Skip to main content

Quickie : password security

I cannot take credit for the recommendation that we start using words for passwords. The argument I recall reading suggested that a 40-character password made from 4 or 5 dictionary words was a) easy to remember and b) harder to crack.

At first my intuition had me thinking that this guy was nuts. But then I did some rudimentary math. First I assumed that in a strong password or the traditional sense there were a few valid chars:
a-z A-Z 0-9 and !@#$%^&*() ,./<>?;':"[]{}\|= <space>

The problem with this is that even the strongest websites limit the user to alphanumeric plus a few simple special characters. So let's say we have 72 valid chars. That means that the math for a 7 character password looks like:
72^7  = 1.00E13
72^8 = 7.22E14
72^9 = 5.19E16
72^10 = 3.74E18

I'm hoping I have the math right but there is some huge wiggle room. For instance there is a list of invalid words and sequences, dictionary attacks, and then l33t speak. So this will reduce the number of combinations by some amount. If not I'm hoping that it's in proportion to the "word" scenario.

In the proper work scenario we talk about 4 or 5 proper words. Considering the average number of words is between 60,000 and 75,000 [ref] this might actually be reasonable:
60K^4 = 1.29E19
60K^5 = 7.77E23
60K^6 = 4.66E28

WOW! I had no idea that this was the case. Now the real discovery is whether or not I really know 60K words and can I stream them together in a way that I can easily memorize and recite. I suppose it might be better to permit a combination of the strict and worded. This way you get the combined complexity and brute force is even harder to execute.

I don't know where my passwords fall in terms of strength. I know they are random and they they overlap both. But I know that I've had to deal with systems that have rules that limit the valid passwords. This, of course, totally corrupts whatever ruleset I have devised for myself to remember my passwords.

I'm not going to share what I do next. It could be nothing. But if you're going to hack my accounts I want to keep you guessing as long as I can.

Comments

Popular posts from this blog

Entry level cost for CoreOS+Tectonic

CoreOS and Tectonic start their pricing at 10 servers. Managed CoreOS starts at $1000 per month for those first 10 servers and Tectonic is $5000 for the same 10 servers. Annualized that is $85K or at least one employee depending on your market. As a single employee company I'd rather hire the employee. Specially since I only have 3 servers.

The pricing is biased toward the largest servers with the largest capacities; my dual core 32GB i5 IntelNuc can never be mistaken for a 96-CPU dual or quad core DELL

If CoreOS does not figure out a different barrier of entry they are going to follow the Borland path to obscurity.

UPDATE 2017-10-30: With gratitude the CoreOS team has provided updated information on their pricing, however, I stand by my conclusion that the effective cost is lower when you deploy monster machines. The cost per node of my 1 CPU Intel NUC is the same as a 96 CPU server when you get beyond 10 nodes. I'll also reiterate that while my pricing notes are not currently…

eGalax touch on default Ubuntu 14.04.2 LTS

I have not had success with the touch drivers as yet.  The touch works and evtest also seems to report events, however, I have noticed that the button click is not working and no matter what I do xinput refuses to configure the buttons correctly.  When I downgraded to ubuntu 10.04 LTS everything sort of worked... there must have been something in the kermel as 10.04 was in the 2.6 kernel and 4.04 is in the 3.x branch.

One thing ... all of the documentation pointed to the wrong website or one in Taiwanese. I was finally able to locate the drivers again: http://www.eeti.com.tw/drivers_Linux.html (it would have been nice if they provided the install instructions in text rather than PDF)
Please open the document "EETI_eGTouch_Programming_Guide" under the Guide directory, and follow the Guidline to install driver.
download the appropriate versionunzip the fileread the programming manual And from that I'm distilling to the following: execute the setup.sh answer all of the questio…

Prometheus vs Bosun

In conclusion... while Bosun(B) is still not the ideal monitoring system neither is Prometheus(P).

TL;DR;

I am running Bosun in a Docker container hosted on CoreOS. Fleet service/unit files keep it running. However in once case I have experienced at least one severe crash as a result of a disk full condition. That it is implemented as part golang, java and python is an annoyance. The MIT license is about the only good thing.

I am trying to integrate Prometheus into my pipeline but losing steam fast. The Prometheus design seems to desire that you integrate your own cache inside your application and then allow the server to scrape the data, however, if the interval between scrapes is shorter than the longest transient session of your application then you need a gateway. A place to shuttle your data that will be a little more persistent.

(1) storing the data in my application might get me started more quickly
(2) getting the server to pull the data might be more secure
(3) using a push g…