Wednesday, August 20, 2008

Security: Passwords, Part III: Better, Stronger, Faster.

We looked at passwords and password strength in the context of a random password generator. That's a great tool and a wonderful ideal, but sometimes random strings can be a squeency bit hard to memorize and type.

Here are some tactics I've found for creating easily memorized passwords (with the understanding that you still need strong passwords and great security.)

I want to make one point, though, before I start: I've both been taught and seen that when you give people an example password, they will think that the example is itself a great password, and then use the example. Don't do that.

Acronyms: Take a phrase or sentence and use the first letter of each word. For example, "This password is for the backup administrator account" might become Tpiftbaa. That's not great (reasonably random-looking, but only 8 characters and only 2 classes of character), but it's moving in the right direction.

Passcodes: Systems that will take a longer password can take a whole phrase or sentence (usually called a passphrase) as the passcode. With the previous example, "This password is for the backup administrator account." could itself be the password. That's much stronger: much longer, and it adds the period as a third class of character. The catch is that remembering the little fiddly words can get tricky with these.

Patterns: Sometimes thinking outside the box is the key to a good password. Look at your keyboard and find a nice pattern. I'll use the keys on the left of a standard qwerty keyboard. Note that the keys 1-q-a-z and z-s-e-4 make a cool "V" pattern. Hey, that's kinda random! "1qazse4" isn't just a pattern on the keyboard; it looks random enough to pass a naive complexity check. There are two problems. Somebody shoulder-surfing is much more likely to pick up on your password because it makes an obvious pattern, and the common keyboard walks are included in the wordlists that password-cracking tools use, so a pattern by itself should not be treated as a strong password.

Transposing Characters: I hesitate to mention this one, because it's so easy to be lazy. Think you're 1337? Well, 'leet boy, you can use a "1" for an "i" or a "#" for an "H". This is a good tactic, but easy to abuse. "P@ssw0rd" is a very, very bad password: it's just "password" with the substitutions everybody knows, and cracking tools apply exactly those substitution rules to their wordlists, so it's guessed about as fast as the plain word. Use this tactic, but only in conjunction with passwords that are good to begin with.

Mnemonics: Like anything memorized, attach them to other concepts or items-- or make up your own secret special meaning for your password. Pronounce it out loud in your mind-- just don't use things that are easily memorized but also guessable things about you.

Naughty Passwords: Since other mnemonics are often insecure, one trick you can use to make passwords more memorable is to use elements that are at least slightly naughty. Let's say your boss has a serious problem with rearward-facing pants bulge. Myb#aBFA would be a pretty good password! Breaking that down:

My
b(oss)
#(leet-h for has)
a
Big
Fat
Ass

Bet you won't forget that one so easily!

Intel: Plenty o' News from the IDF

A lot of info is starting to stream out of IDF (courtesy News.com as they have a concise article.) Short takes follow:

A dual-core Atom is coming, but only for the "Nettop"/thin client segment. Intel doesn't feel that it's power-efficient enough for the "Netbook" mobile market.

A 6-core Dunnington Xeon is planned as Penryn's swan song.

Roadmaps for Nehalem are starting to get fleshed out, with on-die video options and an 8-core version announced.

And this is all before next week's nVidia announcements! Biggest rumor? nVidia breaks into the x86 market...

Tuesday, August 19, 2008

Security: Passwords part Deux: When Passwords Go Bad

It's probably worth a few minutes to talk about what constitutes a bad password.

Anything guessable is bad. Anything that's easily compromised through brute force is bad.

OK phew, that was hard! Now, on to the specifics. Users often don't really have a clue about passwords in general and see them as at best a necessary evil and at worst a horrible pain in the ass. Users will go to heroic lengths to "beat the system." Getting around these problems often involves management, but at least be vigilant for what happens.

Using really poor passwords: People use the names of their kids, their pets, their address, their kids' birthdays, their pets' birthdays, etc. These are all very easily guessable, bad passwords. The ultimate cliche is a password of "password." BAD USER! NO COOKIE! You'll see other common passwords like favorite sports teams, TV/movie characters, cities, states, brand names, etc. used. Your defense against this is setting up a password system that requires complexity and tests for dictionary words and other likely bad passwords.

Practicing Poor Password Security: Taping your password to your monitor, the underside of your keyboard, or scribbling it on the bottom of the tissue box all happen, often. No matter how complex your passwords are, writing it down in a public space removes all security. Anybody who can get to their desk can get in with their passwords. All you can do is have a policy set up such that when this is caught, the user gets their proverbial hand spanked, changes their password immediately and is informed not to do it again.

Using the Same Password in too many Places: This is another easy one, but hard if not impossible to test for. At least encourage your users to use different passwords for work than for any other use and if you have a more secure network or if they act with higher privilege than normal, ask them to use a 2nd password for that task so that a single compromise won't compromise every system.

Re-using the same passwords excessively: A policy that says the user has to change the password monthly and can't re-use the current one doesn't preclude the user from just having two passwords and rotating them monthly. You can set policy such that they can't re-use their last X passwords (3-6 is common). That's actually pretty reasonable: if users rotate a larger number of passwords less frequently, it's not so terrible. The danger comes in when users combat this annoyance by just changing one character or identifier in the same base password. If "Password1" just becomes "Password2", the whole point of rotating passwords has been defeated. If you can, ensure that when a user changes a password the new one differs from the old one by more than one character. That check is only possible at change time, when both the old and the new password are available in the clear, so it has to live in the password-change path rather than in an offline audit.
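As an added example (not the author's tool, and not code from the original post), here is a Python policy check that implements the tests discussed in this post and in the "Better, Stronger, Faster" post above: character-class counting, a dictionary check that first undoes leet substitutions so "P@ssw0rd" is judged as "password", a keyboard-walk check that catches patterns like "1qazse4", and an edit-distance comparison with the previous password that rejects "Password1" becoming "Password2". The wordlist, the leet map, the keyboard adjacency threshold and the example passwords are constructed for this illustration; a real deployment would load a large wordlist plus leaked-password lists.

```python
"""Password-policy checks: classes, leet-normalised dictionary words,
keyboard walks, and too-small changes from the previous password."""
import string

# Constructed mini wordlist for the example. A real deployment would load
# tens of thousands of words plus leaked-password lists.
DICTIONARY = {"password", "admin", "welcome", "yankees", "cowboys", "dragon", "summer"}

# Leet substitutions to undo before the dictionary check, so that
# "P@ssw0rd" is judged as "password". This mapping is an assumption; extend as needed.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "#": "h", "!": "i"})

# US QWERTY layout as a grid; each lower row sits about half a key to the right.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {}
for _r, _row in enumerate(QWERTY_ROWS):
    for _c, _ch in enumerate(_row):
        KEY_POS[_ch] = (_c + 0.5 * _r, float(_r))


def char_classes(pw):
    """Number of character classes (upper, lower, digit, punctuation) used."""
    classes = [string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation]
    return sum(any(ch in cls for ch in pw) for cls in classes)


def normalise(pw):
    """Undo common leet substitutions and fold case."""
    return pw.translate(LEET).lower()


def contains_dictionary_word(pw, min_len=4):
    """True if a dictionary word of at least min_len letters appears after normalising."""
    norm = normalise(pw)
    return any(len(w) >= min_len and w in norm for w in DICTIONARY)


def _adjacent(a, b):
    """Physically neighbouring keys are 1.0 (same row) to ~1.12 (diagonal) apart."""
    (x1, y1), (x2, y2) = KEY_POS[a], KEY_POS[b]
    return ((x1 - x2) ** 2 + (y1 - y2) ** 2) ** 0.5 <= 1.2


def is_keyboard_walk(pw, min_len=4):
    """True if every key in pw is physically adjacent to the one before it."""
    keys = pw.lower()
    if len(keys) < min_len or any(k not in KEY_POS for k in keys):
        return False
    return all(_adjacent(a, b) for a, b in zip(keys, keys[1:]))


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(new, old=None, min_length=8, min_classes=3):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(new) < min_length:
        problems.append("too short")
    if char_classes(new) < min_classes:
        problems.append("too few character classes")
    if contains_dictionary_word(new):
        problems.append("contains a dictionary word (after undoing leet substitutions)")
    if is_keyboard_walk(new):
        problems.append("is a keyboard pattern")
    # Compare case-folded so that Password1 -> password1 is also caught.
    if old is not None and edit_distance(old.lower(), new.lower()) <= 1:
        problems.append("differs from the previous password by at most one character")
    return problems


if __name__ == "__main__":
    for old, new in [(None, "P@ssw0rd"), (None, "1qazse4"), (None, "Tpiftbaa"),
                     ("Password1", "Password2"), (None, "Myb#aBFA")]:
        print(f"{new!r:14} -> {check_password(new, old) or 'ok'}")
```

The keyboard-walk check deliberately requires every step to be adjacent; relaxing it to "most steps adjacent" catches more patterns at the cost of some false positives, which is the usual tuning knob. Note that Myb#aBFA passes these checks, which is the point the post makes: mnemonic does not have to mean weak.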

But sometimes, admins fail as well. I've seen a production database system that contained credit card data at a major company that was just secured by a password-- not a username/password pair. Understanding that people are lazy, a co-worker sat down one slow afternoon and tried strings. About one in four turned out to be a valid password. These weren't exotic strings either-- mostly sports teams, common dictionary words, etc. Thankfully the admins realized this was a huge security hole and fixed it in short order.

If you can, ensure that passwords are as complex as possible and be vigilant for users trying to undermine your best efforts.

Intel: i7 (Nehalem) will have a Turbo Mode


The Intel IDF Conference is going on as we speak, and Hardware-Infos.com (auf Deutsch) is reporting that Nehalems will have a mode similar to Santa Rosa Meroms where the chip will dynamically "overclock" itself on the fly on a single core when the need for high performance on a single execution thread is indicated. At this point, it's being called a Turbo-Mode, even though the Intel branding for this feature is unknown at this time. Details are still sketchy, but this is another very interesting detail about the i7/Nehalem platform.

In layman's terms, let's say you have a 4-core, 2.66 GHz CPU. If you're running something that only uses one core but needs all the power it can get, you have no benefit over a 2.66 GHz dual-core CPU or even a theoretical single-core version of the same. These are already maximum speeds, with the CPUs running at lower speeds when performance isn't needed. What this system will do is, transparently to the user, allow a single core to go faster than the rated maximum while reducing the maximum speed on the remaining cores. No word yet on whether this will work on a system that's already overclocked. I hope to have more info as this leaks out into the English-language press.

Monday, August 18, 2008

Security: Passwords

There's not much to say about this one that's not common sense, but more common sense is better.

Passwords should be "strong" -- that is, not easily guessable or hacked via brute-force. The longer it is, the better. Combining different types of characters (upper-case letters, lower-case letters, numerals and 'special characters' like punctuation) is even better. Your birthday, the name of your dog, etc. are all very, very bad passwords. They're not as good as two-factor authentication, but often they're all you get to work with.

Sometimes you have to crank out password after password (or one Really Good password) and that's a job best left to a random password generator. If you just need some passwords, I like the PCTools Random Password Generator web page.

Sunday, August 17, 2008

BoingBoing has a list of the top 101 classic computer and computer-related advertisements "of all time!!!11!eleventy-one" (OK so, I made up the last part.)

I'm not old enough to remember a few of these, but others bring back some fond (and not so fond) memories. Enjoy!

Monday, August 11, 2008

VIA to Exit Chipset Manufacturing

VIA saw the handwriting on the wall. With the "Intel platform" having been one of their big strengths, and with AMD having acquired ATI for its own chipset designs, it's getting tough for third parties to compete in the chipset market. VIA is officially announcing that they're leaving the third-party chipset market. nVidia's already on shaky ground with respect to chipset design and manufacturing, so that only leaves SiS at the extreme budget (read: low profit margin) end of the spectrum. My only fear is that third parties are good for overclocking and tweaking, serving as a great market force in that respect.

VIA will continue to design and manufacture chipsets for their Nano processor- just not for Intel or AMD CPUs.

Intel: New CPU Releases 8/11/2008

It's official! Several new models have released today, with one oldie but goodie seeing a massive price drop. All prices listed are from Newegg.

The E7300 (Dual-core, 2.66 GHz 3MB Cache) released at an affordable $144.99, a tremendously powerful entry at this price point. The only gotcha is a lack of hardware virtualization support.

The E8600 (Dual-core, 3.33 GHz 6MB Cache w/VT) is out at $279.99, a very workable price for such a fast stock speed. This guy is going to be a serious gaming powerhouse.

The Q9550 (Quad-core, 2.83 GHz 12 MB Cache w/VT) is now down to $339.99 at the 'egg. Once the pinnacle of slightly affordable quad-cores, the price is down quite a bit from last week. Hovering around $600 previously, this is now a realistic option for a mid-high end system.

All of these CPUs are now listed in stock. Expect some moderate price drops across most of the rest of the CPU range as well.

The E5200 is still MIA, but expected soon. I'll keep you posted. The street price should be around $90 for a 2.5 GHz dual-core with an 800 MHz FSB. Not shabby for a low-mid range system, and likely a strong overclocker.



Sunday, August 10, 2008

Intel: Nehalem to be Branded Core i7

It appears the rumors are true. The next-generation Intel Nehalem architecture (successor to the Core 2 family) will be branded Core i7, at least for the Bloomfield versions.

The picture of release information is also getting a little clearer. Intel's original Q3 2008 promise might be a little more like very late Q3 to Q4 date for the processor being released in anything remotely approaching "volume." These will all be higher end processors with three models ranging from $284 to $999 in thousand lots. Low-end and mobile CPUs are due in Q3 2009. I'll go out on a limb and say that some price cuts/new models will introduce some sort of mid-high end CPUs around the Q1/Q2 2009 time frame, with Core 2 still being a strong low-mid contender through 1H 2009.

The Bloomfield logo is pictured at right, with the Extreme part (at the $999 price point) supposedly sporting a black/grey logo.

Monday, August 4, 2008

Industry: nVidia to Leave the Chipset Market?


Xbit Labs and the Inquirer are reporting that nVidia is set to leave the chipset market entirely, with the Inq saying it's a done deal. Digitimes is proposing a more moderate view on the rumor, while the Tech Report has an article that contains a full, apparently official rebuttal from nVidia. There seems to be more than a grain of truth here as nVidia hasn't reached a deal with Intel to be able to license QuickPath Interconnect for the upcoming Nehalem processor. With no plans in sight yet to support new Intel motherboard technologies after roughly Q3 2008, that leaves nVidia with their original market, AMD.

There's just one problem with that... AMD finally has an in-house chipset maker with the ATI acquisition and they're pushing their own ATI chipset-based products. So faced with stiff competition over the bottom 20% of the market, what's nVidia to do? Is SLI doomed? Will nVidia break the software restrictions on SLI and allow SLI in Intel or even ATI motherboards? What about some of the cool tech that's trickling out like hybrid SLI?

With the failure of mobile G84/86 chipsets and falling stock prices, things must be a bit tense over at nVidia right about now. Competing aggressively with Intel has to be in the cards for nVidia to remain relevant in the chipset market.

Sunday, August 3, 2008

Security: Security through Obscurity


Security through obscurity frankly sucks. Sometimes you can't get around using it, so it's worth understanding what it is so you can avoid it whenever you can. Simply put, relying on attackers not knowing where something is or what it is, making something appear to be something else, or hiding an insecure service rather than securing it, is poor security.

For example, having a file out on an unsecured network share called passwords.txt that contains, say, passwords is just stupid. That's less than no security; it's a tempting target for any prying eyes.

Renaming that file to csfr4pw.txt seems like it might deter casual onlookers, but anybody interested in your data can trivially grep or search through file contents and notice that it contains sensitive passwords. Likewise, other automated tools like nmap can help attackers easily determine what services are running where.

Find a better way to secure the data. Put it behind a protected share, encrypt it, or even just alter the contents to say "the passwords are stored in a tamper-evident envelope in a locked cabinet." Though obscurity can technically be one layer in "defense in depth," it is never a substitute for an actual control, and it's a tactic you should avoid relying on if at all possible.
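As an added example (not from the original post), here is a small Python scanner that ignores filenames entirely and flags files by their contents, which is roughly what an attacker's grep over the share does. It builds a constructed temporary "share" containing the obviously named passwords.txt, the renamed csfr4pw.txt with the same kind of contents, and two decoy notes, and reports both credential files. The regular expressions and the sample file contents are assumptions for the illustration, and the "secrets" in them are placeholders.

```python
"""Content-based credential scan: the file name is irrelevant to the attacker."""
import os
import re
import tempfile

# Patterns an attacker would grep for. Constructed for this example; tune for your data.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bpass(word|wd|phrase)?\s*[:=]", re.IGNORECASE),   # "password = ..."
    re.compile(r"\b(api[_-]?key|secret|token)\s*[:=]", re.IGNORECASE),
    re.compile(r"^[^\s:]+:[^\s:]{6,}$", re.MULTILINE),               # "user:secret" lines
]


def looks_like_credentials(text):
    """True if any credential pattern matches somewhere in the text."""
    return any(p.search(text) for p in CREDENTIAL_PATTERNS)


def scan_tree(root, max_bytes=1 << 20):
    """Walk root and return relative paths of files whose contents look like credentials."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)   # only the first MiB; enough for text files
            except OSError:
                continue
            if looks_like_credentials(data.decode("utf-8", errors="replace")):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


# Constructed sample share. The "secrets" are placeholders, not real credentials.
SAMPLE_SHARE = {
    "passwords.txt": "ftp password = example-placeholder\n",
    "csfr4pw.txt": "backup_admin:Tpiftbaa\n",            # renamed, same kind of contents
    "readme.txt": "The passwords are stored in a tamper-evident envelope in a locked cabinet.\n",
    "notes.txt": "Reorder toner for the third-floor printer.\n",
}


def demo():
    """Write the sample share to a temp directory, scan it, and return the flagged files."""
    with tempfile.TemporaryDirectory() as share:
        for name, contents in SAMPLE_SHARE.items():
            with open(os.path.join(share, name), "w", encoding="utf-8") as fh:
                fh.write(contents)
        return scan_tree(share)


if __name__ == "__main__":
    print(demo())  # ['csfr4pw.txt', 'passwords.txt']
```

The decoy readme.txt, which only says where the passwords really are, is not flagged, while the renamed file is: the scan never looked at a filename. Run it against a copy of a real share and the same thing happens to any "cleverly" named file.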

Saturday, August 2, 2008

Games: The Wonderful End of the World mini-review


The Wonderful End of the World is a casual game from developer Dejobaan Games ("making video games for over 75 years...") I was a big enough sucker to play the demo on Steam, and was hooked enough to buy the game. What is it? In short, it's Katamari Damacy with an attitude. The plot? You're a disembodied spirit that must collect as much of the world as possible before the world ends. The mechanism? Walk into something smaller than you and it sticks to you. As you collect stuff, you get bigger and can collect larger items. Sound familiar? There's not a lot of gameplay here that hasn't already been done in the Katamari universe.

tWEotW does bring a lot of attitude and style to the table, though. The levels are far less repetitive than Katamari Damacy, with levels themed after classic video games, an Internet cafe, a wacky mall, etc. There are also several running jokes-- orangutans show up in the oddest places, and if you look around you'll see some bizarre stuff in the levels. There is a minor difference over the Katamari games in that you're graded primarily on the number of items you collect rather than the ultimate size you attain. The two are linked, but the distinction is important to understand. You're graded after each level.

There are 12 levels in all, and 11 of them are easy to unlock. The final level is only unlocked if you get an A or A+ on every single level.

There were a few problems-- the game is fixed resolution with limited setup options. Unlike most Katamari Damacy levels where the game decides what to render based on the scale of your character, tWEotW has an inefficient rendering engine that renders everything all the time. On my anemic system, I had severe slowdowns in the larger scale levels. There are plenty of cases where your character can get stuck between objects-- it's not always clear where the edges of your character get calculated. The game will eventually move you until you're unstuck, but the time lost is a pain. There's also one minor bug in the final level where you can pass through walls in certain areas.

Conclusions: the level design is fairly well polished and wonderfully quirky. The game on the whole is pretty easy--expect to "win" in 2-5 hours with some replay value. I passed every level with at least a B on the first try. But some levels were hard to raise from a B or A- to an A in order to unlock the last level. The developer sells this game for $20, but Steam has it for $10. Is it a fun diversion at $10? Yeah, probably worth it, but I'm not sure if it's worth it at $20.

6/10

Security: Defense in Depth


Defense in Depth isn't just a military tactic anymore. This is another basic building block of IT security. In short, don't rely on one specific type of security for your valuable data and expect attacks to come from every vector possible.

Defense in depth starts with securing your systems physically. Anything that's really sensitive should be behind locked doors. Firewalls, separate sensitive networks, OS-level security, anti-virus, anti-malware, intrusion detection systems, and many other tactics can help ensure that what needs to be secure actually is.

Typically you'll want to combine multiple levels of security for additional assurance.