Placeholder Image

字幕表 動画を再生する

  • I guess what we were asking today is have your passwords been pwned

  • One of the websites I used to keep secure online is have I been pwned right now, I love this websites. It's great.

  • Run by a guy called Troy hunt and whenever it is a big leak

  • Let's say a company gets hacked and always using these passwords get leave out in internet

  • Obviously people who are trying to crack passwords and break into your accounts

  • They're going to be looking at these things

  • But what he does, is he collects them and lets you know

  • You've got an email address that you use for most of your accounts

  • You put this in the website and if that email address ever appears in a leak

  • I assume probably tied to a password but not necessarily

  • It will let you know and that's a really good thing because no one's on top of all the leaks, right?

  • I certainly am not. And so maybe I have an email address. So I want to make sure hasn't been given away

  • So this is a great website, you know, we'll put a link to it. But actually this is not what we're talking about today

  • what we're talking about today is the Password API

  • it's also put online right which is another great asset.

  • This is where you could actually send in your password in a manner of speaking

  • and It'll tell you whether it's ever been leaked

  • Now that's important because if your password has ever been leaked before

  • by you or by someone else

  • Then it could be appearing in a long list of words that are being used for a dictionary attack

  • Right, and that just makes your password much more vulnerable

  • In general I would argue that if your password has been leaked before it's not really safe to use

  • There's some interesting questions here

  • Should you be putting your password into a box on the internet that says it will tell you if it's been hacked?

  • In general, no!

  • In general, be very careful about where you type in your password

  • Even if I make a website and I say you should definitely trust me because it's me.

  • Still don't trust me. All right

  • Just know what you know for a start. I might just be inept of programming and I've got a vulnerability

  • So this uses an interesting mechanism called k-anonymity

  • to make sure that you can send in your password and find out whether it's in this big database of passwords

  • and no one gets to find out what it was.

  • All right, which is using hashing, and it's really great

  • So we're going to talk about that now

  • so you can go on to haveibeenpwned.com/passwords

  • and you can type in your password there and you can look at the source code

  • That's probably okay. But actually it's got a REST API where you can actually visit specific URLs

  • and obtain information on whether your password is in that database

  • you can do this very often

  • you could do it for example for all the passwords in your collection in your password manager

  • and actually some password managers like 1Password actually do this automatically for you

  • and they check your password this way

  • I mean, that's a really good idea

  • If you type in a password that you think is great for a new website

  • Your password manager can say actually this one's already been leaked like previously

  • so don't use that one.

  • So, how does this work?

  • and how does it remain secure

  • because even if this website is fully trustworthy

  • It's not a good idea to be sending a hashed version of your password to this website, right?

  • this is the website that has all the lists of all the passwords

  • if yours shows up, suddenly your IP address is saying My passwords weak my passwords weak

  • and that's just not a good thing you want to have happen, right?

  • So how does it work?

  • Well, just like with all passwords. We hash it as a start to begin protecting it

  • So let's imagine I have my password which is you know Password1

  • this is where we link to the video where I said don't use that password

  • if there's any variation on the word password or have any of the numbers 1 2 3 4 in or doing it?

  • You need to delete those passwords. Maybe delete your account out of shame

  • This will be hashed using SHA-1 which for this purpose is okay, right?

  • You wouldn't necessarily permanently store your passwords in this format

  • But for this API is OK and that's going to produce 160 bit hash

  • Right, which might look something like FA2 241C... for 160 bits

  • 160 bits?

  • Yeah

  • Ok. Now the problem is if I send this off to the website, I've just given them my password

  • I mean not quite because

  • SHA-1 is hash but that could be broken. Especially if my password is not good, right

  • and also he's got a bunch of these passwords and hashes already computed in this database

  • So as soon as he sees that I've got the hash.

  • He reverse looks up the password.

  • That's a vulnerability, right?

  • I trust the guy but I still wouldn't want to do that, right?

  • And so this API used a system called K anonymity

  • what happens is instead of me giving them the whole hash

  • I give them just enough of the hash

  • But they can give me back anything that might match

  • and I am the one that actually finds that whether it does, right?

  • and that's a really neat trick.

  • So I will give them the first

  • one, two, three, four, five

  • characters of the hex of this password hash

  • so I will send the pwned password API FA224, for example

  • and it will send me back some number of passwords

  • that have been leaked in the past whose hashes begin with those five characters now, there'll be a lot of them

  • there's some 550 million passwords in this database which is a kind of scary and

  • It will return to you all the passwords but could match this and how many times they've been seen in leaked passwords, right? And

  • Usually you'll get about 4 or 500 back right? That's when you go through the list yourself at your end and say ok

  • Actually, my password is or it's not in there, right?

  • Because there's going to be a lot of possible hashes and possible passwords are start with these 5 characters

  • This is called k-anonymity the idea is that the website only knows we're one of about 500

  • People that could have this password. It doesn't even know actually if we have one of these passwords

  • Which is quite nice, right?

  • So I've written some code to do this and we'll have a look before you get a code out if you've hashed it with SHA-1

  • Is this just the way that this system works that it uses SHA-1 or is it I was just trying to work out because yes

  • Exactly it isn't the case for these passwords all originally hashed in SHA-1 like this database includes both the plaintext and the hashed versions

  • These are passwords that are previously been cracked right, as opposed to leaked in hashed form

  • so for example

  • Maybe my password has been leaked in like bcrypt form and no one ever broke it right in which case it's have no real concern

  • I mean it's better if it've never been leaked, but you know

  • So these are passwords that have been leaked and they ended up in plaintext either because they were already in plaintext

  • or because they've been cracked and they're now in plaintext. She's got some code. Ok, let's look at some code

  • So the first thing we can do is just pull this API directly very easy to do you simply go to a web address

  • Part of which is the beginning of your hash and then we try that. All right, so let's to give an example

  • So I'm gonna hit I'm gonna use curl right to obtain a website back

  • Just going to send an HTTP request and receive a response

  • Curl, it's just a software library that I'm using here to send off a request to a specific address and whatever website or day

  • Comes back. I received that onto the command line, so it's gonna be curl

  • HTTPS only works for HTTPS to make sure there's encryption involved. API dot pwned passwords

  • comm for such range forward slash and then the

  • Prefix of my hash which in this case was FA224. So FA224 that's going to come back

  • It's done it with a big long list of all the possible passwords that they have that start with that hash

  • Now it doesn't return the FA224

  • It just returns the other bits because it's a waste of time now some of these are being cracked or or seen maybe one time

  • This one's been seen 169 times. I have no idea what it is. I'd have to break the password to find out

  • Given it's been leaked 106 nine times. It's probably not very strong. Maybe it's Password1

  • Yeah, it could be you can try any of your password this way

  • all you have to do is take your password hash it right which is easy to do on the command line or I've written some

  • Python code and

  • Then we can fire off to this API the first few bits and then we get back a list

  • We look through the list to see if our full hash is in there. And if so, our password isn't broken

  • So I've written some Python code we'll do this exact thing, right?

  • So all it does is it uses a the cryptography library

  • which is a great library in Python to hash the password in SHA-1

  • It takes the first five characters of the hexadecimal representation and it sends them off to the password API

  • It comes back with let's say 500 of them. I split it all up

  • I look through and try find my password

  • And if I find it then it'll print that it's found right and obviously I should change it now, of course

  • I'm just typing this with random passwords, but you get the idea

  • So let's have a go - I've called it pwned.py And then let's use this one Password1 with a capital P

  • So it's been found the hash actually starts with 70CCD and it's been found a 111000 times

  • That isn't great what that means is that in different leaks. This password has occurred a hundred thousand times, right?

  • It's definitely in password list right it's a prime candidate. We already knew this is Password1, right?

  • Let's try something a little bit more difficult. So let's say Password1234

  • This is going to be in there. There's only 3000 times

  • Right, but it's still not very good

  • If your password appears any number of times just one

  • Then that means that theoretically someone that had access to this list and these are all publicly available these leaks could

  • Could put that in there big big long list of things and just try them as a matter

  • Of course on any new leak that turns up. It doesn't mean that you're definitely going to get hacked

  • It just means that there's a better chance right and it's not ideal

  • So why not have a look and see so I mean so we've used this password

  • But perhaps we should use something slightly stronger any ideas in the password cracking video. iloveyoukate was it? All right

  • Let's try that. So I love you Kate. All right, there we go

  • It was found 93 times, I think some people might have started using it I mean, please don't use that bad passwords

  • You know, it's very nice. But yeah

  • Yeah, I mean any password that appeared in that list is

  • going to be is breakable enough that it's definitely going to be in there, right? So that's a huge problem

  • You know if you if you start to get a slightly more difficult passwords

  • Like some of the ones that we were looking at maybe in the choosing your password video

  • So for example 4 words, so let's say why don't you do correct horse battery staple

  • That is definitely in there and I can tell you about even running it.

  • correcthorsebatterystaple was found. 114 times. No people. We don't use correcthorsebatterystaple

  • What about but using your tip of pushing a random character?

  • So if I take correct horse battery staple and let's say I put a star in the middle of here

  • So correcthorsebat*erystaple. All right, not probably pronounceable

  • All right, then we'll find it wasn't found in the dictionary. Right? Don't use it now because it will be in there now

  • But this is the idea

  • So to sort of make unexpected changes, but it's very easy to just pull this API right and just see you know

  • It's this new password. I'm trying already in there

  • Right and if it is don't use it, that's quite simple. If you're using a parcel management generating most your passwords at random

  • They're unlikely to be in there, but you never know and it just makes it that much weaker if they are

  • Okay

  • Shall I ask you how do you say that point own poem home? Pwned is it? I don't know

  • I mean if I'm wrong then I'm a noob

  • I thought you were leet

  • Definitely not

I guess what we were asking today is have your passwords been pwned

字幕と単語

ワンタップで英和辞典検索 単語をクリックすると、意味が表示されます

A2 初級

溺愛されたことがありますか?- コンピュータ愛好家 (Have You Been Pwned? - Computerphile)

  • 4 0
    林宜悉 に公開 2021 年 01 月 14 日
動画の中の単語