Tuesday, February 19, 2013

Randomness is Security...

This is me - on the quest to find a rule for secure passwords that I can remember and reuse regularly.
Of course other, wiser people spend much more time on this topic, but reinventing the wheel is quite fun, and nothing is more educational. And perhaps it will help you understand the problem of security a bit better.


Dictionary Hack

I assumed a cracking speed of 1000 guesses/second and a dictionary attack (i.e. simply trying out the words in a predefined list and comparing the resulting hash to the target hash).

If you take a list of 4 million words (perhaps 99% of the words used in languages based on the Latin alphabet), then testing each word in the list takes a total of:

4 000 000 / 1000 (seconds) => /60 (minutes) => /60 (hours) => /24 (days)
= ~1h 07

... around 1 hour and 7 minutes.
If you try repeating the words, say twice in a row, you now have 4 million extra words to test, each being a word from the original list doubled.
Repeat three times, and you have another 4 million rows.
... this makes for a nice linear progression:

So if you take a random word, say "closet", and repeat it 9 times, "closetclosetclosetclosetclosetclosetclosetclosetcloset", as your password, it would only take 8 hours to crack your password.



If you take, more realistically, only half a million words, the password above would be discovered in 1 hour 30 minutes. (Honestly, I would have taken fewer, but then the red line would hug the bottom axis and no relevant progression could be seen. So just imagine that for a realistic amount, perhaps only 5000 commonly used words, which include the words you use for your password, cracking your password would be as fast as it takes you to click a mouse button.)

Brute Force

Now if you just use random letters, numbers and symbols, your password could be: "A!diT0la%"
Brute force works by trying out every possible character combination for a certain set of characters.

So if you use all small letters [a-z] (26), capital letters [A-Z] (26), digits [0-9] (10), and some special signs [!"§$%&/()=?*'#+~] (16), for every possible character in your password you have a total of (26+26+10+16 = 78) characters to choose from.

So for 1 letter passwords, you can try a maximum of 78 times before guessing the password.
At 2 letters it is already 78*78, because every character can be combined with itself and all other characters in the list, which makes for 6084 maximum guesses.
... this is exponential growth:


Already at a password length of 4 characters (e.g. "$jO9") it takes 10 hours to go through all possibilities. If you just use 6 random lowercase letters [a-z] (e.g. "lbocca") it takes ~85 hours (3.5 days) to try all possible guesses. Using 6 random characters with 78 options (e.g. "§klOD&"), it takes 801 hours (~1 month) to go through all options.

Randomness

Yes, the longer the password you use, the longer the maximum time it takes to get cracked.
But "closetclosetclosetclosetclosetclosetclosetclosetcloset" is not as secure as "§klOD&"!

This is due to randomness(!) - the more predictable you are, the easier it will be to exploit you.

And using a known word like "closet" is more predictable than using random characters like "§klOD&". And for a computer to check whether you used "closet" 9 times in a row, or with a 1 at the end, really isn't much more trouble.

So the goal when attempting to create security, is to be random enough to fool potential attackers, but organised enough to be able to remember your own password. (Try remembering "!9dA85Dso§d" ;)

This demonstrates beautifully that security is always a matter of finding a balance between usability (can I remember my password?) and risk attitude (how OK is it if my password gets cracked?).


Update: here is a link to some other opinions on word repetition in a password.

Friday, February 15, 2013

Restarting my running training...

I want to talk about a particular aspect of being good at something - the fact that if you stop doing it, after some time you actually lose form and start getting worse than you have previously been. That makes it all the harder to start again.

Last year I started running regularly, following a specific training plan, and even improved quite well, going from barely being able to wheeze out 5km in 30', to running half-marathons and doing 5km in 22'. After about 4 months of intensive training, I failed to recognize the need for long-term planned training, including recovery periods, and had a burnout. Now it's half a year later and I still haven't reached the same level of training control as during those 4 months.

Here is the list of arguments, that kept me from returning to my previous training ambitions:
  1. I had burnout, and couldn't run near the times and distances that I could during my previous training. (Later I realized this was normal, and was just a sign that I needed to take it easy for a month or so, running slowly and shorter distances, before beginning again with intensive training.)
  2. I wanted to switch to triathlon training, which included bicycle and swimming training units, thus I couldn't naturally run as much as I did previously. (In theory true, but in effect I only swam and biked in alteration once a week. Thus I just trained less, running 1-3 times a week.)
  3. I was very occupied at home and work, and didn't have the peace of mind to simply start training properly again.
  4. By now I was losing form, and thought that I shouldn't train so much as I had planned - so I let planned training units drop away.
  5. Then it got cold during Winter.
  6. I got sick.
  7. I weigh 6kg more than 3 months ago. My knee hurts a bit when I run. I can't sprint even just 400m.

But there's light at the end of the tunnel :P !
I miss running, and I miss feeling strong & healthy.

So even though I couldn't run 10km enjoyably and can't get a speed of more than 8km/h without killing myself, I am restarting my training.

I found a plan, that helps. But in the end I just want to get back to running.

Here's my plan for running every 2 days and improving my condition over time. I'll keep posting on how I'm getting on with it (by highlighting in green what I've done):

Walk/Jog progression: 

Day 0:

  1. 5' walk/1' jog (x5)
  2. 4' walk/2' jog (x5)
  3. 3' walk/3' jog (x5)
  4. 2' walk/4' jog (x5)
  5. 1' walk/5' jog (x5)
  6. 30' jog
Day 13:
  1. 30'
  2. 30'
  3. 30'
  4. 35'
  5. 30'
  6. 30'
  7. 35'
  8. 35'
  9. 30'
  10. 35'
  11. 35'
  12. 35'
  13. 40'
  14. 35'
  15. 40'
  16. 40'
  17. 40'
  18. 45'
  19. 40'
  20. 45'
  21. 45'
  22. 45'
Day 39...

... after 3 months I will be running 45' at a solid pace, my legs and body being accustomed to running again, without over-doing my training with anything such as interval training, progressions, or long-distance running.
So hopefully for this summer, I can start my next dream of successfully preparing and completing a marathon, and maybe even some triathlon competitions.

I want to get back to running, and go about it in a smart way that won't execute my body, but ensures my long-term happiness instead.

The power of "Just start doing it"

Generally, when I identify myself with a task - I think about how to get it done...
I think about it. - the root of all my problems.

I begin imagining all the interesting problems that a task carries with it. I imagine all the fun it would be to solve them. I even categorize into basic stuff that needs to get done, and the fancy stuff that is more of a "nice-to-have-but-not-necessary". But of course, the fancy stuff is what makes this task stand out - it is what appeals to me.
It is the fancy stuff that I identify with. It is what impresses other people, it is what lights a flame of interest and wanting to take part in them. It is the fancy things that represent what I feel and think, which define my individuality and allow for me to be satisfied with what I create.
And thus it happens, that I tend to forget about the basic stuff, since those are "obvious" issues.

But it is the basic aspects that are the heart & blood of anything that needs to get done. Take a look at yourself - when you consume a thing somebody else has created, say, read an article, attend a workshop - the first things that you look for are basic traits, that help you find an orientation and get an entry into whatever topic you're currently dealing with.
These basic things are what opens the door to all the fancy stuff that's hidden behind it. The quality of the basic things is 80% of whatever you are doing.

So just start doing the basic things, and worry about the fancy stuff when you get to it.