Then we're back to where the whole thread started, trying to come up with super-secure passwords and entering them over and over. Let's summarize:
It's risky (as discussed in this article) to use the same password for every account, which someone might do if they have to enter their password each time they get mail etc.
You can reduce that risk by using different passwords and storing them in the OS X keychain.
But then, you'll need to log in and out of your computer several times a day. So you wind up entering your password the same number of times anyway. Plus if you don't want your roommate, significant other, etc. to read your mail, you have to demonstrate that to them by locking up the machine all the time.
The keychain reminds me of auto-completion for passwords in Internet Explorer. Any site that needs to be secure (e.g. E*Trade) blocks this feature, just like OS X will prompt for a password when you install or reconfigure anything important. Any site that doesn't block auto-completion is at the mercy of anyone who can get physical access to your machine.
I'm using OS X (my first experience with the Mac) and don't see why the keychain is such a big deal. Maybe there's something I'm missing.
Every now and then I get a dialog that says "application X wants permission to decrypt entry Y in your keychain", and I click on "allow once" or "allow always". I never actually enter a password for anything related to the keychain.
If someone sat down at my machine while I was away, they could access all my mail and everything else that's supposed to be protected by the keychain. They just wouldn't have my password. If someone got my OS X login password, again they could break into my machine and get into all this other stuff (even for things protected with different passwords).
Anywhere you have your passwords recorded (like in a PDA), instead of the actual password use a mnemonic like 'ISP password' or 'work password'.
If you set up a new account at a web site, ideally it will be one that lets you use an e-mail address as an account name. Sign up with a service that lets you use disposable e-mail addresses, and then you can have a unique, easy-to-remember account name on every site.
If the site doesn't let you use an e-mail address, use a nonsensical login ID, and write that down (again in the PDA or wherever) along with which of your several common passwords goes with it.
I have my own code for writing down numbers so I can stick something on a combination lock with the (encoded) combination. A similar code could be used when you write down passwords, so that you write down passwords that differ in certain letters/digits from your real passwords. (In a way that you can easily decode.)
Strict password guidelines = easier to crack? (on "Users feel Password Rage", Score: 3, Interesting)
I wonder if someone will come up with "reverse dictionary attacks". That is, generate random combinations of letters, numbers, and symbols, and then discard all the dictionary words, words with 1 digit, repeated letters, proper names, words with substituted digits, etc. Make the password policy strict enough, and at some point this might become faster than a dictionary attack on a system without so many rules.
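As an added illustration of the entropy argument in the comment above (my own code, not part of any comment on this page), the following exhaustively counts how many strings over a small constructed alphabet satisfy increasingly strict composition rules, and reports how many bits of guessing entropy each policy removes. The alphabet, length, forbidden-word list and rule set are all constructed for the demo; the point it makes is the one defenders use when evaluating a policy: every composition rule shrinks the space a user's password can live in.

```python
import itertools
import math

# Constructed toy alphabet and length: small enough to enumerate every
# string exhaustively, so the counts below are exact rather than sampled.
ALPHABET = "abcd12!"
LENGTH = 5

# Constructed toy "dictionary" of forbidden words (hypothetical, for the demo).
DICTIONARY = {"cab", "bad", "dab", "cad"}


def has_letter(pw):
    return any(c.isalpha() for c in pw)


def has_digit(pw):
    return any(c.isdigit() for c in pw)


def has_symbol(pw):
    return any(not c.isalnum() for c in pw)


def no_adjacent_repeats(pw):
    # Interprets "repeated letters" as the same character twice in a row.
    return all(a != b for a, b in zip(pw, pw[1:]))


def no_dictionary_word(pw):
    # Strip non-letters first, so "c1ab!" still counts as containing "cab".
    letters = "".join(c for c in pw if c.isalpha())
    return not any(word in letters for word in DICTIONARY)


# Policies from loosest to strictest; each is a list of rules that must all hold.
POLICIES = {
    "no rules": [],
    "letter+digit": [has_letter, has_digit],
    "letter+digit+symbol": [has_letter, has_digit, has_symbol],
    "strict": [has_letter, has_digit, has_symbol,
               no_adjacent_repeats, no_dictionary_word],
}


def count_compliant(rules, alphabet=ALPHABET, length=LENGTH):
    """Return (compliant, total): how many strings of the given length pass every rule."""
    total = 0
    compliant = 0
    for chars in itertools.product(alphabet, repeat=length):
        pw = "".join(chars)
        total += 1
        if all(rule(pw) for rule in rules):
            compliant += 1
    return compliant, total


def bits_lost(compliant, total):
    """Guessing entropy removed by the policy: log2(total) - log2(compliant)."""
    if compliant == 0:
        return float("inf")  # the policy forbids every string of this length
    return math.log2(total) - math.log2(compliant)


def policy_report(policies=POLICIES):
    """Summarize, per policy, the compliant count and the entropy the rules remove."""
    report = {}
    for name, rules in policies.items():
        compliant, total = count_compliant(rules)
        report[name] = {
            "compliant": compliant,
            "total": total,
            "bits_lost": bits_lost(compliant, total),
        }
    return report


if __name__ == "__main__":
    for name, row in policy_report().items():
        print(f"{name:22s} {row['compliant']:6d}/{row['total']} compliant, "
              f"{row['bits_lost']:.2f} bits lost")
```

With this alphabet and length there are 7^5 = 16807 strings; requiring a letter, a digit and a symbol leaves 6720 of them, about 1.3 bits fewer than the unconstrained space, and the strict policy leaves fewer still. The counts say nothing about how users actually choose passwords, only how much of the space a rule set rules out; that is the quantity to weigh against whatever weak choices the rules are meant to prevent.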
When I go to a local eatery that plays live jazz, there's always a bunch of CDs (of music played at the cafe) for sale at the front counter. The CDs are priced something like $10-12. I've never seen anyone buy one.
I can't help thinking, every time, that if they were priced at $3, just about every person who came in would buy one. They'd move truckloads of them. I've got to think that increased sales would more than make up for the extra production costs.
Excellent advice. I find that it's easy to leave important things on the to-do list if they're big and nebulous ("Do project X", "Solve problem Y"). But identifying the first small task can break the logjam. How many household chores are held up because the first step is "buy drain cleaner" or "find 3/4-inch screws"?
In the case of a student, maybe it's "look for book X in the library" or "re-read chapter Y", or "write some header comments in each file", or "write a function to parse these strings". After that, the other steps become clearer.
My Palm Pilot has flash memory that makes it instant-on. My camera has flash memory that allows me to take a picture, then pop out the card and bring it in to a photo lab for printing. (In fact, when the package from Amazon.com arrives, my camera will have substantially more RAM than my PC here at work.) My laptop has a PCMCIA slot that I can plug a CF card into. By comparison, my desktop has a card reader that I'm always plugging and unplugging and losing on my desk.
Why not better integration of CompactFlash with desktop computers? A dozen dedicated slots for different cards. Instant-on by loading startup apps and drivers from flash memory. Transportable settings by saving bookmarks, themes, frequently used documents, etc. to a CF card that can be popped into any machine I work on.
I remember being in university (must have been late '80s) and going to a seminar given by IBM at the campus about OS/2 1.x. (And this is in the farthest reaches of Canada.)
We were all writing window managers and GUI apps on our Amigas and Atari STs. The sales guy comes out and says, "This is so impressive because there's this ring 0... and it's separate from ring 1... look at this chart, showing which ring the device drivers are in". When we asked about a GUI, he said that would be in the next version.
I laughed at the time (well, we all did), but later wound up working at IBM on GUI applications under, you guessed it, OS/2. (That only lowered my original opinion of OS/2.)
Grady Booch recently spoke at our company, and his enthusiasm was infectious! It is obvious that he and the other Rational Fellows have a pretty good vision of where UML and RUP should go, and it would be a real shame if that was lost.
Hey, he was pretty enthusiastic about Ada all those years ago too...
When I was about to switch jobs, I went on a two-week vacation in Greece. No tech with me at all, totally cleared my head.
The day that I got back, I *knew* I had to get a Palm. Took care of all the details for moving from Canada to the US (numbers to call, appointments to keep, things to do, packing lists). Paid for itself many times over I'm sure.
Since then, there's never been anything as crucial that I needed it for. The to-do list grows forever with trivial little things I'll never get around to doing. The address book gets filled with phone numbers that are obsolete before I ever use them; some of the names I don't even recognize. Got a IIIc, never found a use for the colour besides Bejeweled. Synching has become a hassle with 2 separate computers to keep up-to-date plus an iMac that I can't synch to yet. (Bought the Palm serial-to-USB cable, dead on arrival, smart move spinning off the HW unit Palm!) Haven't found any free e-book sites with *interesting* content.
So I would say, in fast-paced times of turmoil, the PDA is great. When you have time to kick back and relax, when things are going good, there's not so much call for it.
If you install on 10.1.5, it gives an error about a missing symbol _localtime_r the first time it runs sqlplus (which is fairly early during database creation). Also the shell scripts use bash by default, although syntactically they seem to do OK when run under sh.
If someone needs to know about the Oracle database, I'd point them to tahiti.oracle.com. (And not just because I wrote the code! :-) It's the first system I've used that's been able to entirely take the place of printed docs for a library of any size.
You could explore some parallels and contrasts with the MS case:
MS is forced to disclose APIs -- which suggests that copy-protection schemes that people aren't allowed to reverse-engineer or even discuss are harmful to consumers.
MS is forced to allow other companies' middleware -- which suggests that limiting choice, such as by saying "you can only view this movie with this piece of software", harms consumers. This is an argument in favor of running DVDs on Linux and other freedoms that the Hollings bill is trying to limit.
It's taken years for the MS case to wind through the courts, and MS has avoided any significant sanctions on their programming practices by making arguments like "it's too hard to take IE out of Windows". Arguments about the difficulty of getting effective copy-protection, the added expense for consumer electronics, and the likelihood of buggy DRM schemes causing grief for consumers, should be given equal weight.
The CBDTPA would criminalize the activities that you and I do every day, such as using an IBM PC, listening to an iPod, or using your existing cable box to watch TV.
Prohibition didn't work out so well. In that case, at least they could make arguments about health and safety risks and what should the legal drinking age be. But the CBDTPA would criminalize digital devices used today by kids from preschool on up, used by the winners of "scientists of tomorrow" prizes, used by office workers, accountants, writers, UPS delivery people for their jobs, ad nauseam.
Imagine the public backlash from the government branding everyone in America a criminal -- unless they run right out and buy all-new electronics fitted with protection and surveillance features mandated by the government.
That would be like going back to the time of, oh I don't know, 1984!
Microsoft and analysts have been saying for some time now that they would keep chipping away at the high end, making gains as resolution / memory / processor / battery life improved enough to please the average user.
Palm had a weak response on the colour issue with the IIIc. Even in monochrome mode the battery life sucks, plus there are no compelling apps that make use of colour (besides Bubblet maybe). It's extremely irritating that even the built-in apps can either use 256 colours (just to get yellow highlighting and blue titles) or monochrome, but any other colour depth just displays as monochrome. Handspring might have slightly better colour, but it loses by association with the better-known IIIc.
It has always seemed to me that Palm was intentionally playing around with form-factor compatibility, which seemed like something of a gyp. I.e. upgrade your PDA, have to buy all-new extra cradles, keyboards, cases, etc. at $30-100 a pop. Again, Handspring might be slightly better with its Springboard, but Palms already have the reputation for incompatible add-ons and they won't attract existing Palm users to switch and obsolete their accessories.
The whole accessory situation reminds me of the Amiga days, where each new model shifted things by a few millimeters, causing much confusion among makers of add-ons.
As someone who alternates between being an early adopter and staying a generation behind the curve, I can see a PocketPC in my future, but many months down the road when there's compelling software, better battery life, cheap wireless options, and simple switching between Linux and Win CE.
Until then, it makes sense to just stick with basic organizer functionality and not buy any new accessories -- so no chance to sell me a new Palm or Handspring.
Agreed, I quit IBM to get away from Lotus Notes. It was surreal to work in the DB2 group and see people fumbling to develop "Notes database" apps trying to automate workflow.
I always fantasize about stumping the world's best cryptanalysts by using software that only exists on out-of-production or slow computers. Instead of JPG, use some image format particular to Commodore 64s. Then embed the result inside an Apple II spreadsheet. And so on and so forth.
Even assuming the NSA can make sense of a giant pile of mid-80s shareware disks that they might confiscate from you, all the decoding software runs at a comparative snail's pace, making it impractical to try a large number of combinations. (Or do crypto agencies have VIC-20 and Timex Sinclair emulators running on Crays?)
Flooz, endorsed by Whoopi. Who's fronting these new services, Bobcat Goldthwaite and Engelbert Humperdinck?
Somehow I don't think that Mr. A. Coward will be getting many dates if that happens...
...and for an annual subscription fee, McDonalds will make sure all your coffee is non-scalding. ($5 per degree per year.)
I dunno... a pair of big speakers and a big Celine Dion / Whitney Houston playlist...
I guess the browser-redirection market wasn't big enough to support them AND CueCat.
Yeah, but http://www.oradoc.com/ which was owned by aD has been kaput for a while now. :-(
German company rescues great OS from failed hardware company? Oh, like that'll work! Shades of Amiga...
That's a good one, let's add it to the Slashdot story generator.