A young man was shot and killed while bearing only a can of iced tea and a bag of skittles.
And sporting a hoodie. Don't forget the hoodie.
Yeah, even members of Congress can get busted for wearing those.
6'3" and 140 pounds is a body-mass index of 17.5. 18.5 is considered underweight. I have a BMI of 19.7, well into the normal range, and I occasionally get comments from strangers that I look too thin to be healthy.
So, Trayvon was extraordinarily thin.
The ships arrive empty and depart full.
Colonialism: the gift that keeps on taking.
Let's say it loud and clear. The only safe and acceptable way to interfere with elections is in an obvious way which ensures that a candidate completely unacceptable to the establishment gets a majority of votes. Bugs Bunny if you can't pick. The Green Party or the Libertarians if you mess with an American election. Vladimir Putin, for any other country outside Russia; Anna Politkovskaya if you are messing with the Russian elections.
Or, you know, the New Democratic Party in Canada, who are the victims here.
Thank you. That was well-written and clear.
Why is this useful?
There will probably be some sharp satire on The Daily Show and The Colbert Report. MSNBC may make a few snide comments. Other than that, I would guess most media will ignore it. Fox will try to frame it as if Murdoch is the victim.
You do realize that Rupert Murdoch controls Fox News, right?
Given that you've already had to buy a ticket, show up at the airport on time, check in, and wait for your section to be called for boarding, you've already had to pass several tests of basic social tractability, which are more or less justifiable independently for practical reasons.
Have you ever checked out a book from a library? You're sharing the book by taking turns.
One of the oldest tabletop RPGs, and the first to emerge with a rules set that wasn't a spin-off of Dungeons & Dragons, was Traveller, a science fiction RPG modelled on the galactic empire genre of science fiction -- a genre that itself has much to draw upon, from Isaac Asimov's Foundation series, the Aliens movies, to China Mieville's Embassytown. One of the original designers of Traveller commented that Firefly was as close to a Traveller TV series as he could hope for.
The classic premise for a Traveller campaign is a band of merry rogues, travelling from system to system in a small merchant vessel, usually at odds with the powers-that-be, who tend to have a hard time catching up with merry rogues with their own starship.
There are a couple of lines of Traveller still in publication, such as GURPS Traveller, featured prominently at your Friendly Local Gaming Shop, at least as of Friday.
If you are going to get anywhere you need to become a loan wolf who's ready to do whatever is necessary to get ahead in life.
I don't know if that pun was intentional or not, but "loan wolf" works brilliantly, either way.
I use several different techniques to generate passwords and passphrases. Different systems have different constraints. None of the *nix distributions I've tested disallow spaces; on some VMs I've set up, I use multiple words separated by spaces for user passwords. I use SSH a lot, and sometimes GnuPG; I can use multiword passphrases, including spaces, with them.
Of course, you can just drop the spaces. "correcthorsebatterystaple" or "correct!horse!battery!staple" still work.
It's been implemented, in a program called apg, which is available by that name from the repositories for Ubuntu Linux and Fedora Linux, and presumably other *nixes as well.
Calculating the entropy of the pronounceable passwords it generates would be a little tricky; less entropy than the same number of random characters, of course, but more entropy than a dictionary word.
This passphrase generator is a similar idea: randomly generated phrases, in which words are randomly selected from a list, according to parts of speech, and mixed with numbers and symbols. The phrase is random and absurd, which is an aid to memory, and it also happens to pass the constraints of most password checkers I have to deal with. The one problem is that it's not neatly packaged. I don't know Java well enough to package it neatly; I managed to get it working with a shell script wrapper. I don't think it would be hard to fix for someone who knows Java better than I.
Most people could easily memorize a few strong passwords. But password reuse should be discouraged. See XKCD #792. That sort of thing actually happens; it's one of the points of phishing.
If you make use of good password safes -- I recommend KeePass -- then you can keep track of lots of strong passwords and passphrases, while only needing to memorize a few of them.
As the article points out, the XKCD comic does specify using randomly selected words, presumably from a list of 2048 (2^11) words. So an individual user, actually using an algorithm to randomly select words from a list, can actually generate a reasonably secure passphrase.
The trouble is, users who are instructed to use passphrases will not necessarily use randomly selected words. Enough will use meaningful phrases that a brute-force attack, using a database of English words commonly appearing adjacent to each other, is a viable attack.
Things are quite different from the perspective of a user trying to maintain personal security, and an administrator trying to maintain the security of a site in general, and that's the real issue here. It's easy to test whether your users are using passwords that include a mix of numbers, letters of both cases, and symbols, rather than actual words. But if instead you require passphrases, it's a lot harder to test whether they're using random passphrases. And an administrator has to worry about keeping everyone secure, including those who aren't going to read articles on how to choose secure passphrases.
I have to admit with some chagrin, even within this thread, I'd railed against arbitrary password constraints, but from this point of view, they make much more sense than simply allowing passphrases.
The idea with those constraints is to force users to use unguessable passwords, rather than a password like "password".
One problem is, as you point out, it reduces the result space, or the maximum amount of entropy in a password. More seriously, in practice, the tighter the constraints on generating a password, the more difficult it is to actually generate a password that passes the constraints -- and the less likely it is that available tools or techniques for randomly generating a password will work. So, you end up with weaker passwords, more password reuse, and more sharing of passwords.
At my job, I ran into one situation in which a password I had been given for access to a particular server expired, and I had to generate a new one, but the first several randomly generated passwords I tried weren't accepted. I got through to a sysadmin, who told me that it was probably because they had very strict rules for acceptable passwords. But, she couldn't remember what the rules were. Eventually, I came up with a random password generator that created passwords that the server accepted. I shudder to think what my colleagues did.
He was assuming a list of 2048 common words. Hence, 11 bits of entropy per word.
Part of the point was that the emphasis was on creating a password that was both random and easy to remember; longer word lists will include uncommon words that are harder to remember. The part about the mnemonic device was not just a punchline, but a prime technique for memorization. It's hard to come up with a mnemonic device for a word you've never seen before.
Partly because of that XKCD strip, I created a shell script that uses a word list of about 4000 words, and most of the work was coming up with that word list. It would have been much easier to just use the Linux word list for spell checking, /usr/share/dict/words, which on the system I'm using at the moment contains more than 400,000 words. Just now, selecting four random words from the shorter list gives me, "abuse weight facilities naive", which somehow conjures up memories of the locker room in high school. But, with '/usr/bin/shuf -n 4 --random-source=/dev/urandom /usr/share/dict/words', I got, "undflow allo auntship outbreak", with three words I can't remember ever using in any context, two of which I've never seen before, and one of which, "undflow", I will now check in a dictionary because I can't even guess what it means. Good luck remembering that one. (Though it's still easier to type than 'oo#A@y8)02d'.)
Addendum: none of the dictionaries I checked defined "undflow".
That's not more secure, and I'm not sure 5 randomly chosen words is always going to be any easier to remember.
It's about as much entropy, but I find it much easier to remember a sequence of five randomly selected words than a sequence of 10 randomly selected characters, and I believe most people do.
I have a few hundred passwords I need to keep track of, so I can't memorize them all; instead I use a password safe. While password safe applications usually have a feature to allow pasting in a password, in many situations I can't use that feature, so I need to look at the password, then re-type it. The less time the password is visible, the better. And if it's a series of words, I don't need to look at them long to remember them clearly enough to type them; but with random characters, I'm likely to need to go back and forth between the displayed password and the field I'm typing in.
The general idea is that you calculate the difficulty of cracking a password or passphrase on the assumption that the attacker knows what algorithm you used.
More practically, if someone is writing software to crack passwords or passphrases, they're likely to write it so that it checks passwords or passphrases generated by various popular algorithms. So, if you're using a popular algorithm (such as using a sentence), but the attacker doesn't know which one, that adds a few bits of entropy for the software to grind through, but not all that much.
As I understand it, with the XKCD approach, you're using random words rather than random characters. So, it's a tradeoff in which you do more typing, in exchange for ease of memorization. (Also, I think it's a lot easier to type four or five words, all lower case, than it is to type a shorter string of random characters.)
The key advantage is that if it's easier to remember and use passphrases, then people are more likely to use them, rather than trying to "outsmart" irritating password rules. If users consistently use randomly selected passphrases, that's a big improvement over the common situation of people using passwords like "letmein12345".
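As an added example (not code from this thread or from any tool it mentions), the Python below draws words with a CSPRNG and works through the entropy arithmetic from the posts above: 11 bits per word for a 2048-word list, five words from a ~4000-word list versus ten random characters, and the size of the spell-checking dictionary, all under the assumption that the attacker knows the algorithm and the word list. The 16-word list, the 94-character printable-ASCII alphabet and the guessing rate in the demo are constructed assumptions.

```python
import math
import secrets

# Constructed 16-word sample list standing in for the ~4000-word curated list
# described in the thread; 16 entries give exactly 4 bits per word, which keeps
# the arithmetic easy to check by hand.
SAMPLE_WORDS = [
    "abuse", "weight", "facilities", "naive", "correct", "horse", "battery",
    "staple", "outbreak", "anchor", "pencil", "meadow", "copper", "lantern",
    "velvet", "harbor",
]

PRINTABLE_ASCII = 94  # assumed alphabet size for the random-character comparison


def bits_per_word(list_size):
    """Entropy contributed by one uniformly chosen word from a list."""
    if list_size < 2:
        raise ValueError("word list must contain at least two distinct words")
    return math.log2(list_size)


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of n_words drawn uniformly (with replacement) from list_size words.

    The attacker is assumed to know the algorithm and the word list, so fixed
    separators (spaces, "!", or none at all) contribute nothing.
    """
    return n_words * bits_per_word(list_size)


def password_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of `length` uniformly chosen characters from an alphabet."""
    return length * math.log2(alphabet_size)


def words_needed(list_size, target_bits):
    """Smallest number of words from list_size that reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every possibility at an assumed guessing rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def generate_passphrase(words, n_words=4, sep=" "):
    """Pick n_words uniformly with a CSPRNG; the random module is not suitable."""
    unique = sorted(set(words))  # duplicates would bias the draw toward repeated entries
    return sep.join(secrets.choice(unique) for _ in range(n_words))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    for label, bits in [
        ("4 words from 2048 (XKCD list)", passphrase_entropy_bits(4, 2048)),
        ("5 words from 4000", passphrase_entropy_bits(5, 4000)),
        ("4 words from 400000 (/usr/share/dict/words)", passphrase_entropy_bits(4, 400000)),
        ("10 random printable characters", password_entropy_bits(10)),
    ]:
        print(f"{label}: {bits:.1f} bits")
    # Assumed rate of 1000 guesses/second for the 44-bit case
    print(f"44 bits at 1000 guesses/s: {years_to_exhaust(44, 1000):.0f} years")
```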
Yes, sitting in 2012 we can all agree that floppy drives have been obsolete for years, but in 2009 HP was still shipping them as standard.
Not quite. In 2009, HP stopped offering standard floppy drives as an option. The Wikipedia article didn't say when they stopped including them as a standard feature.
They've been obsolete for years.
From Wikipedia:
In February 2003, Dell announced floppy drives would no longer be pre-installed on Dell Dimension home computers, although still available as a selectable option and purchasable as an aftermarket OEM add-on. On 29 January 2007, PC World stated that only 2% of the computers they sold contained built-in floppy disk drives; once present stocks were exhausted, no more standard floppies would be sold. In 2009, Hewlett-Packard stopped supplying standard floppy drives on business desktops.
Are you sure you're not confusing 192 kb/s with 192 kHz?
What you're talking about is a different sort of process from what the article is discussing.
With respect to language, any given language involves mapping sounds to syntax, in a process which simplifies what's heard for the purposes of language processing. Two sounds that are slightly different are both mapped to the same syntactic unit, like an "L" sound. Different accents, dialects, different languages that are closely related, can have slightly different maps, so that one person hears an "L" when another hears an "R". And, no language attaches syntactic significance to every sound. Those that are not mapped to a syntactic unit are, for the purpose of language processing, ignored. This is why it can be difficult for learners of a new language to reproduce certain sounds: sometimes it's obvious that a speaker is making a specific sound that is a syntactic unit, but it falls between the sounds for two syntactic units with which you're familiar; or, it's a sound you're not used to having any syntactic meaning at all.
That's very different from the issue the article discusses, however. Language sounds are all well within the range of human hearing, whether you attach syntactic significance to a sound or not. The article was discussing the range of sounds that it is physically possible for a human being to hear, because of the physical characteristics of hairs attached to neurons in a human ear: about 20 Hz to 20 kHz. There's some individual variation: one person in this thread said he was tested as able to hear 21 kHz. But no one can hear 192 kHz.