In case you a) read xkcd [which you should if you don’t]; and b) didn’t know the following.
There is additional text available for xkcd comics, just hover your mouse over the comic:
There’s also a comment page over at http://syndicated.livejournal.com/xkcd_rss/ which often has interesting discussions and will even explain the jokes that cover over your head (and occasionally mine).
0
If you use passwords, there’s a good chance you’re doing them wrong and exposing yourself to unnecessary risk.
My intent is provide some basic information on how you can do passwords better1, suitable for grandma to use (no offense grandma), because there’s no reason that you can’t do passwords better.
In the beginning, the internet was a benevolent place. If I said I was fergbrain, everyone knew I was fergbrain. I didn’t need to prove I was fergbrain. Of course, that didn’t last long and so passwords were created to validate that I was, in fact, fergbrain.
Passwords are one of three ways in which someone can authenticate who they are:
Back In The Day™, passwords were the de facto method of authentication because they were the easiest to implement and in many ways still are.
At the time, token-based methods were just on the verge of development with many of the technologies (such as public-key encryption) not even possible until the mid 1970’s. And once suitable encryption was more completely developed2, it could not be legally deployed outside of the United States until 1996 (President Clinton signed Executive Order 13026).
Finally, biometric authentication was an expensive pipe dream3.
The point being: passwords where the method of choice; and as we know, it is quite difficult to change the path of something once it gets moving.
Having just one password is easy enough, especially if you use it often enough. But how many places do you need to use a password? Email, social media, work, banking, games, utilities…the list goes on.
It would be pretty hard to remember all those different passwords. So we do the only thing we believe is reasonable: we use the same password. Or maybe a couple of different passwords: one for bank stuff, another for social media, maybe a third one for email.
Bad guys know that most people use the same username, email address, and password for multiple services. This creates a massive incentive for bad guys to try and get that information. If the bad guys can extract your information from one web site, it’s likely they can use your hacked data to get into your account at other web sites.
For bad guys, the most bang for the buck comes from attacking systems that store lots of usernames and passwords. And this is how things have gone. Over just the last two years Kickstarter, Adobe, LinkedIn, eHarmony, Zappos.com, last.fm, LivingSocial, and Yahoo have all been hacked and had passwords compromised. And those are just the big companies.
In my opinion, most people know they have bad passwords, but don’t know what to do about it. It’s likely your IT person at work4 keeps telling you to make “more complex” passwords, but what does that mean? Does it even help? What are we to do about this? Can we do anything to keep ourselves safer?
There is no single best way to do passwords. The best way for any particular person is a compromise between security, cost, and ease of use.
There are several parts to doing passwords better:
If one web site is hacked, that should not compromise your data at another web site. Web sites generally identify you by your username (or email address) and password. You could have a different username for every single web site you use, but that would probably be more confusing (and could possible lead to personality disorder). Besides, having to explain to your friends why you go by TrogdorTheMagnificent on one site but TrogdorTheBold on another side would get tiring pretty quick.
For reasons which I hope are obvious, making your passwords unique is better than making your usernames unique. Unless you don’t want people to find you, then make both your username and password unique.
Passwords should be unique for each web site or service.
Why: If a unique passwords is compromised (e.g. someone hacked the site), the compromised password cannot be used to gain access to additional resources (i.e. other web sites)
If you’re asking yourself, “But how do I remember all those passwords?!” just hold your horses.
People suck…at picking good passwords.
If you choose your own passwords, here’s a little test:
If my password was, for example, Ferguson86Gmail, I would only have 34.5 points:
Instead choosing Ferguson86Gmail as my password, what if my password was Dywpac27Najunst? The password is still 15 characters long, it still has two capital letters, and it still has two numbers. However, since it’s randomly generated it would score 89.3 — over twice as many points as the password I choose.
What’s going on here?
When you make up your own password, such as Ferguson86Gmail, you’re not choosing it at random and thus your password will not have a uniform random distribution of information5.
Passwords chosen by users probably roughly reflect the patterns and character frequency distributions of ordinary English text, and are chosen by users so that they can remember them. Experience teaches us that many users, left to choose their own passwords will choose passwords that are easily guessed and even fairly short dictionaries of a few thousand commonly chosen passwords, when they are compared to actual user chosen passwords, succeed in “cracking” a large share of those passwords.6
The “goodness” of a password is measured by randomness, which is usually referred to as bits of entropy (which I cleverly disguised as “points” in the above test) the reality of the situation is that humans suck at picking their own passwords.
If more entropy leads to better passwords, let’s look at what leads to more bits of entropy in a password. The number of bits of entropy, H, in a randomly generated password (versus a password you picked) of length, L, is:
Where N is the number of characters possible. If you use only lowercase letters, N is 26. If you use lower and uppercase, N is 52. Adding numbers increases NÂ to 62.
For example:
mougiasw is an eight-character all lowercase password that has 
bits of entropy.gLAviAco is an eight-character lowercase and uppercase password that has 
bits of entropyPr96Regu is an eight-character lowercase, uppercase, and numeric password that has 
bits of entropy.Adding uppercase gets us 8 additional bits, but adding numbers only nets us 2 additional bits of entropy. However, look what happens when we just add additional characters instead:
vubachukus is a ten-character all lowercase password that has 
bits of entropy.neprajubrawa is a twelve-character all lowercase password that has 
bits of entropy.For every additional character, you add 
The good news is that for randomly generated passwords, increasing the length by one character increases the difficulty to guess it by a factor of 32. The bad news is that for user selected passwords, every additional character added to make a password longer only quadruples the difficulty (adds roughly 2 bits of entropy which, based on NIST Special Publication 800-63 Rev 1 for the first 12 characters of a password).
More bits of entropy is better and I usually like to have at least 44 bits of entropy in my passwords. More is better.
Having to break out a calculator to determine the entropy of your passwords is not easy, and passwords should be easy. So let’s make it easy:
Longer passwords (at least ten characters long) are better than more complex passwords.
Why: Adding complexity only provides a minimal and one time benefit. Adding length provides benefit for each character added and is likely to be easier to remember.
The inevitable reality of doing passwords better is that you need a way to keep track of them. There simply is no way a person can keep track of all the different passwords for all the different sites.
This leaves us with two other options:
Yes. Writing your passwords down in a safe place is an acceptable method of keeping track of your passwords:
From www.schneier.com:
Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.
–Bruce Schneier, 2005
Writing down passwords can be appropriate because the most common attack vector is online (i.e. someone you’ve never even heard of trying to hack into your account from half-a-world away) with the following caveat: you make them more unique and more entropic.
By writing down passwords, you can increase their entropy (i.e. making them harder to guess) since you don’t have to memorize them. And since you don’t have to memorize them, you are more likely to create a better password. Additionally, if you write your passwords down, you don’t have to remember which password goes with which account so you can have a different password for each account: this also increases password uniqueness.
It would be reasonable to obfuscate your password list — instead of just writing them down in plaintext — so that if someone were to riffle through your wallet, they wouldn’t immediately recognize it as a password list or know exactly which passwords go with which accounts.
Instead of keeping them on a piece of paper, you could use a program to encrypt your passwords for you. There are a variety of ways to safely encrypt and store your passwords on your computer. I have been using 1Password for several years now and have been very impressed with their products7.
KeePass is another password manager I’ve used, however it does not have good support for OSX. There are other systems one could use, including Password Safe YubiKey.
I tend to be leery of web-based systems, such as LastPass and Passpack for two reasons:
You don’t have to remember your passwords.
Why: It’s better to have unique and more entropic passwords than it is to never write down your password.
That’s it! Hopefully you found this helpful, now go make your passwords better and report back!
19 February 2014: Added additional clarification about entropy of user-generated versus randomly-generated passwords.
0Arguably, there is no one right way to do passwords ↩
it’s one thing to prove the mathematics of something, it’s a whole other thing to release a suitable product ↩
and still sort of is ↩
or your son/grandson/nephew/cousin ↩
this is, in part, how predictive typing technologies such as SWYPE work ↩
as well as their technechal discusions on topics such as threats to confidentiality versus threats to availability ↩
In theory I should always consult this before I start a new project:
In practice, I probably won’t.
0Until Randall pointed this out , it didn’t even cross my mind: the inverse1 of miles (length) per a gallon (volume) is a unit of area. Ergo, my car’s efficiency is 0.1023mm2, or roughly twice the area of a pixel on a screen.
0gallons per mile ↩
I shared this video1 with Peter, who then asked:
I saw that a couple days ago. Awesome! And has some cool practical applications. I [couldn’t] quite tell if the pitch of the robot was adjustable by the user, or of it always jumped in the same direction. Did you get a sense for that?
It was a good question and one I didn’t have an immediate answer to.
I would actually guess that I don’t have immediate answers2 to at least 50% of questions people ask me3. I have to do some amount of thinking, and sometimes even some research. I think people tend to think I know the answer off the top of my head, I assure you: I am not that smart.
I do have an inquisitive mind, I do know where to look, and I do know how to ask the right question.
I decided to remedy this question though by talking it through, instead of just giving an answer. This is basically my thought processes as it occurred. Except that I got Sin and Cos mixed up and didn’t realize it until I had finished my conclusion. So I had to redo my entire analysis, and that’s what you see here. Please note this is still really just a paper napkin answer:
As far as angle, I’m not sure. I suspect there would be some angle change.
Elevation angle can affect two things, how high it goes and how far it goes forward, and these two things are intrinsically linked through SohCahToa. Height and forward distance can also be affected by the force applied (ceteris paribus4). This gives a problem with two independent input variables (angle and power) and two dependent output variables (height and forward distance/range).
Since my primary goal is to jump, I’m going to put most of my energy into that. If I want to jump higher, I can either apply more force or make my elevation angle higher (as long as it’s < 90°). As the elevation angle nears 90° [latex]\left (\frac{\pi}{2} \right )[/latex], more of my energy goes into going up than going forward. The proportion of energy applied to going up is defined by Sin and the proportion of energy applied to going forward is defined by Cos. Also worth remembering is that the Sin[x] + Cos[x] is not a straight line, it's another parabola that peaks at 45 degrees. The biggest bang for your average buck is to angle yourself at 45 degrees and shoot. Additionally, Cos (forward) angles that are near 90° have a high rate of change (i.e. going from 80° to 81° has more of a difference than going from 10° to 11°), thus little changes in elevation angles near 90° have relatively larger impacts on how far forward I go. Conversely, Sin (height) angles that are near 90° have very low rates of change. The cross over point for rates of change between Sin and Cos is - you guessed it - at 45° . Since the goal of the robot is to jump high (not far), it would make sense to only use high angles (above 45° ). To vary height significantly though, you are going to have vary power. Going from 46° to 90° only increases height by ~93% if the force remains the same. In comparison, going from 1 degree to 45 degrees increases height by 164,000%. Math is great, but if you can't implement it, it doesn't matter so let's turn to what's practical: One of the underlying assumptions is if the robot can vary the force it uses and if it could accurately set it's elevation angle. Setting the angle is pretty easy using encoders, and accelerometers to determine which way is down (if you were jumping from an angled surface, for instance). We've also already seen that the jumping leg can move, so adding functionality for precision angle measurements (within a degree, let's say) is pretty trivial. The real question, I think, is how does it jump? Delivering energy quickly has always been a problem. Delivering a measured amount of energy quickly even more so. Based on jumping from the ground to the loading dock (1.5 meters in height at most) and then from the loading dock to the roof (probably at least 4 meters), that's about a 166% increase in height, which is not quite enough as could be accomplished by just varying the angle from 46° to 90°. Since you can't gain that height just by altering the angle alone, it makes sense to assume that the jump force setting can be altered. However, if you change the jump force setting, what does that do to the forward movement (we know it will make the robot jump higher)? It will, of course, move the robot forward even more. How much more? I don't know exactly, but probably enough to make some minor angle tweakage worth it. We would have to sit down and work on the math to verify the exact amount. I think it involves something with squaring the derivative of the force divided by the mass. Squaring always make numbers bigger, so I tend to think it would be significant. Suffice it to say, if you don't want to proportionally more forward when you jump significantly higher, you would have to adjust your jump elevation angle. Thus I would assume there may be small changes in angle elevation, but that's hard to estimate given the view-point the videos were shot at. It's also pretty easy to solve for power required and angle needed to reach a particular height while moving forward only a certain amount (once you figure out what the maths are), so at least the implementation factor is pretty easy from a computing standpoint. And I've spent way to much time on that answer.5 As always, please check my work.
0Powered by Twitter Tools
0* Q: Wha? A: Every week I go through about 1000 posts on my RSS feed. These are ones that I thought worth sharing. You can find previous Shared Items here.
0* Q: Wha? A: Every week I go through about 1000 posts on my RSS feed. These are ones that I thought worth sharing. You can find previous Shared Items here.
0* Q: Wha? A: Every week I go through about 1000 posts on my RSS feed. These are ones that I thought worth sharing. You can find previous Shared Items here.
0* Q: Wha? A: Every week I go through about 1000 posts on my RSS feed. These are ones that I thought worth sharing. You can find previous Shared Items here.
0