Password Complexity is a Lie – Here’s What Actually Keeps You Safe

TLDR;

This video challenges the conventional wisdom of complex passwords, arguing that they are less secure than many people believe. It explains that brute force attacks are often not the primary threat, and that password reuse, phishing, and spear phishing are more common and more dangerous. The video offers a practical password strategy that combines unique, long passphrases for high-security sites with a limited reuse approach for lower-risk sites, along with tips on phone unlocking and passkeys.

  • Complex passwords are not as effective against hacking as commonly believed.
  • Password reuse and phishing attacks are major threats.
  • A combination of unique passphrases and limited reuse is a practical strategy.

Introduction [0:00]

The video starts by questioning the effectiveness of complex passwords, suggesting that they might not be as secure as people think. It challenges the notion that complex passwords with special characters are the ultimate defence against hacking. The presenter aims to demonstrate a more effective system that works now and in the future, highlighting that simple, easy-to-remember passwords without special characters can be safer. The core message is that understanding the actual threats is more important than blindly following the complex password trend.

Brute Force Attacks [1:14]

The presenter explains brute force attacks, where hackers try every possible password combination. While a six-digit PIN has one million possibilities, modern computers can try them quickly. The video then presents a calculation: a 40-character password with mixed cases, numbers, and symbols would take longer than the age of the universe to crack, making it virtually impossible to brute force. However, an eight-character password using the same rules could be cracked in a few years with enough machines working in parallel. A 15-character password with random letters is essentially uncrackable by brute force.

Rate Limits and Attempts Limits [3:29]

The video discusses rate limits, which introduce delays in password entry, making brute force attacks much slower. Many platforms also have attempt limits, locking accounts after a certain number of failed tries. Two-factor authentication adds another layer of security, making brute force attacks even less appealing to hackers. The presenter argues that most normal people are not targets for brute force attacks, which are more likely to be used against high-profile individuals.
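The two sections above hinge on one calculation: keyspace divided by guess rate. The following calculator is an added example, not code from the video; the guess rates (10 billion offline guesses per second against a leaked hash, ten tries per minute against a rate-limited login form) are assumed figures chosen for illustration, and every result scales linearly with them. It shows the PIN, 8-character, 15-character and 40-character cases from the video side by side, and quantifies what an attempt limit does to an online guessing attack.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 1.38e10

# Assumed attacker speeds (constructed for illustration; real figures depend on
# the hash algorithm and hardware, and everything below scales linearly with them).
OFFLINE_GUESSES_PER_SEC = 1e10      # attacker holds the leaked hash, no rate limit
ONLINE_GUESSES_PER_SEC = 10 / 60    # rate-limited login form: ~10 tries per minute

ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed+digits+symbols": 95,     # printable ASCII
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst case: the attacker must try the whole keyspace (average is half)."""
    return keyspace(alphabet_size, length) / guesses_per_sec / SECONDS_PER_YEAR


def lockout_success_probability(max_failed_attempts: int, alphabet_size: int, length: int) -> float:
    """Chance that a random-guessing attacker hits the right password before
    the account locks after max_failed_attempts failures."""
    return min(1.0, max_failed_attempts / keyspace(alphabet_size, length))


def describe(years: float) -> str:
    """Human-readable duration for a crack time expressed in years."""
    if years > AGE_OF_UNIVERSE_YEARS:
        return f"{years / AGE_OF_UNIVERSE_YEARS:.1e} x age of universe"
    if years >= 1:
        return f"{years:,.1f} years"
    days = years * 365.25
    if days >= 1:
        return f"{days:.1f} days"
    return f"{days * 86400:.3g} seconds"


def report(cases):
    """cases: (label, alphabet name, length). Returns rows of
    (label, entropy bits, offline crack time, online crack time)."""
    rows = []
    for label, alphabet, length in cases:
        size = ALPHABETS[alphabet]
        rows.append((
            label,
            round(entropy_bits(size, length), 1),
            describe(years_to_exhaust(size, length, OFFLINE_GUESSES_PER_SEC)),
            describe(years_to_exhaust(size, length, ONLINE_GUESSES_PER_SEC)),
        ))
    return rows


if __name__ == "__main__":
    cases = [
        ("6-digit PIN", "digits", 6),
        ("8 chars, full ASCII", "mixed+digits+symbols", 8),
        ("15 random lowercase letters", "lowercase", 15),
        ("40 chars, full ASCII", "mixed+digits+symbols", 40),
    ]
    for label, bits, offline, online in report(cases):
        print(f"{label:30} {bits:6.1f} bits  offline: {offline:32} online: {online}")
    print("P(guess 6-digit PIN within 10 attempts before lockout):",
          lockout_success_probability(10, 10, 6))
```

The offline column is the threat model the video's calculation assumes (a leaked hash, unlimited guesses); the online column is what rate limiting turns it into. Even the 6-digit PIN takes months online, and a 10-attempt lockout reduces a guessing attacker to a one-in-a-hundred-thousand chance, which is why the video treats brute force as a concern mainly for stolen hashes and high-value targets.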

Have I Been Pwned? (HIBP) and Password Reuse [5:51]

Most account compromises stem from data breaches, which are tracked by the website Have I Been Pwned? (HIBP). When platforms like 23andMe or Ticketmaster are hacked, user credentials get exposed. The presenter criticises the identity protection services offered after such hacks as largely ineffective. The real issue is password reuse, where the same email and password combination is used across multiple platforms. Hackers use these stolen credentials to attempt logins on other sites, bypassing the need for brute force. The video suggests using different email addresses for each platform to mitigate this risk.
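Two checks a defender can automate from this section: whether a password already appears in a known breach, and whether a password is shared across sites. The code below is an added example, not the video's or HIBP's own code. It reproduces the k-anonymity scheme of the real Pwned Passwords range API (only the first five characters of the password's SHA-1 hash leave the device, and the server replies with `SUFFIX:COUNT` lines for that prefix), but it never touches the network: `mock_range_endpoint` is a constructed stand-in for the server, and the leaked-password counts and vault entries are constructed sample data.

```python
import hashlib
from collections import defaultdict


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query_parts(password: str):
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines. Entries with count 0 are padding and are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password was seen in breaches (0 = not found)."""
    _, suffix = range_query_parts(password)
    return parse_range_response(range_body).get(suffix, 0)


def mock_range_endpoint(prefix: str, leaked_counts: dict) -> str:
    """Constructed stand-in for GET /range/{prefix}: returns only suffixes whose
    SHA-1 starts with prefix, plus one constructed padding entry with count 0."""
    lines = []
    for pw, n in leaked_counts.items():
        p, s = range_query_parts(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("F" * 35 + ":0")    # constructed padding entry, must be ignored
    return "\r\n".join(lines)


def find_reused_passwords(vault_entries):
    """vault_entries: iterable of (site, password). Returns {password: [sites]}
    for every password that protects more than one site."""
    sites_by_password = defaultdict(list)
    for site, pw in vault_entries:
        sites_by_password[pw].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed sample data: breach counts as the server would hold them, and a
# small password-manager export.
LEAKED = {"password": 123, "letmein": 45}
SAMPLE_VAULT = [
    ("bank", "correct horse battery staple"),
    ("shop", "letmein"),
    ("forum", "letmein"),
    ("email", "orchid kettle falcon meadow nickel bridge"),
]

if __name__ == "__main__":
    for site, pw in SAMPLE_VAULT:
        prefix, _ = range_query_parts(pw)
        body = mock_range_endpoint(prefix, LEAKED)      # would be an HTTPS GET in practice
        print(f"{site:6} seen in breaches: {breach_count(pw, body)}")
    print("reused across sites:", find_reused_passwords(SAMPLE_VAULT))
```

The server learns only a five-character hash prefix, which matches hundreds of passwords, so the check can be run on every vault entry without disclosing any of them. Both reports together cover the failure mode the video describes: a password that is already in a breach dump, or one that would turn a single breach into several.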

Phishing and Spear Phishing [8:30]

Phishing involves tricking users into revealing their passwords through fake links and social engineering. The presenter advises against clicking links in unsolicited emails or SMS messages, suggesting users should instead navigate directly to the website in question. Spear phishing is a more targeted attack aimed at specific individuals, often involving personal information to gain trust. The presenter warns against revealing sensitive information over the phone, especially in response to unsolicited calls.

Password Strategy [10:50]

The video shifts to developing a practical password strategy. Since brute force is less of a concern due to rate limiting and 2FA, the focus should be on avoiding password reuse. The presenter suggests two password types: one for high-security sites and another for low-security sites. It's crucial to start fresh, assuming past passwords have already been compromised.

Six Random Words [12:20]

For high-security sites like banks and email, the most secure password consists of six random words, creating a long passphrase. These passphrases should be unique to each platform and stored in a password manager. The presenter cautions against using this format everywhere due to password length limits on some sites, but emphasises its importance for email accounts.

Limited Reuse [13:54]

For low-risk sites like social media, streaming services, and shopping platforms, the presenter suggests a limited reuse strategy. These sites are grouped into three categories: social media, streaming/gaming, and shopping/random. A four-word passphrase is used for each category, reducing the risk of a widespread hack. This compartmentalisation ensures that a breach in one category does not affect the others.
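The two sections above (six unique random words for high-security sites, one four-word passphrase per low-risk bucket) can be turned into a small generator that also shows why the compartmentalisation works. This is an added example, not the video's own tool; the 16-word `DEMO_WORDLIST`, the site names and the bucket membership are constructed, and a real deployment would draw from a published list of thousands of words (the 7776-word diceware-style size is used only in the entropy calculation). Random choice comes from Python's `secrets` module, so the output is suitable for real use once a full wordlist is substituted.

```python
import math
import secrets

# Constructed demo wordlist; a real passphrase scheme uses thousands of words.
DEMO_WORDLIST = [
    "apple", "bridge", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
]

# Constructed site classification following the video's strategy.
HIGH_SECURITY = {"bank", "email", "password-manager"}
BUCKETS = {
    "social": {"social-network-a", "social-network-b"},
    "streaming": {"video-service", "game-store"},
    "shopping": {"shop-a", "shop-b"},
}
UNIQUE_WORDS = 6     # one fresh passphrase per high-security site
BUCKET_WORDS = 4     # one shared passphrase per low-risk bucket


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words drawn uniformly (with replacement) from the list."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int, wordlist=DEMO_WORDLIST, rng=secrets) -> str:
    """Space-separated random words; rng must provide choice()."""
    return " ".join(rng.choice(wordlist) for _ in range(n_words))


def _fresh_passphrase(n_words, wordlist, rng, used: set) -> str:
    """Generate until the phrase is not already in use, so no two entries collide."""
    while True:
        phrase = generate_passphrase(n_words, wordlist, rng)
        if phrase not in used:
            used.add(phrase)
            return phrase


def bucket_of(site: str):
    for name, members in BUCKETS.items():
        if site in members:
            return name
    return None


def build_vault(sites, wordlist=DEMO_WORDLIST, rng=secrets) -> dict:
    """Map each site to its passphrase: unique for high-security sites, shared
    within a bucket for low-risk sites. Unknown sites are rejected rather than
    silently lumped into a bucket."""
    used = set()
    bucket_phrase = {}
    vault = {}
    for site in sites:
        if site in HIGH_SECURITY:
            vault[site] = _fresh_passphrase(UNIQUE_WORDS, wordlist, rng, used)
            continue
        bucket = bucket_of(site)
        if bucket is None:
            raise ValueError(f"unclassified site: {site}")
        if bucket not in bucket_phrase:
            bucket_phrase[bucket] = _fresh_passphrase(BUCKET_WORDS, wordlist, rng, used)
        vault[site] = bucket_phrase[bucket]
    return vault


def blast_radius(vault: dict, breached_site: str) -> set:
    """Sites whose login the attacker can reuse after breached_site leaks its password."""
    leaked = vault[breached_site]
    return {site for site, phrase in vault.items() if phrase == leaked}


if __name__ == "__main__":
    print(f"6 words from 7776: {entropy_bits(6, 7776):.1f} bits")
    print(f"4 words from 7776: {entropy_bits(4, 7776):.1f} bits")
    vault = build_vault(["bank", "email", "social-network-a", "social-network-b", "shop-a"])
    for site, phrase in vault.items():
        print(f"{site:18} {phrase}")
    print("breach of social-network-a exposes:", sorted(blast_radius(vault, "social-network-a")))
    print("breach of bank exposes:", sorted(blast_radius(vault, "bank")))
```

`blast_radius` is the point of the bucket design: a breach at one social network exposes only the other sites in the social bucket, never the bank or the email account, whose passphrases are unique. The `_fresh_passphrase` loop guarantees that a bucket phrase never coincides with another entry even with the tiny demo wordlist; with a full list the collision probability is negligible but the guarantee costs nothing.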

Phone Unlock [15:31]

The video discusses the best methods for unlocking phones, recommending fingerprint recognition as the most secure and least observable method. PINs and patterns can be easily observed, while Face ID is based on facial shapes that could be retrieved. The presenter notes that biometrics can be compelled, so it may be wise to disable fingerprint unlock when travelling.

Passkeys [16:24]

Passkeys are presented as an alternative to passwords and two-factor authentication. These are managed by an exchange of certificates, not biometrics. The presenter prefers hardware-based keys like a YubiKey over software-based authenticators, as they are less prone to being lost or compromised when devices are changed or reset.

Final Thoughts and Action Plan [17:16]

The video concludes by reiterating that password complexity is a lie and provides a five-minute action plan: check your emails on Have I Been Pwned?, change passwords for critical accounts to six-word passphrases, add a YubiKey or passkey, create three-word passphrases for the three low-risk site buckets, and never click login links from emails or texts. Following these steps makes you significantly harder to hack. The presenter invites viewers to join the Braxme community for more privacy tips and to explore their privacy-focused tools.

Date: 12/13/2025 Source: www.youtube.com