Password Cracking Explained | ReHacked
Skills:
Security Basics70%
Key Takeaways
Explains password cracking and hashing algorithms
Full Transcript
i make technical videos right and i edit my technical videos um so when i watch other technical videos i really pay attention to how they are editing their technical content so even though of course basic topic whatever we can be jealous that this person gets 11 million views for this basic video whatever doesn't matter but this video has you know is edited and stuff like this is this is the amount of editing i like of course design-wise can be more beautiful and stuff but but of course i don't do this for my videos as well in this video we'll see how passwords are really cracked passwords are not saved as plain texts any website of this age on the internet uses a hashing algorithm to encrypt and manage passwords there are many types of hashing algorithms like the sha-1 md5 etc as an example for this video let's consider facebook starting out with kind of like you know done with slides or something or in the clear stuff you know not a text editor not notepad or something like this and then even here when showing a website not just screen recording where you can see the the windows bar in the browser top bar is actually a good secret tip to not record the window of the of this browser window because that tells you how old a certain recording is obviously this website also looks a bit older already dated but and that's just because it's facebook um but i mean like you can't tell if this was like recorded on windows xp or if this was recorded on windows 10 right so it's easier to survive for a longer amount of time because it doesn't feel so outdated so i think that was a conscious decision to just record this you know this is editing efforts let's consider facebook in order to log into your facebook account now as an example for this video let's consider facebook now what's a bit lazy is i guess here having the but i mean that happens for me too sometimes i forget to delete the suggestion boxes from previous things i entered in order to log into your facebook account you enter your email and password and click on login here zooming in on the important things so the viewer know where to focus on this thing all these things is editing and i really appreciate that the first time you create a facebook account you are asked to fill in a form like this which contains your name your email address and it asks you to choose a password your birth date and your gender once you click on sign up this data is sent to the facebook's backend database in the facebook database your name your job look at this putting real effort into uh animating and visualizing how the database looks like that it looks like a table and so forth this is not a shitty you know low effort uh video and your age and your email or phone is saved as it is but what about the password as i told you a password will never be saved i like this uh it's not just telling us how the password is done but posing a question okay so the data is in here but what to do with the password saved as a plain text in a website's database so this password is given as input to a hashing algorithm and the output given by this hashing algorithm is the encrypted form of the password which appears to be random but is not this hashed password is saved in the facebook database but not the plain text which means the password which you entered will never be saved on facebook's database as a plain text instead only it's encrypted or in other words the hashed password so he uses here the words encrypted but then says in other words hashed i think it's totally fine of course it's not encryption and i would i would my expectation is that this person who says that knows that because obviously they are generally technical kind of like accurate with everything but regular users obviously don't understand the word hashing i think it's still important to mention it and generally use the word hashing and he does that he mentions hashing algorithms and that this is hashing that this is called hashing there's md5 and like still mentioning that but then also throws in one time it's like it's encrypted well what's technically wrong a person who does not understand hashing the whole time now they hear encryption and they understand that it's like scrambled differently right i i've done this in i do this in videos sometimes as well where i say something that's technically not quite accurate but i say it because it helps me better [Music] make something understandable and it's like only half true or something you know so uh yeah i mean here uh here's food for thought if your password is shorter than the half hash bit length could you maybe even call this encryption it's a one-time pad matching entire strings to a certain hash and that hash so to say vice versa if you have a one-time we we call one-time paths to be encryption can we here say that this is a one-time pad between a password and a hash and if you have the one-time pad you know the the mappings between those things no just saying what i'm just saying is i wouldn't criticize this in this case to call this encryption just because he is mentioning um hashing all the time and is just using it one time here i guess or using here for the first time now just to emphasize for people who are not technical that this password is not in plain text anymore it's encrypted you know it is saved in the facebook's database now suppose facebook had a data breach and hackers managed to gain access to facebook's user info which included their name age gender email and password though hackers have this information they will not be able to login to any specific user account because the password is encrypted if the hacker tries to login to any specific user account with the hashed password he will not be provided access he only needs to enter the password here this is also good just to visualize that this doesn't work you know this person could just sit there and just mention this or not mention it at all but it might help to further solidify what it means to have a hash password that if they steal now this password obviously that doesn't work to log in and creating footage for all of this and recording it now here this he was lazy i just realized look at this app bar uh here i mean everything still displayed here terrible editing word which is in the plain text form so what do the hacker do now in youtube i like this i like asking questions so what does the hacker do now this is the way how i like to think about my scripts and stuff as well the only possible way is to reverse the hash into its plain text form but this is highly impossible because a hash is a one-way function and the plain text see the terminology one-way function so yeah this person i mean has a certain you know base education level of i.t for sure um yeah i mean it's a it's it's a it's a technical term but um it's also understandable for common people just because it's very descriptive i guess this form of a hash cannot be obtained from the hash itself that is how hashing algorithms are designed so what now this is when the strength of the password comes into the play if you are using a common password like test123456 which i used earlier to sign up for facebook then the hacker will easily able to know the plain text form of your password from the hash string there is something known as rainbow tables these rainbow tables contain the password hashes of numerous commonly used passwords along with their plain text forms so the hacker will be able to do a simple search with the password hash that he has and if the password hash exists in the rainbow table that means that the password is successfully cracked and we now have the password in a plain text form remember that rainbow tables contain the password hashes of only the passwords which are commonly used as a reference you can try it yourself at crackstation.net but what if the password is not a commonly used password in that case rainbow tables are of no use so there comes dictionary attack and brute force attack both are quite similar in dictionary attack you have a word list a word list is nothing but a huge text file with loads of passwords in this attack the hacker writes a code which compares the password has to be cracked with the password hash of each and what's happening here with this editing sometimes stuff is like flickering in and out and then i don't know there was here just on which combat here i have it sorry i'm going here frame by frame writes a code which hash is matched ah okay compares the password has to be cracked with the password hash of each and every password that exists in the word list file if any hashes match then it means that the tracking is successful and we now have the plain text of the hashed password now this attack can be target specific as well which means you can actually create your own word list targeting a specific individual provided that you know some basic details about him and assuming that he used his basic details to frame his password this attack can be a success or a failure based on the quality of the word list that you are using in a brute force attack each and every combination of letters symbols and numbers are converted into their hash forms and are then compared with the password hash which is to be cracked in other words you are literally taking every possible password that can exist convert it into its hash and check if the hashes match so yes it literally takes forever to crack a strong password using this method however if the computer's processing speed is fast enough then yep simple passwords can be cracked easily by this method a new technique called salting is introduced by security analysts to give hackers a hard time in cracking passwords in this technique a specific combination of characters are inserted at specific positions of the plain text password before hashing every company has its own salting algorithm and they don't make their salting algorithm public nah that is wrong there are some very well defined ways how salting is done or should be done just because when you do your own salting maybe it's ineffective or not ideal or something like this so it's not true that this needs to be secret in what needs to be secret is maybe the value you salt with uh but generally no no not even that is a secret you usually store you have to store the salt next to the password of course because you need to obviously do this to verify the hash i'm an idiot but yeah so this is um yeah there are industry standards so to say like typical salt and hash algorithm combinations for example let's say facebook salting algorithm inserts a string f ampersand two p at the beginning after the third character and at the end after the third character but then does it after the fourth must feel bad in a 11 when 11 million people see your horrible mistakes of the plain text password after sorting the password the started password is then hashed by a hashing algorithm so when assault is used rainbow tables are of no use even if the password to be cracked is a weak and commonly used password because the hash of the password without salting do not match the hash of the password which is salted also brute force attack and dictionary attack are not effective to crack salted passwords unless the hacker already knows the salting algorithm employed by a company so that is it for this video thanks for watching leave a like if you liked this video and also don't forget to subscribe for more awesome videos comment down below if you have any doubts regarding this video cool yeah i like it because it was um you know well-edited it wasn't a lazy technical video um i wish more people would invest into editing the technical videos oh my god see it's full comments full of these kind of spams bro we got hash cat hash passwords aren't the problem getting into the database is the problem see spam again after series of searching for help i finally found someone blah blah blah for instagram sagehek full full everywhere everywhere this kind of spam on these hacking videos terrible [Music] you
Original Description
Original Video: https://www.youtube.com/watch?v=YiRPt4vrSSw
→ Twitch Subscription: https://www.twitch.tv/products/liveoverflow
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ 📄 Info. ]=-
Main Channel: https://youtube.com/LiveOverflowCTF
Twitch: https://twitch.tv/LiveOverflow
-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
-=[ 📄 P.S. ]=-
#liveoverflow
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from LiveUnderflow · LiveUnderflow · 18 of 42
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
▶
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
BUILDING AN 8-BIT COMPUTER FROM SCRATCH #2 (Full Stream)
LiveUnderflow
LiveOverflow's Makeup Tutorial #1
LiveUnderflow
MakeUp Tutorial for Streaming and YouTube
LiveUnderflow
MurmusCTF, SSD CTF Challenge, Google CTF writeups - PwnNews 27/06/19
LiveUnderflow
Google CTF 2019 Chat - Looking at Writeups
LiveUnderflow
Discussing Hacking Videos - Community Guidelines YouTube
LiveUnderflow
Hacking Skills Perspective
LiveUnderflow
Chatting about Cryptography and Exploit Regulations
LiveUnderflow
BUILDING AN 8-BIT COMPUTER FROM SCRATCH #1 (Full Stream)
LiveUnderflow
BUILDING AN 8-BIT COMPUTER FROM SCRATCH #3 (Full Stream)
LiveUnderflow
BUILDING AN 8-BIT COMPUTER FROM SCRATCH #4 (Full Stream)
LiveUnderflow
Studying Cybersecurity in USA vs. Germany | ReHacked
LiveUnderflow
Examining JavaScript Inter-Process Communication in Firefox | Watch Together & Q&A
LiveUnderflow
Reading SECRET U.S. Air Force HACKING Document!!
LiveUnderflow
Why Don't Use alert(1) for XSS? | Watch Together + Q&A
LiveUnderflow
Escaping from JavaScript Sandbox (AngularJS)
LiveUnderflow
Why proofing impact for every XSS is "dumb" - Bug Bounty Reports
LiveUnderflow
Password Cracking Explained | ReHacked
LiveUnderflow
HTTP Desync Attack Explained With Paper
LiveUnderflow
Better than Stack Overflow for Development
LiveUnderflow
Thumbnail A/B Test Experiment for CTR
LiveUnderflow
How To Exploit a Heap Overflow
LiveUnderflow
Log4Shell | Bug Bounty Public Service Announcement #shorts
LiveUnderflow
New Details on Commercial Spyware Vendor Variston - Revisiting Firefox Sandbox Escape
LiveUnderflow
Can AI Hack Websites with XSS? #ChatGPT
LiveUnderflow
ping Vulnerability Patch Analysis (with #ChatGPT) - CVE-2022-23093
LiveUnderflow
Using CodeQL to Investigate GraphQL Resolvers
LiveUnderflow
Security Issue Found in US Gov CISA Tool?
LiveUnderflow
Using joern to Find GraphQL Authorization Issue
LiveUnderflow
Analytics from 7 Years on YouTube...
LiveUnderflow
3D Printer Researching Igus Bearings - Prusa i3 MK3S+ (part 3)
LiveOverflow
Attacking VSCode Extension from Browser? - Live Security Research
LiveOverflow
I Don't Trust Websites! - The Everything API with ChatGPT
LiveOverflow
Do Hackers Need To Know Algorithms and Data Structures?
LiveOverflow
"Remove the video as soon as possible"
LiveOverflow
Arm®-based Video
LiveOverflow
How to make good HACKING videos
LiveOverflow
LEEROY fällt auf HACKER rein?
LiveOverflow
Hacking for an Intelligence Agency
LiveOverflow
Tier List of My Worst Tweets
LiveOverflow
Step by Step Phishing Setup Tutorials are Unethical!
LiveOverflow
Hacker Reacts to 23andme Data Leak
LiveOverflow
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
A lightweight workflow for keeping up with AI conference papers
Dev.to · Daniel
Why CitedEvidence Believes Great Researchers Read Less Than You Think
Medium · AI
How to Write a Literature Review That Actually Argues Something
Medium · Machine Learning
I Built a Personal Paper Engine to Stop Losing Research Papers
Dev.to · Ethan
🎓
Tutor Explanation
DeepCamp AI