Summer Break

Advance notice: We just got our boarding passes. We’re flying to L.A. tomorrow. So the blog’s on hiatus until we return. We’re driving back across the desert southwest in our vintage (2000) Chrysler – just like Thelma and Louise!  Kate will be holding down the fort in the Rockies teaching online English from down in the basement. Meanwhile, Rachel’s driving west from DC, camping along the way. We all meet back here some time after the 4th of July:  Bring pictures of any adventures had while on summer break. Also, bring whiskey… Adventures, whiskey, and the desert wind blowing through my thick luscious mane: Who could ask for anything more?  A guy can dream, right?

 

Summer Break - vintage Chrysler
The 300, somewhere in the desert southwest.

 

In the meantime, I’m giving you all an assignment.  That’s right, homework. Respond with your answer to the following survey. It will guide upcoming blog posts to areas of greatest interest. Or at least it might prevent posting of deathly boring material like yesterday’s PSA on passwords, here.

Which of these blog categories is of most interest to you?

Results will be posted after Summer Break.

 

 

 

 

Public Service Announcement

Every once in a while, purely as a public service, I like to do a post on passwords.  Not because it’s critical to national security. Not for partisan political purposes. And surely not because any of you are at risk of being hacked:  Nooooooo. Maybe it’s just the geek in me. But any article from Scientific American that contains obscure mathematical formulas and refers to “Moore’s Law” just tickles my fancy.  So, click the link here to read the article in full (not recommended). Or, read on for the condensed version <still pretty long, but it might keep your head from exploding>.

“The Mathematics of (Hacking) Passwords”

 

At one time or another, we’ve all been frustrated by trying to set a password, only to have it rejected as too weak. We are also told to change our choices regularly. Obviously such measures add safety, but how exactly?

<Here’s> the mathematical rationale for some standard advice, including clarifying why six characters are not enough for a good password and why you should never use only lowercase letters. I will also explain how hackers can uncover passwords even when stolen data sets lack them.

 

ChOose#W!sely@*

 

Here’s the logic behind setting hack-resistant passwords: When you are asked to create a password of a certain length and combination of elements, your choice will fit into the realm of all unique options that conform to that rule — into the “space” of possibilities. For example, if you were told to use six lowercase letters—such as, afzjxd, auntie, secret, wwwwww — the space would contain 26^6, or 308,915,776, possibilities. In other words, there are 26 possible choices for the first letter, 26 possible choices for the second, and so forth. These choices are independent: you do not have to use different letters, so the size of the password space is the product of the possibilities, or 26 x 26 x 26 x 26 x 26 x 26 = 26^6.

If you are told to select a 12-character password that can include uppercase and lowercase letters, the 10 digits and 10 symbols (say, !, @, #, $, %, ^, &, ?, / and +), you would have 72 possibilities for each of the 12 characters of the password. The size of the possibility space would then be 72^12 (19,408,409,961,765,342,806,016, or close to 19 x 10^21).

That is more than 62 trillion times the size of the first space. A computer running through all the possibilities for your 12-character password one by one would take 62 trillion times longer. If your computer spent a second visiting the six-character space, it would have to devote two million years to examining each of the passwords in the 12-character space. The multitude of possibilities makes it impractical for a hacker to carry out a plan of attack that might have been feasible for the six-character space….

 

“Moore’s law.”

 

Moore’s law says that the computer-processing power available at a certain price doubles roughly every two years and it explains why a relatively weak password will not suffice for long-term use.  Over time computers using brute force can find passwords faster. Although the pace of Moore’s law appears to be decreasing, it is wise to take it into account for passwords that you hope will remain secure for a long time.

For a truly strong password, you would need, say, a sequence of 16 characters, each taken from a set of 200 characters. This would make a 123-bit space, which would render the password close to impossible to memorize. Therefore, system designers are generally less demanding and accept low- or medium-strength passwords. They insist on long ones only when the passwords are automatically generated by the system, and users do not have to remember them.

There are other ways to guard against password cracking. The simplest is well known and used by credit cards: after three unsuccessful attempts, access is blocked. Alternative ideas have also been suggested, such as doubling the waiting time after each successive failed attempt but allowing the system to reset after a long period, such as 24 hours. These methods, however, are ineffective when an attacker is able to access the system without being detected or if the system cannot be configured to interrupt and disable failed attempts.

 

Public Service Announcement #1:  Never write your password on your hand!

 

Weaponizing Dictionaries and Other Hacker Tricks

 

Quite often an attacker succeeds in obtaining encrypted passwords or password “fingerprints” from a system. If the hack has not been detected, the interloper may have days or even weeks to attempt to derive the actual passwords.

To understand the subtle processes exploited in such cases, take another look at the possibility space. When I spoke earlier of bit size and password space (or entropy), I implicitly assumed that the user consistently chooses passwords at random. But typically the choice is not random: people tend to select a password they can remember (locomotive) rather than an arbitrary string of characters (xdichqewax).

This practice poses a serious problem for security because it makes passwords vulnerable to so-called dictionary attacks. Lists of commonly used passwords have been collected and classified according to how frequently they are used. Attackers attempt to crack passwords by going through these lists systematically. This method works remarkably well because, in the absence of specific constraints, people naturally choose simple words, surnames, first names and short sentences, which considerably limits the possibilities. In other words, the nonrandom selection of passwords essentially reduces possibility space, which decreases the average number of attempts needed to uncover a password.

Below are the first 25 entries in one of these password dictionaries, listed in order, starting with the most common one. (I took the examples from a database of five million passwords that was leaked in 2017 and analyzed by SplashData.)

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou
11. admin
12. welcome
13. monkey
14. login
15. abc123
16. starwars
17. 123123
18. dragon
19. passw0rd
20. master
21. hello
22. freedom
23. whatever
24. qazwsx
25. trustno1

If you use “password” or “iloveyou,” you are not as clever as you thought. Of course, lists differ according to the country where they are collected and the Web sites involved; they also vary over time.

 

********

 

For four-digit passwords (for example, the PIN code of SIM cards on smartphones), the results are even less imaginative. In 2013, based on a collection of 3.4 million passwords each containing four digits, the DataGenetics Web site reported that the most commonly used four-digit sequence (representing 11 percent of choices) was 1234, followed by 1111 (6 percent) and 0000 (2 percent). The least-used four-digit password was 8068. Careful, though, this ranking may no longer be true now that the result has been published. The 8068 choice appeared only 25 times among the 3.4-million four-digit sequences in the database, which is much less than the 340 uses that would have occurred if each four-digit combination had been used with the same frequency. The first 20 series of four digits are: 1234; 1111; 0000; 1212; 7777; 1004; 2000; 4444; 2222; 6969; 9999; 3333; 5555; 6666; 1122; 1313; 8888; 4321; 2001; 1010.

Even without a password dictionary, using differences in frequency of letter use (or double letters) in a language makes it possible to plan an effective attack. Some attack methods also take into account that, to facilitate memorization, people may choose passwords that have a certain structure — such as A1=B2=C3, AwX2AwX2 or O0o.lli. — or that are derived by combining several simple strings, such as password123 or johnABC0000. Exploiting such regularities makes it possible for hackers to speed up detection.

 

The Take-Home for Consumers

 

Taking all this into account, properly designed Web sites analyze the passwords proposed at the time of their creation and reject those that would be too easy to recover. It is irritating, but it’s for your own good.

The obvious conclusion for users is that they must choose their passwords randomly. Some software does provide a random password. Be aware, however, that such password-generating software may, deliberately or not, use a poor pseudo-random generator, in which case what it provides may be imperfect.

You can check whether any of your passwords has already been hacked by using a Web tool called Pwned Passwords (https://haveibeenpwned.com/Passwords). Its database includes more than 500 million passwords obtained after various attacks.

I tried e=mc2e=mc2, which I liked and believed to be secure, and received an unsettling response: “This password has been seen 114 times before.” Additional attempts show that it is difficult to come up with easy-to-memorize passwords that the database does not know. For example, aaaaaa appeared 395,299 times; a1b2c3d4, 113,550 times; abcdcba, 378 times; abczyx, 186 times; acegi, 117 times; clinton, 18,869 times; bush, 3,291 times; obama, 2,391 times; trump, 859 times.

It is still possible to be original. The Web site did not recognize the following six passwords, for example: eyahaled (my name spelled backward); bizzzzard; meaudepace and modeuxpass (two puns on the French for “password”); abcdef2019; passwaurde. Now that I’ve tried them, I wonder if the database will add them when it next updates. In that case, I won’t use them….

 

Survival of the Fittest

 

It goes without saying that hackers have their own ways of fighting back. They face a dilemma, though: their simplest options either take a lot of computing power or a lot of memory. Often neither option is viable. There is, however, a compromise approach known as the rainbow table method.

In the age of the Internet, supercomputers and computer networks, the science of password setting and cracking continues to evolve—as does the relentless struggle between those who strive to protect passwords and those who are determined to steal, and potentially abuse, them.

 

Here endeth the public service announcement.

 

And that’s just the SHORT version!
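For the geeks in the audience, here is a worked example in Python. It is added here and is not code from the Scientific American article or from this blog; it just puts the article’s arithmetic into runnable form. It computes the 26^6 and 72^12 spaces and their bit sizes, the “two million years” figure (using the article’s baseline of one six-letter space per second), a Moore’s-law variant in which the guess rate doubles every two years (an assumed simple model; the article notes the real pace is slowing), and then stages the dictionary attack from the “Weaponizing Dictionaries” section: a constructed set of four stolen password “fingerprints” is checked against the 25-entry list above. The fingerprint is assumed to be an unsalted SHA-256 hash; the article does not say which hash was used, and the user names and choices are made up for the demo.

```python
import hashlib
import math
import secrets
import string

# The article's 72-symbol alphabet: upper/lower case, ten digits, ten symbols.
ALPHABET_72 = string.ascii_letters + string.digits + "!@#$%^&?/+"
assert len(ALPHABET_72) == 72

# The 25 most common passwords from the list above (SplashData, 2017 leak).
TOP_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789", "letmein",
    "1234567", "football", "iloveyou", "admin", "welcome", "monkey", "login",
    "abc123", "starwars", "123123", "dragon", "passw0rd", "master", "hello",
    "freedom", "whatever", "qazwsx", "trustno1",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def space_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords: each position is independent, so multiply."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the space size, valid only if the password is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def brute_force_years(size: int, guesses_per_second: float) -> float:
    """Years to enumerate the whole space at a constant guess rate."""
    return size / guesses_per_second / SECONDS_PER_YEAR


def brute_force_years_moore(size: int, guesses_per_second: float, doubling_years: float = 2.0) -> float:
    """Same, but the guess rate doubles every `doubling_years` (assumed Moore's-law model).

    Rate r(t) = r0 * 2**(t/T); guesses made by year t = r0*T/ln2 * (2**(t/T) - 1).
    Setting that equal to `size` and solving for t gives the expression below.
    """
    r0 = guesses_per_second * SECONDS_PER_YEAR  # guesses per year at t = 0
    return doubling_years * math.log2(1 + size * math.log(2) / (r0 * doubling_years))


def random_password(length: int, alphabet: str = ALPHABET_72) -> str:
    """Uniform choice from the OS CSPRNG, not a poor pseudo-random generator."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fingerprint(password: str) -> str:
    """Stand-in for a stolen password 'fingerprint': an unsalted SHA-256 (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(stolen: dict, wordlist: list) -> dict:
    """Hash every wordlist entry once, then recover each account whose hash matches.

    The cost is len(wordlist) hashes regardless of how many accounts were stolen,
    which is what makes an unsalted fast hash so cheap to attack.
    """
    lookup = {fingerprint(w): w for w in wordlist}
    return {user: lookup[h] for user, h in stolen.items() if h in lookup}


def crack_demo() -> dict:
    """Constructed sample: three users picked list entries, one used a random 12-char password."""
    chosen = {"alice": "letmein", "bob": "trustno1", "carol": "iloveyou",
              "dave": random_password(12)}
    stolen = {user: fingerprint(pw) for user, pw in chosen.items()}  # what the attacker obtained
    return dictionary_attack(stolen, TOP_PASSWORDS)  # dave is never recovered this way


if __name__ == "__main__":
    six, twelve = space_size(26, 6), space_size(72, 12)
    rate = six  # article's baseline: the whole six-letter space in one second
    print(f"26^6  = {six:,} ({entropy_bits(26, 6):.1f} bits)")
    print(f"72^12 = {twelve:,} ({entropy_bits(72, 12):.1f} bits)")
    print(f"ratio = {twelve // six:,}")
    print(f"constant rate: {brute_force_years(twelve, rate):,.0f} years")
    print(f"rate doubling every 2 years: {brute_force_years_moore(twelve, rate):.1f} years")
    print(f"16 chars from 200 symbols: {entropy_bits(200, 16):.1f} bits")
    print("cracked:", crack_demo())
```

Two things worth noticing when you run it. Under the doubling model the 12-character space falls in a few decades rather than two million years, which is the whole point of the article’s Moore’s-law aside. And the dictionary attack recovers the three list entries with 25 hash computations while never touching the random password, because the attack only ever shrinks the space to the words people actually pick. Sites that store passwords with a salted, deliberately slow hash (bcrypt, scrypt, Argon2) force the attacker to redo that work per account, which is the defence against both this lookup and the rainbow-table method the article mentions.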

 

Bonus personal content:  Not long ago I received an unsolicited email with a title line containing an old password I’d used years ago on a comcast email account I don’t use much anymore. Still, it was a shock, seeing that password right there in the email’s title line. More shocking was the content, which demanded payment of a specific amount into the enterprising hackers’ bank account, with threat of exposure of all my personal information – including secret habits and predilections – if I didn’t comply.

I’m not sure how they thought I’d believe they could access that last bit just from having cracked an old email password.  But apparently there are enough people walking around with guilty consciences that the bad guys count on a non-zero response rate for their efforts. My own response was to turn on 2-factor authentication for that email account, in which a 6-digit numeric confirmation code is sent to a separate device any time the account is logged into. It’s a pain.  But not as much of a pain as dealing with malicious hackers attempting to extort money by preying on my personal peccadilloes.

So, the takeaways from this little episode for me are two: 1) Moore’s Law is real. And 2) The world is full of idiots looking to make a fast buck. But then, we already knew that.  Right?

Sarah Cooper is a National Treasure

Apologies to radostdg for stealing his Twitter tagline, but she really is:  Sarah Cooper is a National Treasure. You can see her lip-syncing one of DJT’s greatest hits here.  I stumbled across this recently when I googled “How to testing.”  <Be sure to listen to this longer one for full effect.>

Also apologies to my better half for revealing sensitive medical information, but we both tested negative for COVID-19 antibodies when we donated blood at Vitalant recently. What this means is that neither of us have had the virus in the past 2 months, nothing more. Well, that and also that we do nothing at this point to contribute to herd immunity.  Sorry folks.

<All I gotta say is, stay tuned for my tell-all memoir, “How I lost 30 lbs without any changes in diet or exercise,” coming soon to an independent bookseller near you. Disclaimer: Not gonna be available on Amazon.  Sorry, Jeff Bezos.>

As for political battles of the culture wars, and all the finer nuances of more tests versus less tests, I leave it to better statistical minds than mine to resolve.  One thing, though: That Sarah Cooper? She is….

 

Fuuuuunyyyyy!!!

 

Sarah Cooper: National Treasure

 

This amazing young woman, really very talented, and she makes videos, you know, that people can watch, so they can see the things that she does, and they like it, they are all over her, and she gets the best comments, she always gets good comments, the comments are just wonderful, they are all full of good things, and everybody knows how great she is, it’s just amazing to see, you know, when someone does a wonderful thing like that, and people really appreciate it, and that, that is important stuff for everybody, so i think we should all keep doing that. Thank you.

 

Pure Pun WOTD Fun

It’s Monday, so it must be time for some pure pun WOTD fun:

Today’s WOTD is “gull.”

 

Pure Pun Fun

 

And although they call it a “falcon-wing,” we all know the real name…

 

Pure Pun Fun - Model X
Gotta love the gull-wing Tesla Model X.

News You Can Use

I’m not even gonna try to explain this one. But here is some news you can use via the DP. Titled “Here’s why this is the earliest summer solstice in over 100 years,” it explains…. Well, click the link, here, or read it yourself, below. I mean, c’mon. You’ve got all day – and it’s the longest one of the year.

 

********

 

Summer is coming early this year, and it has nothing to do with this week’s scorching weather in Denver.

The summer solstice takes place on Saturday at 3:43 p.m. MDT, making it the earliest official arrival of the summer season in 124 years. On Saturday afternoon, the sun’s rays will be directly over the Tropic of Cancer, the furthest north they’ll go all year.

As the earth orbits the sun, it wobbles around on a 23.5 degree axis, giving us seasons as the earth tilts towards the sun at varying angles. Denver’s relatively far north latitude (just shy of 40 degrees north) means the earth’s tilt is felt more strongly here than places closer to the equator.

This year’s summer solstice will be the earliest since 1896. That’s thanks to this year’s leap year.

********

 

We have leap years because the amount of time it takes the earth to orbit the sun is a bit funky. It takes approximately 365.242189 days for the earth to circle the sun. The added day every four years brings us to 365.25 days.

There are other, rarer corrections for the remainder of the fraction, however: mainly, skipping three out of every four century-turning leap years (as in 2100, 2200, 2300, etc.).

Without exploding your brain too much, leap years get earlier after centuries with a leap year. For that reason, summer solstices will, on average, get earlier and earlier until 2100, which will be a skipped leap year.

The earliest summer solstice this century will take place on the final leap year before the skipped 2100 one. On June 20, 2096, the summer solstice will take place at 12:32 a.m. MDT.

If you want extra details (warning: you’ll probably want to wear your thinking cap for this one), give this a read.

 

********

 

Now, the differences between summer solstice times are fairly minute. For example, in 2016, the summer solstice took place at 4:34 p.m. MDT – less than an hour later than this year’s solstice.

Of course, the summer solstice also marks the longest day of the year. On Saturday, the sun will rise at 5:32 a.m., and it won’t set until 8:31 p.m. in Denver. Twilight will last until 10 p.m., if not later, especially north of the metro area.

Enjoy the nearly 15 hours of official sunlight this weekend. On Sunday, the long, six-month countdown to the winter solstice will begin, with December 21st marking the shortest day of the year.

********

 

News You Can Use - Sunny

There. How’s that for news you can use, eh?

<Head. Officially. Explodes.>

Four Pass Pup

I found this photo of “The Four Pass Pup” in a DP feature called “Eight extreme day hikes in Colorado that are worth the pain.” You are welcome to read it, here.  Also you’re welcome to attempt any or all of the hikes. But I share it with the following disclaimer: My days of extreme hiking are over. Nothing is worth that much pain.  Don’t get me wrong. I still love hiking. But trying to compress 28 miles and 8000′ of elevation gain in the Maroon Bells into a single 24 hour window is not my idea of a good time. Likewise, sprinting up and down the 2,744 steps of the Manitou Incline (a 68% grade) just doesn’t do it for me any more. If it ever did.

The author of the article says to “get up early and take one of these extreme hikes and you’ll have accomplished a crazy feat to tell your friends about over a cold beverage — assuming you can walk the next day.”  I dunno, call me crazy, but I prefer to get up late, skip the extremes, and share a cold beverage with friends next day while still being able to walk. I’ve got nothing to prove here. Except maybe my sanity.

 

But back to the photo.

 

This one just makes me happy. Can’t really say why.

Maybe because the husky hiked it and I didn’t?

Anyway, it’s about time for that cold beverage.  Enjoy.

 

“Four Pass Pup” enjoys the view on a hike of the Four Pass Loop near Maroon Bells.

Happy Birthday Mister President

Today, POTUS 45 turns 74. Happy Birthday Mister President. And don’t let the lame stream media’s constant carping cast a cloud over your natal day, in spite of all the health related questions engendered by your ginger walk down that ramp at West Point yesterday. See the full story in the failing NY Times, here.

Back in 1962 when JFK turned 45, Marilyn Monroe raised a million eyebrows with her sexy rendition of Happy Birthday Mister President.  You can see the clip in classic black and white, here. In today’s overheated climate of Tweet – counterTweet, it’s easy to forget just how scandalous POTUS 35’s behind-the-scenes antics with the blonde bombshell really were. Ah for the good old days when the MSM turned a blind eye on presidential foibles. Or not.

Of course, if JFK had any trouble walking down a ramp – or trotting stiffly up those steps to the podium in ’62 – he could always chalk it up to injuries suffered while serving on PT-109. Not so the current podiatrist’s POTUS. Ah well, you win a few, you lose a few, eh? In this case, let’s give the guy the benefit of the doubt, OK?  It’s his birthday after all. And we need to be kinder to our senior citizens.  Plus, the day of reckoning’s coming soon enough.  Ahem.

 


Gotta. Love. Marilyn.

Hooray

I have written before about Waterton Canyon on the South Platte River near our place southwest of Denver. Managed by Denver Water, it’s a popular fishing/hiking/cycling/wildlife-watching venue for many folks in the metro area. The DP reports it will reopen for recreational use next Monday. Just one word for that:  Hooray!

 

Hooray for Waterton Canyon
Strontia Springs Reservoir stands at the head of Waterton Canyon southwest of metro Denver, 6.5 miles upstream from the trail head near Roxborough Park.

No Freaking BS

“Walk This Way! How to Optimise Your Stride and Focus Your Mind to Get the Most From Your Daily Stroll” is one of those agonizing self-help articles from The Guardian that are useful only if you suffer from severe OCD and think the rest of the world should be suffering right along with you. I don’t recommend reading it unless you are feeling so insanely good that you need to bring yourself down a notch or two just to get your feet back on Terra Firma. In short: What a bunch of freaking BS.

 

Consider:

 

First, instead of propelling ourselves forwards by pushing off with the back foot, like an ice-skater, we try to use our stepping foot to power us along. This is because sitting down too much has made our hip flexor muscles short and tight. The necessary adjustment is the subtle difference between stepping into a space (wrong) and pushing off from a space, which will recruit the right muscles up the backs of your legs. Use your glutes and you open up the core.

The second problem is … a passive foot strike. The movement provided by the joints in our feet offers suspension and balance but we often plod along flatly instead, leaving us compromised. That’s what causes knee discomfort. It can create slight misalignment of the back, stiffness of the shoulders.

The third thing to watch out for is letting your head hang forwards. Screens, reading and desk work have made this the default position, which is a bit of a disaster. When the head is slightly forward, the muscles of the upper back and the shoulders have to contract to hold it there. The shoulders come forward and can stiffen. Back mobility becomes restricted and you will not be able to rotate your spine from the hips.

Finally, our arms tend to hang awkwardly or we force them into tense, power-walk movements, when what they want is to dangle freely. If you get steps one to three right, this should happen naturally…. <There are> various drills to help correct these bad habits, such as measuring with your hand the gap between your bottom rib and your hip, and between your collarbone and your earlobe, and then adjusting your posture to lengthen those gaps.

Got all that? Goooood.

 

If you, like me, are just grateful to finally be getting back out under the wide open sky, all of that stuff can safely be ignored. I mean, there’s no sense turning the perfectly natural act of walking into the equivalent of a golfer bending over a putt with a bad case of the yips. Yeah, you heard me. And you know who you are, ya dang yippee putters.

Anyway, all’s well that ends well. So get out there and walk, or putt, or whatever it is that floats yer boat. No need to try to look like an ice skater. And for God’s sake, DO NOT worry about the angle of your arms or your head. Passive foot strike? Fuggedabowdit! Just put one foot in front of the other and enjoy the scenery. You’ll be glad you did.  I know I am. And that’s no freaking BS.

 

Lovely day for a walk in Roxborough Park.

Fight Songs

Back in the day, I went to a little Division 3 school on the south side of Chicago that didn’t give out athletic scholarships. We also didn’t have a marching band, aside from a few drunken students in the stands invited down to the field at half time to haphazardly wander the field humming into kazoos.  But fight songs? Of those we had more than a few, summarized by uchicago.edu and displayed in full for your edification below.

 

Chicago Fight Songs

Herodotus, Thucydides,
Peloponnesian War,
X squared, Y squared,
H2SO4.
Who for? What for?
Who we gonna yell for?
GOOOOO, MAROONS!

SCHOLARLY YELLS
Logarithm, biorhythm,
Entropy, kinetics,
MPC, GNP, bioenergetics!
Maximize and integrate,
Titrate and Equilibrate--
GOOOOO, MAROONS!

Maximize our GNP,
Titrate their solution;
Calculate their MPC,
Crush their revolution!
GOOOOO, MAROONS!

And my personal favorite...
Repel them!
Repel them!
Make them relinquish the ball! (3x)

 

I thought of this recently while reading a piece in the New Yorker called “The Athenian Plague, a Cautionary Tale of Democracy’s Fragility.” (You can read it, here.) The original author of the historical account was the aforementioned Thucydides. And the point is that Coronavirus isn’t humanity’s first pandemic, nor will it be our last. Also, the civil unrest we see now has been with us in democratic societies from long before Black Lives Matter and will continue at least as long as we do.

Of course, I don’t expect you to go re-read Thucydides, or even to click the link for the New Yorker article. Though if you’re curious, go right ahead. My only point is that this too shall pass. And, of course, will come again – if history is any indication.

As for sports – Division 3 or otherwise – I look forward to the day in the not too distant future when we can cheer for – and sing the Fight Songs for – our favorite teams, live and in person.  Fight on!

 

 

Fight On - OSU

 

Fight Songs - SC