Another take on passwords: entropy vs length

Shortly after writing about password strength, Linkedin managed to lose 6.5 million hashed passwords. The hashes were made public by the crackers responsible for the attack. Posting so many password hashes in public is quite interesting. For starters, the hashes can be analyzed. Now we can read in the news what the most popular passwords for Linkedin are. After reading this list, it is pretty clear to me that there are many people who simply do not care about the security of their Linkedin accounts. Some companies were also extremely fast to provide extra tools such as the LastPass Linkedin password checker – I guess a case like this is good advertisement for LastPass.

As you can imagine, I was less-than-amused to find out my password was leaked, too. Granted, only the SHA-1 hash was leaked and my password was a random string. However, the geniuses at Linkedin forgot to salt the password hashes, making them easier to crack. I also do not quite understand why it took Linkedin longer to send me a warning email than it took LastPass to write the password checker tool.

After changing my password and making sure I had not re-used this password on other sites, I started reading some more articles about password strength. One of the more interesting ideas was to pad random passwords with easy-to-remember strings. The article argues that the password “D0g…………………” has the same length as the completely random “PrXyc.N(n4k77#L!eVdAfp9” but is much easier to remember. The latter has a much higher entropy, which is usually considered more secure. However, the author claims that padding passwords with easy-to-remember strings does not make them less safe unless the cracker knows the padding system. If the system used to pad the password is not known to the attacker, brute force is the only valid strategy to crack the password. The author concludes that password length beats entropy in most cases.

I agree with the basic conclusions of the GRC password strategy. However, looking at the most popular cracked passwords list cited above, I believe most people will just use very few padding strategies. Once these are known, password crackers can update their brute-force algorithms to guess the padding, effectively decreasing the security of these passwords.


Gapingvoid – On Mastery

Hugh MacLeod is making an important point in his blog post On Mastery. He argues that truly successful people do not become successful by chance. They achieve success by becoming masters of their trade. Hugh MacLeod concludes that mastery is nothing glamorous but rather stems from repetitive practice and continuous improvement until perfection.

We commonly think of success as getting promoted to the next rung of the corporate career ladder or becoming a media star. This “conventional” success depends a lot on luck and the goodwill of other people – external factors outside of our control.

Success based on mastery as described by Hugh MacLeod, however, depends neither on luck nor on people’s admiration. Being less dependent on external influence, striving for mastery is a more reliable way to happiness than succumbing to the popular measures of success.

NYT – Can You Make Yourself Smarter?

The headline “Can You Make Yourself Smarter?” caught my attention in the New York Times. The article describes a game, “n-back”, that can be used to train working memory. Working memory is “the capacity to manipulate the information you’re holding in your head”. The researcher Torkel Klingberg found a relationship between working memory and IQ test results. Consequently, IQ is not fixed but could be improved by training.

I never took an IQ test myself and have only limited knowledge on how these tests work. However, I believe that it is possible to train for pretty much any test. Therefore, I do not find these results very surprising. Nevertheless, I find the connection between working memory and IQ very interesting.

Sidenote: The article contains an info box explaining typical ranges of IQ test results. It says: “132+ 2 percent; borderline genius; average I.Q. of most Ph.D. recipients” and “143+ 1 percent; genius level; about average for Ph.D.’s in physics.” Does this mean that the average physics PhD recipient is a genius? I expect a bit more from a “true” genius. What makes physics PhDs special?

Are password policies promoting weak password choices?

Passwords are one of the most cumbersome parts of modern life. It used to be enough to have a password for the UNIX account at work and a four-digit PIN code for the debit card. But not anymore. Nowadays, almost everybody has several email accounts, social network logins, home banking, a login to their favorite online newspaper, and so on.

Many people use the same password for everything. If one site gets compromised – be it because this password was not strong enough or because the site got hacked – all other logins are open to the attacker. A solution is the use of a password manager. But in some cases this is not practical (and of course we need at least one password to unlock the password manager…). Therefore, finding a way to generate safe but easy-to-remember passwords is arguably a big challenge in computer security.

In many organizations, password policies are used to enforce a minimum level of password strength. In a recent blog post, John Fontana argues that most password policies actually decrease password security. He cites Cameron Morris who proposes password policy improvements and wrote a tool called Passfault to measure password strength.

After reading about weak passwords a few years ago, I started to use a small command line tool called pwgen to generate random passwords. As it turns out, 7 random characters is pretty much the most I can remember. In fact, there were several embarrassing incidents where I had to call IT support only half an hour after choosing a new password because I had forgotten it. Passfault estimates that a random password generated with “pwgen 7” contains 78 billion patterns and can be cracked in about 1 day – that does not sound bad to me.

The makers of the webcomic xkcd propose an alternative way to make up strong passwords. They suggest choosing 4 random words, which are easier to remember than random strings. Knowing my memory, I put this to the test with just 3 random words, “garden dolphin dictionary”, using the Passfault tool. Result: 27 quadrillion patterns taking an estimated 9 centuries to crack – wow! And it is really easy to remember: I lost this paragraph while writing the post but was still able to remember my password when I typed it again later on.

Unfortunately, most password policies do not allow a password like “garden dolphin dictionary”. Some password policies do not allow the use of common words. Users can get around this by “keyboard shifting”: for instance, “bird” becomes “notf” on a US keyboard when all key presses are shifted one position to the right. This does not significantly enhance password strength, and some password cracking programs are optimized to detect it. Policies also often require the inclusion of numbers and special characters like ‘&’. As a consequence, users tend to substitute some letters with numbers, a technique well known to password crackers.

A quick web search reveals that there are many opinions on this topic. For instance, take a look at Per Thorsheim’s Security Nirvana, Schneier on Security, who simply advocates writing the password on a piece of paper, and this discussion at Stack Exchange. Personally, I have to say that I like the idea of using a few simple random words – I seem to be able to remember these much better than other passwords. For passwords I have to type often, e.g., to unlock screens, I still prefer shorter random strings. In the end, the single day necessary to brute-force the above-mentioned 7-character random string might still provide good enough security for me.
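To put numbers on the argument running through both password posts, here is an added example (my own code, not from the posts, GRC, Passfault or pwgen): it estimates the search space of random strings, random words and the padded “D0g…” scheme, once for an attacker who knows nothing about the structure and once for one who knows the padding or substitution trick. The guess rate, the 62-character alphabet assumed for “pwgen 7”, the 100,000-word dictionary and the number of substitution variants are assumptions.

```python
import math

# Assumed attacker guess rate (a constructed figure, not from the posts): 1e9
# guesses/s, within range for offline attacks on unsalted SHA-1 hashes.
GUESSES_PER_SECOND = 1e9
PRINTABLE = 95   # printable ASCII alphabet
ALNUM = 62       # [A-Za-z0-9]; assumed here as the character set of "pwgen 7"
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def random_string_space(length, alphabet=PRINTABLE):
    """Guesses to exhaust a uniformly random string: alphabet ** length."""
    return alphabet ** length

def random_words_space(words, dictionary_size):
    """Guesses for `words` words drawn at random from a dictionary (xkcd style)."""
    return dictionary_size ** words

def padded_word_space(dictionary_size, max_length, pad_alphabet=PRINTABLE,
                      substitution_variants=4):
    """Guesses for the GRC-style 'D0g....' scheme once the attacker KNOWS it:
    one dictionary word, a few letter->digit substitutions ('o' -> '0') and a
    pad character repeated to any length up to max_length. The attacker tries
    the factors separately, so they multiply instead of exponentiating."""
    return dictionary_size * substitution_variants * pad_alphabet * max_length

def transformed_space(base_space, known_transforms):
    """A transform the cracker already tries (keyboard shift, letter->digit)
    only multiplies the base space by the number of variants, e.g. 2."""
    return base_space * known_transforms

def bits(space):
    """Effective entropy in bits: log2 of the number of guesses."""
    return math.log2(space)

def years_to_exhaust(space, rate=GUESSES_PER_SECOND):
    return space / rate / SECONDS_PER_YEAR

if __name__ == "__main__":
    words3 = random_words_space(3, 100_000)
    cases = {
        "pwgen 7 (random alnum)": random_string_space(7, ALNUM),
        "23 random printable chars": random_string_space(23),
        "D0g... padded to 24, scheme unknown": random_string_space(24),
        "D0g... padded to 24, scheme known": padded_word_space(100_000, 24),
        "3 random words, 100k dictionary": words3,
        "3 random words, keyboard shift known": transformed_space(words3, 2),
        "4 words from 2048-word list (xkcd)": random_words_space(4, 2048),
    }
    for name, space in cases.items():
        print(f"{name:38s} {bits(space):6.1f} bits {years_to_exhaust(space):10.3g} years")
```

Under these assumptions the padded password, once its scheme is known, ends up with fewer effective bits than the 7-character pwgen string, while a known keyboard shift costs the word-based password only one bit.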

Location of CFEngine Inputs on Debian Systems

The first few times I used CFEngine on a Debian GNU/Linux system I ran into strange error messages while updating the inputs. I used some code examples for update.cf:

"/var/lib/cfengine3/inputs"
    perms => system("600"),
    copy_from => mycopy("$(master_location)","localhost"),
    depth_search => recurse("inf"),
    action => immediate;

See here for the complete example. The only change I made was to adapt the code to the location of the CFEngine system files that are located under /var/lib/cfengine3 on Debian systems. Still, it gave me mysterious errors about recursive security issues.

The error is caused by a small difference in the file locations on Debian systems: inputs are located in the /etc/cfengine3 directory, and /var/lib/cfengine3/inputs is not a directory but a symbolic link to /etc/cfengine3. After I changed the path in the first line of the above code to point to the real directory “/etc/cfengine3”, everything started to run smoothly!

Tip: Ubuntu systems are identical to Debian in this respect.
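A quick check for this trap, written here as an added example (my own code, not CFEngine's and not from the post): it classifies the inputs path, resolves the link and reports the directory to name in update.cf. The Debian/Ubuntu layout is rebuilt under a temporary directory as a constructed fixture, so the check runs on any machine without CFEngine installed.

```python
import os
import tempfile

def inputs_kind(path):
    """Classify a CFEngine inputs path. On Debian, /var/lib/cfengine3/inputs is
    a symlink to /etc/cfengine3, so a files promise on it addresses a link,
    not the directory it is meant to copy into."""
    if os.path.islink(path):
        return "symlink"
    if os.path.isdir(path):
        return "directory"
    raise FileNotFoundError(path)

def real_inputs_dir(path):
    """The directory to name in update.cf: the link fully resolved."""
    return os.path.realpath(path)

def inputs_promise_path(path):
    """Return (path_to_use, note): the resolved directory, plus a note when the
    given path was a symlink and should be replaced in the promise."""
    kind = inputs_kind(path)
    target = real_inputs_dir(path)
    note = None
    if kind == "symlink":
        note = f'"{path}" is a symlink to "{target}"; use the target as promiser'
    return target, note

def make_debian_like_layout(root):
    """Constructed fixture: rebuild the Debian layout under a scratch root so
    the check runs anywhere, with or without CFEngine installed."""
    real = os.path.join(root, "etc", "cfengine3")
    link = os.path.join(root, "var", "lib", "cfengine3", "inputs")
    os.makedirs(real)
    os.makedirs(os.path.dirname(link))
    os.symlink(real, link)
    return link, real

def check_debian_layout():
    """Run the check against the fixture; returns (kind, target_matches, note)."""
    with tempfile.TemporaryDirectory() as root:
        link, real = make_debian_like_layout(root)
        target, note = inputs_promise_path(link)
        return inputs_kind(link), target == os.path.realpath(real), note

if __name__ == "__main__":
    kind, matches, note = check_debian_layout()
    print(kind, matches, note)
```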

Configuration Management for Amateurs

The configuration of computer systems is a tedious endeavor. It requires the installation of software and hours of editing configuration files. Often, these tasks have to be repeated for many computers. This can be automated with configuration management software. Configuration management software is written to control networks of tens, if not hundreds or even thousands, of computers. So why would an amateur who runs only one or two machines want to use it?

In the past, I never used configuration management software. After all, all I wanted was to configure a single web server. I like playing with server configuration files; I am a geek, after all. However, I also have a day job that has nothing to do with system administration, and a family. Therefore, even small projects can take a while to complete. Consequently, I forget many things and often fall into the same traps over and over again.

Of course I could take better notes, but automating configuration tasks both prevents repeated errors and serves as documentation at the same time. It also serves as a mind hack: on one hand, I know that documentation is important. On the other hand, coding is much more fun. Figuring out how to configure my system with configuration management software can also be fun (for geeks).

In addition, even a small-time system administrator like me will end up repeating many things. The availability of cloud computing, for instance, gives many opportunities to play around – but also to spend a lot of time with mundane configuration tasks. Imagine you want to try some new software. Cloud computing gives easy and cheap access to computing resources. However, starting a fresh server instance usually comes together with basic configuration work, especially for geeks. After all, most geeks are not satisfied with the standard choice of text editor etc. Using configuration management software, you can automate these basic tasks. In my case, the resulting time savings can make the difference between a quick one-day project and a never-ending on-and-off affair.

VolcanoCafé

In my hometown our energy company releases 1200 cubic meters per second, year round, of dihydrogen monoxide. A compound well known to have killed more people than any other industrial agent. At any time the same energy company stores 10 000 000 000 cubic meters of dihydrogen monoxide just a few kilometers outside of my hometown.

This reckless pattern is the same all over the planet. All of our cities are filled with dihydrogen monoxide. And it is an ever growing problem.

I call for an immediate ban of dihydrogen monoxide, an agent known to kill thousands of people at a time!

Another thing that is not well known about this deadly industrial compound is that it often carries large amounts of protein-based pollutants. Pollutants that end up on our plates in large quantities. These nefarious pollutants are known to cause, among other things, fat-induced health problems, and throat…


Reconstructing Speech from Brain Signals

The previous post reviewed a science fiction book, The Accord by Keith Brooke, where virtual beings are created based on brain scans. It seems that scanning and decoding brain activity is getting closer to reality: A team of scientists from UC Berkeley, UC San Francisco, University of Maryland, and Johns Hopkins University managed to reconstruct individual words from brain signals of patients listening to recorded speech (B. Pasley et al., PLoS Biology 2012).

Speech reconstruction experiment paradigm

Listening to acoustic waveforms (left top) gives time-resolved signals (bottom right) recorded by probes implanted in the brain (top right). The signals are decoded into a spectrogram (bottom left). Image from original article.

The authors managed to reconstruct individual words by analyzing brain activity data. Reconstructing signals caused by live events is of course very different from reading out the complete memory of a person as described in the sci-fi story The Accord. In fact, I doubt that memory can be accessed using electrodes. Electrodes require active electrical signals in the brain, while I suppose long-term memory is something more hard-wired. Nevertheless, the research article shows the tremendous progress science and technology are making through the combination of biology and information technology. It will be interesting to see when applications of this technology become available to, e.g., allow disabled persons to communicate better.

Last but not least, I would like to thank the authors for publishing their work in an open access journal under a Creative Commons licence. Otherwise, I would not have been able to read this article and to legally show the picture on this blog.

Book Review: The Accord by Keith Brooke

Book cover of The Accord by Keith Brooke

Cover of the ebook edition.

The Accord by Keith Brooke is a science fiction novel exploring the idea of a virtual heaven. The story is set in the future where climate change and overpopulation cause widespread wars, famine, and mass migration. These problems, however, only serve as the backdrop to a love triangle with Priscilla, her husband Jack, both politicians, and the scientist Noah. Noah is the inventor of the Accord, a virtual heaven.

The story is based on the idea of a future virtualization technology that allows the mind to be separated from the body: brain scans are used to create a snapshot of a human brain, a digitized soul. After death, the snapshot is transferred to the Accord, where the soul continues to live forever in a virtual world. As the inventor of the Accord, Noah creates his own virtual worlds where he tries to get virtual instances of Priscilla to fall in love with him. Jack finds out about this and kills his wife out of jealousy. After their deaths, Priscilla and Noah meet again in the Accord, but Priscilla’s last brain scan was taken too long ago – she does not remember that she fell in love with Noah. After an assassination, Jack also enters the Accord. He is jealous and starts an everlasting hunt for Noah, trying to kill his rival. But in the Accord, everything is virtual, even death. People are reborn with full memory of their death.

The plot runs in multiple parallel threads. Keith Brooke does a great job weaving them together, changing narrators often. In addition to the suspense building up as Jack turns into a psychopathic character, the book made me think about the implications of this technology: Is it really desirable to live forever? Can the mind be separated from the physical world? What is real? Are crimes committed in the virtual world bad, or do virtual crimes not count? The technology described in The Accord might be far-fetched. However, today’s virtual worlds such as gaming communities already let people retreat into virtual lives – virtual love and murder included.

As more and more souls enter the Accord, the computing capacity of the real world cannot keep up with the constantly increasing resource needs of this artificial heaven. The plot moves to quantum space and even toys with (quantum) space exploration. At the end, the story glides into the mystical as the inventor of the Accord, Noah, attracts religious followers – a part that to me did not fit quite naturally into this book. The ending, however, is fascinating and fits the quantum nature of the later Accord (this is a spoiler-free review, so you will have to read it yourself).

In conclusion, The Accord has everything a good science fiction book should have: it takes a modern technology – virtualization – and takes it to its extreme, it raises some important questions such as the ethical implications of living in a virtual world, and, most importantly, entertains.

You can find the ebook at Smashwords, DRM-free and for a more than reasonable price. Don’t trust Automatody!? book reviews? – read another review of The Accord at SF site.