Comments:

S tier is trash: if Google decides they don't like who you voted for, they remove your account. No good having a password on there then.

Really makes you appreciate public-key cryptography. Alas, the average human is not very good with this concept, and struggles to even use passwords correctly. :(

Another way to not need a password is a private key (either a file on your disk or a YubiKey). Especially for SSH the recommendation is to not use a password, but just a private key.

Another way to stop dictionary attacks is to not allow users to pick their shitty passwords, but just give them a randomly generated string that they should remember/store.

I would say two-factor authentication (2FA) is S tier?

What music is this? I really like it!

The "S tier" is terrible. I would never use a website where I HAVE to use Google/FB to log in.

What about using a private key / public key algorithm where the public key is computed from the private key, and the private key is the result of a slow salted hash? This would have the benefit that even at login, the password and private key wouldn't even have to leave the user's device.

Is there a reason you didn't mention peppering?
That's quite an important technique, as it renders dictionary attacks completely useless, even with really bad passwords.
S tier can be most vulnerable when a user uses their nickname + birthday as an 8-digit password for their Google account and has no 2-factor auth. Also you have to pay to use their API.

Very good, short and informative video.

Heh, correct horse battery staple. Nice reference.

Trusting Google & Facebook is the end solution... oh, ok... Oo

For S tier, there's also WebAuthn.

Problem with S tier is possibly losing access to the third-party account. Big Tech Company might do something stupid like Nymwars again. Compartmentalization is nice; I'd rather have to respond to the occasional website breach than risk everything. Though, that depends on using a password manager right...

I was on board until you recommended login with Google or Facebook.

Absolutely unclear what the difference is between a dictionary attack and a rainbow table?

What stops hackers from just grabbing the entire raw table and decrypting it on their end at their leisure?

SRP, aka Secure Remote Password, is an option if you want OAuth-level security without OAuth providers.

Really amazing video! It's so clear that everyone could understand it, but it still gives the intended information. Congratulations! New subscriber gained ;)

Legit question nobody asks: what do you do when an authenticator gets decommissioned and the user set no fallback password, nothing :D? Or what if it comes under some attack or is otherwise temporarily inaccessible? Is it supposed to be of no concern to small operations? Maybe, but unfortunately I have my standards... Though I love the passwordless world, there is nothing like an exchange of the public key.

What about Secure Remote Password (SRP)? I think that's the real S tier.

Lololol! Amazing. This is my life right now. It's not even an exaggeration.

Another S tier would be cryptographic signing using key pairs.

One more architectural way to store credentials (not necessarily passwords) is to store them in a separate database which is only accessible by other systems, so there are no credentials for the database to speak of. This requires a third "party" in the communication between systems, which manages accounts and credentials and rotates them (generates new credentials) periodically, called an Identity Authentication Service (IAS). This is widely used in cloud systems (AWS, Google Cloud Platform, Azure, etc.).
I hate S tier honestly.
On security: that means that your users will have one point of failure: Google, Facebook, etc. Not great. If their Google account is hacked, the hacker has their complete online identity with this method.
On usability: you force your users to have one of these services and also tell these services that they use your service. Not great for user privacy.
My favorite solution to this problem: don't try to reinvent the wheel. Use off-the-shelf password solutions for the environment you work in. There are many great and widely tested libraries that you can use.
So good. Great job!

This is probably the first time I've understood what salting actually does, bravo.

Congrats, this is an S tier video!

I'm working on an idea.
Your comments/input would be appreciated.
Basically, even if a password is breached it will still result in garbled or zero-byte files when used, unless the manipulated byte order is restored. For this, a BOMKey (Byte Order Manipulation Key) needs to be provided for the password to trigger the release of the files in their correct binary order; otherwise they simply remain in their corrupted state.
Because the BOM is not set to any algorithmic pattern, it remains random and therefore nearly impossible to guess.
I have tested this by attacking a simple 2-character password-protected zip archive with Hashcat and John the Ripper.
The password is easily discovered, but extracts garbled files due to the missing Byte Order Key.
How 'bout SRP?

Another point: don't store the authentication data in the same database as the application data. That way, if you have an SQL injection vulnerability in the application code, the attacker still can't read the authentication data (because the SQL doesn't run on that database).

Using third-party login, however, has privacy issues. As a user, I avoid that option wherever possible.

I think you were right about the “Don’t store passwords”, but you went about it the wrong way. The right way would be something like using the SRP (Secure Remote Password) algorithm, which doesn’t store the password or its hash, rather than making your application a hostage to these companies.

Insanely good content, keep it up! Very very very underrated.

Best video for understanding how hashing works!!

Very informative and simple to understand.

Excellent video with a simple explanation; the simple example you talked about for hashing is AMAZING (the brown color). It's just a smooth, attention-grabbing and not boring at all video. Keep up with your good stuff!

This video was very helpful! I wanted to try making a hashing algorithm for something, but I didn't know how to make it until now. Thanks!
Edit: I was successfully able to make a slow hashing algorithm that takes like 3 seconds to complete on my slow laptop.
But during login, how do we know the salt, since it is already saved on the server?
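The peppering question earlier in the thread and the question just above about how the server knows the salt at login both come down to where each value is kept. The Python example below is added here and is not code from the video or from any commenter: it stores a random per-user salt next to an scrypt-derived hash, keeps a server-side pepper (a constructed constant in this example; in practice it would be loaded from a secrets manager or environment, never from the user table) out of the stored record, reads the salt back from that record at login, and then shows that a leaked record cannot be checked against a wordlist without the pepper. Function names and the sample passwords are my own.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed server-side secret ("pepper") for this example only. In a real
# deployment it lives outside the database (secrets manager, env var, HSM).
PEPPER = bytes.fromhex("7f3a9c1e2b4d6f8091a2b3c4d5e6f70811223344556677889900aabbccddeeff")


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Salted, peppered, deliberately slow derivation of a 32-byte verifier."""
    # Fold the pepper in first with HMAC; its output, not the raw password, feeds the KDF.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # scrypt is slow and memory-hard, so every guess costs the guesser real work.
    return hashlib.scrypt(peppered, salt=salt, n=2**14, r=8, p=1, dklen=32)


def make_record(password: str, pepper: bytes = PEPPER) -> dict:
    """Build the row the server stores: a fresh random salt plus the derived hash.
    The pepper is intentionally absent from the row."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(password, salt, pepper).hex()}


def verify(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Login check: read the salt back from the stored record, re-derive, and compare
    in constant time. The user never has to know or supply the salt."""
    salt = bytes.fromhex(record["salt"])
    candidate = _derive(password, salt, pepper)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def match_from_leak(record: dict, candidates: Iterable[str], pepper_guess: bytes) -> Optional[str]:
    """Model what someone holding only a leaked record can confirm from a wordlist.
    With the real pepper a weak password is recoverable; with the wrong pepper no
    candidate can be confirmed, which is why the pepper must not sit in the database."""
    for word in candidates:
        if verify(word, record, pepper_guess):
            return word
    return None


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("stored row:", rec)
    print("login ok:", verify("correct horse battery staple", rec))
    wordlist = ["password", "123456", "correct horse battery staple"]  # constructed sample
    print("leak + real pepper:", match_from_leak(rec, wordlist, PEPPER))
    print("leak + wrong pepper:", match_from_leak(rec, wordlist, b"not the real pepper"))
```

Two rows for the same password get different hashes because the salt is fresh each time, which is also what makes a precomputed table useless across users; the pepper adds the separate property that the rows are not even checkable without a secret the database never held.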
Maybe S tier is 2FA: PW + fingerprint / TAN generator / SMS / ...

What about SHA-512? Is it not sufficient to secure the passwords?

Great video!

S tier: make other people store passwords so you don't have to B)

Crystal clear and to-the-point explanation in minimal time. Great work!

len(password) < len(hash), otherwise ...
Pigeonhole principle: if there are more pigeons than holes, then at least one hole must have more than one pigeon in it.
Does that mean that longer passwords are less secure?
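The pigeonhole argument above is correct that collisions must exist once inputs outnumber outputs, but what matters for password security is how hard a collision is to find, and that depends on the hash's output size, not on the length of the input. The Python example below is added here and is not from the video or any commenter. It truncates SHA-256 to a toy 20-bit output so collisions become cheap to observe: random inputs collide after roughly sqrt(pi/2 * 2^20), about 1300 draws, and that count is the same whether the inputs are 8 bytes or 64 bytes long, while the same birthday estimate for the full 256-bit output is around 2^128 evaluations. The function names, the 20-bit width and the RNG seeds are my own choices.

```python
import hashlib
import math
import random
from typing import Optional, Tuple


def full_digest(data: bytes) -> bytes:
    """SHA-256 always yields 32 bytes, whatever the input length."""
    return hashlib.sha256(data).digest()


def truncated_digest(data: bytes, bits: int) -> int:
    """Toy hash: the first `bits` bits of SHA-256, so the output space is only 2**bits.
    Truncation is what makes collisions cheap enough to demonstrate."""
    return int.from_bytes(full_digest(data), "big") >> (256 - bits)


def expected_tries(bits: int) -> float:
    """Birthday bound: expected number of random inputs before the first collision
    in a space of 2**bits outputs, approximately sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2.0 ** bits)


def find_collision(bits: int, length: int, seed: int = 0) -> Optional[Tuple[int, bytes, bytes]]:
    """Draw random inputs of exactly `length` bytes until two share a truncated digest.
    The loop is capped at 2**bits + 1 draws: by the pigeonhole principle, that many
    distinct inputs cannot all map to distinct outputs. Returns (draws, input_a, input_b)."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    seen = {}
    for draws in range(1, 2 ** bits + 2):
        pw = rng.getrandbits(8 * length).to_bytes(length, "big")
        d = truncated_digest(pw, bits)
        if d in seen and seen[d] != pw:
            return draws, seen[d], pw
        seen[d] = pw
    return None  # only reachable if the RNG repeated an input, not a hash collision


if __name__ == "__main__":
    bits = 20
    for length, seed in ((8, 1), (64, 2)):
        draws, a, b = find_collision(bits, length, seed)
        print(f"{length}-byte inputs: collision after {draws} draws "
              f"(both truncate to {truncated_digest(a, bits):#x}); full digests differ: "
              f"{full_digest(a) != full_digest(b)}")
    print(f"expected draws for {bits} bits: {expected_tries(bits):.0f}")
    print(f"expected draws for 256 bits: 2^{math.log2(expected_tries(256)):.1f}")
```

The draw counts for the 8-byte and 64-byte inputs land in the same range because the birthday bound only sees the 2^20 possible outputs; the full 32-byte digests of the colliding pair still differ. Scaling the same estimate to 256 bits is what puts a real SHA-256 collision out of reach regardless of how long a password is.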
Awesome work, thanks for those clarifications! It's insanely easy to understand using this video. I will suggest it to everyone who needs to understand how it works.

Thanks! Well explained differences.