Salty Hashes

Tuesday, August 4th, 2009 – running time 18:08
While on vacation at the beach, Darren and Shannon talk password security. Shannon covers her favorite free open source password safe, KeePass, and how it can take the nightmare out of remembering a different password for every site. Then Darren goes over salting and what it does to protect your password's hash on the back end.

Segments

With the dozens--or, in the case of many administrators, hundreds--of passwords one must use and remember every day, how is one to ensure a secure and original password every time? Sure, you could come up with some crazy algorithm that involves information in the WHOIS record of the domain you're logging into, or you could live in normal land and get a password safe. Shannon goes over her favorite free open source offering, KeePass.

Using industry standard encryption to keep your passwords safe, KeePass is the most full featured password safe we've tested. With versions for just about every OS under the sun, including many smart phones, there is no reason to ever reuse a password again.

If you're a fan of KeePass and have a story or plugin you want to share with us, be sure to hit up feedback@hak5.org!

When it comes to storing passwords on the back end, whether they be in a database or flat file, it's important to keep 'em salted. In this episode Darren goes over what hash salting is -- what it means to users, administrators, and would-be password crackers.
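The salting idea from this segment, as an added example (not code from the episode or from Hak5): it stores a per-account random salt next to a slow hash and shows that a precomputed lookup table only matches records that share the salt it was built with. The choice of PBKDF2, the 16-byte salt, the round count, the account names and the wordlist are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16     # assumption: 128-bit random salt, one per account
ROUNDS = 100_000    # assumption: illustrative PBKDF2 work factor


def legacy_hash(password):
    """Unsalted fast hash (SHA-1): equal passwords always give equal hashes."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def salted_hash(password, salt):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


def create_record(password):
    """What the back end stores: a fresh random salt and the hash, never the password."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


def precompute_table(wordlist, salt=None):
    """Map hash -> word. A table is only valid for the one salt it was built with."""
    if salt is None:
        return {legacy_hash(w): w for w in wordlist}
    return {salted_hash(w, salt): w for w in wordlist}


def table_entries_needed(wordlist_size, salt_bits):
    """Entries a precomputed table needs to cover every possible salt value."""
    return wordlist_size * 2 ** salt_bits


def demo():
    wordlist = ["password", "letmein", "margarita"]  # constructed sample wordlist

    # Unsalted: two constructed accounts with the same password share one hash,
    # so a single table built once resolves both.
    alice_legacy = legacy_hash("password")
    bob_legacy = legacy_hash("password")
    legacy_table = precompute_table(wordlist)

    # Salted: same password, different random salts, different stored hashes.
    alice = create_record("password")
    bob = create_record("password")
    # A table built for alice's salt still finds her weak password, but it is
    # useless against bob's record: the work must be redone for every salt.
    alice_table = precompute_table(wordlist, alice["salt"])

    return {
        "legacy_equal": alice_legacy == bob_legacy,
        "legacy_lookup": legacy_table.get(bob_legacy),
        "salted_equal": alice["hash"] == bob["hash"],
        "alice_lookup": alice_table.get(alice["hash"]),
        "bob_lookup": alice_table.get(bob["hash"]),
        "verify_ok": verify("password", bob),
        "verify_bad": verify("passw0rd", bob),
        "entries_12_bit": table_entries_needed(len(wordlist), 12),
        "entries_32_bit": table_entries_needed(len(wordlist), 32),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A salt does not rescue a weak password from guessing against a single account; it removes the shortcut of one precomputed table covering every account.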

Don't forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.

KeePass and Hashes

Shannon and Darren preview what they will be covering in the show, KeePass and password hashes.

00:00

KeePass

Shannon explains how and why to use KeePass.

02:43

Hak5 Trivia of the Week.

Can you figure out where the Hak5 Beach House is located?

07:33

Hash Salting

Darren explains what Hash Salting is.

08:20

Announcements

Hak5 will be visiting San Francisco, plus where to contact the Hak5 crew.

15:00

Automatically Generated Transcript (may not be 100% accurate)

" War."

" This time on the show keeping your password safe and secure with KeePass and keeping your -- here with past salty. All that and more on this episode of Hak5. This episode -- Hak5 has brought to you by godaddy. Squarespace. Game flags and viewers like you."

" Thorough look and Hak5 mining is Darren Kitchen I can't aren't and this is your weekly dose of technolust."

" We are here in topsail island North Carolina yet we're visiting my family this week so we decided it and not just ad here against my cousin and it is accurate. It adds all that hackers need to -- each and every now and then -- and three and keep it -- sweep this week. But what's happened pretty sweet spot where we're talking about soul to."

" Just click on -- here."

" Then delicious thought."

" And keep passed right so we're talking basically about passwords whether beef hash is the war on the user and actually entering them parade passwords it's like. -- dental hygiene right but it's important stuff. As yet. And we have found Internet here -- we are actually making things work. -- Little earlier -- have a little too much fun that let me say that San Francisco and we'll talk about. Oh right yeah who have come enough."

" segments about KeePass which is basically -- huge database a huge place we can store all your passwords and you just have to memorize. Them and I will be talking about --"

" But first let's take a quick break and find out what's going on with our meet up. In Williamsburg Virginia which gardens right --"

" Don't forget about our first ever Hak5 need -- that Busch Gardens Williamsburg August 15. He can out ride roller coasters drinking beer have a good time and you are officially invited. It all the details Hak5 mean that's Squarespace dot com -- sponsored Squarespace dot com."

" With Squarespace you can build beautiful looking blogs -- web sites in a fraction of the time it would take for the traditional content management system. They're intuitive drag and drop interface is a snappy and powerful as a desktop publishing app. The best of all there's no software to install new database to configure -- patches -- applied and no code to fiddle with. -- yourself a simple and powerful it can be with a two week free trial that's -- space dot com and use promo code hack. Five to support the show and save 10% off the life of your service -- Squarespace dot com."

" And."

" It's it's an -- to have this thing where I would use the same password. On every sender would have like levels of security is banking isn't really tough one but like for my slash static coming -- counts up like that. This is really stupid password. And then I got thinking and when I was doing research about the pals for hashing in one not that if any of those on the back and aren't secured properly. And if you know they were to be easily cracked and use the same thing. Like me this is showed us with maltego it's super simple to be like a MySpace to accomplish your kitchen is the same thing it's FaceBook dot -- let's -- attending care yeah right so. Any neatly at the same password that. And the reason being it's just so hard to remember all this passwords what what can I do so. You know I don't drive myself crazy and don't just put -- sticky notes and undermine monitor."

" Well you could do that and then have somebody coming into your room and find out passwords to your entire life yeah or you could use a system like KeePass. Which is a really nifty program that lets you stick all of your passwords every single one of them into this quick little database. And then you just have one master password -- master password in key key file and that can protect all of them. And keep an encrypted."

" You mentioned. That it's encrypted and that the key file at picked up on a case that that sounds a lot like TrueCrypt -- can talk yet there are -- that can use keep files. So how is how what's a similar is there."

" Well encryption you can do either AES Ortiz says those weren't choices that I had when I was running he had a portable mention -- KeePass."

" I'm not sure there's satellites it as well those -- good that's pretty cool I mean I guess he really wanted to get crazy humans noted portable app that's beautiful Kazan."

" You know very well you can just stick it on USB and rock out all sorts of different computers and never have to memorize all the -- house where it's just always get I sticking it in there and."

" Great another and then right after this -- your your. To pass from the last week. I love that idea and if you wanna get ridiculously secure and fun with that. You go ahead and actually TrueCrypt the portable up."

" yeah you can hit."

" if you can't forget the past retreated TrueCrypt blindness -- your password safe that would anyway and it."

" I don't know if you put your TrueCrypt password into -- Well oh we're running -- that area right now so yeah."

" And what about what about lake features within the program that's the thing is I've got a on a different passwords that -- work for Hak5 for personal stuff how to organize all this and is any better than just like front and had I mean you know."

" Question. It's really really user friendly it's so easy completely crazy -- do you like I was able to go in there I didn't even read any directions and that's just like create new database and your password new master -- keep and then I went to. Grips and which. It's so cool can you can hear different passwords since the different groups like this one for home banking and there's 14. You know Internet email pretty much every single type of different password that you might have you put it into a different screen I would have to select the main web servers all -- that you could create your own -- don't have to use the default ones that against you who. And then there it'll just fill out the form premier does that work. There's a form that you have to fill out you have the choice between ES and you've finished and you put in the title of the past where that you and like. One of mine was columns adams' FaceBook. And then happening in the username. And email write the password. And then. Consulate to do an expiration date stamp. Yes I can say -- like a year expiration date -- sixty days pretty much whatever I want."

" It's good accounting gets you in the encourages you to to do that policy that everybody should be doing is actually changing their password every two months and that's. And not just putting a different number on the and that it. And -- sixteen except for the -- yeah. You mentioned that it's cross platform so I'm assuming you know it is across -- and it's portable so it run and when it back and it's no problem. What about my browser that's where do you all might have -- for the most part."

" There are plug ins for it there's Firefox plug -- and Internet Explorer plug -- as well as like. 3040 different other kind of and there's a toolbar -- on there which is pretty nifty I'd try it out -- bit like plants are things that there's tons of different things that you can use. --"

" Thanks. And definitely gonna get in the habit of doing this because. And I'm always making my a my -- more more secure. I just adding that conference to them but it's been a little cumbersome now I might -- death. Thank you and of course if people have questions about this."

" They can check out the KeePass I was black I haven't -- ads as well as some extra information about it and email -- or yours."

" let's go ahead and find that was going on this week in trivia them. This week's trivia is a bit of a scavenger hunt."

" Now based on what you've heard on this episode of what you seen was the address of the hack beach house clear answers up on Hak5 dot org slash trivia. And for your chance with Hak5 flags so right now we're gonna go thank our sponsor on godaddy."

" Keep your personal information away from spammers hackers inning you're crazy ex roommate private domain registration from godaddy.com protects your privacy by keeping your address phone number and more out of the public database. Check out revision3.com. Slash go daddy's for all of our godaddy coats in offers."

" You may remember from episode 119 when we started talking about. Brute forcing. And we're using technology from Nvidia card could so that we can actually do somewhere like four to five billion password attempts per second. Which makes brute forcing. As -- is kind of trivial when you've got enough horsepower like that. And I thought that it would be apt of course to talk about ways to protect those hashes and particularly a technology called faulting. Which is kind of opt for this Margarita that are having here on the beach. So. First we should have a basic understanding of what a hash is and why it's important to salt. So for instance my password if it was just the word password. When it's stored in a database it's not stored as just that. In what we call clear tax because then anybody being the database would be able to see that -- we actually. You what's called we we hash it with an algorithm like MD five or SHA one or -- one if you will. And and many other different algorithms but we used those to create a cryptographic hash a an equivalent. Of that password where we took the text we run it through this and we get this sequence numbers. That way when I ask you you know on the server and ask you for your password I'm not actually asking you. To tell me your password because anybody listening in between would actually be able let's say hey I describes password -- what am asking you to do is send me. That hatch and and taking a look at that and comparing it to watch I have my I'll ask your question maybe that's the Scarborough assaults say. If I take your hash and run it through this you get that. And it's it's number of challenges and responses and fun stuff but essentially. This way we don't have to pass our. Our text our password in the -- tax if you will so hashes are very important. And so many ways and what we talked about deficit for nineteen was how we could say great. If only. 
I could just come up with the table at that only I could use raw horsepower to come up with every cash equivalent. For every tax equivalent and then match them up with your -- and say oh. This hash. It means this ASCII equivalents and that's when your -- was this your password so what I'd like to talk about is assaulting. Now -- is basically using random bits and -- them to the password. When you create the hash is salted hashes. Don't look like. Normal passes so for example if I have to passwords if they -- and I both have the same password. They're not going to have the same hash because the salt is going to be different this salt is what makes it more secure and you can consider this whole homeless like. Another password because it needs to be kept secure as well. And when you mix these two together you get a much stronger -- what does that do for use the attacker well. A dictionary attack is going to be foiled by this. Because you would have to run your your dictionary of all the words and their cash equivalents. Against all the words and all be possible. Salts and their equivalents. And in the case of a 32 bit salt you're talking about the difference between hundreds of thousands and trillions. So it turns things like rainbow tables or pre -- did. And time memory trade off tables. Basically makes them impractical to use when you're dealing with a big enough salt. Of course that is to say we could brute force. A password -- that has been salted. And that could take forever or in the case of older Unix systems. It could not take -- long at all. -- give you an example. And then this comes straight from like a -- article that -- read back. When I was like twelve or something. That. Back then it was all popping Unix systems was pretty much just a matter of getting a guest log in or any log into the Unix box and copying a file called ETC slash password. Capacity. And and this is where the -- get this is before satirist okay before Patrick shadows but. 
But this is where your house would be sort and of course it was limited to eight characters and we use a twelve -- salt. Well nowadays. Twelve that salt an -- character password. There's only. 4096. You know possibilities for the salts so using rainbow tables and brute forcing especially with like -- or. Or other video card technology which would make it for -- actually -- so. You know and just you don't copy that passed the media that's you know back then. Any user on Unix system could you know see that file so it was just a matter grabbing that running it through John the ripper but of course now that's not the case anyway. So that is. Essentially. What salt are they are another password on top of your password they get mixed together to make your -- more secure to let you passers of the same. Would not have the same -- It's a lot more difficult force to crack and it's important to keep in mind if you're building a want to build a secure authentication mechanism. So. Of course that with a topic like this that is in a practical cures have you know run these commands in and pass it through this. I of course and very interested in your feedback. On on what. You consider secure and and what you use in practice whether your systems administrator programmer and other topics like this you might. Be interested in go ahead and hit the up."

" backpack Hak5 dot org. I wanna let everybody knows that. -- His -- service. They are the largest online video game rentals service and offer a choice over 6000 new and classic titles across all councils and -- we plants are you 15951. Game plan members can rent one to four games at a time and keep them for as long. It's like you can also purchase a game if you fall in love with it. Into the box and manual. Pornography. And on over to gain slide dot com slash Hak5 to get. Two week free trial version. -- dot com slash."

" That is about rats at this episode of Hak5."

" Ferris that want to mention that next week."

" We are finally going to San Francisco I'm so stoked about this occasionally they'll be she'd never rectory and I've gotten. You and your camera that I'm playing with rental and calls -- madness while doing some fun stuff with digital SLRs. Some -- stuff so the next episode going to be somewhat of a project. --"

" Washington an episode and it got so excited. An op that's actually going to be our last episode of the season can you believe. We're pretty bad with even that's -- Scott but I am gonna be so completely ignored he hears it if like us yeah does."

" When year Hulu now the so of course that doesn't mean that we're going on -- or anything we will be back with the premiere of season six the following Wednesday. So stay -- that that's actually going. After our meet up with gardens Williamsburg."

" You guys definitely matrix about I mean this up. I mean we're going to be you know doing everything broadcasters --"

" And immediate time yeah also don't forget to meet up with us -- we haven't we got in San Francisco so we know already telling us on Twitter. That back. I'm via twitter.com slash Hak5 --"

" Planned all of us it was fun all of us right onto -- twitter.com slash Hak5 and we also got the FaceBook fan page FaceBook dot com slash. Tech it's right now. We could get appliances to lower sixty's aren't yet I've -- character isn't it and get dated -- Hak point five and Atlantis that I have. That's happening to me and it's."

" And so of course what Mark Zuckerberg made that's. -- don't -- it. No gimmicks to get at number four. That's Netanyahu. I lately that's pretty much it for this week's episode packed -- as always you backpack buy dot org it best way to get a hold of us let us know what you think about the show this -- what you would like to see in the future. At this point we're gonna go back Margarita. If you next week. --"

" It's."

" We have hired -- intern. The -- Michael and send submissions and thought our mind."

" It's ridiculous."

" War."

" This time on the show keeping your password safe and secure with KeePass and keeping your -- here with past salty. All that and more on this episode of Hak5. This episode -- Hak5 has brought to you by godaddy. Squarespace. Game flags and viewers like you."

" Thorough look and Hak5 mining is Darren Kitchen I can't aren't and this is your weekly dose of technolust."

" We are here in topsail island North Carolina yet we're visiting my family this week so we decided it and not just ad here against my cousin and it is accurate. It adds all that hackers need to -- each and every now and then -- and three and keep it -- sweep this week. But what's happened pretty sweet spot where we're talking about soul to."

" Just click on -- here."

" Then delicious thought."

" And keep passed right so we're talking basically about passwords whether beef hash is the war on the user and actually entering them parade passwords it's like. -- dental hygiene right but it's important stuff. As yet. And we have found Internet here -- we are actually making things work. -- Little earlier -- have a little too much fun that let me say that San Francisco and we'll talk about. Oh right yeah who have come enough."

" segments about KeePass which is basically -- huge database a huge place we can store all your passwords and you just have to memorize. Them and I will be talking about --"

" But first let's take a quick break and find out what's going on with our meet up. In Williamsburg Virginia which gardens right --"

" Don't forget about our first ever Hak5 need -- that Busch Gardens Williamsburg August 15. He can out ride roller coasters drinking beer have a good time and you are officially invited. It all the details Hak5 mean that's Squarespace dot com -- sponsored Squarespace dot com."

" With Squarespace you can build beautiful looking blogs -- web sites in a fraction of the time it would take for the traditional content management system. They're intuitive drag and drop interface is a snappy and powerful as a desktop publishing app. The best of all there's no software to install new database to configure -- patches -- applied and no code to fiddle with. -- yourself a simple and powerful it can be with a two week free trial that's -- space dot com and use promo code hack. Five to support the show and save 10% off the life of your service -- Squarespace dot com."

" And."

" It's it's an -- to have this thing where I would use the same password. On every sender would have like levels of security is banking isn't really tough one but like for my slash static coming -- counts up like that. This is really stupid password. And then I got thinking and when I was doing research about the pals for hashing in one not that if any of those on the back and aren't secured properly. And if you know they were to be easily cracked and use the same thing. Like me this is showed us with maltego it's super simple to be like a MySpace to accomplish your kitchen is the same thing it's FaceBook dot -- let's -- attending care yeah right so. Any neatly at the same password that. And the reason being it's just so hard to remember all this passwords what what can I do so. You know I don't drive myself crazy and don't just put -- sticky notes and undermine monitor."

" Well you could do that and then have somebody coming into your room and find out passwords to your entire life yeah or you could use a system like KeePass. Which is a really nifty program that lets you stick all of your passwords every single one of them into this quick little database. And then you just have one master password -- master password in key key file and that can protect all of them. And keep an encrypted."

" You mentioned. That it's encrypted and that the key file at picked up on a case that that sounds a lot like TrueCrypt -- can talk yet there are -- that can use keep files. So how is how what's a similar is there."

" Well encryption you can do either AES Ortiz says those weren't choices that I had when I was running he had a portable mention -- KeePass."

" I'm not sure there's satellites it as well those -- good that's pretty cool I mean I guess he really wanted to get crazy humans noted portable app that's beautiful Kazan."

" You know very well you can just stick it on USB and rock out all sorts of different computers and never have to memorize all the -- house where it's just always get I sticking it in there and."

" Great another and then right after this -- your your. To pass from the last week. I love that idea and if you wanna get ridiculously secure and fun with that. You go ahead and actually TrueCrypt the portable up."

" yeah you can hit."

" if you can't forget the past retreated TrueCrypt blindness -- your password safe that would anyway and it."

" I don't know if you put your TrueCrypt password into -- Well oh we're running -- that area right now so yeah."

" And what about what about lake features within the program that's the thing is I've got a on a different passwords that -- work for Hak5 for personal stuff how to organize all this and is any better than just like front and had I mean you know."

" Question. It's really really user friendly it's so easy completely crazy -- do you like I was able to go in there I didn't even read any directions and that's just like create new database and your password new master -- keep and then I went to. Grips and which. It's so cool can you can hear different passwords since the different groups like this one for home banking and there's 14. You know Internet email pretty much every single type of different password that you might have you put it into a different screen I would have to select the main web servers all -- that you could create your own -- don't have to use the default ones that against you who. And then there it'll just fill out the form premier does that work. There's a form that you have to fill out you have the choice between ES and you've finished and you put in the title of the past where that you and like. One of mine was columns adams' FaceBook. And then happening in the username. And email write the password. And then. Consulate to do an expiration date stamp. Yes I can say -- like a year expiration date -- sixty days pretty much whatever I want."

" It's good accounting gets you in the encourages you to to do that policy that everybody should be doing is actually changing their password every two months and that's. And not just putting a different number on the and that it. And -- sixteen except for the -- yeah. You mentioned that it's cross platform so I'm assuming you know it is across -- and it's portable so it run and when it back and it's no problem. What about my browser that's where do you all might have -- for the most part."

" There are plug ins for it there's Firefox plug -- and Internet Explorer plug -- as well as like. 3040 different other kind of and there's a toolbar -- on there which is pretty nifty I'd try it out -- bit like plants are things that there's tons of different things that you can use. --"

" Thanks. And definitely gonna get in the habit of doing this because. And I'm always making my a my -- more more secure. I just adding that conference to them but it's been a little cumbersome now I might -- death. Thank you and of course if people have questions about this."

" They can check out the KeePass I was black I haven't -- ads as well as some extra information about it and email -- or yours."

" let's go ahead and find that was going on this week in trivia them. This week's trivia is a bit of a scavenger hunt."

" Now based on what you've heard on this episode of what you seen was the address of the hack beach house clear answers up on Hak5 dot org slash trivia. And for your chance with Hak5 flags so right now we're gonna go thank our sponsor on godaddy."

" Keep your personal information away from spammers hackers inning you're crazy ex roommate private domain registration from godaddy.com protects your privacy by keeping your address phone number and more out of the public database. Check out revision3.com. Slash go daddy's for all of our godaddy coats in offers."

" You may remember from episode 119 when we started talking about. Brute forcing. And we're using technology from Nvidia card could so that we can actually do somewhere like four to five billion password attempts per second. Which makes brute forcing. As -- is kind of trivial when you've got enough horsepower like that. And I thought that it would be apt of course to talk about ways to protect those hashes and particularly a technology called faulting. Which is kind of opt for this Margarita that are having here on the beach. So. First we should have a basic understanding of what a hash is and why it's important to salt. So for instance my password if it was just the word password. When it's stored in a database it's not stored as just that. In what we call clear tax because then anybody being the database would be able to see that -- we actually. You what's called we we hash it with an algorithm like MD five or SHA one or -- one if you will. And and many other different algorithms but we used those to create a cryptographic hash a an equivalent. Of that password where we took the text we run it through this and we get this sequence numbers. That way when I ask you you know on the server and ask you for your password I'm not actually asking you. To tell me your password because anybody listening in between would actually be able let's say hey I describes password -- what am asking you to do is send me. That hatch and and taking a look at that and comparing it to watch I have my I'll ask your question maybe that's the Scarborough assaults say. If I take your hash and run it through this you get that. And it's it's number of challenges and responses and fun stuff but essentially. This way we don't have to pass our. Our text our password in the -- tax if you will so hashes are very important. And so many ways and what we talked about deficit for nineteen was how we could say great. If only. 
I could just come up with the table at that only I could use raw horsepower to come up with every cash equivalent. For every tax equivalent and then match them up with your -- and say oh. This hash. It means this ASCII equivalents and that's when your -- was this your password so what I'd like to talk about is assaulting. Now -- is basically using random bits and -- them to the password. When you create the hash is salted hashes. Don't look like. Normal passes so for example if I have to passwords if they -- and I both have the same password. They're not going to have the same hash because the salt is going to be different this salt is what makes it more secure and you can consider this whole homeless like. Another password because it needs to be kept secure as well. And when you mix these two together you get a much stronger -- what does that do for use the attacker well. A dictionary attack is going to be foiled by this. Because you would have to run your your dictionary of all the words and their cash equivalents. Against all the words and all be possible. Salts and their equivalents. And in the case of a 32 bit salt you're talking about the difference between hundreds of thousands and trillions. So it turns things like rainbow tables or pre -- did. And time memory trade off tables. Basically makes them impractical to use when you're dealing with a big enough salt. Of course that is to say we could brute force. A password -- that has been salted. And that could take forever or in the case of older Unix systems. It could not take -- long at all. -- give you an example. And then this comes straight from like a -- article that -- read back. When I was like twelve or something. That. Back then it was all popping Unix systems was pretty much just a matter of getting a guest log in or any log into the Unix box and copying a file called ETC slash password. Capacity. And and this is where the -- get this is before satirist okay before Patrick shadows but. 
But this is where your house would be sort and of course it was limited to eight characters and we use a twelve -- salt. Well nowadays. Twelve that salt an -- character password. There's only. 4096. You know possibilities for the salts so using rainbow tables and brute forcing especially with like -- or. Or other video card technology which would make it for -- actually -- so. You know and just you don't copy that passed the media that's you know back then. Any user on Unix system could you know see that file so it was just a matter grabbing that running it through John the ripper but of course now that's not the case anyway. So that is. Essentially. What salt are they are another password on top of your password they get mixed together to make your -- more secure to let you passers of the same. Would not have the same -- It's a lot more difficult force to crack and it's important to keep in mind if you're building a want to build a secure authentication mechanism. So. Of course that with a topic like this that is in a practical cures have you know run these commands in and pass it through this. I of course and very interested in your feedback. On on what. You consider secure and and what you use in practice whether your systems administrator programmer and other topics like this you might. Be interested in go ahead and hit the up."

" backpack Hak5 dot org. I wanna let everybody knows that. -- His -- service. They are the largest online video game rentals service and offer a choice over 6000 new and classic titles across all councils and -- we plants are you 15951. Game plan members can rent one to four games at a time and keep them for as long. It's like you can also purchase a game if you fall in love with it. Into the box and manual. Pornography. And on over to gain slide dot com slash Hak5 to get. Two week free trial version. -- dot com slash."

" That is about rats at this episode of Hak5."

" Ferris that want to mention that next week."

" We are finally going to San Francisco I'm so stoked about this occasionally they'll be she'd never rectory and I've gotten. You and your camera that I'm playing with rental and calls -- madness while doing some fun stuff with digital SLRs. Some -- stuff so the next episode going to be somewhat of a project. --"

" Washington an episode and it got so excited. An op that's actually going to be our last episode of the season can you believe. We're pretty bad with even that's -- Scott but I am gonna be so completely ignored he hears it if like us yeah does."

" When year Hulu now the so of course that doesn't mean that we're going on -- or anything, we will be back with the premiere of season six the following Wednesday. So stay -- that that's actually going. After our meetup at Busch Gardens Williamsburg."

" You guys definitely matrix about I mean this up. I mean we're going to be you know doing everything broadcasters --"

" And immediate time yeah also don't forget to meet up with us -- we haven't we got in San Francisco so we know already telling us on Twitter. That back. I'm via twitter.com slash Hak5 --"

" Planned all of us it was fun all of us right onto -- twitter.com slash Hak5 and we also got the Facebook fan page Facebook dot com slash. Tech it's right now. We could get appliances to lower sixty's aren't yet I've -- character isn't it and get dated -- Hak point five and Atlantis that I have. That's happening to me and it's."

" And so of course what Mark Zuckerberg made that's. -- don't -- it. No gimmicks to get at number four. That's Netanyahu. I lately that's pretty much it for this week's episode packed -- as always, feedback at Hak5 dot org is the best way to get a hold of us, let us know what you think about the show this -- what you would like to see in the future. At this point we're gonna go back Margarita. If you next week. --"

" It's."

" We have hired -- intern. The -- Michael and send submissions and thought our mind."

" It's ridiculous."
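The salting segment of the transcript above, as an added example that is not from the show: it contrasts an unsalted digest with a per-user salted one, flags accounts that share a stored digest, and computes how many precomputed-table entries the 12-bit and 32-bit salts mentioned would require. PBKDF2, the 16-byte salt, the iteration count, the sample users and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ITERATIONS = 100_000  # assumption: work factor picked for this example


def unsalted_hash(password: str) -> str:
    """Weak form: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt, stored beside the digest (PBKDF2 is an assumption)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)


def table_entries(dictionary_words: int, salt_bits: int) -> int:
    """Entries a precomputed table needs: every word under every possible salt."""
    return dictionary_words * 2 ** salt_bits


def shared_digests(records: List[Tuple[str, str]]) -> List[List[str]]:
    """Audit check: groups of users whose stored digests are identical."""
    groups = {}
    for user, digest in records:
        groups.setdefault(digest, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    users = {"alice": "correct horse", "bob": "correct horse"}
    weak = [(u, unsalted_hash(p)) for u, p in users.items()]
    strong = [(u, salted_hash(p)[1].hex()) for u, p in users.items()]
    print("unsalted, shared digests:", shared_digests(weak))
    print("salted, shared digests:  ", shared_digests(strong))
    for bits in (12, 32):
        print(f"{bits}-bit salt, 100,000 words:", table_entries(100_000, bits))
```
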

mari1ee

Started discussion: August 5, 2009 @ 8:48am GMT

Episode 525: Salty Hashes [Discussion]


Andrew Ortman
4 months ago
I actually rented a house on that same street (I recognize the green house behind them) - I'm two houses behind them. I love topsail!
portalofknowledge
4 months ago
Had a little too much sun maybe? ;)
Tau_Zero
4 months ago
Topsail, NC? I've got relatives around there! The Topsail Trading Company has some of the best fudge I've ever eaten.

KeePass seems interesting. Sometimes I don't have my USB key with me, especially over the summer as opposed to during the semester. That's the one thing that's bad about password managers – once set up with them, if you're without them you're pretty much screwed.

I've heard good things about SuperGenPass for web passwords. Essentially, it's a JavaScript thing you can bookmark that runs some algorithm on a master password, incorporating a given domain name, to generate a different password specific for each site. It's pretty easy to bookmark it on the browser wherever you are, but there's also a 'mobile version', which lets you run the algorithm as a one time thing. I'd love to hear your opinions on something like this.
versions
3 months ago
SuperGenPass looks pretty interesting. It still requires a strong master password, but that is easier to use & remember if it's the only password that has to be remembered. I am a big fan of KeePass, but sometimes carrying around the program and key files is too much trouble. PassPack and LastPass are two other secure web-based password managers.