While on Vacation at the beach Darren and Shannon talk password security. Shannon covers her favorite free open source password safe, Keepass, and how it can take the nightmare out of remembering a different password for every site. Then, Darren goes over salting and what it does to protect your password’s hash on the back end.

Download HD Download MP4 Download XviD Download WMV

With the dozens–or in the case of many administrators hundreds–of passwords one must use and remember every day, how is one to ensure a secure and original password every time? Sure you could come up with some crazy algorythm that involves information in the WHOIS record of the domain you’re logging into, or you could live in normal land and get a password safe. Shannon goes over her favorite free open source offering KeePass.

Using industry standard encryption to keep your passwords safe, KeePass is the most full featured password safe we’ve tested. With versions for just about every OS under the sun, including many smart phones, there is no reason to ever reuse a password again.

If you’re a fan of KeePass and have a story or plugin you want to sare with us be sure to hit up feedback@hak5.org!

When it comes to storing passwords on the back end, whether they be in a database or flat file, it’s important to keep ‘em salted. In this episode Darren goes over what Hash salting is — what it means to users, administrators, and would-be password crackers.

Don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

42 Comments

  • Gah! A couple of season’s back Wes and Darren tell me not to store my passwords in some sort of program like this so I did. Now suddenly it’s okay!

  • Edvardas 5 years ago

    I didn’t like the idea to store all passwords in a single place. I think this gives you a single point of failure, you should remember to backup the password database (in case your usb stick/hard drive dies).

    Regarding post-it notes. In one of my former workplaces I stuck like 50+ post-it notes around the monitors. The funny thing was that none of them was a password used :) Not sure if anyone tried them.

    P.S. Was the white balance off during the episodes, or you guys had sun burn?

  • JC Denton 5 years ago

    I agree with Edvardas. Single point of failure, not to mention a nice keylogger (hardware or software) snagging one password to get many passwords. *p00f* This just seems like a bad idea. get some form of biometric device with encryption on top of that if you want to go the storing of multiple passwords route.

  • joeypesci 5 years ago

    Wow sunburn!

  • Observer 5 years ago

    Or, the Hak5 crew got rooted because of a 0day WordPress vuln, but for some reason not related to security didn’t fess up to it. Instead, they decided to put a show out about how to not reuse passwords, especially between security zones. You mean, like your forumID and the root for your shell account?

    Google zf05.txt if you think I’m just making things up. There is always someone out there better than you, there’s no shame in it. There is shame in getting called out and pretending everything is fine.

  • Guy with new nickname 5 years ago

    Damn, my nickname and one of my passwords is in this file.
    I used to have 5 diffrent passwords, which I used for all my logins. But now as my password is that much close to my nickname on the internet, I changed every login and use diffrent passwords for all my logins.
    But I still write down all my passwords on a piece of paper and keep it hidden in my room, next to my credit-card-PIN and all that.

  • -=Boris=- 5 years ago

    not bad ep but have to say nothing better then paper and pen to write down your passwords :D

    Observer: ur rite i google it, found the file and it’s pretty funny to read they even talked about Mubix to lol

  • haxwithaxe 5 years ago

    OH GOD!! That file has my nick(hax) in the title. It’s not mine I swear.
    Also gotta say I don’t trust anyone including my self with passwords written or electronically stored. My first hacking experience was finding my mom’s passwords “hints” written on a piece of paper and typing variations into the dial-up login ’til I got it right.
    If I can’t remember it, it doesn’t work. I have my own character replacement systems for work and personal use so even my hacker coworker can’t use my crazy passwords to figure out my personal accounts.

  • @Observer, nobody is pretending everything is fine. In the same token we’ve been on vacation during the last two shoots and haven’t had a chance to put together a proper follow-up. Once I have something intelligent to say about it I will. Until then I’m still getting familiar with the situation.

  • @Observer

    Of course a show about hacking is going to be attacked more often than other sites. Even Mitnick got owned. However, I do recall a few episodes ago, Darren saying they were hacked, he wasn’t hiding it. Its just sad that people have to spend many sleepless nights trying to attack someone who has a 40-50 hour/week job, busts his ass trying to put together videos for us, and wants to take a lil vacation every once in a while. I can barely post a youtube video without getting distracted a million times.

    From zf05
    “Oh dear. See, Hak5 are a bunch of no mark wannabes. They contribute nothing to security but entertain people who own iPhones and macs and study CS. These people get their buzz from claiming to be hardcore, leet and hackers.”

    There are so few videos of iPhones and macs. Apparently someone didn’t actually watch the videos before complaining.

    Also, the whole “They contribute nothing to security” is completely false. There are so many IT admins/Security geeks out there that don’t have a decent grasp on whats really going on in the world. Hak5 is providing that insight to these IT Admins as well as the geeks that just love to play with stuff. While I don’t approve of companies hiring IT Admins with just a basic background, it is becoming increasingly popular in today’s world. They need more training. And, if Hak5 can provide some basic to advanced knowledge into the hacker community, that is a step in the right direction. Why would they post videos on how to reverse engineer a Microsoft patch? The people who would actually be able to do that, wouldn’t watch the show to learn. They would watch it for the entertainment. Who cares if they also throw a few vids up of a Wii hack. Everyone needs to have some fun.

    I used the “Multipass” video in a meeting to describe how easy it is to get attacked. I knew it, but no one would listen to me. I also used it to provide our own set of USB keys for our Tier 1 techs to be able to troubleshoot and resolve problems more efficiently. I added the Switchblade stuff as well so they can dump log files, net stats, hosts files, etc. so I can dig through the content without having to be at the machine. Hak5 was useful here.

    I’m also using the NetWitness/tcpdump/tcpextract stuff as a training session in security conference coming up. Hak5 was useful here as well.

    We’ve even used the OpenFire stuff.

    I am a Security Analyst for a higher education institution. I do not have time to figure out how to put things like the multipass together(just for clarification, not having time and not having knowledge are two completely different things). I’m too busy trying to perform internal audits and keep up with 0day attacks on all of our systems. Hak5 shows me new ways to better keep track of what the hell is really going on with my systems. They also show me how to have some fun when I go home and the g/f wants to play the Wii. She loves that “Move the pussy” game.

    So go ahead and continue to bitch while posting proof of your complaints. Everyone knows there is always someone better out there. No one is hiding anything. Its people like you that piss everyone off and make life less enjoyable.

    Grow up and stop posting shit that you had nothing to do with. Unless you’re willing to admit that you hacked them.

  • carl campbell 5 years ago

    Dont ever hate on HAK5; they do it for the love of the game. U watched the episode and used the forums to post, would’nt a “thank you” be more appropriate?

    Good episode..you said Matt would be back this week..oh well, keep up they good work

  • JC Denton 5 years ago

    Hear, Hear!

  • Observer 5 years ago

    Apologies to Darren, etc. L34n, point taken and you’re right. It’s a great show, and the first post wasn’t deserved or intended to be that pointed. The forums responsibly disclosed the original issue in a timely fashion.

    If I could revise the previous it would have been…
    Having a tool to store passwords should allow you to take advantage of policy generated random passwords, preventing predictability, and easily maintain a 1::1, password::site. The issue (mentioned in hak5) causes you to have 1 passphrase (to the vault) that is a single point of failure since it’s unlikely you’ll remember random strings.

    As an add on to snubs great suggestions, perhaps multiple keyfiles creating defense in depth is a workaround. Having all your passwords and the key to those passwords on a system is an issue. If your passfile is on a system with a keylogger (usb on public terminal), you’re in the same boat or worse than if you reused passwords. If you had a keyfile for banking, one for social sites, one for all others, you could protect those keyfiles differently, and in relation to how valuable they are to you. IE, the passphrase for the bank key file is never entered on an untrusted system, and is not predictable if another passphrase were compromised.

    To rephrase, you don’t have much control over a lot of the systems you use to save time or stay connected (some don’t even use salts), and we all fall victim at some point.


    Again, sorry for the out of character trolling, hope you had a restful time at the beach….

  • PapaBear 5 years ago

    Good episode lady and gentleman. Glad to see you guys relaxing and enjoying time with family and friends. Many props for even making an episode while you are on vacation (most wouldn’t have even bothered). Can’t wait for season 6.

  • rockstar 5 years ago

    pretty sad that the camera guy just HAS to keep fucking saggy boobs in the shot, at the expense of cutting off someones head in the shot, leaving the main focal point a neck. This is a hak show, not an excuse for snubs to fucking show off like a whore.

    sad.

  • JC Denton 5 years ago

    You cocksucker rockstar! How could you say that about her.
    Oh I know. because you are hidden behind a computer. If I was Darren and I knew who you were in real life I would knock the fuck out of ya for saying that.

  • When did everyone become so screwed up. Shannon is beautiful! Even my girl thinks so. Btw.. you know they’re loggin IPs rockstar.

    @Observer
    Thank you for changing your mind. Its very interesting to see someone who got slammed by so many actually man up and take it back. Very respectful.

  • [3w`Sparky] 5 years ago

    first off Rockstar you are a cock star

    15 mins into the episode the house in the background seems to have a face on it , sad i know i spot that kind of sad crap.

    and i’m thinking the red skin is one of two things , bad lighting or that shirt ;o)

    cheers guys, enjoy your hols

  • rockstar 5 years ago

    “When did everyone become so screwed up. Shannon is beautiful! Even my girl thinks so. Btw.. you know they’re loggin IPs rockstar.”

    OH NO, HE HAS MY IP

    srsly, who cares. cant get an address from an ip anyways.

  • haxwithaxe 5 years ago

    @ rockstar: actually you can get an address from an ip. i did that for a project a work.
    google geoip
    also the adjetives you used were 1) unnecisary 2) not appropriate 3) off topic and 4) fals. snubs is hot you’re wierd if you think otherwise.

  • Wetwork 5 years ago

    Is it just me or is Snubbs getting hotter and the shows getting shorter?? As far as passwords being stored in one place that is just like holding Satan in Pandora’s box….just a bad idea. for several shows this past season they have done quite a few epi’s that deal with cracking all sorts of encryption and even Darren eluded to it himself in this very episode with his blurbs on salting. I don’t care what program that you use and how great the encryption is on said programthe best way to store the passwords that you use is in your own head

    I have two sayings for you
    Security is a warm blanket of Mistrust and Safest safe can be cracked with a wisper

    Have a good vacation and lets try to put some more content in our content instead of rehashing the same things over and over again such as how to convert Physical to virutal VmWare Guests

    Kudos on the end of season 4

  • Hey hey,

    First of all: Snubs looks gorgeous.

    Besides that:
    I dont like to store all the passwords at one place either but this program kinda replaces all passwords by 1. Just make a program (or figure out, but we’re geeks arent we) a random password for each login and store it in that program…I think there are some ideas there.

    About the hashing: very intresting! Currently making a mailclient in java and I’m very excited about trying (yes trying) implementing it.

    Have fun guys!

  • rockstar 5 years ago

    @ rockstar: actually you can get an address from an ip. i did that for a project a work.
    google geoip

    That doesn’t give you the EXACT address of an IP, only a general area.

    Nice try.

  • Freyberger 5 years ago

    I give mega props to the hak5 Team!! You put on a show that is worth my time watching. I have just been in tune for the last year but have gone back and TiVo’d the old stuff too. I have been in the hacking and Phreaking game from way back. My first adventures were with TRS80 Model 1, Ti994a, C=64 & Amiga… Been trudging through it all for over 30+ years.

    Who ever crashed the site I say Thanks for nothing! :(

    To The TEAM at Hak5 thank you and keep up the great work.

    You inspire me to follow my technolust

  • crazzymoocow 5 years ago

    i love the keepass thing im tyred of forgetting usernames and passwords if i ever get back in to my netgear at least i can store my new name and password and maby i wont tair any more hair out because i locked my self out off my crap again

  • stephen 5 years ago

    @rockstar
    once somebody has your IP and you haven’t taken precations, one can then find out your service provider and then do a little social engineering to hack your service provider and get your exact location… and if you don’t think it is possible, you will be thinking twice when darren is at your front door about to shove his acer one up your… well you get the point…

    geoip may not be able to give an exact location it can give somebody a place to start looking…

    btw, I thought it was pretty nice to see snubbs wearing the blue dress… my gf even thought she looked very nice…

    can’t wait for next season… enjoy your vacation…

  • JC Denton 5 years ago

    So the moral of the story is, become a shell monkey and use a lot of proxy with jumps

  • Anon since that text file got out! 5 years ago

    Hi, i’m astounded that people such as the Hak5 crew let the forum passwords get stored in their original form!! Never heard of one-way hashing guys?

    I mean, if you were a first year at college programmer or something, maybe you might do something as stupid as that; but a show about security and hacking – should know better!

    I’ll continue to watch the show, I like it even though the past few I have skipped through parts. Keep making awesome shows, but maybe also look into your own security once in a while :D

  • Anon since that text file got out! 5 years ago

    Just read that the passwords were MitM’ed, not read from a file.

    Thats a bit more forgivable than passwords stored in plaintext :)

  • rockstar 5 years ago

    @rockstar
    once somebody has your IP and you haven’t taken precations, one can then find out your service provider and then do a little social engineering to hack your service provider and get your exact location… and if you don’t think it is possible, you will be thinking twice when darren is at your front door about to shove his acer one up your… well you get the point…

    I’ll give you $500 if you can do that. I know people like you, and darren, and none of you have the balls to do anything except hack a pc then snicker about it later. You’re skinny nerds with big brains, don’t say you’re going to do shit when you know you’ve never fought in your life.

    I worked for a cable/internet company before, and even in my position I wouldn’t be able to get an address from an IP.

  • @Rockstar – what’s sad is if your focal point was her neck.

  • Digitaldog 5 years ago

    Hak5 is Awesome; if this was my site I would have deleted the post from the idiots above. Hak5 chooses to let the comments stay where they lay and as a result we see how ignorant some of the points of view are. The show is Great you guys do the best job, keep up the good work!

  • Im sorry for saying this, but it looks im the only one to confess that I was unable to stop staring at Shannon cleaveage the whole ep. I know she’s not just a cleaveage, it’s a person, but the camerman did a “rare” job also, cutting her forehead and “centering” in the picture her cleaveage. I’ve said it.

  • disgusted 5 years ago

    Whoever the hacker was fits the description of an intelligent geek who is an outright COWARD…. with no balls.

    Those of us who appreciate what the hak5 team is doing share the commonality that we have full time jobs, work hard, and appreciate the hak5 team for sharing what we love must.
    You might think that you are all that and a bag of chips, but just like Darren mentioned even Mitniks site got owned so you haven’t proved anything but that you are a geek with no appreciation. Your day will come when someone will outsmart you and catch you in the act and you will be hung out to dry.

  • Darren , Long time no see buddy… I think you all should have a show in the works especially for Rockstar ;) I think you would have plenty of viewers on that one. And BTW Keep up the good work…

  • Whats up, haha I’m the camera guy (brown tank top first ad read) and sorry about the camera work, kinda windy, kinda just me not having experience with the camera… it was like a regular camera not a camcorder. Not really a hacker just showing some love.

  • Dreamglider 4 years ago

    So how are the passwords “salted” ?

  • Juan Cubillo 4 years ago

    Where did you got that “Pura Vida” Fish???

    I’m from Costa Rica and that phrase was like totally invented in here! :)

  • Nice Lady
    Dress was very worthy

  • Dobby 4 years ago

    I have Techno Lust for Shannon! What a Rack!

  • Dobby 4 years ago

    I have Techno Lust for Shannon! Great Rack.