I’ve been having a look at passwords again as the WooCommerce/WordPress password strength meter has been causing problems.
The password meter actually likes the method popularised by XKCD. Assuming the words are genuinely random, its maths seems to have been checked and re-checked, and it is based on a lower-bound assumption (the worst-case scenario) that the attacker knows you are using that method. Even so it is still a very good method.
i.e. ‘correct horse battery staple’ (550 years to crack) vs ‘Tr0ub4dor&3’ (3 days to crack).
It’s just the random bit in the XKCD definition which needs to be repeated to people again and again.
Also don’t forget the spaces – even Bruce Schneier and an Ars article on password cracking ignore this. You can use dashes/underscores instead, as some places (I’m looking at you Microsoft) refuse spaces. They’re handy extra bits of entropy for no extra (human) memory, and the time to crack grows exponentially with each bit of entropy.
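As an added worked example (mine, not code from the post or from XKCD), here is the arithmetic behind those two numbers in Python. It assumes the strip’s own figures: a 2048-word dictionary (11 bits per word, so 44 bits for four words), about 28 bits for the ‘Tr0ub4dor&3’ style, and 1000 guesses per second. The small word list is a constructed stand-in for a real dictionary; the entropy functions take the dictionary size as a parameter so the sample only matters for generating an example passphrase.

```python
import math
import secrets

# Constructed sample word list standing in for a real diceware-style dictionary.
# A real list has thousands of entries; only generate_passphrase() uses this one.
SAMPLE_WORDS = ("correct", "horse", "battery", "staple",
                "cloud", "river", "pencil", "window")

SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def passphrase_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly at random from a
    dictionary of dictionary_size words. This is the XKCD lower bound:
    it assumes the attacker knows the method and the dictionary."""
    return word_count * math.log2(dictionary_size)


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Entropy the same string has against an attacker who does NOT know
    the method and must try every character string of that length."""
    return length * math.log2(alphabet_size)


def separator_bits(separator_choices: int) -> float:
    """Extra entropy from the separator (space, dash, underscore, ...).
    Only counts if the attacker has to guess the separator as well."""
    return math.log2(separator_choices)


def crack_time_seconds(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Time to exhaust a space of 2**bits guesses at the given rate.
    The default of 1000 guesses/s is the rate the XKCD strip assumes."""
    return 2 ** bits / guesses_per_second


def crack_time_years(bits: float, guesses_per_second: float = 1000.0) -> float:
    return crack_time_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR


def generate_passphrase(words, word_count: int = 4, separator: str = " ") -> str:
    """Pick the words with the CSPRNG in `secrets`, never random.choice,
    and never by letting a human choose them."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    four_words = passphrase_bits(2048, 4)  # 44 bits, as in the strip
    print(f"4 words from 2048: {four_words:.0f} bits, "
          f"{crack_time_years(four_words):.0f} years at 1000 guesses/s")
    print(f"Tr0ub4dor&3 style: 28 bits, "
          f"{crack_time_seconds(28) / SECONDS_PER_DAY:.1f} days at 1000 guesses/s")
    print(f"Same four words against a blind character brute force: "
          f"{brute_force_bits(28, 27):.0f} bits")
    print("Example:", generate_passphrase(SAMPLE_WORDS))
```

The 1000 guesses per second figure is an online, rate-limited attacker; against a leaked database of fast unsalted hashes a GPU rig manages billions per second, so pass a larger guesses_per_second to see how quickly those 550 years shrink. The lower bound in passphrase_bits only holds when the words really are drawn uniformly from the dictionary, which is the post’s whole point.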
One of the attacks mentioned in the Ars article specifically targets the XKCD method, where two random long strings from two dictionaries are put together.
“Steube was able to crack “momof3g8kids” because he had “momof3g” in his 111 million dict and “8kids” in a smaller dict.”
The problems you hit are if someone else has used the same four words and their password gets hacked. Or if two halves of the password you select are commonly used.
The problem comes that people pick their own words and don’t generate random ones. And humans are more likely to pick words that other humans pick.
So what can be done for people to select random easily remembered words?
The simplest way is to offer a suggestion of randomly chosen words as their password, using for example passphra.se. I’ve had a look at the source code to it and the randomness of the selection seems to be pretty comprehensive, but I’m not a security expert.
However what I like about passphrase is that you can just use the example as a ‘seed’ for your password. Then you can tailor it slightly from the output to more relevant words for you.
How important is randomness?
What I see the point of the XKCD method being is to raise the bar that the weakest people choose.
We’re not talking about the passwords that security experts should use, we’re talking about regular people who don’t care about security.
I think even the inbuilt Firefox/Chrome password manager locked with an xkcd password is great for normal users based on this Super User answer. Even if they don’t have a password to lock the password manager – it’s still better that they’re using more secure passwords, it moves the point of weakness to their password manager which requires much more personal attacks.
Possible unproven minor improvements
These are an attempt to work with the kind of passwords that the weakest people will use. As per the XKCD, we want to produce passwords that are hard for computers to guess but easy for people to remember.
Here I’m assuming that someone doesn’t want to choose a properly random set of words. Are there words that people can think of that will be inherently more random?
I think that local slang is a good way of choosing words. Every community will have their own words – often unwritten, so no common spelling. Anyone who’s read an Irvine Welsh novel (Trainspotting) will know some of the glorious Scottish slang that he writes. This means your source material gets more obscure, so it is less and less likely to be in a dictionary somewhere.
But obviously those examples are still written down and can be included into dictionaries.
What about the rather silly porn star names? e.g. first pet + street you grew up on / middle name.
You need words that are definitely obscure, but relevant to you.
Changing your password
Also what I like about the XKCD method is that for those who are forced to change their work password every 90 days you can change one of the middle words (to another randomly chosen one). This only makes a minor change to what you have to remember, but avoids the trick that the password crackers use here, which is to cut off the last 4 characters and try all possible random sequences.
Keep it simple
I’ve also seen people suggesting that you should combine upper and lower and symbols with the XKCD passwords. But from what I understand that’s missing the point. Security minded developers keep wanting to make the words more complex – but that always makes it harder to remember. The point of lower case with spaces is that it looks completely natural and there is nothing else to remember. You just hold the image of what the four random words are in your head. You don’t have to remember the four words and then try thinking what kind of substitution did you do to those words. XKCD picks up on this from the hover text of the cartoon:
To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.
1) Python + functional programming in Python
Python is hardly a pure functional language, but it’s lovely and simple and has all the core concepts including list comprehensions. This leads you on to…
If you want to find a pure functional solution to a Python problem, first search for the Haskell one and translate it. Then read Learn You a Haskell which was the funniest programming book I ever read and almost, almost taught me about monads (I had it for a second, then tried to explain it in Python and all was lost)
Now you can relax because the hard bit is done.
Only pay attention to the functional programming bits. Suddenly mentions of currying aren’t so scary.
4) Work your way through the funfunfunction videos
Then you’ve got map, reduce, filter all completely under control. Now immutability makes more sense, arrow functions don’t look so strange, promises are just friendly monads really and we all love those.
Now you’ve got Immutable.js, lodash, underscore all reasonable to understand.
React’s moaning about state and pure functions makes reasonable sense.
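An added example of mine (not from the post or from the funfunfunction videos), putting the same ideas into Python since that is where the post started: map/filter/reduce, currying through functools.partial, a list comprehension doing the same job as map, immutability via a frozen dataclass, and a Maybe-style bind that short-circuits on None the way a promise chain skips its remaining handlers once one step fails. The purchase records are constructed sample data.

```python
from dataclasses import dataclass, FrozenInstanceError
from functools import partial, reduce
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Purchase:
    """Immutable record: assigning to a field raises FrozenInstanceError."""
    customer: str
    amount: float


# Constructed sample data
PURCHASES = (
    Purchase("ann", 12.5),
    Purchase("bob", 40.0),
    Purchase("ann", 7.5),
    Purchase("cat", 99.0),
)


def at_least(threshold: float, purchase: Purchase) -> bool:
    return purchase.amount >= threshold


def total(purchases: Iterable[Purchase]) -> float:
    """reduce folds the sequence into one value, like Array.reduce in JS."""
    return reduce(lambda acc, p: acc + p.amount, purchases, 0.0)


def big_spend_by_customer(purchases: Iterable[Purchase], threshold: float = 10.0) -> dict:
    """filter with a curried predicate, then fold into a fresh dict on every
    step ({**acc, ...}) instead of mutating one dict in place."""
    keep = partial(at_least, threshold)  # currying via partial application
    return reduce(
        lambda acc, p: {**acc, p.customer: acc.get(p.customer, 0.0) + p.amount},
        filter(keep, purchases),
        {},
    )


def amounts_in_pence(purchases: Iterable[Purchase]) -> list:
    """map with a lambda (the arrow-function equivalent); the comprehension
    below is the same computation in Python's native idiom."""
    mapped = list(map(lambda p: round(p.amount * 100), purchases))
    comprehension = [round(p.amount * 100) for p in purchases]
    assert mapped == comprehension
    return mapped


def is_immutable(obj, field: str) -> bool:
    """True if assigning to `field` is refused, as it is on a frozen dataclass."""
    try:
        setattr(obj, field, None)
    except FrozenInstanceError:
        return True
    return False


def bind(value: Optional[object], fn: Callable) -> Optional[object]:
    """Maybe-style bind: None short-circuits the rest of the chain, the way a
    rejected promise skips the remaining .then() handlers."""
    return None if value is None else fn(value)


def parse_amount(text: str) -> Optional[float]:
    try:
        return float(text)
    except ValueError:
        return None


def non_negative(x: float) -> Optional[float]:
    return x if x >= 0 else None


def safe_amount(text: str) -> Optional[float]:
    """Chain of binds: a None at any step makes the whole result None."""
    return bind(bind(parse_amount(text), non_negative), lambda x: round(x, 2))
```

The bind/None pairing is the smallest honest version of the monad idea: each step only has to handle the happy path, and the plumbing decides whether the next step runs at all. That is exactly what a promise chain gives you, just with asynchrony added on top.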
5) Following the Meteor + React tutorial
Babel really isn’t that hard, the Meteor + React tutorial got that all working without me really noticing. Then, holy moly you’re all reacted up, with JSX and pure sweet smelling functions.
Follow some of Dan Abramov’s excellent blog posts such as about getting eslint working in Sublime Text.
Yeah that’s as far as I’ve got, but adding in Redux to this mix doesn’t seem so scary, at least I understand the language now. Angular will just have to wait.
Firstly install the haskell-stack chocolatey package:
choco install -y haskell-stack
For me that perfectly installed haskell and meant that I could run stack commands and have stack ghci running in a DOS prompt.
Chocolatey has an Emacs package:
choco install -y emacs
This puts the emacs binaries into the chocolatey bin directory. Then the .emacs file and the .emacs.d directory go into
This installs an Emacs windows program. I wondered if there was a DOS version similar to Vim. There is an Emacs For DOS – but this isn’t part of the Chocolatey package, which comes from the GNU Emacs FTP directory.
The haskell project has a new integration with Emacs. I have to say this installed remarkably easily. The only problem I had was that I’d put a bad config into %APPDATA%\stack\config.yaml and this created errors – that were well explained in Emacs.
It’s not 100% clear how you get things to work though. Bear in mind I’ve never used Emacs before today.
I have managed to get Haskell setup and working, which came with
Following the Intero guide, the installation of the package was easy enough – just edit the %APPDATA%\emacs.d file. I restarted Emacs and the Intero package installed itself without errors.
Following the guide further I ran the stack new intero-demo command in a directory. This created the intero-demo directory and put everything in it. Then use ‘File > Open Directory’ in Emacs to open the intero-demo directory. Opening Setup.hs had the effect of getting Intero to install itself.
At this point things were actually working – but it wasn’t obvious that the error-as-you-type checking was happening, because it was erroring at the very first command of the Setup.hs.
However if you open up a new Haskell file in the directory it should start doing error checking on the fly.
Containerization has taken IT automation to a whole new level, and docker is my favourite party pal. The Docker Hub and the huge community are some of its most valuable features.
A little graph I made. The racists are leaving. Can the last one out please turn off the lights.
Source: 2016 EU Ref Lord Ashcroft Polls
The only positive I hope from this is that the Brexit vote was a protest vote.
So I’m hoping the majority of ‘leavers’ aren’t siding with Farage, they don’t care about Boris – they just want to say Fuck You to all politicians and leaders.
This is probably the first and only time that the entire population have been given a protest vote. This is not a choice between one dodgy politician or another politician. This is not choosing between Trump or Clinton.
This is a chance to say fuck you to every single party. This is fuck you to the leaders of both the Conservative and Labour parties.
When this chance comes along – you don’t care about the consequences. You don’t care if the ‘leave’ campaign is spouting lies, you don’t care about the doom spouted by the ‘remain’ campaign. You just want a chance to say fuck you. You know the system is wrong and this is the only tool you’ve got to say so.
I certainly respect the people who protest for what they believe in. Perhaps I’m wrong for thinking all the pensioners don’t care about the consequences. Perhaps they know better than me that the pain of leaving is worth it.
There are some heartfelt comments from leavers, not based on the crap spouted by the leave campaign, in this blog post, Dear Brexiteer. What we need you to do now:
“I voted leave. There, it’s out there .. I trusted DC to come back from Brussels with a list of pledges that would let us have some tools to work with to make me feel that improvements could be made to the way we live..
Be it a better NHS ,Schools ,social care services,security. ..
He came back with nothing and nothing was offered .. in fact we were told that it would never change..
So people who have had enough like myself and 17 million others voted with our feet in the only way we know .. a very British revolt ..
Now we are being called racist and xenophobic but this is just so untrue for the masses.. we just need change .
The EU is a broken antique of a monster that isn’t up to listening to the working classes..
We have been called inward looking but again that is not true. . I consider myself Global I want to be able to talk with anyone across the world’s economy. .
Things will never be the same again and for that I feel that my cross mattered.
The first time I think the working class has ever mattered…”
So I hope when all the dust settles that we’re all still willing to tell Farage and Johnson to go fuck themselves (I’m pretty sure not many people care about what Gove says).