This article on the hacked RockYou passwords made me check my own password behaviour, and, what should I say, everything's fine ;-)
But my real-life experience with colleagues and family tells me that I'm the exception. And according to the TechCrunch article above, I'm a biiiig exception: only 0.2% of the users had a »strong password«.
In this post I would like to point out the most common password mistakes and show how you can make up passwords that are easy to remember and still strong.
1. The weak-password trap
First: what are weak passwords? Basically they are short, contain only letters and can be found in a dictionary (even combinations of dictionary words like “iloveyou” are evil).
You should use at least eight characters to resist a brute-force attack. The more, the better. (If you think a long password is hard to memorise, use the method described in section 3.)
Every additional character multiplies the number of possible combinations enormously (see Appendix): using nine instead of eight characters, for example, multiplies the possible combinations by 26 when only lowercase letters are used, increasing them from 0.2 to about 5 trillion.
2. The same-password trap
Even the strongest password is useless when someone else knows it (saved as clear text, written down, …) and can access all kinds of different accounts with it: check out the xkcd comic on password reuse.
3. How do I find a secure and easy-to-remember password?
Here is my tip: make up a long but easy-to-remember sentence. As an example we use (the sentence should be easy to remember): »The quick brown Fox jumps over the lazy Dog.«
Now we take the first letters of each word: TqbFjotlD.
Let's replace the o (letter O) with a 0 (zero). The q looks a little bit like a 9 and the b like a 6. The l can be replaced with a 1: T96Fj0t1D.
Now I replace the j with a !, because they also look alike.
A secure password would be T96F!0t1D.
Substitutions you can use most of the time: $ instead of S, 3 instead of E, 7 instead of t.
4. Password generators
There are a lot of programs that generate a random sequence of characters. Some can be configured in terms of length and the (special) characters used. I use one to generate »one-time passwords«, e.g. for user logins where the password has to be changed after the first login. Because otherwise you either have to memorize these (more or less) random sequences (hard), or write them down (insecure), or store them, using:
5. Central password management
Finally there is the possibility to store passwords in one central place. A small program encrypts your password(s) into a database and decrypts them after you enter a master password.
This is really a handy way, because you can use truly random character sequences (from step 4) but don't have to remember or write them down. But even this way has three catches:
1. The password-management tool has to be secure itself (strong encryption of the passwords, resistant to attacks).
2. One password gives access to everything!
3. Most of the time a password-management tool is bound to the computer on which it was installed. If you want to use the passwords while on the road, you have to use your brain or an (in)secure online access.
One last tip
Don't ever change your password on a Friday or just before your holidays: the chance of forgetting it is quite big.
And one more appeal to my developer colleagues: please, please, please don't store passwords as clear text in databases. The strongest password becomes useless if every sysop can read it in MySQL.
| Length | Used characters | Possible combinations |
|---|---|---|
| 8 | lowercase only | 26^8 (0.2 trillion) |
| 8 | lower-/uppercase and digits | 62^8 (218 trillion) |
| 8 | lower-/uppercase, digits and special characters* | 77^8 (1236 trillion) |
| 9 | lowercase only | 26^9 (5 trillion) |
| 9 | lower-/uppercase and digits | 62^9 (13,500 trillion) |
| 9 | lower-/uppercase, digits and special characters* | 77^9 (95,000 trillion) |
Obviously: the combination of a long password and many different characters enlarges the number of variations enormously.
* I tend to be cautious with special characters! It may happen that you are using a keyboard on which you can't find all special characters (Mac/Windows, abroad, cyber café). But !§$%&/()=?.,:; should always work. For the table above I assume 15 working special characters.
Working on a German project with dynamic text fields or forms is no problem for me: there are six »Umlaute« and one ligature that I use every day. English forms are even easier: no special characters at all (how unimaginative ;-)…
But the moment the project's scope is widened to Eastern or Western Europe, problems begin if you weren't attentive in school: in Spanish, questions start with this upside-down question mark, don't they? In French there are accents, but in which directions and on which letters? And did anyone have Czech or Hungarian in school?
This is for all developers making forms or dynamic text fields for the western hemisphere (no Cyrillic or Greek characters).
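As an added example (my own code, not from the original post), here is a small Python script that rebuilds the appendix table above from the character-set sizes the post uses and walks the sentence from section 3 through the same first-letter and look-alike substitutions; the substitution table comes from the post, the function names are my own.

```python
# Added example, not from the original post: rebuilds the appendix table
# (possible combinations per length and character set) and applies the
# sentence-to-password method from section 3. Function names are my own.

# Character-set sizes as used in the post's appendix: 26 lowercase letters,
# 62 = lower- and uppercase plus digits, 77 = those plus the 15 special
# characters the author counts as available on practically every keyboard.
CHARSET_SIZES = {
    "lowercase only": 26,
    "lower-/uppercase and digits": 62,
    "lower-/uppercase, digits and special characters": 77,
}

# Look-alike substitutions from section 3 (o->0, q->9, b->6, l->1, j->!).
SUBSTITUTIONS = {"o": "0", "q": "9", "b": "6", "l": "1", "j": "!"}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def keyspace_table(lengths=(8, 9)) -> dict:
    """Rebuild the appendix as {(length, charset name): combinations}."""
    return {(n, name): keyspace(n, size)
            for n in lengths for name, size in CHARSET_SIZES.items()}


def acronym(sentence: str) -> str:
    """First letter of each word, case preserved ("TqbFjotlD" for the post's sentence)."""
    return "".join(word[0] for word in sentence.split() if word[0].isalpha())


def leetify(text: str, table: dict = SUBSTITUTIONS) -> str:
    """Replace letters by their look-alike digits/symbols; others stay unchanged."""
    return "".join(table.get(ch, ch) for ch in text)


def sentence_password(sentence: str) -> str:
    """The whole recipe from section 3: acronym first, then look-alike substitution."""
    return leetify(acronym(sentence))


if __name__ == "__main__":
    for (n, name), combos in keyspace_table().items():
        print(f"{n}  {name:<48} {combos:>22,}  ({combos / 1e12:,.1f} trillion)")
    # Constructed input: the example sentence from the post.
    print(sentence_password("The quick brown Fox jumps over the lazy Dog."))  # T96F!0t1D
```

The printed table shows the same values as the appendix (26^8 is about 0.2 trillion, 77^9 about 95,000 trillion), and the ratio of the two lowercase rows is exactly 26, as section 1 states.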
Comment if something is missing and I’ll update the list.
[Update] Thanks Stefan, for Croatian đ and Đ.
[Update] Thanks G, for Hungarian letters őŐ and űŰ
[Update] Thanks codebuilder, for ď, ģ, ì, Ï, ì, Ø and ť
[Update] Thanks David for Åå (Sweden)
[Update] Thanks Andrzej for ŻżĄąĘę (Poland)
[Update] Added versal ß and sorted all characters Uppercase-next-to-Lowercase
[Update] Thanks Cosmin for Ţţ Ăă (Romania)
[Update] Thanks NA for Ææ (Danish)
[Update] Thanks Dave for ð, þ, and Þ (Icelandic)
[Update] Thanks Fabien for Œ (French)
[Update] Thanks Peter for Ľľ (Slovakia) and Ůů (Czech)
[Update] Thanks cosku for Ğğ and ı (Turkish) – yes, let’s count Turkey to Europe ;)
[Update] Thanks to Alex for pointing out the T and S with comma and cedilla.
[Update] Thanks Candid for the »Baltic pack« Āā, Ėė, Ēē, Īī, Įį, Ņņ and Ūū.
Today I joined Flattr.com
It's a social micropayment system from one of the former Pirate Bay guys from Sweden. I think it is a great idea and I hope a lot of tech blogs will implement it, because sometimes I would like to thank someone for his/her help with more than just a »Thank-You« comment (but with less than buying something from his Amazon wishlist).
I'll probably implement it here, we'll see!
Here is a little video that explains the way Flattr works:
Firefox is still my weapon of choice when it comes to developing. Add-ons like Firebug or Tamper Data are crucial for my daily work.
And as I see no reason why I should make the effort to sync my bookmarks between several browsers, I use it almost every time.
I'm also paranoid about Google as a data collector, so I try to use as few G-products as possible. As there is no Iron for Mac yet, I only have Iron on my VM for testing. To put it in a nutshell:
Chrome will not become my browser in the near future, but this promotion video blows my mind: it shows how fast Chrome renders a page, actually faster than a potato gun shoots!
As a geek, I like the equipment used: a MacBook Pro with Windows, a 24″ Asus monitor with a replaced backlight, a 15 Mbps internet connection. Filmed with several Phantom v640 high-speed cams in »just« Full HD at 2700 fps!!
As a designer, I really like the aesthetic of the cuts and the idea behind the colour and the deep fryer!
Today, Steve Jobs screamed out his thoughts on Flash!
His six arguments why Apple keeps Flash away from their mobile devices are:
- Flash is not open
Yes, Flash is proprietary, and so is Apple. Deuce! But Adobe doesn't block fdt or Eclipse if that is your first choice as a developer!
And Serge Jespers compares HTML5 openness with Flash openness; his conclusion: they are equal.
- Apple devices can access the full web
It may be that the vast majority (Vimeo, Netflix, Facebook, N.Y. Times …) of video can be watched on an Apple device using H.264 (but have a look at the footnote below), but what about the not-so-big sites and those little web apps whose purpose is not displaying stupid videos? Apple's answer is probably: learn Objective-C and make an app, so that there is an app for everything (and we can earn more money)!
- Flash is not secure, performs slowly and crashes
- Let's have a look at the crash argument: I can't check whether it is correct that »Flash is the number one reason Macs crash«, but from my experience that's not true: my Mac crashes because of device drivers (Wacom tablet), strange network behaviour (Wifi, NAS) and software written in Objective-C or Cocoa (Pathfinder, ClamXAV).
- Security and Mac… Apple should mind their own business first!
- Battery life
There are many ways to save battery life: when I turn down the backlight on my iPod Touch G1, for example, my battery lasts four days instead of one.
Apple says that most Flash web apps would have to be reworked if the iPhone supported Flash, because they rely on rollover effects. That is true, but keep this in mind:
- other devices with touchscreens support Flash anyway
- developers will consider this in future Flash web apps, as they considered it in their HTML development in the past when touchscreen devices became more popular
- Apple claims to be the usability kings; they don't even ship manuals with their products (because they are self-explanatory?). I came up with two solutions in 30 seconds of thinking about how to handle rollovers on a touch device, so they can find a solution too.
- The »most important reason«
Apple says that slow third-party layers keep developers from benefiting from platform enhancements.
This may be true in some constellations. But developers can benefit from third-party options when competition between them and the platforms starts, or when they can save time and effort by using third-party material.
Regarding argument 2 and the topic of H.264, I would like to quote Serge Jespers: »It [H.264] is owned by a private organization known as MPEG LA who said earlier this year that “Internet Video that is free to end users would continue to be exempt from royalty fees until at least December 31, 2015“. Nobody knows what is going to happen after 2015. The patents awarded to MPEG LA don’t expire until 2028. So… to make this clear… H.264 is not open.« (webkitchen.be on Flash and HTML5)
I'm very excited: in the afternoon I'm going to join the crüe to start our trip to Cologne!
I'll post some impressions (from our trip with a lot of nerding and geeking and the fabulous flashforum conference) here later this week on fASforward!
Sometimes A-pple is an a-hole!
With the terms for their new iOS 4, Apple locked out unwanted frameworks and transcription software:
(Section 3.3.3 of iPhone Developer Program License Agreement in the iPhone 4.0 SDK, via AppleInsider)
The moment of the announcement was very hard for Adobe, who will launch their Creative Suite 5 next Monday! A new key feature (Update: but not the only one) of Flash CS5 was the built-in export for iPhone OS (as demonstrated by Lee Brimelow on gotoAndLearn()); let's see how they will react.
Me personally: I'm very sad about this monopolist-like, money-raking move. I only decided to switch to Mac in December and kind of regret my choice now. Apple is making tons of money because of their gorgeous marketing for expensive hardware. They earned a lot by keeping Flash away from the iPhone and the App Store with its intransparent approval politics (ads, porn, etc.).
I think I have to deal with Objective-C, Cocoa and Xcode now, to judge whether this decision at least makes sense from the developer's point of view, and of course (being the »Medien-Nutte« I am) I'll get some Apple shares to profit…
[Update: OS 4 is called iOS 4 now, so I changed it in the post; we don't want old posts to drop out of the search index, although that's a great tactic, Apple marketers.]
This is what happens when you don't clean up for a long time, don't unpack moving boxes (actually take those boxes unopened into the next office) and then do the mother of all clean-ups!
Does anybody know: did ColdFusion ever fit on one single floppy??
After having had no chance to try the Flash Builder Beta in June (see screenshot), I'm giving the new Flash Builder 4 Beta 2 (which I got along with ColdFusion Builder Beta 2 and Flash Catalyst Beta 2 at #SotR09) a try. You can download it directly from Adobe Labs and share your impressions in the comments.