An Observation About Passphrases: Syntax vs Entropy



I suggested in the article to use passphrases instead of «traditional» passwords, for multiple reasons, including: sheer strength, memorability, and conforming to idiotic password creation policies without actually following detrimental recommendations of the policy authors.

This recommendation gives rise to a reasonable doubt: «what if syntactically correct phrases are as weak as dictionary words in comparison to a random string of symbols?''. Indeed, syntax itself should weaken a passphrase, as it provides some „predictability'' to the phrase. I want to address this problem, by comparing syntactically correct passphrases to random collections of words (which we all consider sufficiently strong… hopefully).
Read more →

Password Strength Explained

This is a scheme of how we define password strength in a strict scientific manner without bullshit and lyrics:

1. we clarify what is a guessing attack and set aside all other types of attacks;

2. we prove the theorem: any two guessing attacks differ ONLY by the ORDER in which they try candidate-passwords;

3. we demonstrate that password strength (in any practical sense) is a function of an attack;

4. the strength of a given password is the position of this password in the attacker's dictionary;

5. the defender's strategy is an approximation of the attack dictionary order;

6. an approximate order is equivalent to a specific set of orders (i.e. different attacks);

7. thus, the defender's password strength is an expected value for the password strength over the given set of attacks.

You can read the implementation of this scheme in my paper: "A Canonical Password Strength Measure". It gives us a feasible meaningful unambiguous measure that everyone can implement.

It is also worth noticing that Shannon's entropy is entirely irrelevant to the password strength problem. Entropy is based on the ASSUMPTION of possible outcomes. This set is well defined in the context of measuring a memory size, and not defined at all in the context of password creation/guessing.

In contrast to my work, the «password strength» discourse is extraordinarily rich on bullshit. Take a look at this masterpiece. This is a great example of how to write some 35K of text without answering the question, and even without understanding the subject. Let me quote the key paragraph:

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

This is one of the best non-answers I have ever seen, and a very succinct one too. No wonder it originates from the government officials! It obscures the matter it addresses in almost every word — «effectiveness», «resisting», «complexity», «unpredictability» — what are they? So, essentially the quoted paragraph reads:

Password strength is a function of something unknown to us.

It is time for us to do some trivial maths and terminate the «password strength» nonsense.

Your "A++++" Air Conditioner Wastes Half Of Its Labour

It doesn't mean the «energy efficiency» rating is wrongfully stated, the statement is true, regarding electrical efficiency of the device, yet the cold produced by the device is not delivered to your house as you might think. It is split unevenly between your house and the Earth's atmosphere, where less than 1/2 is delivered to you, all the rest surprisingly enough is dumped into the atmosphere, no matter how many «pluses» they print on the energy efficiency label.

Forget about «A++++» — let's do some elementary physics




This beautiful picture is not true. Well, technically it is not entirely untrue, in absolutely dry air this picture is true, for example in Atacama desert or on Mars, but chances are the atmosphere of your house contains plenty of water, which is not mentioned on the picture. When your air conditioner cools air down it cools ALL components, of which the significant part is water vapour. The water vapour concentration is limited by the air temperature, lower the temperature lower is the maximum possible water content. That creates the dew point phenomenon. If you drop the air temperature below a certain level water condenses out, and your air conditioner heat exchanger operates most certainly below the dew point, this is why water comes out from the device. ...And goes straight outdoors carrying the cold produced on your expense to the earth atmosphere. So that the correct scheme should look like this:

water separation

Please, stop chanting «A+++++»


Even if we assume 100% efficiency of the device, it simply DISPOSES OF a significant part of its END PRODUCT. Now, let's us estimate how much significant is it.

Let's assume you want to cool a room down to comfortable 24 C, in a hot day (37 c, with 68% humidity, which is a typical July day in my home town).

Thus the air initially contains 0.03 kg of water per m^3.
If we now generously assume that the air pump operates at 11 C then we only need to cool 1/2 of the room volume in order to reach 24 C. It means that the heat exchanger produces 100% humid air at 11 C, which contains 0.01 kg of water per m^3.

Thus, the heat exchanger dumps 0.02 kg of cool water per m^3 of air.
Vaporization heat of water is 2257 kJ/kg, therefore your air conditioner dumps 0.02*2257 = 45.14 kJ/m^3
Let's see how big is this number.

Specific Heat capacity of humid air in our context is about 1.034 kJ/kg/K (with insignificant variation for such a rough calculation) and the density is about 1.2 kg/m^3. Thus the «consumer value» (pardon my language) of the air conditioning is roughly: 1.034*(37-24)*1.2 = 16.13 kJ/m^3

While the actually produced work consists of cooling half of the given amount of air from 37 to 11 C plus condensing water, which amounts to: (1.034*(37-11)*1.2 + 45.14)/2 = 38.7 kJ/m^3

Finally the ratio is: 16.13 / 38.7 = 0.42 — i.e. roughly 58% of the cold produced by your air conditioner goes straight outdoors.

Of course, it is a very rough estimation, but it gives you the order of magnitude of the phenomenon. Although I tried to give a conservative estimation, feel free to directly measure your air conditioner water output in order to get the precise number — I bet it will be even worse than «60%» stated in the title.

This loss does only seem inevitable!


The sad part is that this energy is completely recyclable for no cost — all you need to do is to vaporize this water on the heat exchanger of the condenser unit — BUT NOBODY CARES.

Randomness Does Not Imply Luck In Board Games

I often hear that randomness brings luck (therefore, unfair advantage for a weaker player) in a game. This idea is so strong and deep rooted in a general public that the words «luck», «randomness», «uncertainty» are often treated like interchangeable synonyms in discussions of game properties. Many people consider a game with a randomizer to be a low-grade push-your-luck childish trifle. I want to show you how wrong this judgment is.
Read more →

The Flattr Experiment

I decided to join flattr.com — a very neat donation platform. Isn't it reasonable to donate some money to the authors you like? Would it motivate you to donate if it leads to the elimination of ads? At least we can run this simple experiment. You are reading me (I know you do), and you are taking for granted the complete absence of ads on this clean and concise website. Please, consider making a flattr donation of any size if any article amused you. If it works sufficiently well to keep me from starvation, then ads will never appear on ithipster.com

Flattr this

Utilizing Wasted Energy Of The Slag Dumps

Today I want to talk about ecology, in a very unorthodox manner, as I always do with any subject. There is one very necessary practice in the metallurgy all over the world: slag dumping. Of course, our cherished environmentalist buzz-makers know nothing about that, because steel and copper, just like coffee and croissants, grow on trees. And it is much better to keep them at their present state of ignorance, as long as we want a serious, intelligent, and productive discussion on the topic.

First of all, there is nothing wrong with the metallurgy in general and the slag in particular. However, there is some room for a significant improvement that benefits our «environment», unlike bullshit «carbon taxes» or «wind turbines». In order to understand the basics of the problem watch any of the «slag dump» videos on youtube, like this one www.youtube.com/watch?v=zKOENNXsSBQ This «molten lava» is slag, an inevitable byproduct of any metallurgical process. It has no use in the industry, it contains no precious components, and it has to be removed from furnaces, in order to keep them running.

The first thing that must strike you as you see the action is: «what a waste of energy!!!» Indeed, slag is hellishly hot, where «hot» means two important properties: abundant and high potential, which makes the energy easily CONVERTIBLE. But, hold on, this shit is solid under normal conditions. When you extract energy from molten slag it will solidify, incapacitating any conceivable heat exchanger.

Let's apply some IT reasoning here. While it is difficult to take energy away, how about taking an energy consumer in? Picture that, you have to heat something, so you mix it into hot slag. The output will very likely to be total garbage… Yes! GARBAGE! Put garbage in, melt it by the heat contained in the slag, and then shape it in building bricks, or fillers, or whatever you need to build artificial islands…

In the end you get a pretty normal solid waste processing plant running on free energy.

On The "Bottom-Up" Approach To Data Security

Once I stated the title I immediately realized that there are many distinct dimensions having their own «bottoms» and «ups». So I must specify. The «bottom» is a set of elementary data manipulation operations available to you as a programmer or a data security specialist (although it is often the same «you»). The «top» is a transitive closure of this set. The set of operations available for a user is rather close to the «top», and mapping them into the basic data handling operations constitutes the essence of the programmer's job. The «bottom-up» approach to data security is a job of defining all the necessary data access rules in terms of the basic data handling operations — you apply certain restrictions to various data elements and they affect the data system overall behavior, namely data accessibility in the high-level terms used by the end users. The most elaborated text-book example of this approach is SQL — it gives you very low-level security bricks to build a custom building without specifying explicitly this building emergent properties.
Read more →

How to fix U.S. educational system once and for all

Amendment 28


The U.S. govt has no right to interfere with any aspect of public education, neither institutionalized nor irregular. It is prohibited for the govt to fund a school, advertise education services, impose standards or requirements in any way related to public education, limit educational activities in any way shape or form (for example: by demanding licensing).

Amendment 29


A teacher has an absolute, unrestricted, unalienable right to choose his students as he sees fit. A teacher is free to enroll and dismiss students on a whim at any time without answering to anyone or explaining his motives. The right of a teacher to freely select his students can not be limited by any institution, this amendment overrides any contractual obligations in this regard.

=================
Simple as that. No more laws and «departments» and «committees» are needed. You can even send your department of education to a re-education camp in Siberia.

And by the way, these two clauses are sufficient to return MALE teachers to the schools.