1 00:00:00,000 --> 00:00:02,952 [MUSIC PLAYING] 2 00:00:02,952 --> 00:00:18,210 3 00:00:18,210 --> 00:00:21,390 DAVID MALAN: This is CS50's introduction to cybersecurity. 4 00:00:21,390 --> 00:00:22,470 My name is David Malan. 5 00:00:22,470 --> 00:00:25,140 And this week, let's focus on securing accounts. 6 00:00:25,140 --> 00:00:27,180 You and I have so many accounts nowadays, 7 00:00:27,180 --> 00:00:29,430 be it for websites or apps or the like. 8 00:00:29,430 --> 00:00:32,130 And we'll focus today on exactly what the threats are 9 00:00:32,130 --> 00:00:35,340 to all of those accounts but more importantly, what some of the defenses 10 00:00:35,340 --> 00:00:37,590 are so that you can keep those accounts secure. 11 00:00:37,590 --> 00:00:40,810 But let's first consider what we mean by security in the physical world, 12 00:00:40,810 --> 00:00:41,470 for instance. 13 00:00:41,470 --> 00:00:44,760 Whether you live in a home, an apartment, a dormitory or the like, 14 00:00:44,760 --> 00:00:47,940 odds are you have a key that lets you into that building. 15 00:00:47,940 --> 00:00:51,420 Now, that key, of course, lets you in through that locked door, 16 00:00:51,420 --> 00:00:54,930 and then you have access to the entire habitat. 17 00:00:54,930 --> 00:00:57,930 But the catch is that if someone else gets that key, of course, 18 00:00:57,930 --> 00:01:03,007 they, too, can let themselves into that system or into that same building. 19 00:01:03,007 --> 00:01:05,340 So let's consider now in the digital world, though, what 20 00:01:05,340 --> 00:01:07,848 some of the building blocks are of security so 21 00:01:07,848 --> 00:01:10,890 that we can focus exactly what those threats and what those defenses are. 22 00:01:10,890 --> 00:01:13,230 So first, allow me to propose that we think 23 00:01:13,230 --> 00:01:16,470 about the security of our accounts in terms of authentication. 
24 00:01:16,470 --> 00:01:19,270 So authentication refers to this process, 25 00:01:19,270 --> 00:01:24,160 digitally, of proving who you are, that I, for instance, am David. 26 00:01:24,160 --> 00:01:27,100 But that alone isn't necessarily enough to keep 27 00:01:27,100 --> 00:01:30,760 a system secure because just because I'm David doesn't necessarily mean 28 00:01:30,760 --> 00:01:33,370 I should have access to your entire home. 29 00:01:33,370 --> 00:01:35,408 Perhaps I should not have access at all. 30 00:01:35,408 --> 00:01:37,450 Perhaps I should just have access to the entryway 31 00:01:37,450 --> 00:01:40,070 or some narrower form of access. 32 00:01:40,070 --> 00:01:41,830 And so there's this related topic when it 33 00:01:41,830 --> 00:01:46,120 comes to the security of locations or systems known as authorization. 34 00:01:46,120 --> 00:01:49,300 So authorization speaks to whether or not 35 00:01:49,300 --> 00:01:54,260 you should have access to something, once you have proven that you are, 36 00:01:54,260 --> 00:01:58,060 that I am David and that I should, in fact, have access to the door 37 00:01:58,060 --> 00:01:59,530 that I just walked through. 38 00:01:59,530 --> 00:02:03,340 Now, when it comes to our accounts in the digital world, 39 00:02:03,340 --> 00:02:06,970 we, of course, don't use physical keys, but very frequently nowadays we 40 00:02:06,970 --> 00:02:09,340 use usernames, which, of course, can be public. 41 00:02:09,340 --> 00:02:11,560 It might be a username like David. 42 00:02:11,560 --> 00:02:13,090 It might be a username like Malan. 43 00:02:13,090 --> 00:02:17,680 Or it might be more commonly, even an entire email address that presumably 44 00:02:17,680 --> 00:02:19,910 uniquely identifies you in the world. 45 00:02:19,910 --> 00:02:23,920 But even though that's public, the thing that you and I ideally keep private 46 00:02:23,920 --> 00:02:25,450 is, of course, our password. 
47 00:02:25,450 --> 00:02:28,720 And nowadays, you and I must have dozens, maybe even 48 00:02:28,720 --> 00:02:32,530 hundreds of passwords that are hopefully distinct 49 00:02:32,530 --> 00:02:34,780 and not reused across all of those different websites, 50 00:02:34,780 --> 00:02:36,080 but more on that in a moment. 51 00:02:36,080 --> 00:02:38,830 And so it's really this password that ultimately 52 00:02:38,830 --> 00:02:41,920 allows you to authenticate yourself, demonstrate 53 00:02:41,920 --> 00:02:46,130 who you are because presumably I am the only one in the world that knows, 54 00:02:46,130 --> 00:02:49,468 not only my username or email address, which all of us can know, 55 00:02:49,468 --> 00:02:51,760 but presumably I'm the only one in the world that knows 56 00:02:51,760 --> 00:02:54,670 my username and this here password. 57 00:02:54,670 --> 00:02:57,400 And so the presumption is if I type in both of those values 58 00:02:57,400 --> 00:03:02,800 to some app or some website that I must, in fact, be David Malan, in that case. 59 00:03:02,800 --> 00:03:06,580 Of course, it's not good enough to just have a password. 60 00:03:06,580 --> 00:03:08,027 You need to have a good password. 61 00:03:08,027 --> 00:03:09,610 Now, what do we mean by good password? 62 00:03:09,610 --> 00:03:12,850 Well, ideally, this password is not going to be in a dictionary, 63 00:03:12,850 --> 00:03:15,310 like, literally a dictionary of English words 64 00:03:15,310 --> 00:03:17,450 or whatever your human language might be. 65 00:03:17,450 --> 00:03:17,950 Why? 66 00:03:17,950 --> 00:03:20,810 Well, there's this threat known as a dictionary attack. 67 00:03:20,810 --> 00:03:23,590 And by this I mean an adversary, a hacker that 68 00:03:23,590 --> 00:03:25,840 wants to get into your account, they could just 69 00:03:25,840 --> 00:03:28,570 start typing randomly to try to figure out what your password is. 70 00:03:28,570 --> 00:03:29,860 But they're a little smarter. 
71 00:03:29,860 --> 00:03:32,170 They'll actually use a dictionary attack. 72 00:03:32,170 --> 00:03:34,720 That is they'll open a physical book of words, 73 00:03:34,720 --> 00:03:38,290 or more likely they'll open a file on their computer containing 74 00:03:38,290 --> 00:03:42,580 a whole lot of actual English words or in some other human language, and then 75 00:03:42,580 --> 00:03:45,100 just one at a time, try this word as your password, 76 00:03:45,100 --> 00:03:48,160 this word as your password, this word as your password and so forth. 77 00:03:48,160 --> 00:03:52,030 Because if you and I have chosen a pretty guessable password, one 78 00:03:52,030 --> 00:03:55,330 that is an actual word in a dictionary, they're going to get into your account 79 00:03:55,330 --> 00:03:56,710 much faster. 80 00:03:56,710 --> 00:03:58,510 But even if you and I are clever-- 81 00:03:58,510 --> 00:04:01,750 and odds are by this point in life you know that you shouldn't just 82 00:04:01,750 --> 00:04:04,510 choose a simple English or some other language word, 83 00:04:04,510 --> 00:04:07,630 but rather you should probably have some numbers, some letters, 84 00:04:07,630 --> 00:04:10,240 some punctuation, or the like-- you're still vulnerable, 85 00:04:10,240 --> 00:04:14,260 as am I, to what we would call a brute force attack. 86 00:04:14,260 --> 00:04:19,660 Brute force sort of evokes the memories of yesteryear 87 00:04:19,660 --> 00:04:22,600 where someone might have had a big branch of a tree using 88 00:04:22,600 --> 00:04:25,930 as a battering ram trying to get into the castles from past times. 89 00:04:25,930 --> 00:04:28,000 But brute force attacks in the digital world 90 00:04:28,000 --> 00:04:32,830 mean something analogously, whereby you're using software to digitally try 91 00:04:32,830 --> 00:04:34,840 all possible passwords. 
92 00:04:34,840 --> 00:04:38,710 And so here, too, are you vulnerable because if your password is too short, 93 00:04:38,710 --> 00:04:41,740 even if it's random with letters, numbers, and symbols, 94 00:04:41,740 --> 00:04:44,530 odds are an adversary or a hacker that has enough time 95 00:04:44,530 --> 00:04:46,720 and enough technical savvy, they can just try 96 00:04:46,720 --> 00:04:49,390 every possible password in the world. 97 00:04:49,390 --> 00:04:52,400 And eventually, they might very well get into your system. 98 00:04:52,400 --> 00:04:56,622 So how do we go about defending against these kinds of attacks? 99 00:04:56,622 --> 00:04:59,080 Well, we use these passwords, but these passwords of course 100 00:04:59,080 --> 00:05:00,080 come in different forms. 101 00:05:00,080 --> 00:05:04,780 And it's kind of a low bar that is set by default on a lot of devices 102 00:05:04,780 --> 00:05:05,530 still nowadays. 103 00:05:05,530 --> 00:05:07,570 For instance, on your phone if you'd like 104 00:05:07,570 --> 00:05:13,060 to chime in here in the chat, how many characters or digits, in particular, 105 00:05:13,060 --> 00:05:14,875 are typically required of systems? 106 00:05:14,875 --> 00:05:17,500 Well, I would conjecture that very often when I set up a phone, 107 00:05:17,500 --> 00:05:22,900 I'm only asked for a passcode, a numeric password, of four digits alone. 108 00:05:22,900 --> 00:05:29,890 Now, if you have a four-digit passcode or password more generally, how secure 109 00:05:29,890 --> 00:05:30,550 is that? 110 00:05:30,550 --> 00:05:34,780 And how do we even go about thinking about how secure that password is? 
111 00:05:34,780 --> 00:05:38,230 Well, I would propose that we could start to measure not even using 112 00:05:38,230 --> 00:05:40,990 fancy math, but just some basic heuristics, we could measure 113 00:05:40,990 --> 00:05:45,370 the security of a password that has just four digits by considering well, 114 00:05:45,370 --> 00:05:48,430 how many possible four-digit passcodes are there? 115 00:05:48,430 --> 00:05:50,680 So perhaps if you'd like to chime in here in the chat, 116 00:05:50,680 --> 00:05:54,040 how many possible passwords are there if they're 117 00:05:54,040 --> 00:05:58,990 all digits 0 through 9, decimal digits, and if you only have four of them? 118 00:05:58,990 --> 00:06:00,860 How many possibilities are there? 119 00:06:00,860 --> 00:06:01,780 I'm seeing 1,000. 120 00:06:01,780 --> 00:06:02,800 I'm seeing 10,000. 121 00:06:02,800 --> 00:06:05,350 I'm seeing 9,999. 122 00:06:05,350 --> 00:06:06,633 And I'm seeing a whole range. 123 00:06:06,633 --> 00:06:08,800 And I think a lot of you have the answer is spot on. 124 00:06:08,800 --> 00:06:10,510 It's 10,000. 125 00:06:10,510 --> 00:06:11,330 It's 10,000. 126 00:06:11,330 --> 00:06:11,830 Why? 127 00:06:11,830 --> 00:06:13,870 Well if we just think about this numerically, 128 00:06:13,870 --> 00:06:17,110 if I've got four decimal digits, 0 through 9, well, 129 00:06:17,110 --> 00:06:21,130 the smallest password I could come up with, so to speak, would be 0000. 130 00:06:21,130 --> 00:06:25,480 And the largest password I could come up with would be 9999. 131 00:06:25,480 --> 00:06:29,800 Now, you might think OK, well, that's, obviously 9,999 possibilities. 132 00:06:29,800 --> 00:06:35,770 But not quite because if you include 0000, that's the 10,000th possibility. 133 00:06:35,770 --> 00:06:39,460 So indeed there's 10,000 possible passwords 134 00:06:39,460 --> 00:06:42,440 if we're using four digits specifically. 
135 00:06:42,440 --> 00:06:44,890 So how do we actually think about that more generally, 136 00:06:44,890 --> 00:06:49,250 especially so that we can now figure out the math for larger passwords as well? 137 00:06:49,250 --> 00:06:52,510 Well, if you've got 0 through 9 as the first possible digit, 138 00:06:52,510 --> 00:06:54,640 and 0 through 9 as the next, and 0 through 9 139 00:06:54,640 --> 00:06:57,130 as the third, and 0 through 9 as the fourth, 140 00:06:57,130 --> 00:07:00,963 you have 10 possibilities times 10 possibilities times 10 times 10. 141 00:07:00,963 --> 00:07:03,130 This, of course, if we do it out more mathematically 142 00:07:03,130 --> 00:07:06,550 is 10 to the fourth power, the exponent being 4. 143 00:07:06,550 --> 00:07:09,080 And that, of course, gives us 10,000 as well. 144 00:07:09,080 --> 00:07:11,890 So that might be the more mathematical way of approaching it, 145 00:07:11,890 --> 00:07:17,170 versus just the more intuitive, that 0000 can go all the way up to 9999. 146 00:07:17,170 --> 00:07:19,960 Now, again, a question for the group, how long 147 00:07:19,960 --> 00:07:24,130 do you think it might take for an adversary or a hacker 148 00:07:24,130 --> 00:07:28,540 to get into my device, for instance, my phone, if I do 149 00:07:28,540 --> 00:07:31,600 have a four-digit password? 150 00:07:31,600 --> 00:07:35,020 If I've got a four-digit password, this means they might have to try as many 151 00:07:35,020 --> 00:07:40,510 as 10,000 possibilities because in the easiest case, sure, they get lucky, 152 00:07:40,510 --> 00:07:43,240 and my password is still the default 0000. 153 00:07:43,240 --> 00:07:46,810 But in the worst case, I chose 9999, and they don't get to that 154 00:07:46,810 --> 00:07:48,550 until the very end of their attempts. 155 00:07:48,550 --> 00:07:50,770 Or maybe I choose something there in between. 
156 00:07:50,770 --> 00:07:54,760 I'm seeing 10 seconds, less than a second, milliseconds, 10 seconds a day, 157 00:07:54,760 --> 00:07:55,780 4 hours. 158 00:07:55,780 --> 00:07:58,370 So the responses are all over the place. 159 00:07:58,370 --> 00:08:02,090 So how can we go about actually measuring this or estimating this? 160 00:08:02,090 --> 00:08:03,220 Well, let me propose this. 161 00:08:03,220 --> 00:08:04,928 I'm going to go over to my computer here. 162 00:08:04,928 --> 00:08:07,870 And even if you've never written any code before, 163 00:08:07,870 --> 00:08:10,270 let's go ahead and write some code together here. 164 00:08:10,270 --> 00:08:13,900 I'm going to go ahead and open a program called VS Code, Visual Studio 165 00:08:13,900 --> 00:08:17,470 Code, which is a free program that we use in CS50 more generally 166 00:08:17,470 --> 00:08:20,890 that allows me to write code on my Mac or PC or really 167 00:08:20,890 --> 00:08:22,270 any internet-based device. 168 00:08:22,270 --> 00:08:25,490 And I can actually write code, and not only write it, but run it. 169 00:08:25,490 --> 00:08:28,480 And I'm going to write code, in this case, in a language called Python. 170 00:08:28,480 --> 00:08:30,310 And this is just a very popular language, 171 00:08:30,310 --> 00:08:34,330 but I could use any of a dozen or more different programming languages. 172 00:08:34,330 --> 00:08:36,340 And the goal here is not to learn Python-- 173 00:08:36,340 --> 00:08:38,350 for that, we have whole other classes-- 174 00:08:38,350 --> 00:08:42,309 but to just demonstrate what an adversary, what a hacker 175 00:08:42,309 --> 00:08:46,720 needs to do if they want to get into, for instance, your iPhone or Android device 176 00:08:46,720 --> 00:08:50,200 or anything that has just a four-digit password. 
177 00:08:50,200 --> 00:08:52,600 Now, my presumption here for demonstration sake 178 00:08:52,600 --> 00:08:55,390 is that I'm going to go ahead and write code that just prints 179 00:08:55,390 --> 00:08:57,680 all possible passwords on the screen. 180 00:08:57,680 --> 00:09:01,510 But you could imagine if I had a USB cable or maybe a lightning cable, 181 00:09:01,510 --> 00:09:04,270 I could connect this phone to this laptop, 182 00:09:04,270 --> 00:09:07,300 especially if it's your phone that I just swiped from a table, 183 00:09:07,300 --> 00:09:09,250 could quickly plug it into my computer here, 184 00:09:09,250 --> 00:09:12,790 run the code that I'm about to write, and maybe automatically send 185 00:09:12,790 --> 00:09:16,510 all 10,000 possibilities to your device before you even 186 00:09:16,510 --> 00:09:18,010 realize the phone is gone. 187 00:09:18,010 --> 00:09:19,730 Now, here's how I'm going to do this. 188 00:09:19,730 --> 00:09:23,080 I'm going to go ahead, and in a text file called crack.py, 189 00:09:23,080 --> 00:09:24,860 where crack is actually a term of art. 190 00:09:24,860 --> 00:09:27,550 It just means to figure out what a password is, 191 00:09:27,550 --> 00:09:29,080 to brute force your way in. 192 00:09:29,080 --> 00:09:33,220 I'm going to go ahead and from a library called string. 193 00:09:33,220 --> 00:09:35,740 I'm going to go ahead and import digits. 194 00:09:35,740 --> 00:09:38,740 Now, this is a very easy way of just giving me 195 00:09:38,740 --> 00:09:40,360 access to the numbers 0 through 9. 196 00:09:40,360 --> 00:09:42,745 I could obviously type them all out on my keyboard. 197 00:09:42,745 --> 00:09:44,620 This is a little faster because this gives me 198 00:09:44,620 --> 00:09:46,528 like a list of the numbers I care about. 199 00:09:46,528 --> 00:09:49,070 Now, there's a bunch of different ways I can write this code. 
200 00:09:49,070 --> 00:09:51,160 But what I really want to do intuitively is 201 00:09:51,160 --> 00:09:53,770 try all possible digits for the first value, 202 00:09:53,770 --> 00:09:56,980 try all possible digits for the second, then for the third, 203 00:09:56,980 --> 00:09:58,030 then for the fourth. 204 00:09:58,030 --> 00:10:00,860 So one way of doing this might be as follows. 205 00:10:00,860 --> 00:10:04,000 I'm going to use a keyword in Python called for, which just means do 206 00:10:04,000 --> 00:10:06,130 something for as long as I want you to. 207 00:10:06,130 --> 00:10:08,770 And then I'm going to give myself a variable, like in math, 208 00:10:08,770 --> 00:10:11,590 just so I can use something to keep track of each number. 209 00:10:11,590 --> 00:10:14,530 And I'm going to use a default value of i for integer. 210 00:10:14,530 --> 00:10:19,340 And then I'm going to go ahead and say that for each value i in those 10 211 00:10:19,340 --> 00:10:22,130 digits, I want to go ahead and do the following. 212 00:10:22,130 --> 00:10:25,760 Well, for each of those i digits, for the first value, 213 00:10:25,760 --> 00:10:28,620 I want to do for j in digits as well. 214 00:10:28,620 --> 00:10:32,180 And then for each value for my third placeholder, 215 00:10:32,180 --> 00:10:35,450 I might do something like for k in digits. 216 00:10:35,450 --> 00:10:38,370 And then lastly, I might do for l in digits. 217 00:10:38,370 --> 00:10:40,252 So this is admittedly not the best design. 218 00:10:40,252 --> 00:10:41,960 And those of you who've programmed before 219 00:10:41,960 --> 00:10:45,812 are probably cringing that I have this indentation, indentation, indentation. 220 00:10:45,812 --> 00:10:48,770 But it's a simple way of demonstrating, especially for those unfamiliar 221 00:10:48,770 --> 00:10:51,680 with programming, how we can try all possible first digits, 222 00:10:51,680 --> 00:10:55,130 all possible second, all possible third, all possible fourth. 
223 00:10:55,130 --> 00:10:59,390 And all I'm going to do, bury inside of this code now is print out the value 224 00:10:59,390 --> 00:11:06,890 of i, j, k, and l so that iteratively, we should see on the screen 0000 225 00:11:06,890 --> 00:11:09,560 and then all the way up to 9999. 226 00:11:09,560 --> 00:11:12,770 So if you assume that I've connected my phone to this laptop, 227 00:11:12,770 --> 00:11:17,160 ideally, then, we'll have an estimation of how long it might take until we 228 00:11:17,160 --> 00:11:20,440 actually have cracked into the device. 229 00:11:20,440 --> 00:11:22,060 So let's go ahead and do this. 230 00:11:22,060 --> 00:11:24,720 I'm going to open up a separate window on my screen here called 231 00:11:24,720 --> 00:11:25,960 a terminal window. 232 00:11:25,960 --> 00:11:29,740 And I'm going to go ahead and run Python of crack.py. 233 00:11:29,740 --> 00:11:31,500 So in just a moment we're going to see is 234 00:11:31,500 --> 00:11:36,270 it going to take a few minutes, a few milliseconds, a day, four hours, or-- 235 00:11:36,270 --> 00:11:37,320 here we go. 236 00:11:37,320 --> 00:11:42,330 1, 2, 3, go. 237 00:11:42,330 --> 00:11:46,990 So those of you who estimated just a few milliseconds were spot on. 238 00:11:46,990 --> 00:11:48,190 So what's the takeaway here? 239 00:11:48,190 --> 00:11:50,580 Well, apparently using a four-digit password 240 00:11:50,580 --> 00:11:54,060 is not very secure at all because look how quickly 241 00:11:54,060 --> 00:11:57,630 I, the adversary, the hacker in the story, was able to get into your phone. 242 00:11:57,630 --> 00:11:59,340 And in fact, I could probably unplug it at that point 243 00:11:59,340 --> 00:12:01,923 because I've gotten whatever data I care about off your phone. 244 00:12:01,923 --> 00:12:04,030 And you might not be none the wiser. 245 00:12:04,030 --> 00:12:07,270 So how can we go about improving upon this system? 
246 00:12:07,270 --> 00:12:10,020 Well, let me propose that instead of using a four-digit passcode, 247 00:12:10,020 --> 00:12:11,638 let's use four letters instead. 248 00:12:11,638 --> 00:12:13,930 And we'll use English because that's what I speak well. 249 00:12:13,930 --> 00:12:17,610 And in English, we have 26 letters of the alphabet, A through Z. 250 00:12:17,610 --> 00:12:18,390 But you know what? 251 00:12:18,390 --> 00:12:23,100 That might give us initially 26 possibilities for the first position, 252 00:12:23,100 --> 00:12:26,820 times 26, times 26, times 26 for the second through fourth. 253 00:12:26,820 --> 00:12:30,880 But let me propose that we actually use lowercase and uppercase letters. 254 00:12:30,880 --> 00:12:35,680 So that gives me not 26, but 52 possibilities for each location. 255 00:12:35,680 --> 00:12:40,500 So if I do 52 possibilities, that's 52 to the fourth power. 256 00:12:40,500 --> 00:12:43,980 And does anyone want to estimate how many possible passwords there 257 00:12:43,980 --> 00:12:51,340 are if I'm using four English letters now, uppercase or lowercase? 258 00:12:51,340 --> 00:12:53,790 I'm seeing 26 to the fourth power. 259 00:12:53,790 --> 00:12:56,290 But that's not right if we're using uppercase and lowercase. 260 00:12:56,290 --> 00:12:58,270 It's indeed 52 to the fourth power. 261 00:12:58,270 --> 00:13:00,220 And I'm seeing "a lot." 262 00:13:00,220 --> 00:13:05,450 But here we have estimates along the lines of indeed 7 million as well. 263 00:13:05,450 --> 00:13:08,457 So with 7 million possibilities, you might think, OK, surely, 264 00:13:08,457 --> 00:13:09,790 that's going to be a lot better. 265 00:13:09,790 --> 00:13:12,873 And it's going to take the adversary a lot longer to hack into this phone. 266 00:13:12,873 --> 00:13:13,720 But let's try that. 267 00:13:13,720 --> 00:13:16,160 Let me go back to my terminal window here. 
268 00:13:16,160 --> 00:13:20,380 Let me reopen now my code file, and let's go ahead and use not digits, 269 00:13:20,380 --> 00:13:22,960 but let's go ahead and use ASCII letters. 270 00:13:22,960 --> 00:13:27,370 For those unfamiliar, ASCII letters are simply the letters A 271 00:13:27,370 --> 00:13:30,800 through Z in both uppercase and lowercase. 272 00:13:30,800 --> 00:13:35,140 Now, here I have to go ahead and change this from digits to ASCII letters, 273 00:13:35,140 --> 00:13:40,330 from digits to ASCII letters, from digits to ASCII letters, 274 00:13:40,330 --> 00:13:43,030 and lastly, from digits to ASCII letters. 275 00:13:43,030 --> 00:13:45,700 Again, there's an easier way I could implement this code 276 00:13:45,700 --> 00:13:47,980 to be more succinct and less duplicative, 277 00:13:47,980 --> 00:13:52,040 but it involves some features that we'll introduce in another class altogether. 278 00:13:52,040 --> 00:13:56,180 But now I have all possible ASCII letters from my first placeholder 279 00:13:56,180 --> 00:13:57,020 to the last. 280 00:13:57,020 --> 00:13:59,510 Let's go ahead and open up that same terminal window. 281 00:13:59,510 --> 00:14:01,010 Let's run Python of crack.py. 282 00:14:01,010 --> 00:14:04,550 And here now is the answer to how long might it take an adversary 283 00:14:04,550 --> 00:14:09,050 to get into your phone if you're using four letters of the English alphabet 284 00:14:09,050 --> 00:14:12,950 for your password instead. 285 00:14:12,950 --> 00:14:16,560 So this time, I have enough time to walk all the way over to the screen here. 286 00:14:16,560 --> 00:14:19,920 And you can see that we're going in alphabetical order, first lowercase, 287 00:14:19,920 --> 00:14:20,570 now uppercase. 288 00:14:20,570 --> 00:14:22,910 But in just a moment, we are done. 289 00:14:22,910 --> 00:14:25,580 And we're down all the way to ZZZZ. 
290 00:14:25,580 --> 00:14:28,490 So that was a few seconds, which is indeed slower, 291 00:14:28,490 --> 00:14:30,780 but that really wasn't that much effort at all. 292 00:14:30,780 --> 00:14:33,590 So presumably, then, even four letters of the alphabet 293 00:14:33,590 --> 00:14:35,180 might not be enough to keep us secure. 294 00:14:35,180 --> 00:14:38,690 So let me go ahead and do what we all are told to do anyway, 295 00:14:38,690 --> 00:14:42,380 which is to go into your phone or whatever device in question 296 00:14:42,380 --> 00:14:45,390 and actually use four characters perhaps instead. 297 00:14:45,390 --> 00:14:49,010 So not just letters, not just digits, but let's toss in some punctuation 298 00:14:49,010 --> 00:14:49,860 as well. 299 00:14:49,860 --> 00:14:52,910 And in the world of punctuation, at least on a US English keyboard, 300 00:14:52,910 --> 00:14:58,320 there's typically as many as 94 possibilities for letters, numbers, 301 00:14:58,320 --> 00:15:02,750 and punctuation because we have 26 lowercase letters, 26 302 00:15:02,750 --> 00:15:06,380 uppercase letters, 10 decimal digits, 0 through 9, 303 00:15:06,380 --> 00:15:11,610 and another 32 punctuation symbols that we can add into the mix as well. 304 00:15:11,610 --> 00:15:15,200 So that gives me 94 possible keys that I can hit here, 305 00:15:15,200 --> 00:15:17,300 or 94 to the fourth power. 306 00:15:17,300 --> 00:15:19,670 And does anyone want to estimate what this is? 307 00:15:19,670 --> 00:15:23,540 We've gone from 10,000 to 7 million to I'm 308 00:15:23,540 --> 00:15:27,260 seeing it in the chat, roughly 78 million possibilities, so 309 00:15:27,260 --> 00:15:29,820 in some sense, 10 times more secure. 310 00:15:29,820 --> 00:15:32,870 Let's go back to my terminal window, open up my code here, 311 00:15:32,870 --> 00:15:37,040 and import not only ASCII letters, but also the digits from before, and also, 312 00:15:37,040 --> 00:15:39,420 this time, some punctuation as well. 
313 00:15:39,420 --> 00:15:41,870 Now let's go ahead and change just the ASCII letters alone 314 00:15:41,870 --> 00:15:45,410 to ASCII letters plus those digits plus that punctuation. 315 00:15:45,410 --> 00:15:49,250 And just to save some time, I'm going to highlight and copy what I just typed, 316 00:15:49,250 --> 00:15:52,460 and I'm going to change the second position, the third position, 317 00:15:52,460 --> 00:15:57,320 and the fourth position, as well, to use that combination of 94 possibilities. 318 00:15:57,320 --> 00:15:59,330 I'm going to open up my terminal window again. 319 00:15:59,330 --> 00:16:01,280 I'm going to run Python of crack.py. 320 00:16:01,280 --> 00:16:04,130 And this time, because we have 10 times as many possibilities, 321 00:16:04,130 --> 00:16:09,110 I kind of had 10 times the amount of time to walk over to the screen 322 00:16:09,110 --> 00:16:14,810 because indeed we're still in the lowercase Es, Fs, Gs, Hs. 323 00:16:14,810 --> 00:16:17,028 And now it looks a bit like a Hollywood movie maybe. 324 00:16:17,028 --> 00:16:19,820 You can perhaps see, even though it's going across the screen fast, 325 00:16:19,820 --> 00:16:21,528 that there's a lot of cryptic output here 326 00:16:21,528 --> 00:16:24,590 because we're running through all of the letters, the digits, 327 00:16:24,590 --> 00:16:25,710 and the punctuation. 328 00:16:25,710 --> 00:16:27,770 So it looks a little fancy at that. 329 00:16:27,770 --> 00:16:30,110 Now, you might recall, too, from Hollywood movies, 330 00:16:30,110 --> 00:16:32,000 too, that they tend to be very dramatic. 331 00:16:32,000 --> 00:16:36,290 And so instead of just doing this, which is iterating from left to right very 332 00:16:36,290 --> 00:16:38,967 slowly, the movies and TV shows tend to very dramatically 333 00:16:38,967 --> 00:16:42,050 get, like, the third character right, then the first character right, then 334 00:16:42,050 --> 00:16:42,800 the fourth character right. 
335 00:16:42,800 --> 00:16:45,050 And then just in time, you get the second one as well. 336 00:16:45,050 --> 00:16:47,090 That's not really how brute force works. 337 00:16:47,090 --> 00:16:51,570 You tend to do things methodically, not jumping around from symbol to symbol. 338 00:16:51,570 --> 00:16:53,280 But this is clearly taking a long time. 339 00:16:53,280 --> 00:16:56,750 And I'm not even going to finish waiting for this to go because we still have 340 00:16:56,750 --> 00:16:58,320 to get through all the punctuation. 341 00:16:58,320 --> 00:17:02,750 So this is to say, ultimately, that 78 million possibilities is actually 342 00:17:02,750 --> 00:17:04,640 getting up there pretty fast. 343 00:17:04,640 --> 00:17:07,280 But honestly, if we come back in like a minute or so, 344 00:17:07,280 --> 00:17:09,770 I bet that will be finished nonetheless. 345 00:17:09,770 --> 00:17:14,089 And none of us hopefully has a password that's only four characters 346 00:17:14,089 --> 00:17:17,390 nowadays, letters, numbers, and punctuation. 347 00:17:17,390 --> 00:17:20,450 Odds are it's at least a conventional eight characters. 348 00:17:20,450 --> 00:17:24,228 And indeed most websites and apps require as much of you as well. 349 00:17:24,228 --> 00:17:26,270 Now, the math here is pretty straightforward too. 350 00:17:26,270 --> 00:17:32,000 If you have 94 possibilities, but you have eight characters in total now, now 351 00:17:32,000 --> 00:17:34,460 that's 94 to the eighth power. 352 00:17:34,460 --> 00:17:37,310 And does anyone want a ballpark just how many 353 00:17:37,310 --> 00:17:40,970 passwords are possible if it's only eight characters, which 354 00:17:40,970 --> 00:17:46,190 isn't even that long but you have eight of them total? 355 00:17:46,190 --> 00:17:48,770 Too many, comes back one answer. 356 00:17:48,770 --> 00:17:50,168 Too much to count. 357 00:17:50,168 --> 00:17:51,460 I see that we've given up here. 
358 00:17:51,460 --> 00:17:52,980 But, oh, I did see one in the chat. 359 00:17:52,980 --> 00:17:56,493 It's roughly this many possible passwords, 360 00:17:56,493 --> 00:17:58,410 which is actually a little hard to figure out. 361 00:17:58,410 --> 00:18:03,630 So this is, let's see, millions, billions, trillions, quadrillions. 362 00:18:03,630 --> 00:18:06,520 So this is 6 quadrillion possibilities. 363 00:18:06,520 --> 00:18:07,770 So now we're talking. 364 00:18:07,770 --> 00:18:13,230 Now the adversary is probably going to run out of time, run out of energy, 365 00:18:13,230 --> 00:18:15,960 run out of money, run out of lifetime if it's 366 00:18:15,960 --> 00:18:18,690 going to take this much time to try to crack, 367 00:18:18,690 --> 00:18:21,660 so to speak, your particular password. 368 00:18:21,660 --> 00:18:25,050 And so here's one of our first takeaways when it comes to cybersecurity 369 00:18:25,050 --> 00:18:26,430 and securing our accounts. 370 00:18:26,430 --> 00:18:30,062 It really is this game of relativity and resources. 371 00:18:30,062 --> 00:18:32,520 What we're really doing here is not something fundamentally 372 00:18:32,520 --> 00:18:37,980 different by adding in digits and letters and punctuation. 373 00:18:37,980 --> 00:18:41,070 It's sort of still the same formula, the same approach to our passwords. 374 00:18:41,070 --> 00:18:44,820 But as we add complexity, and as we make it longer and longer, 375 00:18:44,820 --> 00:18:47,640 we're raising the bar to the adversary. 376 00:18:47,640 --> 00:18:48,390 Why? 377 00:18:48,390 --> 00:18:53,163 Well, so long as you and I don't do something dumb like still choose 0000 378 00:18:53,163 --> 00:18:59,190 0000, so long as we're choosing something that's pretty random in that range of 6 379 00:18:59,190 --> 00:19:04,110 quadrillion possibilities, it's going to take the adversary way more time than 380 00:19:04,110 --> 00:19:07,800 it would otherwise to brute force their way into that password. 
381 00:19:07,800 --> 00:19:10,770 And so by the time they finally get into the account, 382 00:19:10,770 --> 00:19:12,720 you might have changed the password already, 383 00:19:12,720 --> 00:19:15,870 you might not be using the account anymore, or you or the adversary 384 00:19:15,870 --> 00:19:18,690 might not even be on this planet anymore. 385 00:19:18,690 --> 00:19:19,980 And that's indeed the goal. 386 00:19:19,980 --> 00:19:22,120 But there is a downside, of course. 387 00:19:22,120 --> 00:19:26,020 The longer your password gets, and the more complicated it gets, 388 00:19:26,020 --> 00:19:28,890 the more likely you and I are to not even be 389 00:19:28,890 --> 00:19:30,880 able to remember what that password is. 390 00:19:30,880 --> 00:19:33,660 And so here is that sort of balancing act, trying 391 00:19:33,660 --> 00:19:37,530 to figure out this balance between the usability of the account, just how user 392 00:19:37,530 --> 00:19:41,550 friendly it is to access, versus the security of that account. 393 00:19:41,550 --> 00:19:44,640 And finding that inflection point is somewhat personal or somewhat 394 00:19:44,640 --> 00:19:46,920 corporate in policy, typically. 395 00:19:46,920 --> 00:19:50,790 Well, let me pause here and see if there are any questions now 396 00:19:50,790 --> 00:19:54,240 on securing our accounts via passwords alone. 397 00:19:54,240 --> 00:19:56,370 AUDIENCE: I was wondering. 398 00:19:56,370 --> 00:19:59,610 A couple of years ago, there were devices, USB devices, 399 00:19:59,610 --> 00:20:02,190 with fingerprint recognition. 400 00:20:02,190 --> 00:20:05,670 How come that's not more frequently used? 401 00:20:05,670 --> 00:20:07,533 Or are they too expensive or-- 402 00:20:07,533 --> 00:20:09,450 DAVID MALAN: A really good question, and we'll 403 00:20:09,450 --> 00:20:12,870 come to this topic in a little bit on biometrics more generally. 404 00:20:12,870 --> 00:20:14,550 But your intuition is pretty much right. 
405 00:20:14,550 --> 00:20:16,507 It's expensive to have another device. 406 00:20:16,507 --> 00:20:18,840 And most consumers are not going to bother wasting money 407 00:20:18,840 --> 00:20:20,070 on something just for them. 408 00:20:20,070 --> 00:20:21,240 Some companies might. 409 00:20:21,240 --> 00:20:23,940 But if they have a lot of employees, that could get very costly. 410 00:20:23,940 --> 00:20:27,300 But you might be glad to know that one of the topics we'll end on today 411 00:20:27,300 --> 00:20:31,440 is a new technology called passkeys that actually leverages 412 00:20:31,440 --> 00:20:36,090 a device you most likely already have, a phone, that might use your fingerprint 413 00:20:36,090 --> 00:20:39,000 or might use your face or some other form of biometrics. 414 00:20:39,000 --> 00:20:42,240 That's becoming more common nowadays, or soon will, 415 00:20:42,240 --> 00:20:47,770 even for your laptop and desktop which will talk to that phone, in some form. 416 00:20:47,770 --> 00:20:51,720 How about one more question here on securing accounts. 417 00:20:51,720 --> 00:20:59,130 AUDIENCE: My question is, why if four-digits password is so unsafe, 418 00:20:59,130 --> 00:21:04,877 why is some program still using this password not a website, like program? 419 00:21:04,877 --> 00:21:06,460 DAVID MALAN: Oh, really good question. 420 00:21:06,460 --> 00:21:08,280 Why are some programmers using this? 421 00:21:08,280 --> 00:21:11,520 So it's a trade off between usability and security. 422 00:21:11,520 --> 00:21:14,010 If you are the programmer designing the system, 423 00:21:14,010 --> 00:21:17,460 you presumably want users to use the system and to come back 424 00:21:17,460 --> 00:21:18,700 and to keep using it. 
425 00:21:18,700 --> 00:21:21,570 But if you make it too hard for them to access 426 00:21:21,570 --> 00:21:24,240 that account, if you increase the probability that they're 427 00:21:24,240 --> 00:21:27,150 going to constantly forget their password, lose their password, 428 00:21:27,150 --> 00:21:31,480 they might just stop using your system or your app or your website altogether. 429 00:21:31,480 --> 00:21:33,850 And so that's probably not a good thing. 430 00:21:33,850 --> 00:21:36,210 Other reasons might include just unawareness 431 00:21:36,210 --> 00:21:41,070 or not having taken a class on cybersecurity or not having really 432 00:21:41,070 --> 00:21:45,450 thought through the implications of having such short passcodes. 433 00:21:45,450 --> 00:21:48,287 So nowadays industry's starting to nudge us 434 00:21:48,287 --> 00:21:49,620 in better and better directions. 435 00:21:49,620 --> 00:21:51,630 But we'll see today and the rest of this class 436 00:21:51,630 --> 00:21:55,650 that there are still going to be a lot of trade offs, again, between usability 437 00:21:55,650 --> 00:21:56,730 and security. 438 00:21:56,730 --> 00:22:00,060 So what can we do to defend ourselves against these brute force attacks? 439 00:22:00,060 --> 00:22:02,310 Well, at least here in the US, there's an organization 440 00:22:02,310 --> 00:22:05,190 called the National Institute of Standards and Technology, 441 00:22:05,190 --> 00:22:08,310 otherwise known as NIST, that actually issues recommendations 442 00:22:08,310 --> 00:22:11,370 for how we as consumers or companies or more generally, 443 00:22:11,370 --> 00:22:14,520 humans can go about securing their accounts more effectively. 
444 00:22:14,520 --> 00:22:17,020 And we thought we'd share just some of these recommendations 445 00:22:17,020 --> 00:22:21,420 so that it informs not only your own behavior as an individual citizen 446 00:22:21,420 --> 00:22:24,390 or consumer, but perhaps if you're in a place of business 447 00:22:24,390 --> 00:22:27,450 where you can influence your own company's policies, 448 00:22:27,450 --> 00:22:31,180 here are generally what are considered best practices nowadays. 449 00:22:31,180 --> 00:22:34,560 So a quote from their recommendations, "memorized secrets 450 00:22:34,560 --> 00:22:37,560 shall be at least eight characters in length." 451 00:22:37,560 --> 00:22:40,500 So that at least corroborates the quick math and the test 452 00:22:40,500 --> 00:22:43,260 that we ourselves just ran, that only once we got up to, like, 453 00:22:43,260 --> 00:22:45,900 6 quadrillion possibilities did it feel like it 454 00:22:45,900 --> 00:22:51,490 was going to take a very long time to actually hack into someone's device. 455 00:22:51,490 --> 00:22:54,430 So consider that for your own accounts, even on your phones. 456 00:22:54,430 --> 00:22:56,620 You might have to go through a few menu options 457 00:22:56,620 --> 00:22:59,890 to upgrade from just four digits to something more. 458 00:22:59,890 --> 00:23:04,270 But odds are you'll benefit from this additional layer of security. 459 00:23:04,270 --> 00:23:06,070 This one's more of a mouthful but helpful 460 00:23:06,070 --> 00:23:09,790 as well, "verifiers," so the website or app that's 461 00:23:09,790 --> 00:23:12,670 verifying your input when you authenticate with your username 462 00:23:12,670 --> 00:23:17,440 and password-- "verifiers should permit subscriber-chosen memorized secrets 463 00:23:17,440 --> 00:23:21,220 of at least 64 characters in length. 
464 00:23:21,220 --> 00:23:24,520 All printing ASCII characters as well as the space characters 465 00:23:24,520 --> 00:23:27,250 should be acceptable in memorized secrets. 466 00:23:27,250 --> 00:23:30,110 Unicode characters should be accepted as well." 467 00:23:30,110 --> 00:23:32,440 Now, if you're not yourself a computer person, 468 00:23:32,440 --> 00:23:34,150 there's a bit of jargon within this. 469 00:23:34,150 --> 00:23:38,350 But first of all, the takeaways are that websites and applications should 470 00:23:38,350 --> 00:23:41,050 let you and me come up with passwords that 471 00:23:41,050 --> 00:23:43,700 are actually as long as 64 characters. 472 00:23:43,700 --> 00:23:46,460 Now, that's pretty long, but that's exactly the point, 473 00:23:46,460 --> 00:23:48,580 particularly as it's gotten more difficult 474 00:23:48,580 --> 00:23:51,410 for you and I to remember all of our passwords, 475 00:23:51,410 --> 00:23:53,540 to come up with very complex passwords. 476 00:23:53,540 --> 00:23:57,320 The reality is you and I might very well be better off, 477 00:23:57,320 --> 00:24:02,840 on the whole, by just choosing an easier-to-remember but much longer 478 00:24:02,840 --> 00:24:06,920 password, for instance, a sentence, a quote, a phrase that you 479 00:24:06,920 --> 00:24:10,520 can more easily keep in your human mind but that doesn't necessarily 480 00:24:10,520 --> 00:24:14,270 have a crazy amount of punctuation or digits or letters, 481 00:24:14,270 --> 00:24:17,490 but at least is 64 characters in length. 
482 00:24:17,490 --> 00:24:20,570 So even if an adversary tries a dictionary attack, 483 00:24:20,570 --> 00:24:23,280 trying all possible English words or some other language, 484 00:24:23,280 --> 00:24:27,290 even if they try a brute force attack, it's going to take them way too long 485 00:24:27,290 --> 00:24:31,310 unless, of course, you do something foolish like choose a 64-character 486 00:24:31,310 --> 00:24:35,280 passcode that's 000 or so forth. 487 00:24:35,280 --> 00:24:37,460 So you still want to be original within that space. 488 00:24:37,460 --> 00:24:40,730 Now, more technically, this recommendation is referring to ASCII. 489 00:24:40,730 --> 00:24:45,440 ASCII generally refers to US English symbols on a US English keyboard, 490 00:24:45,440 --> 00:24:47,930 as was the origin of this code system. 491 00:24:47,930 --> 00:24:50,510 So that includes A through Z, 0 through 9, 492 00:24:50,510 --> 00:24:52,700 and the punctuation I alluded to earlier. 493 00:24:52,700 --> 00:24:55,010 But websites and apps nowadays should also 494 00:24:55,010 --> 00:25:00,260 support Unicode, including things like emoji and other accented characters 495 00:25:00,260 --> 00:25:03,800 or symbols that you might have in languages beyond English. 496 00:25:03,800 --> 00:25:07,490 Unfortunately, this is not really common practice, I dare say. 497 00:25:07,490 --> 00:25:11,420 Just yesterday, I created an account on a new website for the first time, 498 00:25:11,420 --> 00:25:14,480 and it made me jump through hoops, so to speak, figuring out 499 00:25:14,480 --> 00:25:18,110 the right number of uppercase letters, lowercase letters, punctuation, 500 00:25:18,110 --> 00:25:21,570 and even then it told me I can only use certain punctuation. 501 00:25:21,570 --> 00:25:24,050 So I had to think about now which symbols I'm using. 502 00:25:24,050 --> 00:25:27,388 That is a lot of friction that is not good for usability. 
503 00:25:27,388 --> 00:25:29,930 And it's of questionable value for the security of the system 504 00:25:29,930 --> 00:25:32,180 if I can't even remember the thing afterward. 505 00:25:32,180 --> 00:25:35,930 So keep this in mind, in general, that your password should not only 506 00:25:35,930 --> 00:25:39,200 be eight characters, minimally, but most apps 507 00:25:39,200 --> 00:25:42,260 and websites you maybe yourself develop moving forward 508 00:25:42,260 --> 00:25:45,000 should allow much longer passwords as well. 509 00:25:45,000 --> 00:25:47,450 And you as the human can use longer passwords 510 00:25:47,450 --> 00:25:49,380 if systems allow them as well. 511 00:25:49,380 --> 00:25:52,220 Now, here's another set of recommendations from NIST. 512 00:25:52,220 --> 00:25:55,490 "Verifiers--" the website or the apps that we're using-- 513 00:25:55,490 --> 00:25:57,800 "shall compare the prospective secrets--" 514 00:25:57,800 --> 00:26:00,740 the passwords you're choosing-- "against a list that contains 515 00:26:00,740 --> 00:26:05,093 values known to be commonly used, expected, or compromised." 516 00:26:05,093 --> 00:26:07,010 So that is to say when you type in a password, 517 00:26:07,010 --> 00:26:09,410 if it's already been a commonly used password, 518 00:26:09,410 --> 00:26:12,350 if it's very easily guessable, the website or app should probably 519 00:26:12,350 --> 00:26:14,960 say, uh, pick a better password than that 520 00:26:14,960 --> 00:26:17,628 just to decrease the probability that an adversary is 521 00:26:17,628 --> 00:26:18,920 going to get into that account. 
522 00:26:18,920 --> 00:26:21,650 Specifically, NIST recommends that "passwords 523 00:26:21,650 --> 00:26:24,320 obtained from previous breached corpuses--" 524 00:26:24,320 --> 00:26:28,970 which is a fancy way of saying if some website, some database has been hacked, 525 00:26:28,970 --> 00:26:32,060 and that database contains usernames and passwords, 526 00:26:32,060 --> 00:26:34,100 and those passwords have now been uploaded 527 00:26:34,100 --> 00:26:38,780 to the internet for adversaries or anyone to download and browse, 528 00:26:38,780 --> 00:26:41,990 well, then you should not be allowed to pick a password from that list 529 00:26:41,990 --> 00:26:44,540 because it's essentially an alternative dictionary. 530 00:26:44,540 --> 00:26:48,740 It essentially is a list of passwords that a smart adversary should just 531 00:26:48,740 --> 00:26:52,430 start with before they even bother resorting to brute force, which 532 00:26:52,430 --> 00:26:54,440 we've seen would take much more time. 533 00:26:54,440 --> 00:26:56,220 Two, dictionary words. 534 00:26:56,220 --> 00:26:58,510 So this we've already stipulated would be a good thing 535 00:26:58,510 --> 00:27:01,010 to avoid because there's just much too easy for an adversary 536 00:27:01,010 --> 00:27:03,800 to go through a big list of English words or some other language 537 00:27:03,800 --> 00:27:05,090 and try those first. 538 00:27:05,090 --> 00:27:10,430 Three, repetitive or sequential characters, aaaaaa 539 00:27:10,430 --> 00:27:16,100 or a slightly more creatively but not good enough, 1235abcd. 540 00:27:16,100 --> 00:27:20,660 I would also add 0000 and so forth into that category as well. 541 00:27:20,660 --> 00:27:23,720 It's just too easy for the adversary to guess 542 00:27:23,720 --> 00:27:26,780 that maybe you're doing something repetitive like that too. 
543 00:27:26,780 --> 00:27:31,070 And then lastly, context-specific words, such as the name of the service, 544 00:27:31,070 --> 00:27:33,720 the username, and derivatives thereof. 545 00:27:33,720 --> 00:27:37,340 This is to say, if you sign up for a Gmail account for the first time, 546 00:27:37,340 --> 00:27:41,210 you should not be allowed by Google to choose a password 547 00:27:41,210 --> 00:27:43,790 like "Gmail password," quote unquote. 548 00:27:43,790 --> 00:27:45,650 If you sign up for an Amazon account, you 549 00:27:45,650 --> 00:27:48,350 should not be allowed by Amazon to have your password be 550 00:27:48,350 --> 00:27:53,090 "Amazon password" or some such variant thereof because smart adversaries are 551 00:27:53,090 --> 00:27:54,590 going to try those same heuristics. 552 00:27:54,590 --> 00:27:55,640 And that's the catch too. 553 00:27:55,640 --> 00:27:58,790 If you can think of it, even if you think you're being clever, 554 00:27:58,790 --> 00:28:02,880 odds are a just-as-clever adversary can think of that heuristic as well 555 00:28:02,880 --> 00:28:07,100 and prioritize those tricks before they resort to brute force, 556 00:28:07,100 --> 00:28:09,530 like I did on my own laptop. 557 00:28:09,530 --> 00:28:11,480 A few other recommendations as well. 558 00:28:11,480 --> 00:28:15,470 "Memorized secret verifiers shall not permit the subscriber 559 00:28:15,470 --> 00:28:20,060 to store a hint that is inaccessible to an unauthenticated claimant. 560 00:28:20,060 --> 00:28:23,880 Verifiers shall now prompt subscribers to use specific types of information, 561 00:28:23,880 --> 00:28:27,890 for instance, 'what was the name of your first pet?' when choosing memorized 562 00:28:27,890 --> 00:28:28,460 secrets." 563 00:28:28,460 --> 00:28:32,330 So there are a lot of companies, a lot of websites, a lot of applications that 564 00:28:32,330 --> 00:28:35,000 violate this recommendation nowadays. 
565 00:28:35,000 --> 00:28:37,370 And in fact, I bet you can think of one or more accounts 566 00:28:37,370 --> 00:28:40,490 that you have where you've had to tell them, for instance, what 567 00:28:40,490 --> 00:28:44,180 was the name of your first pet or your first car or your mother 568 00:28:44,180 --> 00:28:46,040 or father's name or the like. 569 00:28:46,040 --> 00:28:49,530 That's not good to collect either, nor is a hint 570 00:28:49,530 --> 00:28:52,080 a good thing because frankly, you and I are 571 00:28:52,080 --> 00:28:56,310 all too often in the habit of maybe typing into that hint field, 572 00:28:56,310 --> 00:28:59,580 if it's available, a question that's meant to help 573 00:28:59,580 --> 00:29:01,320 you remember what your password was. 574 00:29:01,320 --> 00:29:05,850 But if your hint is something like, my password is the name of my first pet, 575 00:29:05,850 --> 00:29:08,940 well, you're now just leaking information to the world. 576 00:29:08,940 --> 00:29:12,060 And anyone who can go online and figure out that information 577 00:29:12,060 --> 00:29:14,830 can now get into your account as well. 578 00:29:14,830 --> 00:29:17,340 And so that's really the threat, in this case. 579 00:29:17,340 --> 00:29:20,430 If you start using personally identifiable information 580 00:29:20,430 --> 00:29:24,780 in this age of social media and websites like LinkedIn and the like, 581 00:29:24,780 --> 00:29:29,020 there's just so much information out there about us that can be discovered. 582 00:29:29,020 --> 00:29:32,130 You don't want to fill all of these databases, all of these systems 583 00:29:32,130 --> 00:29:35,310 with each of these tidbits about you because a smart adversary 584 00:29:35,310 --> 00:29:38,580 with enough time and enough focus on you can probably 585 00:29:38,580 --> 00:29:41,470 figure out all of those same values. 586 00:29:41,470 --> 00:29:42,480 So what more? 
587 00:29:42,480 --> 00:29:45,840 "Verifiers shall not require memorized secrets 588 00:29:45,840 --> 00:29:48,960 to be changed arbitrarily, for instance, periodically." 589 00:29:48,960 --> 00:29:51,300 So this one, too, is something that a lot of companies 590 00:29:51,300 --> 00:29:53,700 violate as a recommendation still. 591 00:29:53,700 --> 00:29:56,130 If you're in a corporate workplace, in particular, 592 00:29:56,130 --> 00:29:59,040 and you're being required by the system administrators 593 00:29:59,040 --> 00:30:02,740 to change your password every month, maybe every three months, 594 00:30:02,740 --> 00:30:07,800 six months, every year perhaps, that's not generally recommended anymore, 595 00:30:07,800 --> 00:30:13,240 even though not too long ago, it did feel like, sound like a best practice. 596 00:30:13,240 --> 00:30:18,960 But why is this not recommended anymore, to have you forcibly 597 00:30:18,960 --> 00:30:23,670 change your password periodically, like every few months? 598 00:30:23,670 --> 00:30:26,050 AUDIENCE: Because the password will be easily forgotten 599 00:30:26,050 --> 00:30:29,160 and be more vulnerable to brute force attacks. 600 00:30:29,160 --> 00:30:31,350 DAVID MALAN: Why would it be more vulnerable? 601 00:30:31,350 --> 00:30:35,490 AUDIENCE: Because the hackers can get access to all passwords 602 00:30:35,490 --> 00:30:37,553 and get hints about the new password. 603 00:30:37,553 --> 00:30:38,220 DAVID MALAN: OK. 604 00:30:38,220 --> 00:30:42,690 So yes, one danger of forcing you and me to change our password too frequently 605 00:30:42,690 --> 00:30:45,570 is that you and I do not tend to exert much effort when 606 00:30:45,570 --> 00:30:46,950 we're required to do so. 607 00:30:46,950 --> 00:30:51,455 For instance, if my password today is, for instance, password 1, well, 608 00:30:51,455 --> 00:30:53,580 you know what my password might be in three months? 
609 00:30:53,580 --> 00:30:57,120 Password 2 or in another three months, password 3. 610 00:30:57,120 --> 00:30:59,460 You and I might exert the minimal amount of energy 611 00:30:59,460 --> 00:31:02,250 to change the password so that we meet the company's requirements 612 00:31:02,250 --> 00:31:04,590 but so that it's not too hard for you and me to remember 613 00:31:04,590 --> 00:31:05,670 what the new password is. 614 00:31:05,670 --> 00:31:09,510 And so indeed, if information about my past passwords leaks out 615 00:31:09,510 --> 00:31:11,670 and some adversary sees, oh, well, wait a minute, 616 00:31:11,670 --> 00:31:14,190 your password was password 2 last month, I'm 617 00:31:14,190 --> 00:31:17,520 just going to guess heuristically that this month it's password 3. 618 00:31:17,520 --> 00:31:19,680 We might indeed be leaking information. 619 00:31:19,680 --> 00:31:21,900 What's another reason that you might not want 620 00:31:21,900 --> 00:31:26,220 to require humans to change their passwords arbitrarily 621 00:31:26,220 --> 00:31:28,358 on some schedule like this? 622 00:31:28,358 --> 00:31:30,150 AUDIENCE: We keep forgetting our passwords, 623 00:31:30,150 --> 00:31:32,950 too, if we change it too frequently. 624 00:31:32,950 --> 00:31:34,980 So that is not a good practice for a website. 625 00:31:34,980 --> 00:31:35,855 DAVID MALAN: Exactly. 626 00:31:35,855 --> 00:31:38,340 If you make me change my password too frequently, 627 00:31:38,340 --> 00:31:41,160 honestly, I'm probably going to forget what my next password is 628 00:31:41,160 --> 00:31:42,960 because I'm going to get confused with last month's 629 00:31:42,960 --> 00:31:44,418 or the previous months or the like. 
630 00:31:44,418 --> 00:31:47,130 And so there's these sociological effects on us humans, 631 00:31:47,130 --> 00:31:51,300 just being human, not being very good at remembering not only the first password 632 00:31:51,300 --> 00:31:55,060 you made me choose that's very complex, but the second and the third as well. 633 00:31:55,060 --> 00:31:58,290 And so generally, you should not come up with such a scheme anymore because 634 00:31:58,290 --> 00:31:59,850 of these adverse side effects. 635 00:31:59,850 --> 00:32:02,070 And how about one more recommendation here? 636 00:32:02,070 --> 00:32:05,670 "Verifiers shall implement a rate-limiting mechanism 637 00:32:05,670 --> 00:32:09,480 that effectively limits the number of failed authentication attempts that can 638 00:32:09,480 --> 00:32:11,730 be made on the subscriber's account." 639 00:32:11,730 --> 00:32:13,162 Now, what do we mean by this? 640 00:32:13,162 --> 00:32:15,120 Well, odds are this is something you yourselves 641 00:32:15,120 --> 00:32:18,780 might have experienced if, for instance, you forgot your password 642 00:32:18,780 --> 00:32:20,550 or you kept typing it slightly wrong. 643 00:32:20,550 --> 00:32:22,560 Maybe your phone screen was wet so it wasn't 644 00:32:22,560 --> 00:32:24,660 registering your fingertips properly. 645 00:32:24,660 --> 00:32:27,420 It turns out you can lock yourself out of your own phone. 646 00:32:27,420 --> 00:32:30,270 And you might have, in fact, seen something like this on iPhone. 647 00:32:30,270 --> 00:32:32,910 Android has a similar screen, if, for instance, you 648 00:32:32,910 --> 00:32:36,420 type in the wrong passcode 10 times in a row. 
649 00:32:36,420 --> 00:32:41,700 The presumption, by Apple and Google and others, is that if after 10 times 650 00:32:41,700 --> 00:32:44,340 you still haven't inputted your password correctly, 651 00:32:44,340 --> 00:32:48,360 it's probably a higher probability that you are not David, 652 00:32:48,360 --> 00:32:52,310 that you are not you, but rather it's someone else who has taken your phone, 653 00:32:52,310 --> 00:32:55,100 stolen your phone, and is trying to get into it. 654 00:32:55,100 --> 00:32:57,030 Now that's not always the case. 655 00:32:57,030 --> 00:33:00,110 You can imagine situations where you just were being absent minded. 656 00:33:00,110 --> 00:33:01,250 You were half asleep. 657 00:33:01,250 --> 00:33:04,680 Maybe you weren't really focusing on it, and you locked yourself out. 658 00:33:04,680 --> 00:33:08,900 And so there, too is, again, a trade off between usability and security. 659 00:33:08,900 --> 00:33:12,290 But the higher probability event after 10 wrong attempts 660 00:33:12,290 --> 00:33:16,010 probably tends to be that it's an adversary trying to get in and not you. 661 00:33:16,010 --> 00:33:17,960 But what's the point of this? 662 00:33:17,960 --> 00:33:21,650 Beyond annoying the adversary and maybe more significantly, 663 00:33:21,650 --> 00:33:25,970 really annoying you when it happens by accident, what this effectively does 664 00:33:25,970 --> 00:33:28,290 is it slows the adversary down. 665 00:33:28,290 --> 00:33:32,060 In other words, it increases the cost of this attack to the adversary. 666 00:33:32,060 --> 00:33:32,600 Why? 667 00:33:32,600 --> 00:33:35,480 Well, we saw a moment ago that a smart adversary 668 00:33:35,480 --> 00:33:38,240 who knows a little bit of Python code and steals your phone 669 00:33:38,240 --> 00:33:43,260 can try 10,000 possible passwords in just less than a second. 
670 00:33:43,260 --> 00:33:46,400 However, if you now slow them down by having this feature 671 00:33:46,400 --> 00:33:50,820 on your iPhone or Android device that pumps the brakes, so to speak, 672 00:33:50,820 --> 00:33:54,690 that lets the adversary try no more than 10 at a time, 673 00:33:54,690 --> 00:33:57,390 that significantly slows them down. 674 00:33:57,390 --> 00:34:02,340 Now they might have to spend at least 10 seconds, 20 seconds, an hour, a day, 675 00:34:02,340 --> 00:34:06,090 or longer, especially since what Android and iPhone also 676 00:34:06,090 --> 00:34:09,120 do is they tend to increase this time limit. 677 00:34:09,120 --> 00:34:11,010 The first time you mess up, it's 1 minute. 678 00:34:11,010 --> 00:34:15,239 If you mess up another 10 times, it's now 2 minutes, maybe 5 minutes, 679 00:34:15,239 --> 00:34:16,260 maybe 10 minutes. 680 00:34:16,260 --> 00:34:19,590 Maybe the phone even deletes itself, wipes itself, 681 00:34:19,590 --> 00:34:22,860 if that, too, is a feature that you or your company has enabled. 682 00:34:22,860 --> 00:34:26,850 So again, the right way to think about this, beyond the usability trade off, 683 00:34:26,850 --> 00:34:29,610 is that we're just trying to raise the bar to the adversary. 684 00:34:29,610 --> 00:34:32,219 We're trying to make it more expensive, more costly, 685 00:34:32,219 --> 00:34:35,790 maybe more risky to the adversary by slowing them down. 
686 00:34:35,790 --> 00:34:38,520 And by more risky I mean if this is like a Hollywood moment, 687 00:34:38,520 --> 00:34:42,147 and someone's just stolen the phone from your table at Starbucks or a coffee 688 00:34:42,147 --> 00:34:43,980 shop, they've plugged it into their laptop-- 689 00:34:43,980 --> 00:34:47,909 they're trying desperately to crack into it before you come back to the table-- 690 00:34:47,909 --> 00:34:50,639 well, by slowing them down, it's going to significantly 691 00:34:50,639 --> 00:34:54,960 increase the risk, too, that they are caught in the act while doing it. 692 00:34:54,960 --> 00:34:57,420 And hopefully, too, the goal is to just get 693 00:34:57,420 --> 00:35:00,600 them to lose interest in your phone, lose interest in your account, 694 00:35:00,600 --> 00:35:04,440 and have them move on to ideally no one else's, but at least, barring that, 695 00:35:04,440 --> 00:35:07,680 someone else's instead of yours. 696 00:35:07,680 --> 00:35:13,110 So what are other defenses against these kinds of brute force attacks, 697 00:35:13,110 --> 00:35:14,850 or even these dictionary attacks? 698 00:35:14,850 --> 00:35:20,490 Well, this is a system that you and I are increasingly being able to turn on, 699 00:35:20,490 --> 00:35:23,040 but also increasingly are being required to turn on 700 00:35:23,040 --> 00:35:27,750 as well, which is, in general, probably a good thing, 2-Factor Authentication, 701 00:35:27,750 --> 00:35:32,100 or 2FA, more generally known as multifactor authentication, 702 00:35:32,100 --> 00:35:36,870 is a technology whereby in addition to having one factor that you use 703 00:35:36,870 --> 00:35:39,600 to log in, like your password, as is tradition, 704 00:35:39,600 --> 00:35:42,660 you also have a second or maybe more factors 705 00:35:42,660 --> 00:35:45,720 that you additionally have to use in order to log in. 
706 00:35:45,720 --> 00:35:49,500 But these factors don't just generally mean one password, two passwords, 707 00:35:49,500 --> 00:35:50,790 three passwords, or the like. 708 00:35:50,790 --> 00:35:53,670 They're fundamentally different types of factors. 709 00:35:53,670 --> 00:35:56,770 And in general, they're broken down into these three categories. 710 00:35:56,770 --> 00:35:59,160 One is a knowledge category. 711 00:35:59,160 --> 00:36:02,640 A knowledge factor is just something like your password 712 00:36:02,640 --> 00:36:05,290 that ideally you keep secret, no one else knows, 713 00:36:05,290 --> 00:36:08,100 and that's why it enables you to authenticate yourself, 714 00:36:08,100 --> 00:36:12,780 prove that you are you because you and only you, hopefully, have that knowledge. 715 00:36:12,780 --> 00:36:16,020 But a second type of factor would be a possession factor, 716 00:36:16,020 --> 00:36:17,730 something that you physically have. 717 00:36:17,730 --> 00:36:20,280 So you might be in the habit at work of carrying around 718 00:36:20,280 --> 00:36:23,622 one of those little key fobs that has a little code on it that changes. 719 00:36:23,622 --> 00:36:25,080 Now, those things can be expensive. 720 00:36:25,080 --> 00:36:29,170 So increasingly the world is just using our own phones, your own Android phone, 721 00:36:29,170 --> 00:36:32,820 your own iPhone, that maybe has SMS support on it, 722 00:36:32,820 --> 00:36:35,460 text messaging, or maybe a specific app that 723 00:36:35,460 --> 00:36:38,340 displays a short code that you type in. 724 00:36:38,340 --> 00:36:42,960 The presumption is that if you challenge the user not only for a knowledge 725 00:36:42,960 --> 00:36:46,710 factor, like their password, but a second factor, like something 726 00:36:46,710 --> 00:36:51,690 they possess, you significantly decrease the probability that an adversary is 727 00:36:51,690 --> 00:36:53,490 going to be able to get into that account. 
728 00:36:53,490 --> 00:36:57,210 Because whereas anyone on the internet, millions of people 729 00:36:57,210 --> 00:37:01,680 can be a threat to you by just figuring out or finding your password, 730 00:37:01,680 --> 00:37:04,170 a possession factor really narrows the scope 731 00:37:04,170 --> 00:37:07,830 of the threat to only the other customers in Starbucks or the coffee 732 00:37:07,830 --> 00:37:10,680 shop, only the other people physically near you 733 00:37:10,680 --> 00:37:14,340 because they would have to physically obtain that second possession factor. 734 00:37:14,340 --> 00:37:16,650 And then a third type of factor nowadays might 735 00:37:16,650 --> 00:37:20,250 be an inherence, something that is unique to you 736 00:37:20,250 --> 00:37:23,220 specifically, more generally described as biometrics. 737 00:37:23,220 --> 00:37:24,810 So maybe it's your fingerprints. 738 00:37:24,810 --> 00:37:26,640 Maybe it is your face nowadays. 739 00:37:26,640 --> 00:37:29,880 Something that's inherent to you can be a third factor 740 00:37:29,880 --> 00:37:34,170 nowadays because the presumption is that only you, ideally, in the world 741 00:37:34,170 --> 00:37:36,452 have exactly that factor as well. 742 00:37:36,452 --> 00:37:38,160 Now, this is a little different from what 743 00:37:38,160 --> 00:37:42,840 some companies, some websites, some apps describe as two-step authentication, 744 00:37:42,840 --> 00:37:46,930 where two steps might actually just be two passwords of some sort. 745 00:37:46,930 --> 00:37:51,100 But two factor more technically refers to two or more 746 00:37:51,100 --> 00:37:55,420 of these types of fundamentally different factors, that 747 00:37:55,420 --> 00:37:58,160 being the most common in our case here. 
748 00:37:58,160 --> 00:38:01,300 Now, when it comes to those possession factors, those key fobs 749 00:38:01,300 --> 00:38:03,190 or the apps or the codes that you receive, 750 00:38:03,190 --> 00:38:05,290 specifically what you're receiving in those models 751 00:38:05,290 --> 00:38:09,280 is generally known as a One-Time Password, or OTP. 752 00:38:09,280 --> 00:38:11,680 The idea being that this is not a password 753 00:38:11,680 --> 00:38:15,290 that you know and keep remembering and keep using again and again. 754 00:38:15,290 --> 00:38:18,160 It's literally one time because it's texted to you, 755 00:38:18,160 --> 00:38:20,950 or it's sent via an app via push notification, 756 00:38:20,950 --> 00:38:26,590 or it's actually sent to something on your keychain, like this here key fob, 757 00:38:26,590 --> 00:38:27,250 for instance. 758 00:38:27,250 --> 00:38:29,060 Nowadays, your company can buy these. 759 00:38:29,060 --> 00:38:32,800 And what happens is on the screen here, this one-time password 760 00:38:32,800 --> 00:38:35,260 constantly changes every few seconds. 761 00:38:35,260 --> 00:38:37,330 And it's synchronized somehow with a server 762 00:38:37,330 --> 00:38:40,480 so that the presumption is if I am carrying around this device, 763 00:38:40,480 --> 00:38:44,180 and I type in when prompted, this particular code, 764 00:38:44,180 --> 00:38:47,470 and that code matches the synchronized code that's on the server, 765 00:38:47,470 --> 00:38:50,180 I should be allowed into the account because the presumption is 766 00:38:50,180 --> 00:38:53,270 that it's indeed David carrying this around and not necessarily 767 00:38:53,270 --> 00:38:54,110 some adversary. 
768 00:38:54,110 --> 00:38:58,430 It might also be possible to plug it in as via USB or some other technology, 769 00:38:58,430 --> 00:39:01,080 thereby removing the human from the formula 770 00:39:01,080 --> 00:39:03,560 so that the device itself can just authenticate using 771 00:39:03,560 --> 00:39:06,230 special software on the system instead. 772 00:39:06,230 --> 00:39:08,882 Nowadays, though, you can download special apps, 773 00:39:08,882 --> 00:39:11,090 whether it's one from Google or other companies, that 774 00:39:11,090 --> 00:39:15,320 allow you to manage, all in one place, all of these one-time passwords 775 00:39:15,320 --> 00:39:18,080 that you might automatically see updating on the screen. 776 00:39:18,080 --> 00:39:20,750 And you can type any or all of them in when you're actually 777 00:39:20,750 --> 00:39:23,180 prompted by a website or app. 778 00:39:23,180 --> 00:39:28,790 But even in this space of one-time passwords and possession factors, 779 00:39:28,790 --> 00:39:31,640 it's worth keeping in mind that some of these technologies 780 00:39:31,640 --> 00:39:33,720 are more secure than others. 781 00:39:33,720 --> 00:39:35,720 Now, it's very common for websites or apps 782 00:39:35,720 --> 00:39:39,350 nowadays to want to send you one of these one-time passwords via text 783 00:39:39,350 --> 00:39:40,670 message, for instance. 784 00:39:40,670 --> 00:39:42,470 And you receive it via SMS. 785 00:39:42,470 --> 00:39:46,490 And then you can type in that six-digit code, as is often the case. 786 00:39:46,490 --> 00:39:50,300 More secure, though, would be something like an actual app 787 00:39:50,300 --> 00:39:52,610 that you install from the App Store or the Google Play 788 00:39:52,610 --> 00:39:55,550 store that actually talks directly to some server 789 00:39:55,550 --> 00:39:58,700 and does not just go over the cellular phone network. 790 00:39:58,700 --> 00:39:59,580 Why is that? 
791 00:39:59,580 --> 00:40:02,870 Well, as you might know, in your phone is typically 792 00:40:02,870 --> 00:40:06,497 a SIM card, either a physical card, a little chip, or nowadays 793 00:40:06,497 --> 00:40:08,580 it might actually be built into the phone as well. 794 00:40:08,580 --> 00:40:11,190 But that SIM card has a unique identifier. 795 00:40:11,190 --> 00:40:14,240 And when you sign up for phone service, typically, with a company, 796 00:40:14,240 --> 00:40:18,380 they need to know what the unique identifier is of your SIM card, 797 00:40:18,380 --> 00:40:22,200 be it something physical or something wired, hardwired into your device. 798 00:40:22,200 --> 00:40:22,700 Why? 799 00:40:22,700 --> 00:40:26,600 Because that's how they associate your phone number with that specific device. 800 00:40:26,600 --> 00:40:32,000 The catch is that it's all too possible, and in some cases, all too easy, 801 00:40:32,000 --> 00:40:36,950 to trick, even the phone companies, into swapping your SIM not necessarily doing 802 00:40:36,950 --> 00:40:39,920 it physically per se, but convincing the mobile phone 803 00:40:39,920 --> 00:40:42,980 carriers to update their system to say, oh, 804 00:40:42,980 --> 00:40:47,030 David now has this SIM card and not that original one. 805 00:40:47,030 --> 00:40:49,100 That is to say, if I'm an adversary and I just 806 00:40:49,100 --> 00:40:51,140 have any old phone with any old SIM card, 807 00:40:51,140 --> 00:40:54,170 and I figure out what the unique ID is, and maybe I call up 808 00:40:54,170 --> 00:40:58,520 David's mobile phone provider, and I somehow convince them 809 00:40:58,520 --> 00:41:04,790 that I am David by tricking them into believing it's me, as by telling them 810 00:41:04,790 --> 00:41:06,960 all of that personal information about myself, 811 00:41:06,960 --> 00:41:10,640 I might be able to convince them to swap my SIM card, 812 00:41:10,640 --> 00:41:13,670 the adversary's, with what is already on file. 
813 00:41:13,670 --> 00:41:18,680 The implication of that is that when David subsequently gets text messages, 814 00:41:18,680 --> 00:41:21,230 they don't actually go to me, the real David. 815 00:41:21,230 --> 00:41:26,310 They go to the adversary's phone as well because they're tied to that SIM card. 816 00:41:26,310 --> 00:41:28,940 So in general nowadays, if you have a choice, 817 00:41:28,940 --> 00:41:33,920 using some website or app to use SMS or text-based messaging 818 00:41:33,920 --> 00:41:37,160 versus a native application that you install 819 00:41:37,160 --> 00:41:40,400 onto your phone or other device, you should generally 820 00:41:40,400 --> 00:41:43,760 prefer the latter, some first-class piece of software 821 00:41:43,760 --> 00:41:46,430 that actually uses push notifications or your data plan 822 00:41:46,430 --> 00:41:52,260 and does not rely on SMS text messaging because of this potential threat. 823 00:41:52,260 --> 00:41:57,420 So what are still other threats when it comes to these systems? 824 00:41:57,420 --> 00:42:01,100 Well, it turns out that it's very possible, unfortunately, 825 00:42:01,100 --> 00:42:04,790 for adversaries to somehow get software, malicious software, 826 00:42:04,790 --> 00:42:07,940 otherwise known as malware, onto your Mac, onto your PC, 827 00:42:07,940 --> 00:42:09,770 perhaps even onto your phone. 828 00:42:09,770 --> 00:42:12,170 This might be because you installed a piece of software 829 00:42:12,170 --> 00:42:13,640 that you shouldn't have trusted. 830 00:42:13,640 --> 00:42:15,950 This might be because your phone or your device 831 00:42:15,950 --> 00:42:18,530 is infected with something like a virus or a worm. 832 00:42:18,530 --> 00:42:21,860 But in general, you might be vulnerable to malware, 833 00:42:21,860 --> 00:42:25,190 including software that logs all of your keystrokes.
834 00:42:25,190 --> 00:42:28,430 Key logging refers to exactly that, some piece of software 835 00:42:28,430 --> 00:42:32,750 that most likely maliciously is literally recording everything you type 836 00:42:32,750 --> 00:42:35,090 or everything you tap into that device. 837 00:42:35,090 --> 00:42:37,400 And what does this software do with those keystrokes? 838 00:42:37,400 --> 00:42:39,110 Very often it will upload them. 839 00:42:39,110 --> 00:42:41,480 If there's an internet connection, maybe to a server 840 00:42:41,480 --> 00:42:43,130 that the adversary controls. 841 00:42:43,130 --> 00:42:46,010 Now, what's the implication of this key logging threat? 842 00:42:46,010 --> 00:42:49,222 Well, if you're typing in your username, that's not such a big deal 843 00:42:49,222 --> 00:42:50,680 because those are generally public. 844 00:42:50,680 --> 00:42:53,010 But if you're typing in your password, and that's 845 00:42:53,010 --> 00:42:55,470 being automatically uploaded to the adversary's server, 846 00:42:55,470 --> 00:42:57,750 now they know your username and your password.
847 00:42:57,750 --> 00:43:00,930 Worse, if the adversary also sees you typing 848 00:43:00,930 --> 00:43:04,440 in that six-digit code, your one-time password 849 00:43:04,440 --> 00:43:07,470 that you might have received even from your phone or some other device, 850 00:43:07,470 --> 00:43:11,040 if they are fast enough and smart enough and figure out 851 00:43:11,040 --> 00:43:15,720 how to log what you're typing, send it to the server, perhaps even before you 852 00:43:15,720 --> 00:43:19,800 yourself hit Enter, maybe they can use not only your username 853 00:43:19,800 --> 00:43:23,160 and your password, but even that one-time password 854 00:43:23,160 --> 00:43:28,170 by pretending to be on their own phone or their own laptop or desktop, 855 00:43:28,170 --> 00:43:31,350 typing in or more realistically, automatically 856 00:43:31,350 --> 00:43:34,170 through software typing in those same values 857 00:43:34,170 --> 00:43:39,760 and accessing your account even before you had a chance to do so as well. 858 00:43:39,760 --> 00:43:42,690 Now what are the defenses against that particular threat? 859 00:43:42,690 --> 00:43:47,400 Really just to be generally paranoid about what computers you yourself use. 860 00:43:47,400 --> 00:43:50,530 For instance, nowadays I will rarely, if ever, 861 00:43:50,530 --> 00:43:55,480 actually use an internet cafe's computer or even a lab computer 862 00:43:55,480 --> 00:43:58,780 here on Harvard's campus, or frankly, even a friend's computer 863 00:43:58,780 --> 00:44:03,100 because I don't know just how safe they are when it comes to best practices 864 00:44:03,100 --> 00:44:05,150 using their device on the internet. 
865 00:44:05,150 --> 00:44:08,260 I will in general only log into websites and apps 866 00:44:08,260 --> 00:44:12,370 on my own personal devices, which isn't to say that I, too, am perfect, 867 00:44:12,370 --> 00:44:15,520 but rather at least I'm reducing the probability 868 00:44:15,520 --> 00:44:20,290 that I lose control over my data by using some other device that I myself 869 00:44:20,290 --> 00:44:24,010 don't oversee by that person, that owner, 870 00:44:24,010 --> 00:44:26,920 not themselves adhering to best practices. 871 00:44:26,920 --> 00:44:30,700 Now, even then, I will admit, that using key logging 872 00:44:30,700 --> 00:44:33,010 and getting it up to an adversary's server 873 00:44:33,010 --> 00:44:38,320 and inputting it faster than you might is a pretty sophisticated and difficult 874 00:44:38,320 --> 00:44:38,860 threat. 875 00:44:38,860 --> 00:44:43,900 But it's worth keeping in mind and realizing that these are certainly 876 00:44:43,900 --> 00:44:46,000 theoretical attacks. 877 00:44:46,000 --> 00:44:48,790 And if you yourself are targeted for some reason, 878 00:44:48,790 --> 00:44:51,680 these are absolutely things you should be mindful of. 879 00:44:51,680 --> 00:44:55,450 So in general, if you have the luxury of only using your own device 880 00:44:55,450 --> 00:45:01,720 and not some shared device that, too, tends to be best practice, I would say. 881 00:45:01,720 --> 00:45:05,860 Any questions on these here attacks? 882 00:45:05,860 --> 00:45:08,110 AUDIENCE: Regarding using long passwords, 883 00:45:08,110 --> 00:45:13,600 do you recommend using Google passwords or Apple passwords for the system 884 00:45:13,600 --> 00:45:15,400 to remember the passwords for us? 885 00:45:15,400 --> 00:45:16,900 DAVID MALAN: A really good question. 886 00:45:16,900 --> 00:45:18,608 Short answer, yes, but we'll come to that 887 00:45:18,608 --> 00:45:20,390 in more detail in just a few minutes. 
888 00:45:20,390 --> 00:45:23,598 So what are other attacks that we should be mindful of? 889 00:45:23,598 --> 00:45:26,140 So this one has kind of a funny name, but there's this attack 890 00:45:26,140 --> 00:45:27,970 known as credential stuffing. 891 00:45:27,970 --> 00:45:32,830 And we've come across reference to this already in this discussion thus far. 892 00:45:32,830 --> 00:45:35,710 Credential stuffing-- a credential is something like a username 893 00:45:35,710 --> 00:45:39,490 and password-- refers to the process of an adversary 894 00:45:39,490 --> 00:45:43,210 having found a whole bunch of usernames and passwords, maybe online, 895 00:45:43,210 --> 00:45:45,580 maybe in some database that they or someone else 896 00:45:45,580 --> 00:45:48,520 attacked and posted for the whole world to download. 897 00:45:48,520 --> 00:45:53,380 Credential stuffing means not using dictionaries, not using brute force, 898 00:45:53,380 --> 00:45:57,950 but just literally using a list of already known usernames and passwords, 899 00:45:57,950 --> 00:46:00,430 maybe from some other application or website, 900 00:46:00,430 --> 00:46:03,490 to try to stuff them into a different website 901 00:46:03,490 --> 00:46:07,420 to see if, well, maybe if David's using this username and password over here, 902 00:46:07,420 --> 00:46:10,420 with high probability, he's probably using the same username 903 00:46:10,420 --> 00:46:11,750 and password over here. 904 00:46:11,750 --> 00:46:15,400 So credential stuffing is the threat that, I daresay, many of you 905 00:46:15,400 --> 00:46:16,600 are vulnerable to. 906 00:46:16,600 --> 00:46:19,670 Now, you don't need to raise your hands and admit to this right now. 907 00:46:19,670 --> 00:46:23,740 But if you are using the same username and the same password 908 00:46:23,740 --> 00:46:28,390 on 2 websites, 3 websites, 30 websites, all 909 00:46:28,390 --> 00:46:31,630 websites you are today vulnerable to this attack. 
910 00:46:31,630 --> 00:46:34,900 To be clear, if any one of those websites or apps 911 00:46:34,900 --> 00:46:39,220 is compromised by some adversary and they figure out all of the usernames 912 00:46:39,220 --> 00:46:42,520 and passwords on that system, what a smart adversary is going to do now 913 00:46:42,520 --> 00:46:44,840 is to try that same username and password, 914 00:46:44,840 --> 00:46:49,900 they found for you on Amazon, on Gmail, on any other website or app 915 00:46:49,900 --> 00:46:53,530 that you with high probability might be using just because those services are 916 00:46:53,530 --> 00:46:54,220 popular. 917 00:46:54,220 --> 00:46:55,780 So what's the takeaway? 918 00:46:55,780 --> 00:47:00,103 Ideally, if you want to be immune to this kind of credential stuffing 919 00:47:00,103 --> 00:47:02,770 attack, where someone takes your credentials over here and tries 920 00:47:02,770 --> 00:47:05,380 to stuff them into these other services over here, 921 00:47:05,380 --> 00:47:09,760 you have to use different credentials on each and every website, 922 00:47:09,760 --> 00:47:10,900 on each and every app. 923 00:47:10,900 --> 00:47:16,720 You cannot, should not be reusing the same password on multiple websites 924 00:47:16,720 --> 00:47:17,320 or apps. 925 00:47:17,320 --> 00:47:18,040 Username? 926 00:47:18,040 --> 00:47:20,300 Yes, especially if it's your email address. 927 00:47:20,300 --> 00:47:21,640 But passwords, no. 928 00:47:21,640 --> 00:47:23,630 Now, this is admittedly easier said than done. 929 00:47:23,630 --> 00:47:27,790 So we'll see soon how we can try to achieve this, avoiding credential 930 00:47:27,790 --> 00:47:30,820 stuffing by having unique passwords, by at least having some help 931 00:47:30,820 --> 00:47:32,740 when it comes to managing the same. 932 00:47:32,740 --> 00:47:35,620 But there's another attack too that's come up indirectly here 933 00:47:35,620 --> 00:47:38,420 already known as social engineering. 
934 00:47:38,420 --> 00:47:42,880 Social engineering isn't a technical attack per se, but rather 935 00:47:42,880 --> 00:47:45,580 a social one, an attack among humans. 936 00:47:45,580 --> 00:47:47,930 For instance, let me go ahead and suggest the following. 937 00:47:47,930 --> 00:47:51,820 If you have a piece of paper near you and a pen or pencil, 938 00:47:51,820 --> 00:47:54,640 go ahead and write down, if you could, on that piece 939 00:47:54,640 --> 00:47:57,160 of paper one of your passwords. 940 00:47:57,160 --> 00:47:59,210 Any of them is fine. 941 00:47:59,210 --> 00:48:02,650 Just go ahead on this piece of paper in front of you 942 00:48:02,650 --> 00:48:06,490 and write down one of your passwords, including 943 00:48:06,490 --> 00:48:11,810 any letters or digits or punctuation. 944 00:48:11,810 --> 00:48:14,870 Now, I'm seeing in the chat some resistance. 945 00:48:14,870 --> 00:48:17,420 I'm seeing some heads down though and some scribbling, 946 00:48:17,420 --> 00:48:18,890 which is exactly the point. 947 00:48:18,890 --> 00:48:22,580 Why would you take my suggestion and write down your password 948 00:48:22,580 --> 00:48:25,580 on a piece of paper, even though I'm presumably 949 00:48:25,580 --> 00:48:28,370 someone you should trust in a cybersecurity class? 950 00:48:28,370 --> 00:48:31,010 Those of you who reached for a pen or pencil, just 951 00:48:31,010 --> 00:48:33,200 wrote down one of your passwords on a sheet 952 00:48:33,200 --> 00:48:37,850 of paper were just socially engineered because a circumstance was created 953 00:48:37,850 --> 00:48:41,540 where you believed or trusted the person that was asking or telling 954 00:48:41,540 --> 00:48:43,910 you to do something, and you took at face value 955 00:48:43,910 --> 00:48:45,650 that you should do that thing. 
956 00:48:45,650 --> 00:48:49,520 Moving forward, if any teacher ever asks you to write down 957 00:48:49,520 --> 00:48:54,530 a password on a piece of paper, one takeaway for today is just don't do it. 958 00:48:54,530 --> 00:48:56,300 That would be social engineering. 959 00:48:56,300 --> 00:49:00,350 And in general, if someone calls you on the phone, sends you an email 960 00:49:00,350 --> 00:49:05,600 and tries to get information from you, even if it seems and sounds legitimate, 961 00:49:05,600 --> 00:49:08,360 moving forward after today, especially, should always 962 00:49:08,360 --> 00:49:12,510 have a healthy skepticism, if not just enough paranoia 963 00:49:12,510 --> 00:49:15,750 to be healthy in the interests of protecting your account. 964 00:49:15,750 --> 00:49:17,970 Moving forward, if you had someone ask you 965 00:49:17,970 --> 00:49:20,160 something like that or even a little more nefarious, 966 00:49:20,160 --> 00:49:23,250 trying to figure out what your first pet was 967 00:49:23,250 --> 00:49:26,880 or something should kind of perk your ears up. 968 00:49:26,880 --> 00:49:30,300 Your Spidey senses should go up, so to speak, in the context of Spider-Man. 969 00:49:30,300 --> 00:49:34,470 And you should wonder, wait a minute, why do they need that information? 970 00:49:34,470 --> 00:49:38,730 Let me see how this plays out before I share anything about myself. 971 00:49:38,730 --> 00:49:41,380 And indeed, if you were, bless your hearts. 972 00:49:41,380 --> 00:49:44,800 But if you did jot down your password with a pen or pencil, 973 00:49:44,800 --> 00:49:47,850 remember that feeling of being duped because you do not 974 00:49:47,850 --> 00:49:50,100 want that to happen when it actually matters. 975 00:49:50,100 --> 00:49:52,890 Now, after this, now, I know you'll believe nothing I say. 976 00:49:52,890 --> 00:49:56,490 But go shred or tear up or flush whatever piece of paper 977 00:49:56,490 --> 00:49:57,730 has that password on it. 
978 00:49:57,730 --> 00:49:59,460 The point is not to share it with anyone, 979 00:49:59,460 --> 00:50:01,870 just to prove that particular point. 980 00:50:01,870 --> 00:50:05,520 Now, beyond social engineering, there's another threat 981 00:50:05,520 --> 00:50:08,425 that's a variant of that, but is more technical in nature. 982 00:50:08,425 --> 00:50:09,300 And that is phishing. 983 00:50:09,300 --> 00:50:12,900 And most of you probably have heard about phishing in this context. 984 00:50:12,900 --> 00:50:15,900 And you can think about it sort of physically like going fishing, 985 00:50:15,900 --> 00:50:19,830 but trying to hook a sucker, someone like me or you who is duped 986 00:50:19,830 --> 00:50:22,470 into providing information that they shouldn't. 987 00:50:22,470 --> 00:50:24,600 And this very often happens via emails. 988 00:50:24,600 --> 00:50:26,970 Odds are, if you go through your spam folder sometime, 989 00:50:26,970 --> 00:50:31,260 you will see emails that seem to be coming from paypal.com 990 00:50:31,260 --> 00:50:35,610 or seem to be coming from Google or maybe a politician or the like. 991 00:50:35,610 --> 00:50:40,080 And very often those emails are encouraging you to click a link 992 00:50:40,080 --> 00:50:44,790 and maybe make a donation, click a link, maybe change your password, 993 00:50:44,790 --> 00:50:48,270 click a link, and verify your information. 994 00:50:48,270 --> 00:50:51,660 Phishing is all about trying to use social engineering, 995 00:50:51,660 --> 00:50:54,810 in this case in a technical way, to try to convince you 996 00:50:54,810 --> 00:50:58,320 through very convincing looking emails and even websites that it 997 00:50:58,320 --> 00:51:01,440 is a legitimate email from paypal.com or it 998 00:51:01,440 --> 00:51:05,130 is a legitimate email from a politician or it is a legitimate email 999 00:51:05,130 --> 00:51:07,410 or request from a teacher here at Harvard. 1000 00:51:07,410 --> 00:51:08,430 But it's not. 
1001 00:51:08,430 --> 00:51:10,920 What they're trying to do, the adversaries in this case, 1002 00:51:10,920 --> 00:51:15,690 are prey on your trust for those certain companies or persons. 1003 00:51:15,690 --> 00:51:21,090 They're trying to prey on your comfort with familiar user interfaces, things 1004 00:51:21,090 --> 00:51:22,410 that you've seen before. 1005 00:51:22,410 --> 00:51:26,040 But unfortunately, it's all too easy for an adversary 1006 00:51:26,040 --> 00:51:29,940 to make a very official-looking email, to make a very legitimate-looking 1007 00:51:29,940 --> 00:51:33,570 website, even one that looks identical to paypal.com, 1008 00:51:33,570 --> 00:51:36,210 identical to Gmail or other services. 1009 00:51:36,210 --> 00:51:38,535 And frankly, if you take some of CS50's other courses, 1010 00:51:38,535 --> 00:51:43,260 it kind of boils down to copy and paste in the simplest of scenarios, 1011 00:51:43,260 --> 00:51:45,510 just copying and pasting some legitimate website 1012 00:51:45,510 --> 00:51:47,550 and pretending that you own it too. 1013 00:51:47,550 --> 00:51:50,260 So how might phishing manifest itself in the real world? 1014 00:51:50,260 --> 00:51:52,540 Well, consider one of those social media posts 1015 00:51:52,540 --> 00:51:56,310 online that tend to invite you to comment with your favorite song 1016 00:51:56,310 --> 00:51:57,330 from childhood. 1017 00:51:57,330 --> 00:51:59,730 Sometimes those posts have a million responses 1018 00:51:59,730 --> 00:52:01,740 from people you know and don't even know. 
1019 00:52:01,740 --> 00:52:05,340 But more than being interested in what your childhood favorite song was, 1020 00:52:05,340 --> 00:52:09,240 those posts are very often phishing for personal information 1021 00:52:09,240 --> 00:52:12,540 because suppose that you, or at least someone among those comments 1022 00:52:12,540 --> 00:52:16,350 is actually using their favorite childhood song as their answer 1023 00:52:16,350 --> 00:52:18,540 to some website or app secret question. 1024 00:52:18,540 --> 00:52:21,570 Now the author of that post, not to mention everyone else, 1025 00:52:21,570 --> 00:52:24,280 knows the answer to the same. 1026 00:52:24,280 --> 00:52:27,450 So how else might phishing manifest itself in the real world? 1027 00:52:27,450 --> 00:52:29,790 If you were to visit a screen later today that 1028 00:52:29,790 --> 00:52:32,370 looks a little something like this, well, this 1029 00:52:32,370 --> 00:52:36,780 looks like Gmail's login page, at least here in the US when using English. 1030 00:52:36,780 --> 00:52:38,940 And frankly, I've seen this so many times 1031 00:52:38,940 --> 00:52:42,240 that I might be inclined to just blindly type into the form 1032 00:52:42,240 --> 00:52:46,230 my email address and then after that probably my password. 1033 00:52:46,230 --> 00:52:50,370 But it's important to begin to develop an intuition or a suspicion 1034 00:52:50,370 --> 00:52:54,690 for when and when these sites might not be legitimate. 1035 00:52:54,690 --> 00:52:55,840 How might you do that? 1036 00:52:55,840 --> 00:52:58,410 Well, you should minimally be looking at the URL bar 1037 00:52:58,410 --> 00:53:03,600 and making sure that it is gmail.com or probably google.com 1038 00:53:03,600 --> 00:53:06,210 or whatever google dot country code, depending 1039 00:53:06,210 --> 00:53:09,630 on where you live in the world, making sure that it looks legitimate 1040 00:53:09,630 --> 00:53:11,790 and that you've actually been there before.
1041 00:53:11,790 --> 00:53:15,000 When you hover over links, you can very commonly in your browser 1042 00:53:15,000 --> 00:53:18,460 look at the bottom, left-hand corner or some corner of your screen. 1043 00:53:18,460 --> 00:53:22,830 And you can see what URL a link will actually take you to. 1044 00:53:22,830 --> 00:53:25,710 Even though the words on the screen might say something, 1045 00:53:25,710 --> 00:53:28,380 the actual link might take you somewhere else. 1046 00:53:28,380 --> 00:53:32,020 Now, even then, it's hard sometimes to discern these kinds of things. 1047 00:53:32,020 --> 00:53:35,220 But these are just best practices. 1048 00:53:35,220 --> 00:53:38,520 You don't need to be so worried that you don't go anywhere on the internet. 1049 00:53:38,520 --> 00:53:41,410 But you should learn to keep an eye out for these kinds of things. 1050 00:53:41,410 --> 00:53:45,280 And in general, with phishing, rather than trust any link in an email 1051 00:53:45,280 --> 00:53:47,280 that you receive, especially when it's something 1052 00:53:47,280 --> 00:53:50,940 private like a bank account, something medical, something personal, 1053 00:53:50,940 --> 00:53:51,810 well, that's fine. 1054 00:53:51,810 --> 00:53:55,620 Open a new tab and manually go to paypal.com, 1055 00:53:55,620 --> 00:53:58,830 Enter, or manually go to gmail.com, Enter. 1056 00:53:58,830 --> 00:54:00,840 Don't just blindly trust these links. 1057 00:54:00,840 --> 00:54:04,570 Now, here again, we see a trade off between usability and security. 1058 00:54:04,570 --> 00:54:07,290 It's a little annoying if I can't just click on a link 1059 00:54:07,290 --> 00:54:09,030 and go to the place I want to go. 1060 00:54:09,030 --> 00:54:12,890 You have to manually open the page, type it in manually, and so forth. 
1061 00:54:12,890 --> 00:54:15,460 But again, it depends on what's now more important to you, 1062 00:54:15,460 --> 00:54:21,910 the usability of that service or the security of your account therein. 1063 00:54:21,910 --> 00:54:25,420 This is even more worrisome when it comes to two-step verification. 1064 00:54:25,420 --> 00:54:27,670 And Google takes some liberties with the wording here. 1065 00:54:27,670 --> 00:54:31,120 This is usually best described as two-factor authentication. 1066 00:54:31,120 --> 00:54:33,790 But again, the most sophisticated of adversaries, 1067 00:54:33,790 --> 00:54:37,270 theoretically, if they sent you a phishing email, 1068 00:54:37,270 --> 00:54:41,560 tricked you into visiting a website that looks like Gmail but is not Gmail. 1069 00:54:41,560 --> 00:54:46,540 They could theoretically even prompt you for a two-factor code like this. 1070 00:54:46,540 --> 00:54:48,940 And then if they're smart and savvy enough with code, 1071 00:54:48,940 --> 00:54:52,240 they could automatically now send your username, your password, 1072 00:54:52,240 --> 00:54:57,700 and a two-factor code maybe to the real gmail.com, log into your account, 1073 00:54:57,700 --> 00:55:01,787 change your password before you even get up and running therein. 1074 00:55:01,787 --> 00:55:04,120 It's a more sophisticated threat, and it's not something 1075 00:55:04,120 --> 00:55:05,530 you need to worry about as much. 1076 00:55:05,530 --> 00:55:10,600 But it's this principle of not just trusting screens and requests that 1077 00:55:10,600 --> 00:55:12,010 are presented in front of you. 1078 00:55:12,010 --> 00:55:15,370 You should have this healthy skepticism and at least some technical savvy 1079 00:55:15,370 --> 00:55:18,190 to know how you can decide for yourself, yes, I 1080 00:55:18,190 --> 00:55:21,530 am comfortable with proceeding with this step.
1081 00:55:21,530 --> 00:55:24,940 Now, there's another type of attack, too, that's more sophisticated 1082 00:55:24,940 --> 00:55:28,940 and not one you need to worry about as frequently as some of the earlier ones. 1083 00:55:28,940 --> 00:55:32,290 But they're generally known as a machine-in-the-middle attack. 1084 00:55:32,290 --> 00:55:35,590 Whereby, if you're on the internet, there are, suffice it to say, 1085 00:55:35,590 --> 00:55:40,090 many other machines on the internet, very often, between you and whatever 1086 00:55:40,090 --> 00:55:42,310 website or app you're visiting. 1087 00:55:42,310 --> 00:55:45,190 Often those machines might be things like routers, 1088 00:55:45,190 --> 00:55:48,910 servers that internet service providers companies, universities, 1089 00:55:48,910 --> 00:55:51,460 maybe even your own home owns and controls. 1090 00:55:51,460 --> 00:55:54,460 But all of your data is passing through those machines 1091 00:55:54,460 --> 00:55:55,930 in the middle, so to speak. 1092 00:55:55,930 --> 00:55:59,920 If any of them are malicious and are maybe storing your data, 1093 00:55:59,920 --> 00:56:03,160 looking at your data, it's possible that you might not 1094 00:56:03,160 --> 00:56:06,040 be having secure communications with the other end 1095 00:56:06,040 --> 00:56:08,410 unless you are using certain defenses. 1096 00:56:08,410 --> 00:56:10,810 And in our focus in this class on data, we'll 1097 00:56:10,810 --> 00:56:14,460 talk about cryptography and encryption and building blocks 1098 00:56:14,460 --> 00:56:16,680 via which we can mitigate attacks like these. 1099 00:56:16,680 --> 00:56:18,810 But it's worth knowing about this general idea 1100 00:56:18,810 --> 00:56:22,770 that even though it feels like it's only you and amazon.com, 1101 00:56:22,770 --> 00:56:26,490 it's only you and paypal.com, it's only you and WhatsApp, 1102 00:56:26,490 --> 00:56:29,680 there are many other machines in the middle. 
1103 00:56:29,680 --> 00:56:32,280 And if you're not using the best practices, 1104 00:56:32,280 --> 00:56:35,310 and if you're not keeping an eye out for those things suspicious, 1105 00:56:35,310 --> 00:56:39,120 those machines in the middle might actually be there to attack you, 1106 00:56:39,120 --> 00:56:45,910 to take your data, to access your accounts or something more as well. 1107 00:56:45,910 --> 00:56:48,198 So there's a lot of attacks out there. 1108 00:56:48,198 --> 00:56:50,490 And at this point, you might be feeling a bit defeated. 1109 00:56:50,490 --> 00:56:53,880 But hopefully, we've presented at least enough defenses thus far, 1110 00:56:53,880 --> 00:56:55,680 and there are still a few more to come. 1111 00:56:55,680 --> 00:56:59,430 But let's consider now kind of the source of a lot of these problems. 1112 00:56:59,430 --> 00:57:02,280 Unfortunately, it's you, and it's me. 1113 00:57:02,280 --> 00:57:05,040 Like, the whole story here today started with you 1114 00:57:05,040 --> 00:57:07,140 and I are not very good at choosing passwords. 1115 00:57:07,140 --> 00:57:10,860 And we generally meet the minimal requirements, not necessarily 1116 00:57:10,860 --> 00:57:12,280 the best practices. 1117 00:57:12,280 --> 00:57:14,940 But again, there's these sociological side effects 1118 00:57:14,940 --> 00:57:18,450 of certain corporate policies or technical policies 1119 00:57:18,450 --> 00:57:22,140 that do induce this trade off between security and usability. 1120 00:57:22,140 --> 00:57:25,420 And it's one thing for me to preach here, so to speak, 1121 00:57:25,420 --> 00:57:29,220 and say, yes, you should use long, complicated passwords that are really 1122 00:57:29,220 --> 00:57:35,190 hard to guess with letters and digits and punctuation still, maybe even 64 1123 00:57:35,190 --> 00:57:39,450 characters if you want to be really secure, even if it's a longer phrase.
1124 00:57:39,450 --> 00:57:43,380 But honestly, there are also these pressures on me not doing that. 1125 00:57:43,380 --> 00:57:46,200 It's annoying to type in 64 characters. 1126 00:57:46,200 --> 00:57:48,780 It's annoying to type in eight characters if a lot of them 1127 00:57:48,780 --> 00:57:51,720 require uppercase, lowercase, punctuation, and the like. 1128 00:57:51,720 --> 00:57:56,580 And honestly, I have dozens, I have hundreds, maybe thousands of accounts 1129 00:57:56,580 --> 00:57:59,550 nowadays on the internet that have accumulated over time. 1130 00:57:59,550 --> 00:58:02,880 What am I going to do if it just gets difficult to remember these things? 1131 00:58:02,880 --> 00:58:07,740 Well, like you yourself might in your company, you might walk by their desk 1132 00:58:07,740 --> 00:58:11,840 and see on their monitor, the familiar yellow post-it note with one or more 1133 00:58:11,840 --> 00:58:13,280 of their passwords actually on it. 1134 00:58:13,280 --> 00:58:16,880 Maybe worse, you open their desk drawer, and there's a whole printout 1135 00:58:16,880 --> 00:58:18,590 of all of their username and passwords. 1136 00:58:18,590 --> 00:58:23,550 Or even beyond that, maybe they actually have a text file or an Excel file, 1137 00:58:23,550 --> 00:58:26,510 a CSV file on their computer thinking, well, at least it's all digital. 1138 00:58:26,510 --> 00:58:28,940 But it's just sitting there on their desktop. 1139 00:58:28,940 --> 00:58:32,930 And worse maybe it's called passwords.txt or the like. 1140 00:58:32,930 --> 00:58:35,330 But that's a very real side effect of having 1141 00:58:35,330 --> 00:58:39,270 policies and technical constraints that make it harder to use systems. 1142 00:58:39,270 --> 00:58:42,350 So what are some other defenses that either you can use 1143 00:58:42,350 --> 00:58:45,660 or maybe companies can use or offer to make things better? 
1144 00:58:45,660 --> 00:58:47,990 Well, a solution to some of these problems 1145 00:58:47,990 --> 00:58:50,990 might be this, Single Sign On, or SSO. 1146 00:58:50,990 --> 00:58:55,070 So single sign on refers to an ability to sign up for, 1147 00:58:55,070 --> 00:58:59,300 to log in to one's website using an account that you already 1148 00:58:59,300 --> 00:59:00,890 have on another website. 1149 00:59:00,890 --> 00:59:04,020 And very often the account that you use is one of the big ones, 1150 00:59:04,020 --> 00:59:06,630 one of the popular websites or applications out there. 1151 00:59:06,630 --> 00:59:09,860 So for instance, if you log in to this representative website 1152 00:59:09,860 --> 00:59:12,930 here, what you might see is, yes, a form field 1153 00:59:12,930 --> 00:59:16,860 via which you can type in your own email address and your password to log in. 1154 00:59:16,860 --> 00:59:20,070 Or if you prefer, you can just log in with Google, 1155 00:59:20,070 --> 00:59:22,350 or you can just log in with Facebook, or you can just 1156 00:59:22,350 --> 00:59:26,680 log in with any number of other services if this website or application supports 1157 00:59:26,680 --> 00:59:27,180 it. 1158 00:59:27,180 --> 00:59:28,720 Now, what's the motivation here? 1159 00:59:28,720 --> 00:59:31,420 Well, one, it's still backwards compatible, 1160 00:59:31,420 --> 00:59:34,320 so to speak, with the very familiar approach of just let 1161 00:59:34,320 --> 00:59:36,240 me register with my own email address. 1162 00:59:36,240 --> 00:59:38,190 Let me come up with my own password and be 1163 00:59:38,190 --> 00:59:42,480 done with it, especially if I don't use Google or Facebook as a customer. 
1164 00:59:42,480 --> 00:59:45,360 But the upside of offering these solutions, especially 1165 00:59:45,360 --> 00:59:48,990 for popular websites like Google and Facebook and others, 1166 00:59:48,990 --> 00:59:53,040 is that if I already have an account with Google or Facebook, 1167 00:59:53,040 --> 00:59:56,138 and hopefully I already have a good password for both 1168 00:59:56,138 --> 00:59:57,930 of those because those are important to me, 1169 00:59:57,930 --> 01:00:01,710 and better yet, I ideally have two-factor authentication enabled 1170 01:00:01,710 --> 01:00:05,460 on one or both of those, because again they're important accounts to me, 1171 01:00:05,460 --> 01:00:09,090 wouldn't it be nice for this new website to let me, one, 1172 01:00:09,090 --> 01:00:11,850 just log in with my existing account so that I 1173 01:00:11,850 --> 01:00:15,300 don't have to waste time signing up for yet another internet account? 1174 01:00:15,300 --> 01:00:18,660 Two, I don't have to remember a new password that's 1175 01:00:18,660 --> 01:00:20,740 going to be difficult to remember and so forth. 1176 01:00:20,740 --> 01:00:22,830 And so it decreases friction. 1177 01:00:22,830 --> 01:00:25,350 It increases usability of the system. 1178 01:00:25,350 --> 01:00:29,680 And ideally, it increases the security of the system in this case as well. 1179 01:00:29,680 --> 01:00:30,180 Why? 1180 01:00:30,180 --> 01:00:33,420 Because if you're doing a good job protecting at least these most 1181 01:00:33,420 --> 01:00:36,150 important personal accounts, then this website 1182 01:00:36,150 --> 01:00:39,900 stands to benefit from those same best practices on your part. 1183 01:00:39,900 --> 01:00:41,700 Now, what is actually happening here? 1184 01:00:41,700 --> 01:00:44,370 When you click Log in with Google, Log in with Facebook, 1185 01:00:44,370 --> 01:00:48,660 you should see the Google login screen or the Facebook login screen 1186 01:00:48,660 --> 01:00:49,380 respectively. 
1187 01:00:49,380 --> 01:00:53,370 You should literally be redirected in your browser to google.com 1188 01:00:53,370 --> 01:00:58,140 or facebook.com or one of their international domain names instead. 1189 01:00:58,140 --> 01:01:01,230 There, you'll type in your same username and password 1190 01:01:01,230 --> 01:01:02,970 as usual for Google or Facebook. 1191 01:01:02,970 --> 01:01:09,030 But that password is not given to this new website or this third-party website 1192 01:01:09,030 --> 01:01:11,280 you're visiting, rather using a technique 1193 01:01:11,280 --> 01:01:15,330 known as cryptography and encryption and some fancy math, essentially. 1194 01:01:15,330 --> 01:01:19,680 The username with which you log in is sent back 1195 01:01:19,680 --> 01:01:23,040 to this third-party website, but not your password, just 1196 01:01:23,040 --> 01:01:26,730 a confirmation that yes, David's successfully logged into Google, 1197 01:01:26,730 --> 01:01:28,830 or David successfully logged into Facebook. 1198 01:01:28,830 --> 01:01:33,930 Therefore you can trust that his username is malan@harvard.edu, 1199 01:01:33,930 --> 01:01:37,480 or whatever it is I typed in, to log in there. 1200 01:01:37,480 --> 01:01:40,920 So using single sign on benefits not only you 1201 01:01:40,920 --> 01:01:43,620 potentially but also the website or application 1202 01:01:43,620 --> 01:01:49,690 by making it easier for you to register and/or log in subsequently as well. 1203 01:01:49,690 --> 01:01:52,500 Now, where does this leave us ultimately? 1204 01:01:52,500 --> 01:01:54,430 Some of you might already be thinking, well, 1205 01:01:54,430 --> 01:01:56,190 what about using a password manager? 1206 01:01:56,190 --> 01:01:58,860 And some of you might be thinking, what is a password manager? 1207 01:01:58,860 --> 01:02:01,590 So let's emphasize this one perhaps the most. 
1208 01:02:01,590 --> 01:02:06,600 Increasingly, best practice is to use a piece of software 1209 01:02:06,600 --> 01:02:08,932 that manages your passwords for you. 1210 01:02:08,932 --> 01:02:11,640 Thankfully, there's going to be an even better solution than this 1211 01:02:11,640 --> 01:02:12,670 on the horizon. 1212 01:02:12,670 --> 01:02:16,390 But for now, minimally, if you're not using a password manager, 1213 01:02:16,390 --> 01:02:17,850 you probably should be. 1214 01:02:17,850 --> 01:02:21,420 If you're using the same password on multiple sites or applications, 1215 01:02:21,420 --> 01:02:23,910 and thus you're vulnerable to credential stuffing, 1216 01:02:23,910 --> 01:02:26,130 you should probably be using a password manager 1217 01:02:26,130 --> 01:02:28,590 instead so that you can change all of those accounts 1218 01:02:28,590 --> 01:02:30,180 to have unique passwords. 1219 01:02:30,180 --> 01:02:32,850 But this piece of software known as a password manager 1220 01:02:32,850 --> 01:02:35,640 can remember those passwords for you. 1221 01:02:35,640 --> 01:02:39,240 If you are in the habit of choosing very easy passwords because it's 1222 01:02:39,240 --> 01:02:41,550 just better for you to remember, you should probably 1223 01:02:41,550 --> 01:02:45,210 start using a password manager because beyond remembering your passwords, 1224 01:02:45,210 --> 01:02:49,260 these password managers also make it easy to generate new passwords. 1225 01:02:49,260 --> 01:02:51,240 You click a button, and essentially it will 1226 01:02:51,240 --> 01:02:54,030 generate a password that's however short or long that you 1227 01:02:54,030 --> 01:02:57,300 want with some uppercase, lowercase, symbols, numbers, 1228 01:02:57,300 --> 01:02:59,280 whatever it is a website requires. 1229 01:02:59,280 --> 01:03:01,230 It will just generate it for you. 1230 01:03:01,230 --> 01:03:05,080 And better yet, it will then save that generated password for you. 
1231 01:03:05,080 --> 01:03:06,947 So you the human do not need to memorize it, 1232 01:03:06,947 --> 01:03:09,030 and you the human certainly don't need to write it 1233 01:03:09,030 --> 01:03:12,690 down on a post-it note or any other file somewhere else. 1234 01:03:12,690 --> 01:03:15,230 So password managers literally do just that. 1235 01:03:15,230 --> 01:03:17,480 And they have even more features than that. 1236 01:03:17,480 --> 01:03:19,880 Generally, if you're using a password manager 1237 01:03:19,880 --> 01:03:23,720 and you go visit a website for the second time or the third time, 1238 01:03:23,720 --> 01:03:27,110 you can typically hit an automatic keystroke that 1239 01:03:27,110 --> 01:03:28,710 will just automatically log you in. 1240 01:03:28,710 --> 01:03:30,710 It will fill in your username and your password. 1241 01:03:30,710 --> 01:03:34,460 But better yet, it will only do so if you're 1242 01:03:34,460 --> 01:03:40,580 on the real gmail.com or the real facebook.com or the real paypal.com. 1243 01:03:40,580 --> 01:03:46,040 These password managers also remember the URL at which you created or last 1244 01:03:46,040 --> 01:03:50,000 used that username and password so that if you are somehow subject 1245 01:03:50,000 --> 01:03:53,725 to a phishing attack-- you've been tricked into clicking a link and going 1246 01:03:53,725 --> 01:03:56,100 to a website that looks like Google, looks like Facebook, 1247 01:03:56,100 --> 01:04:00,530 but actually isn't-- the password manager will ignore your keystrokes 1248 01:04:00,530 --> 01:04:05,450 and not actually log you in, pasting into that form your actual username 1249 01:04:05,450 --> 01:04:08,810 and password because it doesn't recognize that same URL. 1250 01:04:08,810 --> 01:04:12,350 So there are a lot of upsides of these password managers.
1251 01:04:12,350 --> 01:04:20,360 The one catch is that the onus is on you to remember one primary password that 1252 01:04:20,360 --> 01:04:23,330 protects your password manager itself. 1253 01:04:23,330 --> 01:04:25,610 That is to say, if this is a piece of software that 1254 01:04:25,610 --> 01:04:30,350 stores all of the dozens, hundreds, thousands of usernames and passwords 1255 01:04:30,350 --> 01:04:34,010 that you have, you are putting proverbially all of your eggs 1256 01:04:34,010 --> 01:04:36,050 in one basket, so to speak. 1257 01:04:36,050 --> 01:04:41,030 That is you want to protect this password manager with probably the best 1258 01:04:41,030 --> 01:04:43,310 password you've ever come up with. 1259 01:04:43,310 --> 01:04:45,080 This should probably be long. 1260 01:04:45,080 --> 01:04:47,120 It should have some complexity. 1261 01:04:47,120 --> 01:04:49,400 It should be a little annoying perhaps to type 1262 01:04:49,400 --> 01:04:53,090 in because you don't want an adversary to get in and get access 1263 01:04:53,090 --> 01:04:54,260 to everything else. 1264 01:04:54,260 --> 01:04:56,810 But it's just one password that we're really 1265 01:04:56,810 --> 01:05:00,530 asking you to pick really well and reasonably long 1266 01:05:00,530 --> 01:05:03,710 so that you're protecting everything else. 1267 01:05:03,710 --> 01:05:06,950 Now, these password managers are a little different 1268 01:05:06,950 --> 01:05:09,680 than what you're probably familiar with in your own browser. 1269 01:05:09,680 --> 01:05:13,880 It's been common for years for browsers to remember your username and password 1270 01:05:13,880 --> 01:05:17,100 by just showing you, like, bullets like, dot, dot, dot, in the form field. 1271 01:05:17,100 --> 01:05:18,230 So you can just hit Enter. 1272 01:05:18,230 --> 01:05:19,190 That's fine. 1273 01:05:19,190 --> 01:05:23,360 But that information is often associated only with that one browser. 
1274 01:05:23,360 --> 01:05:27,620 It doesn't propagate to your phone or another device that you're logged into. 1275 01:05:27,620 --> 01:05:29,448 It's not easy to share it with someone else 1276 01:05:29,448 --> 01:05:32,240 if you have a family account, for instance, or something like that. 1277 01:05:32,240 --> 01:05:36,860 So password managers often offer additional features beyond that 1278 01:05:36,860 --> 01:05:39,800 and really protect all of the things that you're using, 1279 01:05:39,800 --> 01:05:42,260 and also help you generate those same passwords. 1280 01:05:42,260 --> 01:05:46,640 Fortunately, thankfully nowadays, these are increasingly standard. 1281 01:05:46,640 --> 01:05:51,390 There are third-party options that you can find online or even purchase. 1282 01:05:51,390 --> 01:05:54,770 But they're increasingly built into our own operating systems, which 1283 01:05:54,770 --> 01:05:57,530 if I had to choose, especially for a less-technical audience, 1284 01:05:57,530 --> 01:06:01,040 using what comes with your computer from the major manufacturers 1285 01:06:01,040 --> 01:06:04,250 is probably a good thing as opposed to going 1286 01:06:04,250 --> 01:06:07,370 third party unless third parties offer you additional features 1287 01:06:07,370 --> 01:06:11,040 that might be especially beneficial in companies and families or the like. 1288 01:06:11,040 --> 01:06:15,290 So Apple has what they call their iCloud Keychain via which you can not only 1289 01:06:15,290 --> 01:06:19,310 save passwords on one device, they can propagate securely 1290 01:06:19,310 --> 01:06:21,440 to your other device, like your phone. 1291 01:06:21,440 --> 01:06:23,270 Google has its password manager. 1292 01:06:23,270 --> 01:06:25,280 Microsoft has its credential manager. 1293 01:06:25,280 --> 01:06:27,540 And there's certainly other options as well. 
1294 01:06:27,540 --> 01:06:29,540 The takeaway for today, though, should be 1295 01:06:29,540 --> 01:06:32,300 that if you're not using a password manager, 1296 01:06:32,300 --> 01:06:37,100 it's probably time to start doing so, at least for your most important accounts, 1297 01:06:37,100 --> 01:06:41,540 maybe things that are particularly personal, medical, financial, anything 1298 01:06:41,540 --> 01:06:45,380 where you or your family would really be upset if that account were somehow 1299 01:06:45,380 --> 01:06:46,160 compromised. 1300 01:06:46,160 --> 01:06:49,670 At least figure out how to start migrating those kinds of accounts 1301 01:06:49,670 --> 01:06:53,750 to a password manager and also enable some of our other best practices, 1302 01:06:53,750 --> 01:06:55,430 like two-factor authentication. 1303 01:06:55,430 --> 01:06:57,890 Better yet, don't just enable two-factor authentication. 1304 01:06:57,890 --> 01:06:59,870 Don't use SMS if you can. 1305 01:06:59,870 --> 01:07:04,580 Instead use like a native application on your phone or even a physical key fob 1306 01:07:04,580 --> 01:07:06,947 just to decrease the probability of those threats. 1307 01:07:06,947 --> 01:07:08,780 And I would encourage you, too, because it's 1308 01:07:08,780 --> 01:07:11,405 one thing to sit in on a class like this and be like, oh, yeah, 1309 01:07:11,405 --> 01:07:12,140 I should do that. 1310 01:07:12,140 --> 01:07:16,340 But then it just feels like so much work to go and change all hundreds 1311 01:07:16,340 --> 01:07:17,930 or thousands of my accounts. 1312 01:07:17,930 --> 01:07:19,310 Again, take baby steps. 1313 01:07:19,310 --> 01:07:22,580 Bite off the easiest, most important accounts first. 1314 01:07:22,580 --> 01:07:26,660 And over time, the next time you log in to that other website, 1315 01:07:26,660 --> 01:07:29,120 OK, go ahead and change the password to something better, 1316 01:07:29,120 --> 01:07:31,400 put it in the password manager, and be done with it. 
1317 01:07:31,400 --> 01:07:33,920 The next time you go to another website, do it that one. 1318 01:07:33,920 --> 01:07:37,370 You can do these things incrementally because, again, with this advice, 1319 01:07:37,370 --> 01:07:41,390 I'm just trying to help you personally strike this balance between usability 1320 01:07:41,390 --> 01:07:43,730 and security because if your takeaway is I 1321 01:07:43,730 --> 01:07:46,070 have to go change 1,000 passwords tonight, 1322 01:07:46,070 --> 01:07:48,050 you might not realistically do it. 1323 01:07:48,050 --> 01:07:50,690 So better would be to change a few of them and chip 1324 01:07:50,690 --> 01:07:53,550 away at this problem over time. 1325 01:07:53,550 --> 01:07:57,110 Let me pause here and see if there are any questions. 1326 01:07:57,110 --> 01:08:00,410 AUDIENCE: If a password manager tool is so helpful, so 1327 01:08:00,410 --> 01:08:04,100 why we are using antivirus for websites? 1328 01:08:04,100 --> 01:08:07,665 DAVID MALAN: Oh, so you should certainly be using antivirus for other reasons 1329 01:08:07,665 --> 01:08:09,290 that we'll talk about in another class. 1330 01:08:09,290 --> 01:08:13,230 Viruses, worms, and malware can do any number of bad things, 1331 01:08:13,230 --> 01:08:16,040 including encrypting your data, deleting your data, 1332 01:08:16,040 --> 01:08:17,510 sending spam from your computer. 1333 01:08:17,510 --> 01:08:19,760 There's many reasons you want to run it instead. 1334 01:08:19,760 --> 01:08:23,270 However, if you have malware, like a virus on your computer, 1335 01:08:23,270 --> 01:08:26,840 and it's logging all of your keystrokes, theoretically you 1336 01:08:26,840 --> 01:08:31,100 could still be vulnerable to attack if they are also 1337 01:08:31,100 --> 01:08:34,370 logging your two-factor code maybe because you 1338 01:08:34,370 --> 01:08:37,609 get distracted, you don't hit Enter fast enough, and they can use that too.
1339 01:08:37,609 --> 01:08:40,399 It's a lower probability threat. 1340 01:08:40,399 --> 01:08:41,930 It's a theoretical one. 1341 01:08:41,930 --> 01:08:43,727 But also in the interest of best practices, 1342 01:08:43,727 --> 01:08:45,560 you don't want any software on your computer 1343 01:08:45,560 --> 01:08:47,210 that could be doing bad things anyway. 1344 01:08:47,210 --> 01:08:50,390 You just want to raise the bar as much as you can to these adversaries 1345 01:08:50,390 --> 01:08:54,050 without making your own accounts unusable. 1346 01:08:54,050 --> 01:08:54,937 Another question. 1347 01:08:54,937 --> 01:08:55,729 AUDIENCE: Oh, yeah. 1348 01:08:55,729 --> 01:08:58,189 I had a question about social engineering, if that's fine. 1349 01:08:58,189 --> 01:09:02,960 And we know that the rise of the AI technology, now AI 1350 01:09:02,960 --> 01:09:05,279 can record your voice and sample it. 1351 01:09:05,279 --> 01:09:08,450 And that could be a real threat in social engineering 1352 01:09:08,450 --> 01:09:11,310 because now someone can mimic your boss and call you 1353 01:09:11,310 --> 01:09:13,770 or someone can mimic your voice and call your bank. 1354 01:09:13,770 --> 01:09:15,450 So is there a way to combat this? 1355 01:09:15,450 --> 01:09:18,529 Or is there any technology to prevent this from happening? 1356 01:09:18,529 --> 01:09:21,029 DAVID MALAN: That's a really good question and another piece 1357 01:09:21,029 --> 01:09:22,560 of advice I should reflect back. 
1358 01:09:22,560 --> 01:09:25,410 If on any of your accounts, particularly bank accounts, 1359 01:09:25,410 --> 01:09:28,770 you are using voice recognition technology, whereby 1360 01:09:28,770 --> 01:09:30,810 when you set up the account, you were prompted 1361 01:09:30,810 --> 01:09:34,649 to say a phrase into the phone, for instance, to evoke an old movie 1362 01:09:34,649 --> 01:09:38,040 called Sneakers-- my voice is my password-- you should 1363 01:09:38,040 --> 01:09:40,710 disable those features and stop using them, 1364 01:09:40,710 --> 01:09:45,359 assuming there's an alternative, like two-factor authentication, whereby 1365 01:09:45,359 --> 01:09:48,510 they send you a push notification to an app or the like. 1366 01:09:48,510 --> 01:09:52,529 Reason being, exactly that, is you've probably seen in this age of AI, 1367 01:09:52,529 --> 01:09:56,680 there are technologies called deepfakes whereby you can generate video, 1368 01:09:56,680 --> 01:09:58,380 but also audio of people. 1369 01:09:58,380 --> 01:10:01,560 This is very commonly done for celebrities, for politicians, 1370 01:10:01,560 --> 01:10:03,720 and voices that you see a lot on the internet. 1371 01:10:03,720 --> 01:10:08,340 But it would not be that hard if someone has access to voice recordings of you 1372 01:10:08,340 --> 01:10:11,910 to use some software or some app to generate 1373 01:10:11,910 --> 01:10:16,260 saying, my voice is my password, even though you might not 1374 01:10:16,260 --> 01:10:19,510 have said that since the time you set up the account. 1375 01:10:19,510 --> 01:10:21,580 And so your accounts, too, might be compromised. 1376 01:10:21,580 --> 01:10:27,090 So my own advice there would be don't use voice-based recognition anymore, 1377 01:10:27,090 --> 01:10:31,230 if there's a better alternative available. 1378 01:10:31,230 --> 01:10:32,850 Other questions? 
1379 01:10:32,850 --> 01:10:35,760 AUDIENCE: Doesn't having one password manager, 1380 01:10:35,760 --> 01:10:40,320 so figuratively keeping all your keys in one safe, 1381 01:10:40,320 --> 01:10:43,260 defeat the purpose of having different passwords? 1382 01:10:43,260 --> 01:10:49,640 Because if you lose that one key to your key safe, all is gone. 1383 01:10:49,640 --> 01:10:51,390 DAVID MALAN: It's a really good intuition, 1384 01:10:51,390 --> 01:10:53,850 and that's exactly the trade off to think about. 1385 01:10:53,850 --> 01:10:56,070 I would consider in deciding for yourself, 1386 01:10:56,070 --> 01:10:59,070 if you want to take that advice, what the alternative is. 1387 01:10:59,070 --> 01:11:03,090 Because if you're using pretty easy-to-guess passwords everywhere, 1388 01:11:03,090 --> 01:11:06,690 this is probably a net positive to move to a password manager instead. 1389 01:11:06,690 --> 01:11:10,050 If you're reusing the same password on a lot of websites and apps, 1390 01:11:10,050 --> 01:11:15,150 this is probably a net positive to switch to a password manager instead. 1391 01:11:15,150 --> 01:11:19,050 If, however, though, you've actually been a very good internet citizen, 1392 01:11:19,050 --> 01:11:22,185 and you've been choosing hard-to-guess, unique passwords 1393 01:11:22,185 --> 01:11:24,810 for all different sites-- they're not written down on a post-it 1394 01:11:24,810 --> 01:11:27,660 or easily accessible-- then this might be a net negative 1395 01:11:27,660 --> 01:11:30,360 for you to put all of those eggs, so to speak, in one basket, 1396 01:11:30,360 --> 01:11:33,480 thereby making them more vulnerable. 1397 01:11:33,480 --> 01:11:36,540 From experience and from the head nods and admissions 1398 01:11:36,540 --> 01:11:38,320 that we get from students over the years, 1399 01:11:38,320 --> 01:11:41,130 I guess that most of us in this room would 1400 01:11:41,130 --> 01:11:43,980 benefit as a net positive from a password manager. 
1401 01:11:43,980 --> 01:11:46,302 But there, too, you should decide for yourself. 1402 01:11:46,302 --> 01:11:48,510 And again, one of our lessons for today is don't just 1403 01:11:48,510 --> 01:11:51,150 believe something some guy on the internet told you. 1404 01:11:51,150 --> 01:11:55,890 Decide for yourself based on these trade offs, these upsides and downsides. 1405 01:11:55,890 --> 01:11:58,830 Now, password managers are not all upside. 1406 01:11:58,830 --> 01:12:02,730 Indeed, if you lose or forget that primary password, 1407 01:12:02,730 --> 01:12:05,880 you might lose access to all of your other accounts. 1408 01:12:05,880 --> 01:12:08,010 Fortunately, there is an alternative that's 1409 01:12:08,010 --> 01:12:11,640 increasingly available on websites and apps known as passkeys. 1410 01:12:11,640 --> 01:12:14,510 And what's nice about passkeys is that moving forward, 1411 01:12:14,510 --> 01:12:16,960 it will be your Mac, your PC, or your phone 1412 01:12:16,960 --> 01:12:19,750 that generates a passkey for a new website 1413 01:12:19,750 --> 01:12:21,370 or app for which you're registering. 1414 01:12:21,370 --> 01:12:24,280 You yourself don't have to remember what that passkey is, 1415 01:12:24,280 --> 01:12:26,290 and indeed it isn't even just one value. 1416 01:12:26,290 --> 01:12:30,220 Rather it's a pair of values, a private value and a public value, 1417 01:12:30,220 --> 01:12:33,220 that have a mathematical relationship between the two. 1418 01:12:33,220 --> 01:12:35,420 And those two values are used. 1419 01:12:35,420 --> 01:12:39,170 The next time you try to access that website or application, your Mac, 1420 01:12:39,170 --> 01:12:43,060 your PC, or your phone will use those values to automatically authenticate 1421 01:12:43,060 --> 01:12:43,870 you thereafter.
1422 01:12:43,870 --> 01:12:45,940 And better yet those values are synchronized 1423 01:12:45,940 --> 01:12:49,900 as needed across your devices so that you can use your Mac and your PC 1424 01:12:49,900 --> 01:12:52,960 and your phone or any other such devices to authenticate. 1425 01:12:52,960 --> 01:12:55,180 But to better understand these passkeys, we'll 1426 01:12:55,180 --> 01:12:58,700 need to know a little something about the world of cryptography. 1427 01:12:58,700 --> 01:13:02,420 And so for that, we'll wait for our discussion of securing your data. 1428 01:13:02,420 --> 01:13:05,610 So more on that next time. 1429 01:13:05,610 --> 01:13:07,000