Friday, September 26, 2008

Strong and secure passwords

"What is the password dude?" He was grinning like Comrade Zuma at an arms show - a safe distance away behind the security gate.

It was national braai day and I was in no mood for games.

"Rumpelstiltskin" I said, utterly humorlessly.

He just grinned wider.

"What freaking password are you talking about?", I asked a little more loudly than necessary.

"The password to come in for the braai!", he said cocking his head to one side feigning surprise, and continued: "Didn't you get the memo?"

He slapped his forehead: "Oh no - of course you didn't...", he grinned even more broadly: "you were too busy writing newsletters skinnering about your...", he pretended to search for the word, "dim-witted", he spat out, "urm...how did you call it....ah...'friends' weren't you?"

So he read the newsletter. That was a surprise. I didn't know he could read.

"Look cuz, it's only a newsletter and it's only fiction.", I said trying to look apologetic. I continued: "It's nothing personal....it's just that you guys are...so...entertaining."

"Well dude, I'm entertaining both of us right now!", he cackled and spoke in bold font: "what. is. the. pass. word.". He smiled sweetly...or rather he tried to smile sweetly. I thought it looked more like a stroke in progress.

"Ok", I said reaching the end of my patience, "remember the world record you hold in screwing up a chicken braai?", I stepped right up to the gate and continued with a low voice: "I have photos."

He once burned a chicken so badly that if future archaeologists were to dig up the poor thing they might think it was blown all the way here from Chernobyl during that nasty nuclear accident thing. In fact, it probably is radioactive too. If I should publish pictures of that unfortunate event, his reputation as a braai master will be severely dented. He will have to endure months - years even - of teasing.

For a fleeting second I thought I saw panic in his eyes. Then he recovered. "Bull cuz. There was no camera that day." The stroke-smile again. It was true of course. There were no cameras and I did not have photos. I was betting his alcohol-impaired memory would count in my favor. Pity. I did not want to go to defcon one and nuke his ass.

"Ok," I said and stepped away from the gate. "You brought this on yourself." I took out my cell phone and started dialling. "There is still time to stop this...", I said, phone to the ear.

He looked confused. He does that rather well. He is often confused.

The only way my nuclear weapon was going to work was if I delivered it with no warning. A pre-emptive strike as it were...smack him out of his ID book photo.

"Hi sweetie!" I said to the phone in my best up-beat voice. "Listen, please do me a favour - please ask your husband to open the gate for me - he does not want me to come in."

I made eye contact. There was naked fear in his eyes. His mouth fell open.

Robotically he buzzed the gate and I stepped in. I stopped right next to him and, in my best menacing Godfather voice, said: "Kurt, my cuzzy," I waited a few seconds for a pregnant pause: "next time," another pause: "I'll REALLY call her."

Before he could recover I (very) quickly walked to the braai where all the wives were sitting: Switzerland. I was going to need asylum for a while.

Guessing a password against a live system, where you have to wait for a reply to every attempt (what the trade calls an online attack), is very difficult. When the attacker holds the protected file itself and can test guesses on his own machine (an offline attack), on the other hand, it can be a trivial process: there are several password recovery programs that can perform hundreds of thousands of guesses per minute - if the software used to secure the data allows it.

For instance, about 24% of all passwords can be correctly guessed within about 100 000 attempts. If the software (let's say a password on an MS Word file) can process the attempts quickly enough, even a fairly crude brute-force attack is practical. MS Word, for instance, will allow several hundred thousand password guesses - per second. That is a few million password guesses every 5 minutes!

Consider for a second how much damage a malicious person or program with knowledge of your password(s) can cause. Such a person will be able to read all your email, send emails impersonating you, access your bank accounts, change your web site, wipe all data from your computer and even deny you entry to a braai.

Having a secure and secret password is absolutely essential to protect your digital assets and privacy - yet many people do not know how to choose a strong (good) password. Take Kurt for example. I know the password he wanted to hear was "Double" because that was what he was thinking about at the time. The problem was that if I guessed it correctly, he would not have admitted it. He was in a position to change his password on the fly. You and I, on the other hand, will not have the opportunity to change our passwords when someone tries to crack them...because we will generally be unaware of the attack. It is therefore important to pick passwords that you can not only remember, but that are also very difficult to guess.

Coming back to brute force attacks: Don't think password crackers will start with "aaaaaa", work through "abaaaa" and end at "zzzzzz" in an all-out brute force attack. Uh-uh. Research has shown that about 24% of passwords can be cracked with a 1000-word dictionary of common passwords like "letmein", "secret", "password1" and so on, each tried with prefixes like "+" or "?" or a number...and/or suffixes. This relatively simple 1000-word dictionary yields fewer than 100 000 candidate passwords - and will correctly guess 24% of passwords...in seconds.

The most effective way to make your password more difficult to guess is to make it difficult to pronounce...because virtually all cracking dictionaries are built from pronounceable words and phrases. So here are the top 10 things you can do (use them all) to make your password difficult to guess...and to keep the philistines on the other side of the gate:

1. Make your password 8 characters or longer.

2. Drop the vowels from your password: "password" becomes "psswrd".

3. Add numbers or symbols to your password, but not at the end or the beginning - rather somewhere inside the password. For instance, you can add the last 4 digits of your phone number like this: "psswrd4673", but a stronger password puts the digits inside the word, so: "pss4673wrd", and then inserts a #&!^% somewhere, like this: "pss4673wr!d". In fact, instead of typing "4673", hold the shift key down on the "73" and it becomes "&#".

4. Use a "pass phrase" instead of a word: For instance take a line from one of your favourite songs: "Living next door to Alice". Now, using only the first letter of every word, it becomes "lndta", to which we can add 4 digits of a phone number, so: "ln4673dta", and a nice symbol #, so: "ln#4673dta". (Or just use the whole sentence - very long passwords are very secure.) For an email password you might use something like "this is my personal email don't read it", which yields the password "timpedri".

5. Do not use the same password for all your systems / services. This is the biggest mistake you can make. If you use website xyz to access your email and they are hacked, your password becomes available to hackers who can use it to target other online services you use.

6. Change your passwords every few months. The longer you use a password, the higher the probability that someone will guess or steal it.

7. Write your password down if you are worried you might forget it. Now don't write "my password = password" on a Post-it and stick it to your computer. No, write your password down as a code and file the paper somewhere: Let's say you used the password "ln4673dta" as in point 4. You could write this down to jog your memory: "Who is Alice and who did she call?" or even "living next door to alice". Unless someone KNOWS that is a password hint, your secret is perfectly safe. (See Password Safe later in the blog.)

8. Never, ever, ever type your password on a computer you do not trust 100%. It takes a criminal only a few seconds to install key recording software on a computer in a public location to harvest and send passwords to him.

9. Do not use your login name as a password. A password that is the same as the login name is the simplest to guess. The same holds for personal information about you - like wife/husband/children/pet names. If you have to use a loved one's name as a password, then misspell it. For instance, Peter can become "petarr".

10. Watch the eyeballs. If someone is watching you type your password, enter a few dummy characters. For instance, slip a wrong letter in somewhere and hit the backspace button. If you do that twice or three times during the process the peeping tom will find it difficult to keep track. Add two letters at the end, press the back arrow twice and the delete key twice. You get the idea.
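As an added illustration (not from the original post), here is a small Python script that applies the advice above to a candidate password: it builds the "dictionary plus prefix/suffix" guess set the post describes, estimates worst-case exhaustive search time, and reports which tips a password violates. The ten-word dictionary is a constructed stand-in for a real 1000-word list, and the 300 000 guesses/second rate is an assumed figure in the range the post quotes.

```python
import string

# Constructed stand-in for a ~1000-word "common passwords" dictionary.
COMMON_WORDS = ["password", "letmein", "secret", "qwerty", "welcome",
                "monkey", "alice", "peter", "braai", "rumpelstiltskin"]

# The cheap mutations the post describes: a digit or one of "+", "?", "!", "#"
# glued to the front or the back of a dictionary word.
AFFIXES = list(string.digits) + ["+", "?", "!", "#"]

# Assumed guess rate for a locally held file (the post says "several hundred
# thousand" guesses per second for an MS Word password).
ASSUMED_RATE = 300_000


def mutated_candidates(words):
    """Every guess a 'dictionary plus affixes' attack would try for these words."""
    out = set()
    for w in words:
        for base in (w.lower(), w.capitalize()):
            out.add(base)
            for a in AFFIXES:
                out.add(base + a)   # suffix: "password1", "secret?"
                out.add(a + base)   # prefix: "+letmein", "!Secret"
    return out


def passphrase_initials(phrase):
    """Tip 4: first letter of each word, e.g. 'Living next door to Alice' -> 'lndta'."""
    return "".join(w[0].lower() for w in phrase.split() if w[0].isalpha())


def alphabet_size(pw):
    """Size of the smallest character set an exhaustive attacker must cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # the 32 printable ASCII symbols
    return size


def seconds_to_exhaust(pw, rate=ASSUMED_RATE):
    """Worst-case seconds to try every string of this length and character mix."""
    return alphabet_size(pw) ** len(pw) / rate


def audit_password(pw, login_name="", personal_names=()):
    """Return the list of the post's guidelines that the password violates."""
    problems = []
    guesses = mutated_candidates(COMMON_WORDS)
    if pw in guesses or pw.lower() in guesses:
        problems.append("inside the dictionary-plus-affix guess set (falls in seconds)")
    if len(pw) < 8:
        problems.append("shorter than 8 characters (tip 1)")
    # Tip 3: digits/symbols only at the ends are stripped first by crackers.
    core = pw.strip(string.digits + string.punctuation)
    if not any(c.isdigit() or c in string.punctuation for c in core):
        problems.append("digits or symbols missing or only at the ends (tip 3)")
    if login_name and pw.lower() == login_name.lower():
        problems.append("identical to the login name (tip 9)")
    for name in personal_names:
        if name.lower() in pw.lower():
            problems.append(f"contains the personal name {name!r} (tip 9)")
    return problems


if __name__ == "__main__":
    per_word = len(mutated_candidates(["password"]))
    print(f"{per_word} guesses per word -> {per_word * 1000} for a 1000-word list")
    for candidate in ("password1", "psswrd", "psswrd4673", "pss4673wr!d"):
        print(candidate, f"{seconds_to_exhaust(candidate):.0f}s worst case",
              audit_password(candidate) or "passes all checks")
```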

You can test the "strength" (ie how difficult it is to crack) with the Microsoft password checker here...

If you have a dodgy memory like mine, it can be a real disincentive to use long and complicated passwords. In fact, it can be downright painful if you forget the passwords, so let me introduce you to Password Safe:

It is free software you download and install on your computer.

Password Safe is locked and unlocked with one master password and then securely stores all your other passwords.

The software takes a few minutes to get used to but is really worth it to have separate, strong and secure passwords for each of the services you use.

Think of it as free insurance. You can download it here...

Friday, September 19, 2008

The web 2.0 and the tong bearer

"Web 2.0", I said as I turned the wors.

It was that time again. The usual tribe was drinking around a fire and pretending to braai.

Smoke was everywhere.

I had the tongs in hand, and protocol dictates that I have the right to introduce a new topic of conversation. The guy with the tongs has special status. Chairman of the braai.

Mostly he won't talk much because he will be too busy pretending not to burn the meat. The tong handler will pretend to be following the conversation too - all the while gauging who is slurring the most - because that poor slob will receive the tongs (and therefore the blame) just before dish-up time.

I had my victim marked and I was getting tired of the conversation whining about the All Blacks winning the Tri-Nations. Again.

So I introduced a new topic for conversation: Web 2.0

I did not have to look up from the coals to know they were all staring at me now, waiting for me to say something that made vaguely more sense. My victim's meat was nice and "crispy". His wife was not going to be impressed.

A diversion was called for: "Don't tell me you guys never heard about web 2.0" I said and, in a slow but smooth movement, turned around and shoved the tongs into my victim's hand, pretending to hang on to them - as if I were reluctant to let go. His fist closed over the tool. Got him.

"You guys know what the web is, right", I said and let go of the tongs. The victim clutched it and immediately went over to the fire to turn some meat. Poor bastard.

"Duh!", challenged the number one technophobe in reply. I thought this guy was still afraid of automatic toasters, and here he is bragging about the web. Cool.

"Well", I said and watched my victim out of the corner of my eye. He was frowning - he must have noticed his meat was burnt. I continued smoothly: "the web itself was one of the greatest inventions of our time...", the pause drawing several sage nods.

"You guys know about 3G, the new generation of cell phones and services, right?" Lots of nods. "Now the term '3G' means the 3rd generation of cell phone services. In much the same way, the first static web pages could be called Web 1.0 and now, with fundamentally and dramatically improved functions, we can talk of the Web 2.0". Arched eyebrows all around.

I saw panic in my victim's eyes. His predicament started to dawn on him.

"Ok, let me explain this better: In the beginning all web sites consisted of pages of text - cross linked to other pages to create (spider) webs of information.

It was not long before scripting languages made it possible to have web pages produce dynamic content: in other words they could retrieve information from databases to show you the weather in your particular city, or the latest stock prices, or the top news stories.
Your interaction with these pages is based on a request / reply model. For instance: you type a search phrase into Google and it replies with a list of sites. You say you live in Cape Town and you get a weather forecast for that city.

Request - reply."

I started to circle the braai to the other side. Apparently to get the smoke out of my eyes, but actually to put some distance between me and my victim. He had since recovered from his panic and taken on the demeanour of a hunting cat. He was on the prowl for another victim...and it was not going to be me. Behind him I could see the girls setting the table...his time was running out and he knew it.

"Anyway", I continued, "we used the web. We interacted with it, but we could not change it. Consider that for a second: we interacted with the web in much the same way we interact with a TV, for instance. We change channels to get the information we want, but we are still fundamentally bound by what is on offer. We cannot change the shows on the TV. In the same way we use the web, but we could not directly change it."

"Eeeeek!", my victim screamed like a 12 year old girl who had just found a tarantula crawling on her cell phone. "Aaagghhh!", he was grabbing his tong-hand with his left. It looked like he was in agony.

Not too shabby.

"Ice, quick!", he said, and shoved the tongs into the hands of the guy standing next to him, and quickly made off to the kitchen. He just missed the girls coming over to the braai to fetch the meat. Pure brilliance. The latest victim did not even know he was a victim - yet.

"You know, he is such a girl!", the latest victim smiled and automatically turned to the braai to assert his authority as The Tong Bearer. He froze in mid movement when he saw the burnt steak. Just then the girls arrived and shoved a dish for the meat into his hands. Checkmate. Game, set and match.

I felt sorry for him, so I continued my speech to give him a few more minutes to try and find a way out:

"Web 2.0 is not a new product or software or a machine. It is simply a short-hand way to refer to the new generation of web sites which not only enable ordinary web users to change the web - they actively encourage it.

Take our web hosting clients for example: We provide them with free software on their web servers that enable them to add pages of content, forms, product listings, specs and a zillion other things without having the faintest clue about FTP or HTML or any of that." The technophobe nods enthusiastically: he is editing his own web page for his company and he still does not know what HTML is. His web site is actually generating new business for him...and he can barely type.

"To take the example of our content management system a bit further: The technology behind the software is pretty intense, but from a user's perspective it's pretty much as easy as falling out of a tree...or burning meat at a braai. If you want to change something on the site, you log in with a user name and password...and click on the thing you want to edit and simply re-type it. Press save and it is published to the Internet. If you can spell 'Internet' you can do it."

I noticed the girls had started to dish up and suppressed a smile. There would be proverbial blood. The second victim looked a bit pale. The first victim decided to stay in the kitchen in order to solidify his alibi.

I continued: "Now think about this for a second: with zero technical knowledge you can publish information to the web. Not only that, but you do not have to worry about security or operating system upgrades or the appropriate hardware to use. If you have a web browser (even if it is on your cell phone), then you can publish or update your site.

From an initial beginning where our interaction with the web was based on a request-response model, now we can actually change information too. This is the premise of the 'new' web: enabling people to interact with and UPDATE the web. Examples of these sites are Facebook, Twitter, eBay, Blogger and many more.

Taking that a bit further: almost all software is moving to the web, because the group of new technologies makes it practical to use word processors, spreadsheets, email programs, etc that are web based: Small (java) scripts download automatically and invisibly when required - all you see is a responsive, feature rich software program...for free.

The web 2.0 is the start of 'cloud computing' where most of your information and computing power is somewhere inside the Internet 'cloud'. You don't have to worry about upgrades, backups, security, buying more powerful computers or understanding how to install and maintain software. Best of all: your data is everywhere where you have access to the Internet.

The web is more interactive than ever before and it is growing and changing at an exponential rate - because ordinary people are pumping millions of new facts and observations into the 'system' every day."

"Ag no!", One of the girls protested loudly. All activity stopped and she got everyone's full attention: "Look how Carl burnt the meat! Nee man!"

That was the end of the lecture. To be continued at a later date.

"It wasn't me - it was Waldo!", he protested in a small, girl-like voice, tongs in hand.

Idjit.

"Yea right!", I said loudly enough for the girls to hear, and made an exaggerated wink in his general direction, smiling broadly.

Checkmate dude.

It is such a blessing to have dimwits for friends.

Thursday, September 4, 2008

A morning in the life of a sysop

An incident a few years ago. The names are withheld to protect the guilty:

Hmm...having a nice dream. Snuggle deeper into the blankies - soooo good. The dream is about something nice - I don't know exactly what it is about, (the way dreams sometimes are), but it is definitely nice. On the border of my consciousness there is a vulgar, annoying, piercing sound. I shake my head in distaste and fall back into the warm and cosy dream....hmmm.

Pain explodes in my ribs. "What the hell?!"

She freaking poked me in the side with an elbow!

On reflex my hand balls into a fist and I coil my arm to deliver a punch to her nose.

"Oh", I realize, it's my wife.

Reluctantly I relax my arm and open my fist.

"Your cell phone is beeping." she says and promptly falls back to sleep.

I turn around and pick up my cell phone on the bed stand. Sure enough, there are messages.

This explains the screeching-animal-in-pain-sound on the edge of my dream. I scroll down on the cell phone display and read the message: The network is down. Excellent. Just what I need.

Just then the phone vibrates violently and screams at me again. I almost drop it from the shock.

Swearing under my breath, as not to wake the side-poking-villain sleeping next to me, I read the new message. "The network is down." Yea, yea yea.

I get out of bed and switch on the light. Laser beams burn holes in my eyes. With empty eye sockets I stumble to the closet to put on clothes - this is definitely going to take a while.

On autopilot I reach the office and place a call to the network operations centre of the company supplying our internet connections.

"Please run a test on this circuit number for me" I say and give him a circuit number.

The guy on the other side yawns. A few seconds pass.

"It's down," he says.

I grunt.

Several seconds later the other guy still says nothing.

I say: "it's down."

He says: "Yep."

I grip the telephone and say slowly: "Can. You. Fix. It. Please."

The other guy: "Oh, ok. We will look into it." He gives me a reference number.

I put the phone down.

My watch says it's 04h59. I stare at it for a while because I have never seen it show a time like that before. "Coffee." It's a single, clear thought. I get up and walk to the percolator. It's empty. I fill it up and switch it on and grab a Coke while I am at it. Coke's got sugar, and it has caffeine. It'll do. I take a deep swallow from the can and then another single, clear thought fills my head. "Nicorette." I grab my nicotine bubblegum and frantically stuff one into my mouth. While I exhale slowly the sugar, caffeine and nicotine kick in simultaneously and for the first time today more than one thought at a time seems to be able to exist in my head.

I walk back to the computer and start up the network monitoring software. Two of the four network lines are down.

I stare at it for a few seconds and then hit "refresh". The software thinks for a while and then displays the updated status. The two lines are still down. That confirms it then. The lines must be down. I take another swig of Coke. I close the network monitoring program and start up my development tool. "Might as well do something productive while I wait", I think, while I am vaguely amused by my naive ambition to salvage the rest of the day.

The phone rings again. I spill a bit of Coke jerking back from the instrument before I pick it up.

I announce my name to the caller.

"The line is up." The guy on the other side states confidently, and, I suspect, just a little snottily.

"Oh," I say, "Just a sec while I check the status here." I load the network monitoring software again and hit refresh. Still red across the board.

"No, it's not.", I tell the guy on the phone, managing to keep my tone slightly bored and just a bit aloof.

"Sir," he switches to formal talk, "I am running a check on it right now and the circuit is functioning normally." he quotes the circuit number while I write it down.

I check the circuit number.

"That is not the one with the problem.", I say. "Check the Cozahost circuit"

"It's the one you reported", he says.

"But it is not the one that is down", I say.

"It's the one that you reported", he says.

Hmm. I make my voice as sweetly sarcastic as I can: "Can you then please check this circuit number for me?" I ask, quoting the broken circuit number.

I can hear him type for a while. "It's down," he says.

Ok, he's not going to catch me for a second time. "Can you log that circuit as the error please?", I say - emphasising "please".

"Sure", he says, but it sounded distinctly as if he said a dirty word. I let it go.

"Your reference number is...", he says mechanically as he reads the number from his system.

"Thanks." I say and put the phone down.

I open my monitoring software again and let it run in the background. Next time I will be ready for that joker.

Back to the development work. I scan through the source files until I find the piece of code I have to work on. For a second I wonder if I should be doing this now...I might screw it up completely.

I take another swig of the Coke and slap a nicotine patch on my arm.

"Nonsense, I can do this with my eyes closed", I say to myself.

For the next 30 minutes the world disappears into nested ifs, case statements and post fields. I am coding up a storm and it's going surprisingly well. I finish the amendment and save the source code. I load up the program and give it a quick test. It works. Wow. Cool. I run it again just to make sure. It still works. Wow. Cool.

The phone rings again, but I don't get a fright because I just wrote code before sunrise and it worked first time. I am invincible!

I pick up the phone and announce myself.

"The line is up." It's my favourite operations guy.

"Just a sec" I say and click on my monitoring software.

"Nope, it's not" I say when I see the red flags on all the indicators.

"The customer must reset the local LTU" he says sounding terminally bored.

I assume I am the customer, but what the hell is an LTU? No way I am going to ask him.

"Ok," I say and walk over to the server cabinet. A brief glance at the routers confirms that the lines are still down, but I decide to reset the only piece of equipment that belongs to the Telcom company - it must be the errant "LTU" because there is nothing else in the cabinet that qualifies. I switch the device off and back on.

It thinks for a while and returns to the state that it was before the delicate operation.

"It's still down" I say to the guy on the phone.

"The customer must reset the LTU" he says, now sounding more than slightly irritated.

Ok, now he is working on my nerves. "On which side", I ask, because, after all, a network line has two ends - perhaps the guys on the other side of the line need to reset their thingamajig.

"The A side", he replies testily.

Hell of a lot of help that is. "The A side" must be a new geographic location or something.

"Where is the A side?" I ask politely.

He gives the address - slowly. Like he is talking to a moron.

The address is mine.

Ok, if it's attitude he wants, it's attitude he will get, I decide, and say: "I just did the reset." a bit more loudly than necessary.

"You have to tell me before you do it!", he says at the same volume, "now I have to rebuild the circuit!"

Go to hell I think, but I keep quiet. If this guy wants to he can let the fault drag on for several more hours. I might be irritated, but I am not that stupid.

I can hear him type for a while.

"And now?" he says.

I assume he meant I must check the status lights again. I do. The error lights are gone and everything looks fine.

"Looks ok", I say feigning disinterest.

"Can I clear the fault now?" he asks.

"Uhm, not yet", I say.

30 seconds of icy silence ensues.

I'm not stupid. I know he can't break the circuit again because it will show in the logs that he purposefully disconnected us. I've got Mr Smartypants by the short and curlies and it's payback time.

"Why not" he asks eventually, in a much more civilized tone of voice. He knows he will have to explain to his supervisor that the customer did not agree to clear the fault after the service was restored. There will be questions. And consequences.

"I just want to monitor it for a while to make sure it is stable", I reply sweetly.

He knows what I am up to.

He knows I know he knows.

Revenge is sweet.

"Uh, ok", he says and hangs up.

Now that's what I'm talking about - one right up his LTU. Must burn like a mother.

I put the phone down, grinning. I just love the smell of revenge in the morning.

Oh look: the sun is up. It's going to be a gezact day.