:25:49,919 um 152 times been breached out of the 755 00:25:48,799 --> 00:25:51,520 capital 756 00:25:49,919 --> 00:25:52,880 ah well dog with a capitalist an 757 00:25:51,520 --> 00:25:54,559 exclamation point still not going to 758 00:25:52,880 --> 00:25:57,360 take very long to crack but has not been 759 00:25:54,559 --> 00:25:59,679 breached before which is nice to see 760 00:25:57,360 --> 00:26:01,919 and if you were wondering 761 00:25:59,679 --> 00:26:03,520 why you shouldn't use correct horse 762 00:26:01,919 --> 00:26:05,440 battery 763 00:26:03,520 --> 00:26:07,520 staple 764 00:26:05,440 --> 00:26:09,679 staple 765 00:26:07,520 --> 00:26:11,600 it has been breached five times 766 00:26:09,679 --> 00:26:13,039 so some people out there are not only 767 00:26:11,600 --> 00:26:14,880 using the password correct horse battery 768 00:26:13,039 --> 00:26:16,480 staple they're using it in places that 769 00:26:14,880 --> 00:26:17,679 lost access to all the passwords and 770 00:26:16,480 --> 00:26:20,320 gave it away 771 00:26:17,679 --> 00:26:21,679 horrifying right 772 00:26:20,320 --> 00:26:23,520 um 773 00:26:21,679 --> 00:26:26,320 so that is the prompt passwords api i 774 00:26:23,520 --> 00:26:28,640 highly recommend checking out and using 775 00:26:26,320 --> 00:26:30,799 it to keep an eye on this kind of stuff 776 00:26:28,640 --> 00:26:33,600 and like i said there is uh both uh 777 00:26:30,799 --> 00:26:35,039 plain um phone passwords library 778 00:26:33,600 --> 00:26:36,960 and there is a django 779 00:26:35,039 --> 00:26:38,559 validator as well 780 00:26:36,960 --> 00:26:41,039 so you might want to replace say the 781 00:26:38,559 --> 00:26:43,039 common words validator in django with uh 782 00:26:41,039 --> 00:26:45,360 
the phone passwords validator 783 00:26:43,039 --> 00:26:47,919 and the common words validator actually 784 00:26:45,360 --> 00:26:50,559 generates its twenty thousand words uh 785 00:26:47,919 --> 00:26:52,240 from the havon phone data set uh and so 786 00:26:50,559 --> 00:26:54,000 it could be useful to try and use them 787 00:26:52,240 --> 00:26:54,960 kind of in collaboration 788 00:26:54,000 --> 00:26:56,240 um 789 00:26:54,960 --> 00:26:57,840 so uh 790 00:26:56,240 --> 00:26:59,520 um 791 00:26:57,840 --> 00:27:01,760 if you wanted to hit like the common 792 00:26:59,520 --> 00:27:05,440 words data set first and then if it's 793 00:27:01,760 --> 00:27:07,600 not in there uh farm out to the api uh 794 00:27:05,440 --> 00:27:10,080 but honestly the api returns so fast and 795 00:27:07,600 --> 00:27:12,159 is uh is fully cached in cloudflare it's 796 00:27:10,080 --> 00:27:14,640 it's um pretty impressive uh so it's 797 00:27:12,159 --> 00:27:16,400 quick and it's always up 798 00:27:14,640 --> 00:27:20,279 um incorrect host batteries they thought 799 00:27:16,400 --> 00:27:20,279 well i want to check that now 800 00:27:21,120 --> 00:27:25,279 not there cool that'll secure done 801 00:27:26,480 --> 00:27:29,760 so i'm running out of time uh but i will 802 00:27:28,399 --> 00:27:31,200 tell you that the next level beyond 803 00:27:29,760 --> 00:27:32,640 making sure these passwords are actually 804 00:27:31,200 --> 00:27:34,799 secure for all of your users is of 805 00:27:32,640 --> 00:27:36,080 course to add a second level uh of 806 00:27:34,799 --> 00:27:37,360 authentication a two-factor 807 00:27:36,080 --> 00:27:39,600 authentication 808 00:27:37,360 --> 00:27:41,679 um 809 00:27:39,600 --> 00:27:43,840 i have that turned on in almost every 810 00:27:41,679 --> 00:27:46,000 account i can and uh and if i can i do 811 00:27:43,840 --> 00:27:48,640 it for an app if i can't then via sms is 812 00:27:46,000 --> 00:27:51,440 still better than not having a second 
813 00:27:48,640 --> 00:27:52,559 factor of authentication at all so think 814 00:27:51,440 --> 00:27:54,240 about that 815 00:27:52,559 --> 00:27:56,640 and ultimately 816 00:27:54,240 --> 00:27:59,840 uh my lesson for today is passwords are 817 00:27:56,640 --> 00:28:02,480 terrible uh but not necessarily because 818 00:27:59,840 --> 00:28:03,679 those um 819 00:28:02,480 --> 00:28:04,960 not necessarily 820 00:28:03,679 --> 00:28:06,880 it's not necessarily user's fault the 821 00:28:04,960 --> 00:28:08,799 guidelines have been terrible uh but 822 00:28:06,880 --> 00:28:10,880 users are pretty bad at this i'm pretty 823 00:28:08,799 --> 00:28:13,360 bad at this although i've now got better 824 00:28:10,880 --> 00:28:15,279 and of course have my own uh password 825 00:28:13,360 --> 00:28:16,799 manager but passwords are terrible and 826 00:28:15,279 --> 00:28:18,880 not everybody does that 827 00:28:16,799 --> 00:28:21,120 password guidelines are worse uh 828 00:28:18,880 --> 00:28:23,279 although the update to the guidelines 829 00:28:21,120 --> 00:28:24,480 made them better so the next time you 830 00:28:23,279 --> 00:28:25,919 see somebody else telling you need a 831 00:28:24,480 --> 00:28:28,000 special character or a digit or an 832 00:28:25,919 --> 00:28:30,240 uppercase letter tell them they're using 833 00:28:28,000 --> 00:28:31,600 out-of-date guidelines because they are 834 00:28:30,240 --> 00:28:33,600 bad 835 00:28:31,600 --> 00:28:35,120 make passwords longer again make them at 836 00:28:33,600 --> 00:28:36,640 just at least 14 characters and we're 837 00:28:35,120 --> 00:28:38,399 probably going to solve a lot of these 838 00:28:36,640 --> 00:28:40,399 problems for a lot of people 839 00:28:38,399 --> 00:28:41,919 um check against those breaches and 840 00:28:40,399 --> 00:28:43,760 against dictionaries check those words 841 00:28:41,919 --> 00:28:45,360 up against the phone passwords api it's 842 00:28:43,760 --> 00:28:46,640 it's actually a super 
useful and free to 843 00:28:45,360 --> 00:28:48,240 use api 844 00:28:46,640 --> 00:28:51,360 uh and finally implement two factor 845 00:28:48,240 --> 00:28:53,120 authentication just just 846 00:28:51,360 --> 00:28:54,399 make passwords less of a problem that 847 00:28:53,120 --> 00:28:56,159 way 848 00:28:54,399 --> 00:28:59,039 uh that's all i've got time for uh 849 00:28:56,159 --> 00:29:01,760 thanks so much thanks for uh suggesting 850 00:28:59,039 --> 00:29:03,760 uh things in the chat um and for all 851 00:29:01,760 --> 00:29:06,559 your uh uh playing along with my 852 00:29:03,760 --> 00:29:11,200 terrible passwords and um 853 00:29:06,559 --> 00:29:13,520 uh yeah um enjoy the rest of python 854 00:29:11,200 --> 00:29:15,120 thank you very much phil 855 00:29:13,520 --> 00:29:17,919 you have come 856 00:29:15,120 --> 00:29:20,960 right up to the time so if anyone's got 857 00:29:17,919 --> 00:29:23,600 any questions please do ask them in the 858 00:29:20,960 --> 00:29:26,000 hallway chat uh phil did say he's happy 859 00:29:23,600 --> 00:29:27,520 to to answer any questions and i'm sure 860 00:29:26,000 --> 00:29:29,039 you'll have a hundred different 861 00:29:27,520 --> 00:29:31,440 passwords you want to run through these 862 00:29:29,039 --> 00:29:34,000 two um i just i just bought a piece of 863 00:29:31,440 --> 00:29:35,050 dishwasher yeah 864 00:29:34,000 --> 00:29:37,440 it's looking good 865 00:29:35,050 --> 00:29:39,679 [Laughter] 866 00:29:37,440 --> 00:29:41,760 we will be back at quarter past 4 867 00:29:39,679 --> 00:29:43,919 australian eastern time 868 00:29:41,760 --> 00:29:48,120 for our next talk so enjoy your break 869 00:29:43,919 --> 00:29:48,120 everyone we'll see you shortly 870 00:29:57,039 --> 00:29:59,120 you