What Makes Your Password YOURS?



Simple questions are usually the most difficult ones to answer. And the most important among them are traditionally labeled stupid and dismissed. The modern days InfoSec is based upon unanswered questions. The lack of theoretical basis allows InfoSec gurus to produce teachings and «best practices» without a limit.

Today I want to address two very basic questions about passwords:

What are characteristic properties of a password? and what makes your password yours?

By answering these questions you achieve understanding of the utter malevolence of the password abandonment movements, that are so frighteningly popular today. There is a particularly dangerous movement to replace passwords with bio-metric attributes that can reliably identify your body (e.g. voice, fingerprints, and such). Although these attributes are successfully used in forensic practice for centuries, it does not make them good authentication tokens. Why? Because your password's job is NOT to identify your body.

I hear you screaming: «WHAT?!?!?!» That means you are ready to investigate what IS a password, what is its job, and what properties do you want your password to possess.
Read more →

An Observation About Passphrases: Syntax vs Entropy



I suggested in the article to use passphrases instead of «traditional» passwords, for multiple reasons, including: sheer strength, memorability, and conforming to idiotic password creation policies without actually following detrimental recommendations of the policy authors.

This recommendation gives rise to a reasonable doubt: «what if syntactically correct phrases are as weak as dictionary words in comparison to a random string of symbols?''. Indeed, syntax itself should weaken a passphrase, as it provides some „predictability'' to the phrase. I want to address this problem, by comparing syntactically correct passphrases to random collections of words (which we all consider sufficiently strong… hopefully).
Read more →

Password Strength Explained

This is a scheme of how we define password strength in a strict scientific manner without bullshit and lyrics:

1. we clarify what is a guessing attack and set aside all other types of attacks;

2. we prove the theorem: any two guessing attacks differ ONLY by the ORDER in which they try candidate-passwords;

3. we demonstrate that password strength (in any practical sense) is a function of an attack;

4. the strength of a given password is the position of this password in the attacker's dictionary;

5. the defender's strategy is an approximation of the attack dictionary order;

6. an approximate order is equivalent to a specific set of orders (i.e. different attacks);

7. thus, the defender's password strength is an expected value for the password strength over the given set of attacks.

You can read the implementation of this scheme in my paper: "A Canonical Password Strength Measure". It gives us a feasible meaningful unambiguous measure that everyone can implement.

It is also worth noticing that Shannon's entropy is entirely irrelevant to the password strength problem. Entropy is based on the ASSUMPTION of possible outcomes. This set is well defined in the context of measuring a memory size, and not defined at all in the context of password creation/guessing.

In contrast to my work, the «password strength» discourse is extraordinarily rich on bullshit. Take a look at this masterpiece. This is a great example of how to write some 35K of text without answering the question, and even without understanding the subject. Let me quote the key paragraph:

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

This is one of the best non-answers I have ever seen, and a very succinct one too. No wonder it originates from the government officials! It obscures the matter it addresses in almost every word — «effectiveness», «resisting», «complexity», «unpredictability» — what are they? So, essentially the quoted paragraph reads:

Password strength is a function of something unknown to us.

It is time for us to do some trivial maths and terminate the «password strength» nonsense.

Your "A++++" Air Conditioner Wastes Half Of Its Labour

It doesn't mean the «energy efficiency» rating is wrongfully stated, the statement is true, regarding electrical efficiency of the device, yet the cold produced by the device is not delivered to your house as you might think. It is split unevenly between your house and the Earth's atmosphere, where less than 1/2 is delivered to you, all the rest surprisingly enough is dumped into the atmosphere, no matter how many «pluses» they print on the energy efficiency label.

Forget about «A++++» — let's do some elementary physics




This beautiful picture is not true. Well, technically it is not entirely untrue, in absolutely dry air this picture is true, for example in Atacama desert or on Mars, but chances are the atmosphere of your house contains plenty of water, which is not mentioned on the picture. When your air conditioner cools air down it cools ALL components, of which the significant part is water vapour. The water vapour concentration is limited by the air temperature, lower the temperature lower is the maximum possible water content. That creates the dew point phenomenon. If you drop the air temperature below a certain level water condenses out, and your air conditioner heat exchanger operates most certainly below the dew point, this is why water comes out from the device. ...And goes straight outdoors carrying the cold produced on your expense to the earth atmosphere. So that the correct scheme should look like this:

water separation

Please, stop chanting «A+++++»


Even if we assume 100% efficiency of the device, it simply DISPOSES OF a significant part of its END PRODUCT. Now, let's us estimate how much significant is it.

Let's assume you want to cool a room down to comfortable 24 C, in a hot day (37 c, with 68% humidity, which is a typical July day in my home town).

Thus the air initially contains 0.03 kg of water per m^3.
If we now generously assume that the air pump operates at 11 C then we only need to cool 1/2 of the room volume in order to reach 24 C. It means that the heat exchanger produces 100% humid air at 11 C, which contains 0.01 kg of water per m^3.

Thus, the heat exchanger dumps 0.02 kg of cool water per m^3 of air.
Vaporization heat of water is 2257 kJ/kg, therefore your air conditioner dumps 0.02*2257 = 45.14 kJ/m^3
Let's see how big is this number.

Specific Heat capacity of humid air in our context is about 1.034 kJ/kg/K (with insignificant variation for such a rough calculation) and the density is about 1.2 kg/m^3. Thus the «consumer value» (pardon my language) of the air conditioning is roughly: 1.034*(37-24)*1.2 = 16.13 kJ/m^3

While the actually produced work consists of cooling half of the given amount of air from 37 to 11 C plus condensing water, which amounts to: (1.034*(37-11)*1.2 + 45.14)/2 = 38.7 kJ/m^3

Finally the ratio is: 16.13 / 38.7 = 0.42 — i.e. roughly 58% of the cold produced by your air conditioner goes straight outdoors.

Of course, it is a very rough estimation, but it gives you the order of magnitude of the phenomenon. Although I tried to give a conservative estimation, feel free to directly measure your air conditioner water output in order to get the precise number — I bet it will be even worse than «60%» stated in the title.

This loss does only seem inevitable!


The sad part is that this energy is completely recyclable for no cost — all you need to do is to vaporize this water on the heat exchanger of the condenser unit — BUT NOBODY CARES.

Android's Security Policy Is: "All Or Nothing"

This is the essay about the biggest and the most successful infosec profanation campaign in the world. It undermines the very idea of security awareness in each and every aspect, and it does so very subtly too. Initially I wanted to tell you how this profanation works and why it would be successful at cleansing users' minds from any security related thoughts; today I have upgraded my test-bunny Android device and realized that my «prediction» is getting late — Android has entered the final stage of the campaign: after the applications succeeded at damaging users' security awareness, the core system itself openly stepped into the battle, to commit the final blow.
Read more →

Randomness Does Not Imply Luck In Board Games

I often hear that randomness brings luck (therefore, unfair advantage for a weaker player) in a game. This idea is so strong and deep rooted in a general public that the words «luck», «randomness», «uncertainty» are often treated like interchangeable synonyms in discussions of game properties. Many people consider a game with a randomizer to be a low-grade push-your-luck childish trifle. I want to show you how wrong this judgment is.
Read more →

The Flattr Experiment

I decided to join flattr.com — a very neat donation platform. Isn't it reasonable to donate some money to the authors you like? Would it motivate you to donate if it leads to the elimination of ads? At least we can run this simple experiment. You are reading me (I know you do), and you are taking for granted the complete absence of ads on this clean and concise website. Please, consider making a flattr donation of any size if any article amused you. If it works sufficiently well to keep me from starvation, then ads will never appear on ithipster.com

Flattr this

Each Security Hole Is Created By Someone Deliberately.

Naked Security reports another (not very special) piece of malware for Android. It is quite sophisticated and effective, it has fooled almost 200K users.

I want to talk about one particular detail, quote:

The apps were installed directly onto unwitting Android devices as the extension bypassed the operating system’s permissions process.

Once again my question is how is it even possible in a mentally sane world??? Who created this bypass and why? No questions asked to Android, everybody is throwing feces at «evil-evil-evil» developers of malware. I believe that the idea of infosec related media is to channel the users' wrath into a safe direction, away from those who made malware possible in the first place, and suppress real inconvenient questions to the «trusted» developers and «respected» vendors.

Within the next few days I will explain you all evils of the android quasi-security — today I am too angry.

There Is Enough Wasted Electricity To Power All Cars In USA

I was confronted with a serious argument against Tesla cars (or electrically powered automobiles in general). It reads thusly: «If you replace all cars with Teslas the power grid will not be able to sustain the resulting tremendous surge of energy consumption». To me it sounds like a legit matter for a quick investigation, so here we go.
Read more →

What Would It Look like If The Web Developers Run A Grocery Store

Imagine, you enter a grocery store to buy a loaf of bread.
— Welcome to the Shop & Co!
— Hello. I am looking for…
— Where have you been recently?
— In a hardware store. Why?
— Do you use a car to get to us?
— No, I use a bike.
— Which model?
— XYZ123. Fucking Why?!
— Have you been to our store before? Any receipts?
— Nope.
— Where are you from?
— Me?! From Lithuania.
— Why do you speak English then?
— ...I don't know, I feel like doing so.
— May I speak Lithuanian?
— No way! just give me fucking bread!
— We are so sorry, we do not have Lithuanian bread right now.
— Can you give me any other goddamn bread!!!
— Nope.

This is exactly what happens every time you visit a website.

Flattr this