Thursday, January 5, 2012

Good Password -- Bad Password

Well, maybe I or someone has convinced you to set up a non-admin user account to log in to for your day-to-day work. Now you're faced with the problem of how to choose a password.

(Well, actually, there's also the problem of how to set up a user name, which bears some discussion.)

You've heard all sorts of scary stories (and I'll tell you more) about passwords, and you probably wish you could simply avoid them altogether, but, for the present, they are a necessary evil.

Physical locks can often be picked, so they are not perfect protection.
Passwords, PINs, and passphrases can often be guessed, so they are also not perfect protection.

When you choose a lock, you usually pay a bit extra for a lock to protect things that are more valuable. For your $100 utility bike, a cheap lock is okay, but for your $1,300 mountain bike, you want a better lock.

Likewise, when you choose a password, you may not want to spend much time figuring out a password for the blogging site where you just want to tell the blogger he's all wet. But you should be much more careful about how you pick your e-mail password and your on-line password for your bank.

And you should be really careful about your computer passwords.

One thing you should consider when you pick a password is who the bad guy is. Relative to a password, anybody can be a bad guy. Even good guys can be bad guys sometimes. Maybe your spouse can be privy to the password, maybe not. If you're working at home, probably not. [JMR201612301030: That is, probably not for your work account unless your spouse is also your secretary or something. ] Children? Siblings? Roommates? If you don't want to trust them with free access to your credit card number, you shouldn't trust them with your passwords.

(Well, if you are deliberately sharing a login account, that's different, but you want to think a bit carefully about shared accounts, too.)

Your administrator password, at any rate, should be kept secret from just about everyone, maybe even your spouse. In fact, if your spouse doesn't want to share the administrator burden, you probably should not share the password. [JMR201612301035: And it's a good idea to ask him or her. ]

And if he or she does share the burden, it may be a good idea to have two administrator accounts, one for each of you. It's not that you don't trust your spouse, it's that arguments about who did it are not conducive to fixing the problem. And, yeah, you'll make your share of mistakes, too.

Bad passwords, PINs, and passphrases are those that are easily guessed, and those that are easily generated automatically by running through some sequence.

Some bad PINs: 1111, 6789, 0202. Also, 0207 would be bad if your birthday is July 2nd or February 7th. If someone steals or finds your wallet, your birthday is probably going to be on your license. 6149 might be good, if it's not part of your phone number or address, or your license plate number, or some other number someone might find in your wallet or might see you checking when you're at the bank. Except, now that I've used it here, you shouldn't use it. Bad guys might see it and think you'd use it.

How about one of these numbers reversed? After all, you need to remember it.

But if your roommate were to figure out how to regularly "borrow" your card without you knowing it, she might try your birthday this week, and your birthday reversed next week, then the last four digits of your phone number, and so forth.

If you are into being devious, you might write some number completely un-related to the actual PIN on a sticky note, and leave it attached to your card. Just be sure you don't try to use it when you're drunk.

[JMR201612301042: Being drunk is a security risk in and of itself, but I'll refrain from preaching at you too much about that in this post. ]

Should you write your PIN down somewhere? Many people say no. I don't know. If you're too tricky with your PIN, you're going to forget. Or you may remember that it's seven days past your birthday and your birth month times 3, but which came first?

If you do write it down, consider writing it in a crowd of other numbers, with some key that only you would notice to remind you where it starts. And write it in a simple code, maybe write two numbers that you have to add together, or use a rotate-by-three or by-five code or something. Be careful not to make it obvious what the number is by what you write around it.

Where PINs are used, they generally get invalidated after the third bad try. (And then you have to go in to the bank or phone company, show them your license, and get them to let you set a new one.)

Passwords can similarly be use-limited, but are generally not invalidated. Three bad tries and then a five-minute wait helps block on-line guessing, even of simple passwords. But bad guys will sometimes find a way to copy the file of hashed passwords (usually called the "encrypted" password file) from the computer, and then take their own sweet time off-line to crack the password by guessing one after another, with no five-minute wait between guesses.

One way to cycle through guesses is to start at "0" and go through "9", then "A" to "Z", then start over at "00" through "ZZ", then "000" through "ZZZ". If the password is any combination of just four [JMR201612301051: capital ] letters and numbers, such an approach will find the password in less than a half an hour, even on computers that are not very powerful. If someone can get a thousand computers working at once over at some cloud rental place like Amazon's, such passwords can be found in seconds.
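To make the arithmetic concrete, here is a little Python script (added here as an illustration; it is not part of the original post, and the SHA-256 hash it cracks is a constructed stand-in for whatever the stolen password file really holds). It counts the candidates in the "0" through "ZZZZ" sequence, walks them in exactly that order, and recovers a four-character password from its hash.

```python
import hashlib
import itertools
import math
import string

# The sequence the text describes: digits first, then capital letters (36 symbols).
CHARSET = string.digits + string.ascii_uppercase


def keyspace(charset_size: int, max_len: int) -> int:
    """How many candidates there are of length 1 through max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def guesses(charset: str = CHARSET, max_len: int = 4):
    """Yield candidates in order: "0".."Z", then "00".."ZZ", then "000".."ZZZ", ..."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def hash_password(pw: str) -> str:
    """Constructed stand-in for the hash stored in a stolen password file."""
    return hashlib.sha256(pw.encode()).hexdigest()


def crack(target_hash: str, charset: str = CHARSET, max_len: int = 4):
    """Try every candidate in sequence; return (password, guesses_tried)."""
    tried = 0
    for candidate in guesses(charset, max_len):
        tried += 1
        if hash_password(candidate) == target_hash:
            return candidate, tried
    return None, tried


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    n = keyspace(len(CHARSET), 4)
    print(f"{n:,} candidates up to 4 long, about {math.log2(n):.1f} bits of guessing work")
    # Assumed rate for one unremarkable machine; a thousand rented machines multiply it.
    print(f"at 1,000 guesses/sec: {seconds_to_exhaust(n, 1_000) / 60:.0f} minutes worst case")
    print(f"at 1,000 machines x 1,000 guesses/sec: {seconds_to_exhaust(n, 1_000_000):.1f} seconds")

    stolen = hash_password("ZZ9Z")  # constructed: a password near the end of the sequence
    password, tried = crack(stolen)
    print(f"recovered {password!r} after {tried:,} guesses")
```

The guessing rates are assumptions for the sake of the printout; the point is that the whole four-character space is under two million candidates, and that once the file is copied nothing slows the guesser down.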

Another trick is to use lists of words. A list of all English words is less than 200,000, and even including ten other languages is still not going to break a million. That's going to be quick.

So joaN and x3r! and electrocution are too weak, and even mYjoaN9! and P0t+3rHa are not all that strong.

For someone who knows you, 8a$EbaLl is going to be somewhat weak, if the bad guy knows you like baseball. Yes, there are computer programs for turning words into 733t$p{aK like that, and they can run pretty fast. Likewise, BeatriceSmith, if that's your mother's name. And famous dates, like 19november1863, are not a good idea, especially if the bad guy knows you are a fan of Abraham Lincoln.

Actually, dates can be sequenced through pretty fast, so don't use any straight date. Do not use your phone number, or any all-number password.

Nonsense passphrases, like "BallWheelSnipe" are supposed to be good. I haven't checked all the math, but it does look pretty good. I'd go with "8aLLvvH33L$nip" instead, I think. But don't use either of these now, of course.

Use twelve or more letters, numbers, and punctuation marks. Use three or more words, and mix in a little leet-speak to make things a bit harder to guess, but not hard to memorize.
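Here is a second added Python example (mine, not the original post's) that puts numbers on the two things said above: what those word-mangling programs do to 8a$EbaLl, and how much work a three-word passphrase costs a guesser compared to a single dictionary word or four capital letters and numbers. The substitution table is an assumed, deliberately small one; real cracking tools ship much bigger rule sets. The 200,000-word dictionary size is the estimate from the text.

```python
import itertools
import math

# Assumed leet-speak substitutions a simple mangling rule might apply.
LEET = {"a": "4@", "b": "8", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "$5", "t": "7"}


def variants_of_char(c: str) -> list:
    """Every way one character can be written: lower case, upper case, leet forms."""
    options = [c.lower(), c.upper()] if c.isalpha() else [c]
    options += list(LEET.get(c.lower(), ""))
    return list(dict.fromkeys(options))  # drop duplicates, keep order


def mangle(word: str):
    """Yield every case/leet variant of a word, the way a cracker's rule does."""
    for combo in itertools.product(*(variants_of_char(c) for c in word)):
        yield "".join(combo)


def mangle_count(word: str) -> int:
    """How many variants mangle() produces, without generating them."""
    return math.prod(len(variants_of_char(c)) for c in word)


def bits(candidates: int) -> float:
    """Guessing work as bits: log2 of the number of candidates to try."""
    return math.log2(candidates)


def passphrase_candidates(dictionary_size: int, words: int) -> int:
    """Candidates when each word is picked independently from the dictionary."""
    return dictionary_size ** words


def charset_candidates(charset_size: int, length: int) -> int:
    """Candidates for a fixed-length password over a character set."""
    return charset_size ** length


if __name__ == "__main__":
    dictionary = 200_000  # the text's estimate for an English word list
    print(f"one word, plain:            {bits(dictionary):5.1f} bits")
    n = mangle_count("baseball")
    print(f"'baseball' mangled variants: {n:,} ({bits(n):.1f} bits extra)")
    print(f"8a$EbaLl in that set:        {'8a$EbaLl' in set(mangle('baseball'))}")
    print(f"four capitals/digits:       {bits(charset_candidates(36, 4)):5.1f} bits")
    print(f"three dictionary words:     {bits(passphrase_candidates(dictionary, 3)):5.1f} bits")
    print(f"twelve printable chars:     {bits(charset_candidates(95, 12)):5.1f} bits")
```

The point of the comparison: leet-speak on one known word adds only about fourteen bits, which a program chews through instantly, while three words chosen independently already cost more than fifty bits before any mangling. Mangling a three-word phrase helps only to the extent the guesser has to try the mangling too.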

Write the passwords down?

Probably should.

With PINs, you have the bank or the phone company to go crying to. With your computer, you only have you.

Probably leave the list in a locked drawer in your desk. Even so, don't make the passwords obvious. Do things like burying the real passwords in a list of fake ones. Don't make it obvious which password goes with which user. Maybe encrypt the passwords and user names with something simple, like rotate-by-nine, if you can handle the un-rotation in your head.

And make sure you regularly check that the list has not been borrowed.

Now that you have strong passwords, and you have user accounts to separate the things you and your family do, you need to know about sudo. I'll blog about that next.


I've posted a little rant that might help remember passwords and passphrases, and might help understand simple encryption, here:


