Another take on passwords: entropy vs length

Shortly after writing about password strength, LinkedIn managed to lose 6.5 million hashed passwords. The hashes have been made public by the crackers responsible for the attack. Posting so many password hashes in public is quite interesting. For starters, the hashes can be analyzed. Now we can read in the news what the most popular passwords for LinkedIn are. After reading this list, it is pretty clear to me that there are many people who simply do not care about the security of their LinkedIn accounts. Some companies were also extremely fast to provide extra tools such as the LinkedIn password checker – I guess a case like this is good advertisement for LastPass.

As you can imagine, I was less-than-amused to find out my password was leaked, too. Granted, only the SHA-1 hash was leaked and my password was a random string. However, the geniuses at LinkedIn forgot to salt the password hashes, making them easier to crack: without a per-user salt, every user with the same password gets the same hash, and one precomputed table of hashes works against the whole database. I also do not quite understand why it took LinkedIn longer to send me a warning email than LastPass to write the password checker tool.
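To show why the missing salt matters, here is an added example (not code from the original post and not LinkedIn's implementation). It stores a constructed set of user records once with plain SHA-1, as the leaked hashes were, and once with a random per-user salt and PBKDF2-HMAC-SHA256 as the hardened alternative. The user names and passwords are made up; the iteration count is an assumed value for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample records for illustration only; two users share a password.
USERS = {"alice": "password", "bob": "password", "carol": "letmein"}

# Assumed work factor for the hardened scheme; real deployments tune this higher.
ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password, as in the leaked database.
    Equal passwords give equal hashes, and a table precomputed once
    (e.g. SHA-1 of every common password) matches every affected user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt: equal passwords give
    different hashes, and each guess must be recomputed for each user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store(users: dict, salted: bool) -> dict:
    """Build the stored records: name -> (salt_hex, hash_hex).
    Unsalted records carry an empty salt field."""
    records = {}
    for name, password in users.items():
        if salted:
            salt = os.urandom(16)  # fresh random salt per user
            records[name] = (salt.hex(), salted_hash(password, salt))
        else:
            records[name] = ("", unsalted_sha1(password))
    return records


def distinct_hashes(records: dict) -> int:
    """How many different hash values the database contains.
    With an unsalted scheme, shared passwords collapse to one value."""
    return len({hash_hex for _, hash_hex in records.values()})


def verify(password: str, record: tuple) -> bool:
    """Check a login attempt against a stored (salt_hex, hash_hex) record,
    using a constant-time comparison."""
    salt_hex, hash_hex = record
    if salt_hex == "":
        candidate = unsalted_sha1(password)
    else:
        candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, hash_hex)


if __name__ == "__main__":
    plain = store(USERS, salted=False)
    hardened = store(USERS, salted=True)
    print("unsalted: distinct hashes =", distinct_hashes(plain), "of", len(USERS))
    print("salted:   distinct hashes =", distinct_hashes(hardened), "of", len(USERS))
    print("alice logs in:", verify("password", hardened["alice"]))
```

With the unsalted store, alice and bob are visibly the same password, and SHA-1 of "password" is a well-known constant, so their hash is recognisable without any cracking. With a salt, the three records are all different and a lookup table is useless.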

After changing my password and making sure I had not re-used this password on other sites, I started reading some more articles about password strength. One of the more interesting ideas was to pad random passwords with easy-to-remember strings. The article argues that the password “D0g…………………” has the same length as the completely random “PrXyc.N(n4k77#L!eVdAfp9” but is much easier to remember. The latter has a much higher entropy, which is usually considered more secure. However, the author claims that padding passwords with easy-to-remember strings does not make them less safe unless the cracker knows the padding system. If the system used to pad the password is not known to the attacker, brute force is the only valid strategy to crack the password. The author concludes that password length beats entropy in most cases.

I agree with the basic conclusions of the GRC password strategy. However, looking at the most popular cracked passwords list cited above, I believe most people will use only very few padding strategies. Once these are known, password crackers can update their brute force algorithms to guess the padding separately from the short core, which effectively decreases the security of these passwords to little more than that of the core.
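To put numbers on the argument, here is an added example (not from the original post or from GRC) that sizes the search space of the two passwords under two attacker models: a full brute force over printable ASCII, and an attacker who has learned the "short core plus one repeated character" padding scheme. The random password is the one quoted above; the padded one is assumed to be "D0g" followed by 20 dots, 23 characters so that the lengths match. The padding-aware model is my own assumption about how a cracker would decompose the guess.

```python
import math

# Printable ASCII alphabet an attacker has to consider for each position.
PRINTABLE = 95
BITS_PER_CHAR = math.log2(PRINTABLE)  # about 6.57 bits

# Constructed inputs: the random password is quoted in the post; the padded
# one is assumed to be the 3-character core "D0g" plus 20 dots (23 characters).
RANDOM_PW = "PrXyc.N(n4k77#L!eVdAfp9"
PADDED_PW = "D0g" + "." * 20


def brute_force_bits(password: str) -> float:
    """log2 of the search space when the attacker knows only the length and
    the alphabet: every position is an independent choice of 95 characters."""
    return len(password) * BITS_PER_CHAR


def trailing_run(password: str) -> int:
    """Length of the run of one repeated character at the end of the password."""
    if not password:
        return 0
    n = 1
    while n < len(password) and password[-n - 1] == password[-1]:
        n += 1
    return n


def padding_aware_bits(password: str, min_run: int = 2) -> float:
    """log2 of the search space once the attacker guesses the scheme
    'core + repeated pad character' (assumed attacker model):
    choose the core characters, the pad character and where the core ends,
    instead of every character independently. Falls back to plain brute
    force when no padding run is present."""
    run = trailing_run(password)
    if run < min_run:
        return brute_force_bits(password)
    core = password[:-run]
    core_bits = len(core) * BITS_PER_CHAR     # guess the core
    pad_bits = BITS_PER_CHAR                  # guess which character pads
    split_bits = math.log2(len(password))     # guess where the core ends
    return core_bits + pad_bits + split_bits


def compare(password: str) -> dict:
    """Summarise both models for one password, rounded to a tenth of a bit."""
    return {
        "length": len(password),
        "brute_force_bits": round(brute_force_bits(password), 1),
        "padding_aware_bits": round(padding_aware_bits(password), 1),
    }


if __name__ == "__main__":
    for pw in (RANDOM_PW, PADDED_PW):
        print(repr(pw), compare(pw))
```

Both passwords sit at roughly 151 bits against a naive brute force, which is the author's point. Once the padding scheme is in the cracker's rule set, the padded password drops to about 31 bits, because only the three-character core, the pad character and the split point still have to be guessed, while the random password is unaffected.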

VolcanoCafé

In my hometown our energy company releases 1200 cubic meters per second, year round, of dihydrogen monoxide. A compound well known to have killed more people than any other industrial agent. At any time the same energy company stores 10 000 000 000 cubic meters of dihydrogen monoxide just a few kilometers outside of my hometown.

This reckless pattern is the same all over the planet. All of our cities are filled with dihydrogen monoxide. And it is an ever growing problem.

I call for an immediate ban of dihydrogen monoxide, an agent known to kill thousands of people at a time!

Another thing that is not well known about this deadly industrial compound is that it often carries large amounts of protein-based pollutants. Pollutants that end up on our plates in large quantities. These nefarious pollutants are known to cause, among other things, fat-induced health problems, and throat…


Reconstructing Speech from Brain Signals

The previous post reviewed a science fiction book, The Accord by Keith Brooke, where virtual beings are created based on brain scans. It seems that scanning and decoding brain activity is getting closer to reality: A team of scientists from UC Berkeley, UC San Francisco, University of Maryland, and Johns Hopkins University managed to reconstruct individual words from brain signals of patients listening to recorded speech (B. Pasley et al., PLoS Biology 2012).

Speech reconstruction experiment paradigm

Listening to acoustic waveforms (top left) produces time-resolved signals (bottom right) recorded by probes implanted in the brain (top right). The signals are decoded into a spectrogram (bottom left). Image from the original article.

The authors managed to reconstruct individual words by analyzing brain activity data. Reconstructing signals caused by live events is of course very different from reading out the complete memory of a person as described in the sci-fi story The Accord. In fact, I doubt that memory can be accessed using electrodes. Electrodes require active, electrical signals in the brain, while I suppose long-term memory is something more hard-wired. Nevertheless, the research article shows the tremendous progress science and technology are making through the combination of biology and information technology. It will be interesting to see when applications of this technology become available to, e.g., allow disabled persons to communicate better.

Last but not least, I would like to thank the authors for publishing their work in an open access journal under a Creative Commons licence. Otherwise, I would not have been able to read this article and to legally show the picture on this blog.