The Worst Password Tips

Posted on 2013-04-20 by jcs

Mark Burnnet has an interesting post on The Worst Password Tips. His main thesis is that much—or even most—of the advice you hear about choosing passwords is no longer good advice. It used to be that passwords like p@r013 gave reasonable safety. Now substitutions like that are well known and all cracker software is configured to try them.

Similarly, passwords that take the first letter from each word of a phrase, such as my baloney has a first namembhafn, seem like a good idea because they won’t appear in any dictionary. The problem is that they are too short and in this age of GPU based crackers are subject to brute force attacks. The same goes for short random passwords such as n%C+k3q. Again it seems safe because it won’t be in any dictionary but it’s still short enough to be brute forced.

Burnnet recommends long passwords and, in fact, says that length is more important than randomness. I typically use a random 20 character password that gets generated automatically by my password management software. When sites allow it, the random password will have upper and lower case letters, numbers, and symbols. That increases the size of the “alphabet” that the cracker must deal with and makes his work much harder. Sadly, many sites have stupid, security-destroying restrictions on password length and composition but that’s another story. I’ll say only that such sites can be presumed to have other shoddy security practices and should be avoided if possible.

If you’re still making your passwords up by hand, you really should check out Burnnet’s post. It will give you some advice on what to avoid. Better yet, stop making them up and get some software such as KeePass or 1password to manage your passwords.

Posted in General | Tagged | 3 Comments

Tags with Emacs

Posted on 2013-04-19 by jcs

One of the oldest and most general code navigation tools is tags. The idea is that you generate a tags database for your code base and then use it to tell your editor where to find the definition of a variable, function, class, or whatever. I used to use tags when I was a Vim user but haven’t bothered since I moved to Emacs. Mostly that’s because I don’t deal with large code bases anymore so I don’t have the need. Of course, that means I never bothered to learn how to work with them in Emacs.

Marius Mårnes Mathiesen has written an excellent post on using tags with Emacs. He covers all the basics, including how to generate the tags database and keep it up to date. If you deal with large code bases and don’t already have a tool that works for you, take a look at his post. Tags may be just what you need. Even if you already have a solution, it’s worth taking a look to see if tags will suit you better.

Posted in Programming | Tagged | Leave a comment

Outage Status Update and After Action Report

Posted on 2013-04-18 by jcs

I’m happy to report that I can again log into the administrative page. I’ve released everything in the moderation queue and cleaned up a bit of a mess that I left while I was trying to figure out how to repush the posts that where already on the site but unreachable.

My hosting provider sent its customers an email explaining the situation and the actions that they took. It turns out that they were blocking connection attempts to the WordPress administrative page both to protect the accounts and also to lessen the stress on their servers. I suspected that they were filtering the logins to the admin page because I ran a packet trace on one of my attempt to log in and noticed that

  1. The initial TCP 3-way handshake completed in less that half a millisecond.
  2. Not a single GET request to the admin page was answered, even partially.

If the logins were failing because of too much traffic (a DOS attack, in effect), I would have expected to see the TCP handshake to show retransmissions and be slow. I would also have expected at least some of the GETs to succeed, if only partially.

In any event, the excitement is over for the time being although my hosting provider says that the attack is ongoing but that they have put less drastic measures in place. I want to take a moment to give my provider, IX Hosting, a shout out. They were very proactive in their reaction to this attack, first be recognizing there was a problem and then by blocking all access to the WordPress admin page when it became clear that the attacks were coming from thousands of IP addresses and that trying to block the attacking sites would not suffice.

When I first noticed the problem, I was able to engage a support tech on an IM chat immediately without having to open a support ticket or anything else. By and large things run smoothly with IX Hosting and when I do have issues, they are always dealt with in a timely, efficient, and friendly manner. If you’re looking for a reasonably priced home for your blog or other type of site, give them a look. I’ve been very happy with them.

Posted in General | Leave a comment

A Simple Explanation of One-Way Functions and Their Application to Passwords

Posted on 2013-04-17 by jcs

John Graham-Cumming has a very nice 4-part series on one-way functions and their application to passwords. The explanation is completely non-mathematical and should be understandable by anyone. By the end of the third post, Graham-Cumming has explained how a simple one-way function works, how it can be defeated, and how salting can make it (relatively) safe again. The fourth post completes the picture by discussing key stretching, again in a non-mathematical manner, as a way of increasing security by making a cracker work much harder to find a password.

Doubtless most Irreal readers already understand this material but it’s the perfect explanation for your non-technical friends (or boss). Well worth a read.

Posted in General | Tagged | Leave a comment

My Solution to the Elisp Challenge

Posted on 2013-04-16 by jcs

Here’s my solution to the recent Elisp challenge. It’s easy to be seduced by the notion of rotating one sequence to see if it’s equal to the other. That would work but the rotation is pretty expensive and the solution is O(n2). A simpler way is to concatenate one string with itself and then check if the other string is a substring. Here’s that solution in a nice, concise bit of Elisp: 

(defun cyclep (s1 s2)
  (and (= (length s1) (length s2)) (search s1 (concat s2 s2))))

Note that the length check is necessary for more than just a speed optimization as it eliminates cases like “ab” “abc”.

The efficiency of the solution depends on how search works. If it is O(n) then so is cyclep. Sadly search uses a brute force method and is O(n2). On the other hand, I remember from long ago that the Microsoft C strstr function, which does essentially what search does, was actually faster than Boyer-Moore and other fancy O(n) implementations. That’s because it used a machine instruction to find the first character of the substring and then just did the expected byte-by-byte check after that. The Elisp search function uses a similar strategy but, of course, it doesn’t use the machine instruction to accelerate finding the beginning of candidate substrings.

Posted in Programming | Tagged , | Leave a comment

Paredit and Multiple Cursors

Posted on 2013-04-15 by jcs

Brian Zwahr has an outstanding Emacs Rocks! type video up on using Paredit and Multiple Cursors together. This is excellent. He shows how to combine simple functions from each into a really powerful tool. Like Sveen’s masterpieces, the video is short (4:07) so there’s no reason not to enjoy it right now.

I really love multiple cursors. Ever since I first saw Sveen demonstrate them in his Web Rebels talk last year, I’ve been awed by how powerful a tool it is. Zwahr’s combining it with paredit, another favorite of mine, just makes both tools better. You really need to watch this video.

Posted in General | Tagged | Leave a comment

Outage Status

Posted on 2013-04-14 by jcs

I still can’t reach the administrative page so I assume the WordPress attacks are ongoing. That’s annoying but at least I’ve figured out how to push new posts. That still leaves those comments stuck in moderation, of course, but all I do about that is apologize again.

Posted in Administrivia | Leave a comment

My Solution to EmacsGolf 3

Posted on 2013-04-14 by jcs

Here’s my solution to the EmacsGolf 3 challenge. When I first saw Saul’s post, the first thing that popped into my mind was that this is the classic use case for a keyboard macro. The only problem is that each line is slightly different. Fortunately, Tim Visher showed us the way early in his VimGolf in Emacs series.

We start by beginning a keyboard macro with 【F3】 and then just start typing the first line until we get to Route. Next we enter recursive edit with 【Ctrl+u Ctrl+x q】, type in Route, and exit the recursive edit with 【Ctrl+Meta+c】. Now we backwards kill the last word (textViewRoute), yank it back again, and type in the rest of the line until we get to the second textViewRoute where we yank it back in again. Finally we finish the line, type 【Return】 and end the macro.

We complete the problem by running the macro again for each line but type in the unique word for that line. Here’s the keystrokes for the macro definition: 

TextView                ;; self-insert-command * 8
SPC                     ;; self-insert-command
textView                ;; self-insert-command * 8
C-u C-x q               ;; kbd-macro-query
<C-backspace>           ;; backward-kill-word
C-y                     ;; yank
SPC                     ;; self-insert-command
=                       ;; self-insert-command
SPC                     ;; self-insert-command
(TextView)convertView.findView  ;; self-insert-command * 30
ById(R.id.              ;; self-insert-command * 10
C-y                     ;; yank
);                      ;; self-insert-command * 2
RET                     ;; newline

That’s 69 keystrokes for the macro, two for the start and stop macro, 42 for the unique words, and 7 for the macro invocations. That’s a total of 120. It’s hard to see how you can do much better since almost all the keystrokes are just text that must appear1. If you have a better solution, by all means leave a comment.

Update: Oops. We need 8 more keystrokes for the 【Ctrl+Meta+c】 after each recursive edit.

Footnotes:

1 You could, I guess, save another 5 keystrokes by repeating the macro invocation 7 times with 【Meta+7 F4】.

Posted in General | Tagged | Leave a comment

Still More Information on the Outage

Posted on 2013-04-13 by jcs

Here’s another article on the ongoing attack on WordPress sites that helps explain what’s going on. From the description of the attack, I think Irreal is pretty safe since we don’t use stupid passwords but who knows. When all this is over, I’ll definitely be doing some forensics.

Posted in Administrivia | Leave a comment

More Information on the Outage

Posted on 2013-04-13 by jcs

Apparently, this is what’s going on that’s causing the problems with Irreal. It looks as if all WordPress sites are getting hit. I’ll post more information as it becomes available. Let’s hope this latest round of silliness ends soon.

Posted in General | Leave a comment