Hi, do you remember passwords? Password-based credential theft is, as far as I know, the most common way of stealing credentials on the Internet nowadays. We will discuss why we consider these dangerous, and what measures you should take to protect yourself, okay? If you remember, most passwords are quite easy to remember. And the bad thing here is that they are quite easy to discover, because many times you can attack a service, or even go for the credentials on a computer, retrieve them, and crack these passwords using dictionaries and other complex attacks. And the bad news is that the most typical passwords are very well known, because there are a lot of databases where you can get a list, a dictionary, to attack them. If you see here, you have the top 10, the top 100 password lists on the Internet; they are very easy to discover. And it is really sad to see that someone is using 123456, or 12345678, or password as passwords. Don't ever use this kind of password, because they are really easy to discover. Using a dictionary, a dictionary attack, and a very specialized tool to crack passwords, you can go and get the passwords in a few seconds. Let's see a demo of how, using hashcat, we can crack the passwords and retrieve them in really, really very few seconds, okay?

[MUSIC]

Okay, let's see. hashcat is a very powerful tool to crack passwords; it has several techniques to do so. With hashcat, what we will do is take a look at a list of passwords that are encrypted, in a hashed form, okay? It is almost impossible to reverse a hash. This is the version of the password that is encrypted. And what we are going to do is to test, with hashcat, if we can retrieve the password just by trying all the possible combinations to get exactly the same hash that we stole, for example, from a database or server, or whatever.
If you see these hashcat parameters, what we are going to test is a length of eight, eight positions of the ?a mask, with the list of stolen hashes we got, with an attack against MD5, that is the -m 0 parameter, and a direct brute-force attack, -a 3, okay? We launch the attack; we are taking advantage of our graphics card, the NVIDIA, if you see my Quadro. And if you see, we already cracked this password in the past. So what we have to do is to remove the list of the passwords from the history, and then launch again. Now it's cracking; remember, brute-force attack. Using a brute-force attack, in a few seconds, we got the 12345678 password, okay? We are testing other combinations, so if you see the candidates, it is testing a lot. We will stop this, and we are moving to a new specific attack that is using a very interesting dictionary and attack rules, okay? We will delete again the already cracked passwords, just to start again. And now we're using the top passwords shortlist. Remember the slide where we showed the most common passwords. Okay, we have a dictionary for this. And then this is the best64 rule to attack the passwords, using exactly the same tool on exactly the same stolen hashes. Let's see, we are going to launch the attack. And if you see, testing several combinations, now it's finished in four seconds, okay? This is not brute force; it is attacking using the most common dictionary of typical passwords and an attack rule. If you see, the passwords are password, 123456, or 12345678, okay? Really useful tool. If you see, there are many dictionaries on the Internet you can download where you have details about languages, cultures, several things, for example fandom things, like Star Trek, Star Wars. So many of the passwords that are in use today can be found in very specialized dictionaries made to attack specific people who like this or that, or who belong to a specific culture, or nationality, or whatever.
Even if you see in the second point here, what we can do is to investigate a lot about you, and get a lot of details about the name of your dog, or your family, your sons and daughters, even your wife, or your anniversary, or whatever. So you can build a custom dictionary attack on a specific person. So be careful with passwords, because you have no escape from these kinds of attacks, okay? So we are doomed.

>> Okay, okay, come on, I know, it's not so bad. We can create complex passwords; it's just about defining a proper method to create this password in order to remember it. For example, imagine your favorite group, your favorite music group. And I'm thinking about one song, one specific song, whatever. And you can take, for example, the first letter of every word of the title of the song, and we can create a new word. When you have the new word, we can start to modify the word, for example with substitution of the vowels with numbers, and adding some numbers. And at the end, we have a quasi-random password that is very complex and is very difficult to guess. And if you remember the method, and you remember the title of the song, you can create the password. Of course, maybe at the beginning you are thinking, every time I type the password, I have to put these words. This is very difficult because, of course, I can create the word because I know the method, but it's very difficult to remember. Okay, no worries; in just one or two weeks, this is how your brain memorizes it, so you can type it very, very, very fast. But right now we have the way to create complex passwords, but we have a problem: we realize that it's not enough. We also have to create long passwords. The complexity is not the only variable. We also need long passwords, because if the password is short, even if it is very complex, even if it is random, completely random, it is very easy for a program to start to make some calculations and, with a brute-force attack, obtain the password.
So we also need long passwords. So here maybe you think, we have a problem: we need two different things, complicated passwords and long passwords; it's impossible for me. Okay, no worries, we have tools that support us in this task of creating proper passwords. We can use password managers. A password manager will deal with all the aspects of the passwords, and you only have to remember the master password for everything. So just remember one password for all the services you have in your digital life. And what password manager can you use? This is very easy, just Google it, and you will have a lot of different password managers, very good ones.

>> Remember, passwords are a huge concern in terms of identity theft and credential theft. If you see, you can check that whenever someone gets your credentials, at the end what they are getting access to is your items, your digital items, in terms of whatever service you are accessing on the Internet, Gmail, Facebook, whatever, okay? So take care, because the most typical attacks are based on dictionaries. Whenever someone gets a big dictionary with a nice tool, they can crack your password. So this is a real concern for you, okay? Then, very important, you can mitigate this threat using the two best strategies in this area. The very first one is to have a long, remember, long password that has some complexity. As Sevan said in the past comments, you saw that even a very complex password that is short is not very secure. So you need a combination of complexity but, very important, a very long password, okay? And this is when the second strategy enters: using a password manager. This is the best thing to do. You just have to remember one long password for the main credentials for the password manager. And then you can have a lot of very random, complex and long passwords within, that are managed by the password manager, not by your memory, okay?
So remember, long passwords, very important, and use password managers.
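The two points made in the lecture, that a common or trivially mangled password falls to a dictionary plus rules in seconds while length, not complexity, is what drives brute-force cost, can be checked on the defender's side before a password is ever stored. The following is an added example written for this page, not code from the lecture or from hashcat. It assumes a constructed six-entry stand-in for the "top passwords" shortlist, an assumed guess rate of 1e10 per second for one GPU against an unsalted fast hash such as the MD5 in the demo, and a constructed vowel-to-digit table standing in for the "replace vowels with numbers" step of the song-title method; the policy logic (undo cheap manglings, look up the result, report keyspace bits) is the kind of check a signup form or password-change handler would run, and it generalizes the lecture's cases to any candidate password.

```python
import math
import string

# Constructed stand-in for the "top passwords" shortlist used in the demo (not a real list).
COMMON_PASSWORDS = {"123456", "12345678", "password", "qwerty", "iloveyou", "letmein"}

# Assumed guess rate for one GPU against an unsalted fast hash such as MD5 (illustrative only).
ASSUMED_GUESSES_PER_SECOND = 1e10

# Constructed vowel-to-digit substitution, standing in for "substitute the vowels with numbers".
VOWEL_TO_DIGIT = {"a": "4", "e": "3", "i": "1", "o": "0", "u": "7"}
DIGIT_TO_VOWEL = {digit: vowel for vowel, digit in VOWEL_TO_DIGIT.items()}


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the brute-force keyspace: length * log2(charset). Length is the big lever."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def brute_force_seconds(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return 2 ** keyspace_bits(password) / rate


def normalize(candidate: str) -> set:
    """Undo the cheap manglings a rule file applies (case, appended digits or symbols,
    vowel-to-digit swaps, reversal) so 'P4ssw0rd123' is recognised as 'password'."""
    lowered = candidate.lower()
    base = lowered.rstrip(string.digits + string.punctuation).lstrip(string.punctuation)
    unleet = base.translate(str.maketrans(DIGIT_TO_VOWEL))
    return {lowered, base, unleet, base[::-1], unleet[::-1]}


def is_common(candidate: str) -> bool:
    """True if the candidate, or a trivially mangled form of it, is on the common list."""
    return any(variant in COMMON_PASSWORDS for variant in normalize(candidate))


def song_method(title: str, suffix: str) -> str:
    """The second speaker's recipe: first letter of each title word, vowels to digits, digits appended."""
    initials = "".join(word[0].lower() for word in title.split())
    return initials.translate(str.maketrans(VOWEL_TO_DIGIT)) + suffix


def assess(password: str) -> dict:
    """Defender-side summary: dictionary-derived?, keyspace in bits, worst-case brute-force seconds."""
    return {
        "common": is_common(password),
        "bits": round(keyspace_bits(password), 1),
        "seconds": brute_force_seconds(password),
    }


if __name__ == "__main__":
    samples = [
        "12345678",                                          # top-list entry from the demo
        "P4ssw0rd123",                                       # top-list entry after typical rules
        song_method("Another One Bites The Dust", "2024"),   # complex but short
        "correct horse battery staple",                      # plain words, but long
    ]
    for pw in samples:
        print(f"{pw!r:35} {assess(pw)}")
```

Running the block prints one line per sample. The two dictionary-derived candidates are flagged as common regardless of their leet dressing, the song-title password comes out at roughly 47 bits (hours at the assumed rate, in line with the lecture's warning that complexity alone is not enough), and the long lowercase passphrase exceeds 130 bits purely on length. A real deployment would swap the constructed set for a breached-password list and keep the normalisation rules in step with whatever mangling rules are common in the wild.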