I was skeptical of watching this video , but then after watching this video can I say "Today I learned". It is really good techinique I never thought of. Awesome , thank you Gary

'Peppering' is a good mitigation (for those in the 'know'). Not only is it tricky to incorporate, it is neigh impossible to implement or teach company-wide. Best (albeit weak) practice is (imho) long passwords (e.g. 14 characters or more) using spaces and/or ASCII characters. This will (semi) force users to use sentences. A combination of words will reduce the 'brute-force'-likelihood of a breach (especially if there is BF-mitigation implemented). All said, Gary, you're a great source for security knowledge.

Good stuff, thank you!

Simple but great tip. Thanks.

Excellent information, thank you.

Gary I wanna give you a hug for this one mate

This is great and helpful. You are a genius!

Simple and Effective. A really Helpful Explanation too. Great !

Great advice! I watched another KZfaqr who called it a "double blind" password. The password manager never has the full password stored for your high valued sites.

smart clever trick!!

Good idea, I already do this. 👍

Peppering, or double-blind, I add mine at the beginning instead of at the end.

Interesting technique.

I have been using a mnemonic style where I replaces a word with a character and forms a short sentence combined with what you call peppering. So for example: ~

This is brilliant! Thanks for sharing, I never thought about this

Thanks, great idea but you need to peppering all your passwords. If no, you may forget which have the pepper

Brilliant.

Great and simple technique ❤

Chuck Norris doesn’t use passwords. He is the password.

give this a thumbs up, although I do know that this technique should be said ultimately in the end the length of your password is critical.

I used to do it myself, the 3 letters I added at the end: the first letter of the month the account was created, the last letter of the site capitalized, the second letter of the site. I don't do it anymore but this allows to have no need to remember these 3 letters. The general idea is to memorize a mental algorithm that you can follow to calculate your password instead of memorizing the password itself.

Thank you 😅

GREAT idea .. I have a system of my own that is like this. I will incorporate this method with mine. Thanks Gary

Very informative!

*GARY!!!* GOOD MORNING PROFESSOR! GOOD MORNING FELLOW CLASSMATES! Stay safe out there everyone!

Really interesting video. Same as many commenters, I was skeptical before watching this, but I can say I learned something today.

My "cookie cutter password" is (very basically), Symbol,Uppercaseletter,Lowercaseletter,number,Uppercaseletter,lowercaseletter,number,symbol,Uppercaseletter,lowercaseletter,number,Uppercaseletter,lowercaseletter,number,symbol. Works 100% and took me two tries to fully remember it. :^)

Clever but my swiss cheese brain will have trouble remembering the pattern 6 months from now. Awesome idea though.

I use an offline password manager, Keepass, No server to be hacked. Backing up the database to USB drives, portable storage, mobile phone and other computers and syncing manually. I do not know a single password to any of my accounts, only a pass phrase compiled with diceware, using an actual dice and a printed hard copy dictionary list.

In case of Peppering, one thing I'm anxious about, is the constant popups of password manager (esp browser-based like chrome's own built in) to Update the Password.

BRILLIANT! I should do this ASAP.

Pretty simple and makes a lot of sense!

Barefoot Contessa fan too 😅

Gary, Thanks for this video. Makes a lot of sense. As before, may I ask a stupid question? At one point, I was determined to write my own password generator based on hashing. I had the code working, but ran into a problem: websites had different rules on what kind of characters they would accept. The special characters I was generating would be considered invalid at some websites but not others. Is there any safe set of rules when generating random text for passwords? Thanks!

I always use 3rd method.

I'm going to do this with my 100 character bank password that I store in a local password manager that uses a key file as well as a master password , oh , and the bank also requires two factor authentication. Can't be too secure,you know. But I'm going to type 1 2 3 4 17 characters in ,instead of at the end. (at least that is what I'm saying I will do) Are you related to Veronica Explains?

I use the first way you told. Part is on password manager and part of it in my mind. Although that half part in my mind is common for all my passwords.. So easy to manage all passwords

What? Nothing beats changing passwords. Nothing beats passphrases or passsentences. I like lines of poetry with words mixed split with periods dashes and or underscores along with character substitution. with this technique I can use the same pass for many places just switching or trading the pass jumble rejumble unjumble. I only have to recall one coded pass. the main thing is I never use the same pass twice on the same place ever. I change every two to 4 months

Can we control the server-side salting?

👍🏼Class is in session, thank you professor👍🏼

Never delete characters. Password length is by far the biggest determinant in security. A 16 character password using nothing but random upper case letters will have a higher entropy rating than a 12 character password randomly generated using uppercase, lowercase, numeric, and special characters. Even a 16 all-numeric password rates nearly as high as the most complex 12 character password. Anyone can verify this using an online password evaluator.

Gaaaaaarrrryyyyy!!!!! 👋🏽

Salting just stops rainbow tables and really doesn't make it any harder for someone to crack an individual password. If a hacker can get the password file, it's likely they will also be able to known or have the salt as well.

Confusing

Pass the pepper

Safest place for Passwords are in your head and your home in a encrypted USB drive. Not in Password Managers. .. Do you trust other people with your money, your Business? LOL give your head a shake folks.

another one I use when using public computers or if I suspect my pc has a virus is using the onscreen keyboard to type it in that way keyloggers cant grab any input. Simpy in windows go to settings /accesibility/onscreen keyboard

Help for me

L3t M3 3xplain

I had already do peppering, but deleting characters in the saved password and adding my pepper is even better!

Might not be applicable to all. I tend to forget the entire password that's the reason i went with password manager.

You end up using the same password on multiple sites… not good!

That's actually pretty smart, it's like public/private key IRL

Good technique indeed! However, if one forgets about the pepper, then it will be as good as all the login credentials are lost. I don't think this technique is for everyone, especially those with poor memories.

Extremely informative, thank you professor

easy... write it down backwards

Sooo, i make a strong password like chocolate cookies and paper it with q1w2 so my password is chocolate cookie q1w2 and to bee extra cheeky iwill remove the last 4 characters. NO MY PASSWORD IS chocolate cookie AN UNSECURED EASY TO BREAK PASSWORD

I use a kind of peppering with my credit cards PIN numbers, I have only one four figure number to remember then I calculate the four numbers I have to add to it to to get a banking cards PIN code. I write these numbers on all my credit cards. When using I have to add my secret number. But I only have to remember this one secret number. I use the same everywhere where a four character PIN is required. A number apperaring to be the PIN written on the credit card may also confuse the wrong guys if stolen, they would first try to use it in an ATM, and there is a chance the card gets blocked, so it is more likely they can't use it also for online purchases afterwards.

My password is 8 asterisks. Every website knows my password when I type it. Weird.

This technique is all very well, however if the server is hacked and if the password database is not encrypted, then this method is of no use

I use a variant of this. My password manager stores a long random string, I know a long phrase, I combine the 2 and hash a number of times to produce my password. That way the password is never stored by me

CorrectHorseBatteryStapleq#W7

make a memorable weird and funny sentence drawn from your own life and use the letters in the sentences and then add 12 random numbers and 3 symbols. for example: my high school chemistry teacher Mary Lopez had an affair with the gym teacher Paul Watson. that would translate to mhsctMLhaawtgtPW#120925@961275!