Yet another monad explanation

Photo credit: cheers @laimagendelmundo


Password randomness and the UX of passwords

I’ve been having a look at passwords again as the WooCommerce/WordPress password strength meter has been causing problems.

The password meter actually likes the method popularised by XKCD, which, assuming the words are chosen at random, seems to have had its maths checked and re-checked. It is based on a lower-bound assumption (the worst-case scenario) that the attacker knows you are using that method, and it is still a very good method.

i.e. ‘correct horse battery staple’ (550 years to crack) vs ‘Tr0ub4dor&3’ (3 days to crack).

It’s just the random bit of the XKCD definition that needs to be repeated to people again and again.

Also don’t forget the spaces, as even Bruce Schneier and an Ars article on password cracking ignore this. You can use dashes/underscores instead, as some places (I’m looking at you Microsoft) refuse spaces. They’re handy extra bits of entropy for no extra (human) memory. We’re talking about exponentially increasing the time to crack with each bit of entropy: every extra bit doubles the number of guesses needed.


One of the attacks mentioned in the Ars article specifically targets the XKCD method, where two long random strings from two dictionaries are put together.

“Steube was able to crack “momof3g8kids” because he had “momof3g” in his 111 million dict and “8kids” in a smaller dict.”

The problems you hit are when someone else has used the same four words and their password gets cracked, or when the two halves of the password you select are each commonly used.

The root of the problem is that people pick their own words rather than generating random ones, and humans are more likely to pick the words that other humans pick.

So what can be done for people to select random easily remembered words?

The simplest way is to offer a suggestion of randomly chosen words as their password, using, for example, passphrase. I’ve had a look at its source code and the randomness of the selection seems to be pretty comprehensive, but I’m not a security expert.

What I like about passphrase is that you can just use the suggestion as a ‘seed’ for your password, then tailor the output slightly towards words that are more relevant to you.

How important is randomness?

As I see it, the point of the XKCD method is to raise the bar on the passwords that the weakest users choose.

We’re not talking about the passwords that security experts should use, we’re talking about regular people who don’t care about security.

I think even the built-in Firefox/Chrome password manager, locked with an XKCD-style password, is great for normal users, based on this Super User answer. Even if they don’t set a password to lock the password manager, it’s still better that they’re using more secure passwords: it moves the point of weakness to their password manager, which requires a much more personal attack.

Possible unproven minor improvements

These are attempts to work with the kind of passwords that the weakest users will actually use. As per the XKCD comic, we want to produce passwords that are hard for computers to guess but easy for people to remember.

Here I’m assuming that someone doesn’t want to choose a properly random set of words. Are there words that people can think of that will be inherently more random?

I think that local slang is a good way of choosing words. Every community has its own words, often unwritten, so with no common spelling. Anyone who’s read an Irvine Welsh novel (Trainspotting) will know some of the glorious Scottish slang that he writes. This makes your source material more obscure, so it is less and less likely to be in a dictionary somewhere.

But obviously those examples are still written down and can be included in dictionaries.

What about the rather silly porn star names? e.g. first pet + street you grew up on / middle name.

You need words that are definitely obscure, but relevant to you.

Changing your password

Something else I like about the XKCD method is that for those who are forced to change their work password every 90 days, you can change one of the middle words (to another randomly chosen one). This only makes a minor change to what you have to remember, but it avoids the trick that password crackers use here, which is to cut off the last 4 characters and try all possible sequences in their place.
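The three ideas above, as an added example that is not part of the original post: words chosen with the OS CSPRNG (not by a human, not by a plain PRNG), the comic’s lower-bound entropy maths with the separator counted as extra bits, and the 90-day rotation that swaps one interior word instead of the last few characters. The word list and the 1000 guesses/second rate are assumptions: the list is a constructed stand-in for a real 2048-word list, and the rate is the one the comic uses.

```python
import math
import secrets

# Constructed mini word list for the demo; a real list would be ~2048+ words.
WORDS = ["correct", "horse", "battery", "staple", "cloud", "garden", "pencil",
         "window", "river", "candle", "basket", "meadow", "copper", "violin",
         "harbour", "lantern"]
SEPARATORS = [" ", "-", "_"]   # spaces, or dashes/underscores where spaces are refused
XKCD_RATE = 1000.0             # guesses/second assumed in the comic (assumption)

def entropy_bits(num_words, wordlist_size, separator_choices=1):
    """Lower bound: the attacker knows the method, the list and the word count,
    so each word is one uniform pick from the list (log2(N) bits each).
    A randomly chosen separator adds log2(choices) bits on top."""
    return num_words * math.log2(wordlist_size) + math.log2(separator_choices)

def seconds_to_exhaust(bits, guesses_per_second=XKCD_RATE):
    """Time to try every one of the 2**bits candidates at the given rate."""
    return 2 ** bits / guesses_per_second

def generate(num_words=4, words=WORDS, separator=" "):
    """secrets (OS CSPRNG) rather than random: human or weak-PRNG word choice is
    exactly what the dictionary attacks described in the post exploit."""
    return separator.join(secrets.choice(words) for _ in range(num_words))

def rotate_middle_word(passphrase, words=WORDS, separator=" "):
    """Forced rotation: swap one interior word for a fresh random one, so the
    change is not the predictable 'last few characters' a cracker tries first."""
    parts = passphrase.split(separator)
    if len(parts) < 3:
        raise ValueError("need at least three words to have a middle word")
    idx = 1 + secrets.randbelow(len(parts) - 2)        # never the first or last word
    parts[idx] = secrets.choice([w for w in words if w != parts[idx]])
    return separator.join(parts)

if __name__ == "__main__":
    phrase = generate()
    print(phrase, "->", rotate_middle_word(phrase))
    # Comic's figures: 4 words from a 2048-word list = 44 bits; Tr0ub4dor&3 ~ 28 bits
    for label, bits in (("four random words", entropy_bits(4, 2048)),
                        ("Tr0ub4dor&3 style", 28)):
        secs = seconds_to_exhaust(bits)
        print(f"{label}: {bits:.1f} bits, {secs / 86400:.1f} days, {secs / 31557600:.1f} years")
```

Run as a script it reproduces the comic’s roughly 3 days versus roughly 550 years; pass separator_choices=len(SEPARATORS) to entropy_bits to see what a randomly picked separator adds.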

Keep it simple

I’ve also seen people suggesting that you should mix upper case, lower case and symbols into XKCD passwords. But from what I understand, that misses the point. Security-minded developers keep wanting to make the words more complex, but that always makes them harder to remember. The point of lower case with spaces is that it looks completely natural and there is nothing else to remember. You just hold the image of the four random words in your head. You don’t have to remember the four words and then try to recall what kind of substitution you applied to them. XKCD picks up on this in the hover text of the cartoon:

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

Attacking the modern JavaScript world

Learning all the JavaScript libraries that have come out in the past two years is hard work.

I attacked the modern JavaScript approach by first focusing on functional programming.

1) Python + functional programming in Python

Python is hardly a pure functional language, but it’s lovely and simple and has all the core concepts including list comprehensions. This leads you on to…

2) Haskell

If you want to find a pure functional solution to a Python problem, first search for the Haskell one and translate it. Then read Learn You a Haskell, which was the funniest programming book I ever read and almost, almost taught me about monads (I had it for a second, then tried to explain it in Python and all was lost).

Now you can relax, because the hard bit is done.

3) Read Javascript the Good Parts

Only pay attention to the functional programming bits. Suddenly mentions of currying aren’t so scary.

4) Work your way through the funfunfunction videos

The funfunfunction videos are brilliant, especially the functional playlist, and as an added bonus he has videos where he works through the first few chapters of Learn You a Haskell.

Then you’ve got map, reduce and filter completely under control. Now immutability makes more sense, arrow functions don’t look so strange, and promises are just friendly monads really, and we all love those.

Now Immutable.js, lodash and underscore are all reasonable to understand.

React’s moaning about state and pure functions makes reasonable sense.

5) Following the Meteor + React tutorial

Babel really isn’t that hard; the Meteor + React tutorial got it all working without me really noticing. Then, holy moly, you’re all reacted up, with JSX and pure, sweet-smelling functions.

6) Linting

Follow some of Dan Abramov’s excellent blog posts, such as the one about getting eslint working in Sublime Text.

Yeah, that’s as far as I’ve got, but adding Redux to this mix doesn’t seem so scary; at least I understand the language now. Angular will just have to wait.

Installing Haskell ++ Emacs on Windows


Firstly install the haskell-stack chocolatey package:

choco install -y haskell-stack

For me that installed Haskell perfectly and meant that I could run stack commands and have stack ghci running in a DOS prompt.


Chocolatey has an Emacs package:

choco install -y emacs

This puts the Emacs binaries into the Chocolatey bin directory. The .emacs file and the .emacs.d directory then go into %APPDATA%.

This installs a Windows Emacs program. I wondered if there was a DOS version, as there is for Vim. There is an Emacs for DOS, but it isn’t part of the Chocolatey package, which comes from the GNU Emacs FTP directory.


The Haskell project has a new integration with Emacs. I have to say this installed remarkably easily. The only problem I had was that I’d put a bad config into %APPDATA%\stack\config.yaml, and this created errors that were well explained in Emacs.

It’s not 100% clear how you get things to work, though. Bear in mind I’ve never used Emacs before today.

I have managed to get Haskell set up and working, as it came with stack.

Following the Intero guide, the installation of the package was easy enough: just edit the %APPDATA%\emacs.d file. I restarted Emacs and the Intero package installed itself without errors.

Following the guide further, I ran the stack new intero-demo command in a directory. This created the intero-demo directory and put everything in it. Then ‘File > Open Directory’ in Emacs opens the intero-demo directory. Opening Setup.hs had the effect of getting Intero to install itself.

At this point things were actually working, but it wasn’t obvious that the error-as-you-type checking was happening, because it was erroring at the very first command of Setup.hs.

However if you open up a new Haskell file in the directory it should start doing error checking on the fly.

Hoping the Brexit vote was a protest vote, not a racist one

The only positive I hope from this is that the Brexit vote was a protest vote.

So I’m hoping the majority of ‘leavers’ aren’t siding with Farage, they don’t care about Boris – they just want to say Fuck You to all politicians and leaders.

This is probably the first and only time that the entire population have been given a protest vote. This is not a choice between one dodgy politician or another politician. This is not choosing between Trump or Clinton.

This is a chance to say fuck you to every single party. This is fuck you to the leaders of both the Conservative and Labour parties.

When this chance comes along – you don’t care about the consequences. You don’t care if the ‘leave’ campaign is spouting lies, you don’t care about the doom spouted by the ‘remain’ campaign. You just want a chance to say fuck you. You know the system is wrong and this is the only tool you’ve got to say so.

I certainly respect the people who protest for what they believe in. Perhaps I’m wrong for thinking all the pensioners don’t care about the consequences. Perhaps they know better than me that the pain of leaving is worth it.

There are some heartfelt comments from leavers, not based on the crap spouted by the leave campaign, in this blog post, Dear Brexiteer. What we need you to do now.:

“I voted leave , There its out there .. I trusted DC to come back from Brussels with a list of pledges that would let us have some tools to work with to make me feel that improvements could be made to the way we live..
Be it a better NHS ,Schools ,social care services,security. ..
He came back with nothing and nothing was offered .. in fact we were told that it would never change..
So people who have had enough like myself and 17 million others voted with our feet in the only way we know .. a very British revolt ..
Now we are being called racist and xenophobic but this is just so untrue for the masses.. we just need change .
The EU is a broken antique of a monster that isn’t up to listening to the working classes..
We have been called inward looking but again that is not true. . I consider myself Global I want to be able to talk with anyone across the world’s economy. .
Things will never be the same again and for that I feel that my cross mattered.
The first time I think the working class has ever mattered…”

So I hope when all the dust settles that we’re all still willing to tell Farage and Johnson to go fuck themselves (I’m pretty sure not many people care about what Gove says).