Why Sites Have Bad Password Policies

Posted on 2013-04-30 by jcs

Ars Technica has an excellent article on why many sites have security limiting password policies. I’ve written about this before on my old blog, but the Ars Technica article is particularly infuriating. So much so that this is my second attempt at writing about it; I had to abandon the first attempt for mental health reasons.

We all know the horror stories. There’s the brokerage firm that limits passwords to 5, 6, or 7 characters. Others have a seemingly arbitrary prohibition on some or all symbols. Many limit password length in arbitrary ways. Ways that suggest the passwords themselves are being stored rather than a hash of the passwords1.

But why do they have these restrictions? If they are implementing robust password security (using bcrypt, scrypt, PBKDF2, etc.) the restrictions don’t make any sense. Sure, maybe you want to limit your input buffer to 1K or even 512 bytes but that’s not a serious restriction. To find out, Ars Technica queried some of the offending sites about the reasons for their password policies.

The answers, as I say, are infuriating. One major company, which should certainly know better, says that most attacks can’t be defended against by password length and that in any event password cracking is hardly their biggest security problem. Another says that they allow only the dash and underscore symbols because symbols are harder to enter on mobile devices and customers don’t like entering them even on computers (I’m not making this up).

Go read it for yourself. There are other examples. Some make reasonable technical arguments involving regular expressions that check for password validity but here’s the thing: if you simply accept up to some number—512, say—of bytes for the password and hash the result using something like bcrypt you don’t have to do any validity checking. Hash functions don’t care what bytes you feed them and the end result of bcrypt and its brethren are a fixed length so managing storage space in a non-issue. Really, doing it right is simpler. It’s time to fix this instead of offering lame excuses. And please, stop telling me it’s raining.

Footnotes:

1 What does a maximum password of 15 ASCII characters suggest to you?

Posted in General | Tagged | Leave a comment

Vi(m) and Lisp

Posted on 2013-04-29 by jcs

Those of you who have been around for a while know that I was a Vi(m) user for a long time. I switched to Emacs when I started doing most of my programming in Lisp and Scheme. My main reason for the switch was to get Slime. It’s inconvenient, although possible, to program Lisp interactively in Vi. Yes, Yes, I know about Paul Graham and doubtless many others but the point stands.

Until I read Dorai Sitaram’s post on Editing Lisp and Scheme files in vi, I hadn’t realized another problem with programming Lisp in Vi: indentation. When you’re programming in C, which I mostly was in those days, the Vi family of editors does a very nice job of autoindenting your code as you enter it. It wasn’t as good at reformatting, as I recall, but I don’t remember ever being annoyed by it so it was, apparently, good enough. I usually handled natural language reformatting with fmt which, again, wasn’t seamless but seemed good enough at the time.

Sadly, there’s not a good solution for Lisp/Scheme code1. That’s what Sitaram’s post is about: external, fmt-like, filters to handle the chore. The seamless formatting of whatever code you happen to be writing is something that Emacs users just take for granted and reading Sitaram’s post made me realize that I’ve been spoiled—or assimilated as the Borg would say—by this. I wouldn’t want to be using Vi even if they had a reasonable Slime solution (which, apparently, they do).

As I’ve written before, I never enlisted in the Vi/Emacs holy wars and even though I’m (now) thoroughly committed to Emacs I still have warm feelings for Vi(m) and maintain a great deal of respect for it. That said, I don’t think I’d want to be a Vi Lisp programmer. One can (and many do) live in both worlds by using Evil but when I switched I decided to go all in and embrace the native interface. I’m glad I did but everyone’s different so Evil or even Vi(m) might be a better fit for some. If you’re a Vi(m) user and write in Lisp, what has your experience been?

Footnotes:

1 Apparently Vim has improved this situation somewhat in the last few releases. If you’re a Vim user and your experience is different, please leave a comment and let us know.

Posted in Programming | Tagged , | Leave a comment

Tips on Securing a WordPress Site

Posted on 2013-04-28 by jcs

After the recent WordPress Administration Page attack, my hosting provider sent its customers a link to the WordPress page on securing WordPress sites. It’s an excellent resource if you’re running WordPress and some of the ideas are general enough that they can be used in other environments as well.

If you’ve got a blog or some other permanent Web presence, you should take a look at the page and implement the suggestions that make sense for your situation.

Posted in General | Tagged | Leave a comment

The Last Answer

Posted on 2013-04-27 by jcs

For some reason The Last Answer, an Isaac Asimov short story from 1980 was popping up on the Internet this week. Oddly, I’d never read it before and being an Asimov fan, I thought I’d read most of his fiction. Being that he started publishing short stories in 1939, this story was written fairly late in his career—he died in 1992. On the other hand, he was active right up until the time of his death so perhaps it wasn’t that late.

In any event, The Last Answer is the quintessential Asimov short story: short and pithy. It reminds me of The Feeling of Power, one of my favorite Asimov short stories. If you like SF, and especially if you like Asimov’s SF, you should definitely spend 5 minutes to read this story, even if you’ve read it before. I’m sure you won’t be sorry.

Posted in General | Leave a comment

EmacsGolf 4

Posted on 2013-04-26 by jcs

Xah Lee is doing some refactoring and wants to change this 

;; define several class of keywords

(defvar mylsl-keywords
  '("break" "default" "do" "else" "for" "if" "return" "state" "while")
  "LSL keywords.")

(defvar mylsl-types
  '("float" "integer" "key" "list" "rotation" "string" "vector")
  "LSL types.")

(defvar mylsl-constants
  '("ACTIVE" "AGENT" "ALL_SIDES" "ATTACH_BACK")
  "LSL constants.")

(defvar mylsl-events
  '("at_rot_target" "at_target" "attach")
  "LSL events.")

(defvar mylsl-functions
  '("llAbs" "llAcos" "llAddToLandBanList" "llAddToLandPassList")
  "LSL functions.")

into this 

;; define several class of keywords

(defvar mylsl-keywords nil "LSL keywords.")
(setq mylsl-keywords '("break" "default" "do" "else" "for" "if" "return" "state" "while") )

(defvar mylsl-types nil "LSL types.")
(setq mylsl-types '("float" "integer" "key" "list" "rotation" "string" "vector"))

(defvar mylsl-constants nil "LSL constants.")
(setq mylsl-constants '("ACTIVE" "AGENT" "ALL_SIDES" "ATTACH_BACK"))

(defvar mylsl-events nil "LSL events.")
(setq mylsl-events '("at_rot_target" "at_target" "attach"))

(defvar mylsl-functions nil "LSL functions.")
(setq mylsl-functions '("llAbs" "llAcos" "llAddToLandBanList" "llAddToLandPassList"))

His first inclination was to just brute force it with cut and paste and some typing but then he asked himself what he would do if he had hundreds of lines like this to fix. I can think of at least two efficient ways to do this. What would you do?

Posted in General | Tagged | 7 Comments

Giant Emacs Reference Sheet Revised

Posted on 2013-04-25 by jcs

We here at Irreal are big fans of Aaron Hawley’s Giant Emacs Reference Card and have often written about some of the tidbits contained therein. Now Hawley has announced that he’s revised the reference and added another 500 commands for a total of more than 2000. It now covers keyboard macros, Dired Mode, Occur Mode, table, and Calc.

For me, one of the nicest things about the old reference card was the pleasure to be had from reading random sections and learning something new. I’m looking forward to the same pleasure with the new version. If you haven’t yet seen it, be sure to head on over and take a look. I have it bookmarked in the Documents section of my browser for easy reference.

Posted in General | Tagged | Leave a comment

Maintaining My Blog Post Queue

Posted on 2013-04-24 by jcs

Because inspiration doesn’t necessarily strike on demand, I like to stay a few posts ahead. For the last year, my procedure was to push a completed post to the site as a draft and then publish it when I was ready for it to appear on the site. The recent attack on WordPress administration pages and the subsequent inability to release pending drafts have made me rethink that strategy.

Now what I do is maintain a separate file on my local computer called push-queue.org that contains links to posts that are ready to go. Here’s what the file looks like1: 

* Ready to Post [3/5]
- [X] one-way-function
- [X] action-report
- [X] tags
- [ ] worst-passwd-tips
- [ ] hyper-super
ORG-LIST-END-MARKER
* Pending Posts

Those links are in normal Org format. For instance, the tags link looks like: 

[[file://Users/jcs/org/blog/tags.org][tags]]

Naturally, being lazy, I don’t want to maintain the push-queue.org file by hand so I wrote a bit of Elisp: 

(defun jcs-add-to-push-queue ()
  "Add the file associated with the current buffer to post queue in
push-queue.org"
  (interactive)
  (let ((file (buffer-file-name)))
    (when (null file)
      (error "Buffer not associated with file."))
    (find-file "/Users/jcs/org/blog/push-queue.org")
    (beginning-of-buffer)
    (if (search-forward-regexp "^\\* Ready to Post")
        (progn
          (forward-line)
          (org-end-of-item-list)
          (insert (format "- [ ] [[%s][%s]]\n" file (file-name-base file)))
          (org-update-statistics-cookies 'all))
      (error "Missing top-level header."))))

Now when I finish a post, I just type 【Meta+xjcs-add-to-push-queue (or really, thanks to smex, just a few letters of it) and push-queue.org is updated automatically. When I’m ready to publish a post I just click on the link to open the post in an Emacs buffer from which I can publish it directly to WordPress.

Footnotes:

1 The ORG-LIST-END-MARKER isn’t really there. It appears to be an artifact of exporting a Org file from inside another Org file. Or something.

Posted in General | Tagged , | 1 Comment

disaster.el

Posted on 2013-04-23 by jcs

This is great! It’s disaster.el, a really useful tool if you write in C/C++ and can grok assembly language. What is does is compile and disassemble the C/C++ code in the current buffer. In will even jump to the code generated by the C/C++ source that the cursor is on. It uses objdump, which is part of GNU binutils so you have to have it installed. It’s not installed on OS X, so you’ll have to load it if you want to use disaster.el on that platform. The amazing thing about disaster.el is that it’s a relatively simple package. That fact demonstrates, once again, how powerful a development platform Emacs is.

This project is almost enough to make me wish I was still writing in C. The ability to quickly look at the generated code can be a big win. Happily, CL and Slime let’s me do the same thing and even Elisp lets me look at interpreted code so I won’t have to go back to C.

Posted in Programming | Tagged | Leave a comment

A O(n) Solution to the Last Elisp Challenge

Posted on 2013-04-22 by jcs

As I mentioned in the post, my An Elisp Challenge post was suggested by this Programming Praxis post. The next Programming Praxis post was a followup that discussed Booth’s Algorithm, which calculates how many left rotations a string must undergo to be lexicographically minimal. The thing about Booth’s algorithm is that it’s O(n) in the length, n, of the string. That gives us a way of making cyclep O(n) as well.

First, we need Booth’s algorithm. The following is pretty much a direct translation of the Python code in the Wikipedia article into Elisp

(defun booth (str)
  "Calculate the number of left rotations STR must undergo to be
lexicographically minimal."
  (let* ((str (concat str str))
         (n (length str))
         (fail (make-vector n -1))
         (k 0))
    (dolist (j (number-sequence 1 (1- n)) k)
      (let ((i (aref fail (- j k 1))))
        (while (and (/= i -1) (not (eq (aref str j) (aref str (+ i k 1)))))
          (when (< (aref str j) (aref str (+ i k 1)))
            (setq k (- j i 1)))
          (setq i (aref fail i)))
        (if (or (/= i -1) (eq (aref str j) (aref str (+ i k 1))))
            (aset fail (- j k) (1+ i))
          (when (< (aref str j) (aref str (+ i k 1)))
            (setq k j))
          (aset fail (- j k) -1))))))

Once we have Booth’s algorithm, the rest is easy:

(defun rotate-string (str n)
  "Rotate STR left N positions."
  (let ((k (mod n (length str))))
    (concat (substring str k) (substring str 0 k))))

(defun cyclep (s1 s2)
  "Check if S1 and S2 are cycles of each other."
  (string= (rotate-string s1 (booth s1)) (rotate-string s2 (booth s2))))

The rotate-string function does a left rotate of n positions on the string and the cyclep function ties everything together by rotating both strings into their lexicographically minimal forms and checking to see if they are equal.

All of this is sufficiently complicated that the previous O(n2) solution will probably be faster for reasonably sized strings. Still, it was fun to put this “faster” solution together even though I’m unlikely to need a cyclep of any speed.

Posted in Programming | Tagged , | Leave a comment

Xah Lee on Defining Super and Hyper Keys

Posted on 2013-04-21 by jcs

If, like me, you are always writing little pieces of Elisp to do some task or another or if you have a lot of ELPA packages installed, chances are it’s hard to find key sequences for them. In theory, 【Ctrl+c】 is reserved for just this purpose but in practice rather than being reserved for users it gets used by almost every package. Even my beloved Org mode is guilty of this. 1 On the other hand, what choice do they have? There just aren’t enough key sequences based on the 【Ctrl】 and 【Meta】 keys.

Emacs, of course, can also make use of the 【Super】 and 【Hyper】 keys but modern keyboards no longer have these keys. All is not lost, though, because you can map some otherwise unused key to 【Hyper】 or 【Super】. Xah Lee has a useful post on defining hyper and super keys for Windows, OS X, and Linux. One trick that he misses for OS X is using the 【fn】 key for this. That’s something I learned from Magnar Sveen. I wrote about that here (don’t worry, you can still control music and the other special functions).

I have mapped several key sequence that begin with 【Hyper】. You almost never trip over a predefined sequence and even if you do that command invariably has some other key sequence assigned to it too. Take a look at Lee’s post and experience the joy of a whole new key sequence space.

Update: Corrected my misinterpretation of the reserved key rules. See the comments for further information.

Footnotes:

1 My understanding of the reserved key rules was faulty. In the comments, Phil points out that only 【Ctrl+c】 and a letter are reserved for users. Control characters and numbers are not reserved.

Posted in General | Tagged | 6 Comments