Name: Have You Been Pwned? - Computerphile
Uploaded: 2020-03-27T16:58:22.000Z
Duration: 10 min 59 s
Description: Thousands of YouTube videos with English-Chinese subtitles! Now you can learn to understand native speakers, expand your vocabulary, and improve your pronunciation...

Past continuous

I guess what we were asking today is have your passwords been pwned

One of the websites I used to keep secure online is have I been pwned right now, I love this websites. It's great.

Past simple

Run by a guy called Troy hunt and whenever it is a big leak

The imperative

Let's say a company gets hacked and always using these passwords get leave out in internet

Obviously people who are trying to crack passwords and break into your accounts

They're going to be looking at these things

But what he does, is he collects them and lets you know

You've got an email address that you use for most of your accounts

You put this in the website and if that email address ever appears in a leak

I assume probably tied to a password but not necessarily

It will let you know and that's a really good thing because no one's on top of all the leaks, right?

I certainly am not. And so maybe I have an email address. So I want to make sure hasn't been given away

So this is a great website, you know, we'll put a link to it. But actually this is not what we're talking about today

what we're talking about today is the Password API

it's also put online right which is another great asset.

This is where you could actually send in your password in a manner of speaking

and It'll tell you whether it's ever been leaked

Now that's important because if your password has ever been leaked before

Then it could be appearing in a long list of words that are being used for a dictionary attack

Right, and that just makes your password much more vulnerable

In general I would argue that if your password has been leaked before it's not really safe to use

Should you be putting your password into a box on the internet that says it will tell you if it's been hacked?

In general, be very careful about where you type in your password

Even if I make a website and I say you should definitely trust me because it's me.

Just know what you know for a start. I might just be inept of programming and I've got a vulnerability

So this uses an interesting mechanism called k-anonymity

to make sure that you can send in your password and find out whether it's in this big database of passwords

All right, which is using hashing, and it's really great

so you can go on to haveibeenpwned.com/passwords

and you can type in your password there and you can look at the source code

That's probably okay. But actually it's got a REST API where you can actually visit specific URLs

and obtain information on whether your password is in that database

you could do it for example for all the passwords in your collection in your password manager

and actually some password managers like 1Password actually do this automatically for you

If you type in a password that you think is great for a new website

Your password manager can say actually this one's already been leaked like previously

because even if this website is fully trustworthy

It's not a good idea to be sending a hashed version of your password to this website, right?

this is the website that has all the lists of all the passwords

if yours shows up, suddenly your IP address is saying My passwords weak my passwords weak

and that's just not a good thing you want to have happen, right?

Well, just like with all passwords. We hash it as a start to begin protecting it

So let's imagine I have my password which is you know Password1

this is where we link to the video where I said don't use that password

if there's any variation on the word password or have any of the numbers 1 2 3 4 in or doing it?

You need to delete those passwords. Maybe delete your account out of shame

This will be hashed using SHA-1 which for this purpose is okay, right?

You wouldn't necessarily permanently store your passwords in this format

But for this API is OK and that's going to produce 160 bit hash

Right, which might look something like FA2 241C... for 160 bits

Ok. Now the problem is if I send this off to the website, I've just given them my password

SHA-1 is hash but that could be broken. Especially if my password is not good, right

and also he's got a bunch of these passwords and hashes already computed in this database

So as soon as he sees that I've got the hash.

I trust the guy but I still wouldn't want to do that, right?

And so this API used a system called K anonymity

what happens is instead of me giving them the whole hash

But they can give me back anything that might match

and I am the one that actually finds that whether it does, right?

characters of the hex of this password hash

so I will send the pwned password API FA224, for example

and it will send me back some number of passwords

that have been leaked in the past whose hashes begin with those five characters now, there'll be a lot of them

there's some 550 million passwords in this database which is a kind of scary and

It will return to you all the passwords but could match this and how many times they've been seen in leaked passwords, right? And

Usually you'll get about 4 or 500 back right? That's when you go through the list yourself at your end and say ok

Actually, my password is or it's not in there, right?

Because there's going to be a lot of possible hashes and possible passwords are start with these 5 characters

This is called k-anonymity the idea is that the website only knows we're one of about 500

People that could have this password. It doesn't even know actually if we have one of these passwords

So I've written some code to do this and we'll have a look before you get a code out if you've hashed it with SHA-1

Is this just the way that this system works that it uses SHA-1 or is it I was just trying to work out because yes

Exactly it isn't the case for these passwords all originally hashed in SHA-1 like this database includes both the plaintext and the hashed versions

These are passwords that are previously been cracked right, as opposed to leaked in hashed form

Maybe my password has been leaked in like bcrypt form and no one ever broke it right in which case it's have no real concern

I mean it's better if it've never been leaked, but you know

Subtitles ListPlay Video

Have You Been Pwned? - Computerphile

vulnerable

specific

vulnerability

slightly