Megatheriums for Breakfast

Security theater is a term that describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.

– Wikipedia

I’ve been getting annoyed lately by web sites and applications which insist that passwords must be entered in a specific format, or with specific characters, in theory to improve security.  Specifically, so many sites and apps demand that passwords must include upper and lower case letters, numbers (and sometimes symbols).

For example, here’s what happens now when you try to create a new Apple ID in iTunes:

If you can’t read that grey text, it reads:

“Passwords must be at least 8 characters, including a number, an uppercase letter, and a lowercase letter.  Don’t use spaces, the same character 3 times in a row, your Apple ID, or a password you’ve used in the last year.”

This greatly annoys me, because it’s silly – it’s “security theater” rather than real security.  Using a mix of upper and lower case characters and insisting on the inclusion of a number, only marginally increases the security of a password compared to lower case letters only.  And on iOS devices like the iPhone, entering a mix of numbers and upper and lower case characters correctly in a password is simply a pain because of the limited keyboard. Note also that Apple only ask for 8 characters.  It’s this short length which is the real flaw.

The fact is that you can greatly increase the security of a password, even if it is all in lower case letters, simply by making the password a few characters longer.  I’ll show you the figures below.  It annoys me because the assumption is that a password such as NyZq573j is magically (and that’s the correct word, because it’s magical thinking) stronger than a password such as myfavoritefoodischeese.  In fact, the latter is both much easier to remember and is many, many orders of magnitude more difficult for a brute-force cracking program to discover.

If you treat myfavoritefoodischeeseas simply a string of random lower-case characters, then there are some 130,000,000,000,000,000,000,000,000,000 (=1.3 × 10^29) possible combinations of the 22 letters in such a password.  No cracking program could try out that many combinations in the lifetime of the universe.

But, I hear you say, “if the cracker knows that you habitually use a string of English words in your passwords (I prefer Jeff Attwood’s term “passphrase”) then they can use a ‘dictionary attack’ and quickly crack them”.

Such an attack would work on passphrases of one or two words, perhaps.  But with something like 40,000 reasonably common words in the English language, it only takes a phrase of four or five words to be beyond reach.  In the case of the 5-word phrase above, there are some 10,000,000,000,000,000,000,000 (= 10^22) possible combinations of words, less than the random letter scenario but still a vast number, and way more than the mere 210,000,000,000,000 (=2.1 × 10^14) combinations of characters in an 8-character password like NyZq573j.

Here’s a comparison chart (the vertical scale is logarithmic).  ”Tokens” means either individual characters or whole words:

Here’s the raw data:

Note how adding a few more characters to a lower-case-only password equals or exceeds the complexity of a password mixing upper and lower case characters plus numbers.  Eg, a 12-character password of all lower case letters is MORE secure than a 9-character password of mixed case and digits.

The moral of this story, if there is one, is that longer passwords or phrases are much better than those which merely add a greater variety of characters or symbols.  And web sites which ignore that (or worse, put a limit to the maximum length of passwords) are being ignorant.  The majority of passwords have been stolen because people are forced to write them down because they are hard to remember.  Easy to remember passphrases do not have to be written down and, if long enough, are much more secure.

PS: myfavoritefoodischeese is NOT the password to any web site or computer I use!!

---

Update: more thoughts on this here. I demonstrate that mandating a combination of character types actually decreases password security.

Once again it’s been a long time since I posted here, but things have been busy at work, and I’ve had some medical issues which I won’t bore you with. I’m hoping to have much more time in future for blogging (and for my own software development).

---

Blackout and All Clear by Connie Willis

Hardcovers, my own collection

In these days of e-books, and the comfort of reading them on my iPad, I am buying fewer and fewer “dead tree” books. But I couldn’t resist this beautiful matched pair of hardcovers, available from Amazon more cheaply than I could even buy paperback versions in Australia.

I’ve only recently (last 12 months or so) discovered Connie Willis as a writer, which may be fortunate for me, as I understand this latest work was 9 years in the writing, a long time for dedicated fans. But well worth the wait even so, I would have thought.

These two volumes are really just one novel, split into two for practical publishing purposes. The novel is another in Willis’ series based around the idea that time travel is invented in the 2060s, and is in the hands of the History Department of one of Oxford’s colleges, purely to be used for historical research purposes. This particular work is based on the independent time travel trips of several of the historians to the period of World War II in Britain. These trips are all meant to be for short periods and to specific locales but for unknown reasons (slight spoiler coming here) each of them finds themselves unable to return to the future. The mystery of why this has gone wrong persists through almost all of the novel, but the real focus is on the characters, their predicament, and, more than anything, on the trauma that Britain underwent during the war. As in her earlier work Doomsday Book, Willis makes the tragedy of the times come alive by making us familiar with real human characters and their sufferings. And again, Willis seems to effortlessly combine elements of humor and grief, joy and tragedy. It’s also fascinatingly educational about World War II Britain and in particular the London Blitz.

This is Willis’ masterwork, I think. Nominally science fiction, it is a novel which stands out from the genre by its downplaying of technology and its interest in character and in the human condition.

Buy ‘Blackout’ on Amazon : Buy ‘All Clear’ on Amazon

---

One Good Turn by Kate Atkinson

E-Book on my iPad

Really good follow up to the author’s first novel about Jackson Brodie. I like Atkinson’s style a great deal, and the light humor of her approach. The ending of this one made me laugh out loud. There are several story threads based around different characters whose lives become tangled with each other through the “one good turn” of the novel’s title, in which a timid man puts an end to a road rage incident by throwing his laptop bag at the assailant. This happens at the start of the novel, and all the rest is the slow working out of these threads, which eventually throw a very different light on the original incident.

I’m looking forward to reading more of Atkinson’s work.

Buy ‘One Good Turn’ on Amazon

---

How I Killed Pluto (and Why It Had It Coming) by Mike Brown

Hardcover, my own collection

Very entertaining story of the discovery of large bodies in the Kuiper Belt, including at least one such object larger than Pluto, making it clear that Pluto is but one of a host of such objects. This made it clear that Pluto needed to be reclassified in some way. The International Astronomical Union decided on demoting Pluto from being classified as a planet, calling it a “dwarf planet”, a bit paradoxically (is a dwarf human not a human?).

But Brown’s book is not so much about this issue of terminology, however passionate the arguments about it, but about the very interesting and entertaining story of how he and his colleagues discovered and characterized these distant worlds.

Buy ‘How I Killed Pluto’ on Amazon

---

I Shall Wear Midnight by Terry Pratchett

Hardcover, my own collection

An excellent addition to Pratchett’s series for young adults featuring Tiffany Aching, now come of age as a witch in the Chalk country and once again at threat from a supernatural enemy. Not as hysterically funny as The Wee Free Men, the first book in the series, but well done nonetheless.

Buy ‘I Shall Wear Midnight’ on Amazon

---

Betrayer of Worlds by Larry Niven, Edward M. Lerner

Hardcover, my own collection

The latest in the series by Niven and Lerner which take another, sometimes twisted look at Niven’s “Known Space” stories. This is the fourth book in that series, and it is starting to flag a bit, though still worth reading. I’m guessing that there may be a final volume to come which focuses on the discovery and exploration of the Ringworld.

Buy ‘Betrayer of Worlds’ on Amazon

---

The Link: Uncovering Our Earliest Ancestor by Colin Tudge, Josh Young

Paperback, from library

Interesting-enough look at the discovery of a remarkably well-preserved fossil of an early primate, quite possibly ancestral to mankind. The book spends a lot of tedious time filling in the scientific background, though, and not so much on the investigation of the fossil itself as I would have liked.

---

Second World War: Milestones to Disaster by Winston Churchill

Audiobook

This was just the first volume of the heavily-abridged version of Churchill’s definitive History of the Second World War, and could just have easily have been subtitled “I told you so!”. It was an interesting-enough listen, but I think I would rather read the full work.

---

The Walker by Jane R. Goodall

Audiobook

No, this isn’t by Jane Goodall, the chimpanzee expert. It’s a first novel which shows promise but has quite a few flaws. It centers around a female detective in Britain’s police force in the 1960s. Her struggles against the male chauvinism of the time are an interesting background to the plot, which is all about a serial killer in London, who appears to be channelling Jack the Ripper (or someone or something like him). Some of this was pretty far fetched and it was hard to suspend disbelief. Reasonably well written, but I hope the writer improves with time.

---

Atlantic by Simon Winchester

E-Book on my iPad

Unfortunately, I found this a bit of a drag, and couldn’t finish it. It doesn’t have the focus of Winchester’s other, usually extremely interesting, books such as The Surgeon of Crowthorne or The Crack in the Edge of the World. It’s a very widely-reaching study of the Atlantic ocean. While there are some interesting snippets, it’s just too loose a concept to hold the interest.

---

Not in the Flesh by Ruth Rendell

E-Book on my iPad

Disappointing book by Rendell in her Chief Inspector Wexford series. The story twist was glaringly obvious to me by half-way through, and I spent the second half of the book being irritated by Wexford’s almost wilful avoidance of the obvious answer. Rendell rarely misses excellence, but this one definitely does.

---

Phantoms in the Brain by V. S. Ramachandran, Sandra Blakeslee

The Tell-Tale Brain by V. S. Ramachandran

Hardcover, my own collection

Very interesting books in the same sort of vein as Oliver Sack’s works, though more technical and less focused on the predicaments of the patients. But fascinating nonetheless, even when Ramachandran starts to speculate (in my view, fairly wildly) about the neurological bases of human characteristics such as smiling and the creation of art.