
Password hysteria

It seems to me that at least once every year, the password discussion boils up again. One faction demands that passwords become increasingly complex and long, while the other is already overtaxed with remembering their present, simple passwords.

It's interesting that neither of these factions actually knows what they are talking about. What is a "good" password? How can I know for sure? And when do I need it?

Surely, that is a good password. Or is it? No, it isn't. First, never take passwords from the interwebs, even if they look as trustworthy as Steve Gibson's page, the well-known seller of snake oil. Second, the 63 characters offered there are much too long for use as a password — they are rather suitable as a passphrase for WiFi access (for this purpose, however, I recommend haui's scripts). As a password, you can't possibly remember it.

Rule No. 1: You must be able to remember your password.

I'm really fed up with people forgetting their password. Resetting forgotten passwords easily amounts to 80% of the time I spend on my temporary admin job. I'm also fed up with people who have chosen a password which is so "difficult to type" that they need 12 min to complete the login process (try AltGr-H vs. AltGr-h).

Rule No. 2: Length is more important than "difficulty".

For maximum entropy, the complexity C of a password is simply given by the product of its length $\lambda$ with the binary logarithm of the character space $\Psi$:

$\mathcal{C} = \lambda \log_2(\Psi)$

The following diagrams visualize this relation:

image

As you see, the complexity increases linearly with $\lambda$ but sublinearly with $\Psi$. Shouldn't this graph convince everybody to simply use longer passwords, instead of increasingly cryptic ones? Yes, it should, but a logarithm is a thing not understood by the common man politician.

Rule No. 3: Check your passwords

The security lobby wants you to believe that selecting a 'secure' password amounts to rocket science. Well...that is not entirely untrue. The simple method given by the equation above works only for the idealized case of maximum entropy. In reality, however, passwords do not have maximum entropy, and that affects their strength dramatically.

Stay away from opaque password checkers such as those integrated into several applications (Firefox, for example). A "password quality meter" in the form of a bar doesn't tell you anything.

John Walker wrote code to determine the entropy of a given string or file.

image

I've compiled a 64-bit version of John's program which you can find here. The bash script which created the above output is available here. The script performs a crude check for dictionary words, and then analyzes the supplied password (i) with the maximum entropy approximation (simple analysis), and (ii) with John's entropy code (advanced analysis).

For short passwords, the simple method vastly overestimates the actual complexity of the password. However, this overestimate may also be relevant for long passwords. Try 'aaaaaaaaaaaaaaaaaaa' as an example.

You may also compare passwords such as '9g/<\_6?!>0' and 'HerrRasmussensAra'. Draw your own conclusions. ;)
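As an added illustration (not the bash script or John Walker's program from this post), the following Python reproduces the two analyses side by side: the maximum-entropy approximation $\mathcal{C} = \lambda \log_2(\Psi)$, and a Shannon-entropy estimate of the string itself standing in for John's entropy code, plus the crude dictionary check. The character-class sizes (26/26/10/32) and the tiny word list are assumptions of this example.

```python
import math
import string
from collections import Counter

# Constructed mini word list; the post's script uses a real dictionary file.
WORDLIST = {"password", "secret", "rasmussen", "summer", "winter"}


def charset_size(pw: str) -> int:
    """Psi: the character space implied by the classes present in pw.
    The class sizes (26/26/10/32) are an assumption of this example."""
    psi = 0
    if any(c.islower() for c in pw):
        psi += 26
    if any(c.isupper() for c in pw):
        psi += 26
    if any(c.isdigit() for c in pw):
        psi += 10
    if any(c in string.punctuation for c in pw):
        psi += len(string.punctuation)  # 32 printable ASCII symbols
    return psi


def simple_bits(pw: str) -> float:
    """Maximum-entropy approximation: C = lambda * log2(Psi)."""
    psi = charset_size(pw)
    return len(pw) * math.log2(psi) if psi else 0.0


def shannon_bits(pw: str) -> float:
    """Shannon entropy of the string itself (bits per char times length).
    This is what drags 'aaaaaaaaaaaaaaaaaaa' down to zero bits."""
    n = len(pw)
    if n == 0:
        return 0.0
    h = -sum(k / n * math.log2(k / n) for k in Counter(pw).values())
    return h * n


def contains_dictionary_word(pw: str, words=WORDLIST, min_len=5) -> bool:
    """Crude check: a listed word of min_len+ chars appears, ignoring case."""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= min_len)


def analyze(pw: str) -> dict:
    """Both analyses for one password, rounded to one decimal."""
    return {"length": len(pw), "psi": charset_size(pw),
            "simple_bits": round(simple_bits(pw), 1),
            "shannon_bits": round(shannon_bits(pw), 1),
            "dictionary_word": contains_dictionary_word(pw)}


if __name__ == "__main__":
    for pw in ("aaaaaaaaaaaaaaaaaaa", "9g/<_6?!>0", "HerrRasmussensAra"):
        print(pw, analyze(pw))
```

The run of 19 'a's scores about 89 bits by the simple formula and 0 bits by the Shannon estimate, which is exactly the overestimate the post warns about.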

Through the park

Yesterday, on my daily way to the lab, I had one of these rare moments of insight.

You know, I'm commuting between the western and eastern centers of Berlin. The main axis connecting these centers from west to east, apart from the Straße des 17. Juni, consists of the Budapester-, followed by the Tiergartenstraße. The latter hosts several embassies, while the former is home for a few five-star hotels.

The park in between these axes is called the Tiergarten and is almost devoid of people at early hours. When you enter the park at the south-west, you'll experience the smell of wild beasts in the form of camels, rhinos and hippos. There's a beer garden 100 m to the west, built right on top of a sluice to complete the adventurous feeling.

Siegessäule   Tiergarten

At the time I was driving, however, there was not a single soul frequenting the beer garden, and all the beasts were still tightly asleep. I thus tried to enter the park noiselessly, to wake neither beast nor man. And indeed: the transmission of my bike is so silent that even birds won't blink.

A brilliant sun was rising, and a fine mist rose from the trees and meadows. I was flying through the park, self-propelled but effortless. A fox strolled across the clearing ahead. He heard my silent approach, turned, and watched me attentively but fearlessly. A magic moment: our eyes locked, and it almost seemed we had an understanding, me and the fox.

I exited the park, as usual, close to Potsdamer Platz. Thanks to the early hour, there was none of the buzzing activity that otherwise surrounds this location. When passing Gendarmenmarkt, I noticed a lonely Rolls-Royce Phantom with royal insignia in front of the Hilton. The driver stood at attention and radiated arrogance. I couldn't help being amused.

On my way back ten hours later, the Phantom driver was surrounded by Bentleys and Ferraris and looked more dignified than ever. Traffic at Tiergartenstraße was, as usual at that time, at a standstill. There was a bunch of rattling Harleys and a Lamborghini gang which seemingly tried to settle the question of the loudest exhaust once and for all. In their book, this stunt is probably fun, but the ordinary people's faces in that traffic jam signaled frustration and anger to no small degree.

When entering the park, the sounds as well as the anger of the outside world subside. All people here seem to be quite content and even happy.

People create their own hell. And yes: the best things in life are free. ;)

Poor man's strongbox - and beyond

For ordinary (aka: non-nerdy) people, encryption of any kind is still something to be associated with intelligence agencies only. Talking about encryption to these ordinary people serves no purpose other than building up a solid reputation as a delusional paranoiac. Don't try to defuse the situation by explaining that yesterday's internet shopping by the ordinary guy's wife relied on the use of encryption. On the ordinary people's scale, you are just talking yourself right into the realm of straitjackets and funny farms. :D

Personally, I'm an avid user of encryption. My communication (e-mail, irc, icq/jabber) is mostly encrypted, and connections to remote servers (ssh/vpn) always are. But what about local files? Don't they deserve a little security?

Well, when cryptoloop was published in 2003, I was probably among the first enthusiastic users. Unfortunately, cryptoloop was found to be severely flawed just two years later. Since then, dm-crypt/LUKS (aka cryptsetup) has emerged as the official successor. For me, however, cryptsetup represents the proverbial sledgehammer for cracking a nut. What I need is far simpler, and should preferably operate in user space and at the file level. The latter is particularly important to me: files I encrypt tend to be not entirely irrelevant, and thus should be included in the incremental backup I'm running every few hours. That's cumbersome if the encryption software leaves monolithic containers of megalithic size.

What alternatives exist? Well, if it's just about a secure way to store your various passwords, I'd recommend keepassx.

If all you consider to be "hideworthy" can be fit into a single file not larger than a few kB, try steghide:

# $1: cover file (e.g. a JPEG), $2: the file to hide; AES-256, maximum compression
steghide embed -e rijndael-256 -z 9 -cf $1 -ef $2
# $1: stego file, $2: where to write the extracted file
steghide extract -sf $1 -xf $2

A directory with several subfolders and files can be handled with gpg. However, this is an awkward and clumsy workaround at best, and I do not recommend it. One needs to fiddle around with tar and wipe to account for the fact that gpg itself doesn't handle folders directly. The performance of this often recommended "solution" is, well, mediocre.

A scalable and fast way of encrypting files and folders is provided by encfs. I find it refreshingly simple and entirely satisfactory for my humble needs.

# mount the encrypted directory ~/.treasure on ~/treasure; unmount automatically after 10 idle minutes
encfs -i 10 ~/.treasure ~/treasure
# unmount manually
fusermount -u ~/treasure

No internet plugin

newyorktimes

Well, what do you think? No internet plugin, no internet. :D

Besides being a browser for dummies, Safari is at least a fast browser for dummies:

Browser           Platform                         Result
Midori 0.1.7      ArchLinux, VirtualBox 2.2        712.0ms +/- 2.0%
Safari 4.0.2      Windows 7, VirtualBox 2.2        767.0ms +/- 1.3%
Chromium 3.0.19   Windows XP SP3, VirtualBox 2.2   985.4ms +/- 1.9%
Opera 10.00b2     Windows 7, VirtualBox 2.2        3489.2ms +/- 3.0%
Firefox 3.5       ArchLinux, VirtualBox 2.2        4153.2ms +/- 1.7%

Concerning Javascript, webkit rulez da world (not only in this benchmark). In this respect, Opera and Mozilla have just nothing to offer anymore. :( Of course, Firefox is still the better browser compared to Midori, and Opera compared to Safari (and to Firefox ;) ). And every security-conscious person has Javascript off by default anyway, using Noscript for Firefox, or the site specific rules in Opera.

Of course. Yet, the web of the future will rely heavily on Javascript, and browsers not mastering this discipline will eventually be superseded. Mark my words.

Notes and more

Over the last days, I've looked for a software which would help me to recall facts, organize my ideas and to develop new ones. In other words, I was looking for a desktop wiki.

Yes, basket would be the canonical software for KDE users such as me, and I've indeed used it sporadically. It is, however, quite buggy and a real resource hog since version 1.0.3. Despite this fact, it has not been updated for a year.

Alternatives are, at first glance, not rare. Well ... ;)

I've finally settled for Zim. It has just what I need, and not a thousand gadgets more.

a view at zim

The screenshot shows the most recent version 0.28. I've installed the Fedora binary as Mandriva only offers 0.26. *shrug*

Consequence

Remember the Cisco vpnclient?

urpme vpnclient-4.8.01.0640-3mdv2009.0 dkms-vpnclient-4.8.01.0640-3mdv2009.0

Oh yes.

And on the other hand:

cisco on windows

If you think about it, that's the only way to go. Gutter to gutter, trash to trash.

PS: After one day of usage, I actually like it. My main system is unaffected, and runs the "normal" connection. In parallel and a VirtualBox, Windows offers the encrypted connection to my office. Not bad at all.

Texify

There are many applications and commands with this name, but the one I mean here is the perl script for irssi. It substitutes statements such as 'E=\hbar\omega' with the appropriate UTF-8 characters. Pretty neat. :)

Uber tables

It's really interesting: most of the questions I'm being asked about LaTeX nowadays center around tables. Figures are still a topic, but tables remain the big great mysterium. :D

I've briefly described tables in my old and outdated LaTeX crash-course:

\begin{verbatim}
\begin{table}[t!]
\begin{center}
\caption{Eine sehr einfache Tabelle.}
\begin{tabular}{lcc}
\hline
Bit & A & B\\
\hline
on  & 1 & 0\\
off & 0 & 1\\
\hline
\end{tabular}
\label{Tab1}
\end{center}
\end{table}
\end{verbatim}

;)

\begin{table}[b!]
\begin{center}
\caption{Eine einfache Tabelle. Man beachte die vielen hübschen Zahlen.}
\begin{tabular}{cccccc}
\hline
& \multicolumn{2}{c}{(11$\overline{2}$4) FWHM (deg)}
& \multicolumn{3}{c}{$\alpha$ (deg)} \\
\hline
&   $o \cdot \kappa = 0$    &
       $o \cdot \kappa \neq 0$  &   XRD &   TEM  & GIXD\\
\hline
\#A &   0.072    &0.24   &  0.36    &   ---     &---\\
\#B &   0.047    &0.367  &      0.6 &   ---     &---\\
\#C &   ---  &0.344  &      0.56    &   0.63    &---\\
\#D &       ---      &0.109  &      0.16    &   0.15    &---\\
\#E     &       ---      &0.249  &      0.38    &       ---     &0.31\\
\#F     &       ---      &0.37   &      0.57    &       ---     &0.55\\
\hline
\end{tabular}
\label{tab:Tab2}
\end{center}
\end{table}

;)

But what did I say about bigger tables?

;)

Well, it's really not that bad. What I found amusing is the name I found in the net for these multidimensional monstrosities: uber-huge tables. Let's see how they work:

\begin{landscape}       %if your table is too wide - use begin{center} otherwise
% (requires \usepackage{pdflscape})
\scriptsize             %if nothing else helps
\begin{longtable}{llllllll} %if your table spans several pages
% (requires \usepackage{longtable})

\caption[Monstertable]{An uber-huge table.}
\label{MT1} \\

%This is the header for the first page of the table...
\hline \hline \\
   \multicolumn{1}{c}{Sample} &
   \multicolumn{1}{c}{Gna} &
   \multicolumn{1}{c}{Gnu} &
   \multicolumn{1}{c}{Gne} &
   \multicolumn{1}{c}{Gno} &
   \multicolumn{1}{c}{Gnä} &
   \multicolumn{1}{c}{Gnö} &
   \multicolumn{1}{c}{Gnü} \\
   \hline
\\
\endfirsthead

%This is the header for the remaining page(s) of the table...
\multicolumn{8}{c}{{\tablename} \thetable{} -- Continued} \\[0.5ex]
\hline \hline \\
   \multicolumn{1}{c}{Sample} &
   \multicolumn{1}{c}{Gna} &
   \multicolumn{1}{c}{Gnu} &
   \multicolumn{1}{c}{Gne} &
   \multicolumn{1}{c}{Gno} &
   \multicolumn{1}{c}{Gnä} &
   \multicolumn{1}{c}{Gnö} &
   \multicolumn{1}{c}{Gnü} \\
   \hline
\\
\endhead

%This is the footer for all pages except the last page of the table...
  \multicolumn{8}{l}{{Continued on next page\ldots}} \\
\endfoot

%This is the footer for the last page of the table...
  \\
  \hline \hline
\endlastfoot

%Now the data...

%Please copy this line a hundred thousand times ...
0 & (1, 11, 13725) & (1, 12, 10980), (1, 13, 8235), (3, 1, 0) & 0 &
(1, 11, 13725) & (1, 12, 10980), (1, 13, 8235), (2, 2, 0), & 0 & (1, 11, 13725)\\

\end{longtable}
\end{landscape}

Now, look at this little beauty:

uber table, page1

... and finally, 3546 pages down:

uber table, last page

Nanoblogger 3.4 is out

I know I'm late, but I'd almost given up. Get it here! Compared to 3.3, you'll notice a speedup by a factor of at least one thousand!

Just kidding. :D

It seems, however, that I found a small bug which haui fixed right away. Line 19 in plugins/shortcode/baseurl.sh should read:

shortcode_baseurl_sedscript='s/\%base\_url\%/'$shortcode_baseurl_output'/g'

Note the '/g' at the end of the line.

Ich weiß immer, was ich tue

Where did I write that? When? And WHY?

Calm down: questions like that can once again be answered on KDE, this time using the Nepomuk search service:

search in dolphin

Even easier than that: just type your search term into krunner after pressing alt+F2:

search in krunner

In this example, Nepomuk/Strigi finds more than above. That's just because I created a blog entry in the meantime, and all related folders/files are found ... basically in real time. That's pretty neat.

PS: Its official home page claims that strigi is the fastest and smallest desktop search program. Hm ... on startup it uses more than 100 MB, and after one day of usage, 400 MB. Small is different.

PPS: Yes, the title is an insider. It refers to this story. ;)

Contents © 2018 Cobra · Powered by Nikola · Creative Commons License BY-NC-SA