Thinking Of Password Strength Like Slot Machines

Instead of communicating password strength—specifically unpredictability—as ‘bits,’ let’s consider using slot machines as a metaphor. Bits of entropy are the traditional way of describing randomness and variety, though they can be intimidating or too abstract for some users. They can also obscure the fact that each ‘character’ in the equation is often an entire word, since words are easier for users to remember. Slots are relatively simple machines which randomly rotate among variations of options and line up together like letters or words in a passphrase. So this metaphor may help users better understand the strength of their passwords.

Let’s imagine that slot players are thieves looking to steal the money in your bank account. Slot positions or wheels can be thought of as each character or word in your password or phrase. And the varieties of slot fruits represent the possible characters or words in your secret. Now if a player happens to line up each of them they’ll strike jackpot and get access to all your money. Preventing unwanted jackpots like that requires choosing passwords or phrases that are unpredictable. So we want a lot of different fruit (characters/words), as many slot positions as practical (as long as possible), and no pattern among the slot choices (no relationship between them). More is stronger.

It’s important to keep in mind that if we choose a password as a collection of words (not random characters) then our ‘fruit’ or dictionary cannot be counted per character. In that case it must be counted per whole word. Attackers know that people often use words because of frequent password leaks. So any pattern we choose should be considered public knowledge.

Now, to gauge how strong a password (jackpot) is we can multiply the number of possible words/characters (fruit) together repeatedly, once for each slot position. Consider that three words with two slots is 3 x 3 or 9 possible values. Put another way we take it to the exponent: 3 ^ 2 = 9. Guessing randomly, the attacker/player would on average hit the jackpot after trying about half of the possibilities. So that password would typically require 9 / 2 or 4.5 guesses to get right. That’s really weak.

Expressing that as attempts gets out of hand quickly since at 1000 words/characters with 3 slots we’ve got 1,000 ^ 3 or 1,000,000,000 which is one billion. A dictionary or fruit basket of 10K with 5 slots would be 100,000,000,000,000,000,000 or one hundred quintillion, on average guessed in fifty quintillion attempts. If these numbers are too unwieldy we could use the ‘bits’ method to make these numbers easier to read and reason about. Then our 10,000-5-slot password would be log base 2 of 100 quintillion or about 66.4 bits. Still it would be important to remember to take care when filling in the ‘fruit’ or dictionary number to avoid counting characters when we’re actually using words.
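The slot-machine arithmetic above, worked through in code as an added example (not from the original post): the ‘fruit’ count is raised to the number of slots, halved for the average guess, and converted to bits, and a constructed five-word passphrase shows how far the figure is inflated when words are mistakenly counted as individual letters.

```python
import math


def jackpot_odds(fruit, slots):
    """Return (combinations, average_guesses, bits) for a secret made of
    `slots` independent positions, each drawn from `fruit` possibilities.

    combinations = fruit ** slots      (the jackpot search space)
    average_guesses = combinations / 2 (brute force hits about halfway)
    bits = log2(combinations)          (computed as slots * log2(fruit))
    """
    if fruit < 1 or slots < 1:
        raise ValueError("need at least one fruit and one slot")
    combinations = fruit ** slots
    average_guesses = combinations / 2
    bits = slots * math.log2(fruit)  # same as log2(combinations), no overflow
    return combinations, average_guesses, bits


def passphrase_bits(words, wordlist_size, alphabet_size=26):
    """Compare the correct strength of a word-based passphrase (each word is
    one 'fruit' drawn from a public wordlist) with the inflated figure obtained
    by treating every letter as an independent random pick. Returns a tuple
    (bits_counted_as_words, bits_counted_as_letters), each rounded to 0.1."""
    as_words = jackpot_odds(wordlist_size, len(words))[2]
    as_letters = jackpot_odds(alphabet_size, sum(len(w) for w in words))[2]
    return round(as_words, 1), round(as_letters, 1)


# Constructed sample passphrase: five words assumed to come from a 10,000-word list.
SAMPLE_PHRASE = ["apple", "banana", "cherry", "donkey", "eagle"]
SAMPLE_WORDLIST_SIZE = 10_000


def main():
    for fruit, slots in [(3, 2), (1_000, 3), (10_000, 5)]:
        combos, avg, bits = jackpot_odds(fruit, slots)
        print(f"{fruit:>6} fruit x {slots} slots: {combos:,} combinations, "
              f"~{avg:,.1f} guesses on average, {bits:.1f} bits")
    honest, inflated = passphrase_bits(SAMPLE_PHRASE, SAMPLE_WORDLIST_SIZE)
    print(f"'{' '.join(SAMPLE_PHRASE)}': {honest} bits counted as words, "
          f"but {inflated} bits if each letter were wrongly counted as random")


if __name__ == "__main__":
    main()
```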

P.S.

Each of the password requirements (many kinds of ‘fruit’, multiple slot positions, unrelated ‘fruit’ choices) is important, and that makes strong password/phrase choices hard to remember. Typically we also have many accounts with a variety of websites and services. Ideally each account should use a different, unrelated password from all the others. For this reason a password manager makes life more practical. Properly designed, it can encrypt all the random passwords or phrases with one strong-yet-memorable password. If you aren’t using one please try making it a part of your daily routine for a month. It could save you a lot of time and headache by avoiding the loss of your accounts or funds.

“User-Agent” Headers Holding Back The Web

Every time you visit a website the name and version of your browser is sent to the service. In fact with every requested image, video, and style sheet the same data is sent again and again. This not only wastes bandwidth, it also subtly encourages web makers to rely upon it as a shortcut to make services work consistently across platforms. Later browsers then include more tokens in their “User-Agent” header to maintain compatibility with these fragile services. Over time the header becomes larger and the web more brittle. For example, Internet Explorer 11 identifies itself as “Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko”. Can you tell which part communicates that it is Microsoft’s Internet Explorer?

Of course it’s impractical for every web site/service to test every possible combination of browsers and platforms. So those of us developing sites and services only test the most popular browsers at the moment. Over time this leads to a web which caters to a mix of the most popular browser of the past and present, depending upon the time any given service was last made. As more and more devices leverage HTTP for the Internet-of-things this problem may grow more complex. Web standards and feature detection can help.

With well-defined standards and run-time detection of features it’s possible to avoid the trap of ‘sniffing’ the browser from its UA headers. And while cutting-edge features and services may benefit in the short term from taking the shortcut of browser detection, they can instead leverage vendor-specific prefixes of features in flux. Once standardized, the prefixes can be replaced with official, non-prefixed names.

In my experience, detecting significantly different platforms such as mobile or internet-of-things (IoT) devices is still a valid use for the UA header. But ultimately those cases may be better served by a new, simpler header or more platform-independent designs. Until then Mozilla’s recommendations are a reasonable place to start.

In recent years even the once-dominant Microsoft notes the weaknesses and problems with UA headers. Sadly, my experiments sending an empty or minimal UA header have found too many sites broken to recommend the approach to non-technical users.

How about you? What do you think of UA headers?

Is Ad Blocking A Form Of Looting?

One description of the increase in ad blocking is that it’s a kind of boycott. While that may be the view of blockers the content producers may see it differently. For them advertising pays for their effort to create the content. So when people consume their content without any payment (in the form of attention) then their incentive to produce suffers.

This ‘boycott’ of advertising—while still taking the ad-supported services—appears to have much more in common with looting. Looting often occurs when large numbers of people feel deprived or exploited. Like a kind of vigilante justice one could argue the careless and invasive advertisers have pushed users to this extreme.

Of course a boycott sounds a lot more noble. But if I’m not mistaken that would involve avoiding the entire business, not using their services while dodging payment. Picketing is another feature that can accompany boycotts. Those bothered by ads do have options to express their discontent on social media, forums, and comments; though, admittedly, not always directly on the site of the business itself.

Alternatives to ad-funding do hold promise: micro payments, donations, and subscriptions. Each has some friction for users to get involved. Perhaps when doing so is easier than installing an ad-blocker things will turn around.

So what do you think? Is ad blocking more like a boycott or looting? Something else entirely?

VirtuaWin Vs. Windows 10 Virtual Desktops

VirtuaWin’s virtual desktops have long provided the ability to expand your Windows work-space without adding extra physical screens. Now that Windows 10 includes its own virtual desktop/work-space feature I’ve found it both an improvement and a small step backwards. After a few months with both let’s break down how they compare.

Here is a table documenting my findings as of January 2016. (Since Windows 10 and VirtuaWin may evolve in the future I’ll try to keep this up-to-date.)

behavior or capability                                      | VirtuaWin      | Win. 10 Desktops
------------------------------------------------------------|----------------|-------------------------
Boss key to hide other screens                              | Yes            | No
Compatibility issues with some Intel drivers                | Yes            | No
Customize number of screens                                 | Yes (up to 20) | Yes (100+)
Customize shortcuts                                         | Yes            | No*
Jump-to-screen shortcuts                                    | Yes            | No
Show a window on all screens                                | Yes            | No
Switching from windows with admin. privileges               | Yes            | Requires extra key press
Switching from certain** modal windows                      | No             | Yes
Vertically aligned screens                                  | Yes            | No
Windows with admin. privileges appear on all screens (bug?) | Yes            | No
Wrap around when switching from first/last screen           | Yes            | No

*It’s possible to make alternative shortcuts for Windows 10 desktops using 3rd-party tools like AutoHotKey.
**My LockyWindow product has used a modal window when unlocking to prevent manipulating the underlying KeePass window. VirtuaWin’s switching feature is disrupted by such windows.

While VirtuaWin is more feature packed I personally don’t miss most of the capabilities absent in Windows 10’s desktops. Those most lacking were the jump-to shortcuts and the option to wrap around from the first/last screen. Still, the ability to switch away while administrative windows have focus is much appreciated. Window management in Windows 10 Desktops also feels more user friendly than VirtuaWin’s tray pop-out.

How about you? Do you use virtual desktops? If so which solution works best for you?

Does The DOS Gaming Era Standout?

Plenty of us enjoy a game to relax after a long day at work, school, or life. Yet why is it that some gamers are drawn to games before their time? My experiences with games preceding my youth have almost universally produced boredom, disgust, or both. And what is it about the DOS era of gaming that is unique?

Anyone who has watched the React channel can probably understand the generational gap in media, especially games. Watching kids react to old games and computers with shock only reinforces my jaded experience looking back on those before my time. Still, as I frequent DOS gaming sites and podcasts to get a nostalgia fix there are often comments or calls from gamers who didn’t grow up with them.

Perhaps it’s because there are so many games today and there were so few back in the day. So getting a critical mass of fans was easier since players had fewer choices. Then the kids of those fans were (and continue to be) inevitably exposed to their parents’ favorites. If there had been more games available to their parents the influence of these ‘classics’ on this next generation would probably have been less concentrated.

Another possible reason is that the DOS era spans a wide range of experiences. The first games were merely black-and-white text while some of the last were high(er) resolution, 3D accelerated, Internet-enabled games rivaling the best consoles of the time. In the beginning a top-of-the-line game could easily be made by one person. By the late 1990s some games were multi-million-dollar efforts.

DOS also saw wide-spread use over nearly two decades. Apparently consoles only have about six years of development. That means DOS had about three times as long to innovate, make impressions, and establish a brand. And for many of those users during that period it was the default choice for their computer because of business, school, or other reasons.

Am I blinded by nostalgia, or is there something truly unique about this era in gaming and technology?

How Much Pact Pays Me To Exercise [Updated 2017-07]

UPDATE: As of July 2017 the Pact service has shut down.

The idea of getting charged for failing to meet my fitness goals was off-putting at first. Now the idea of being paid for meeting them was a lot more appealing. Pact is a mobile app which encourages healthier behavior by charging users who fail to meet their goals and rewarding those who meet them. Before starting it I wanted to know if the rewards were worth the work. Some articles mentioned vague amounts after a few months of use, but nothing with a breakdown per activity. So I’ve made one that is automatically updated weekly from my data.

[Graph: maximum possible earnings last week]
This completionist graph shows that one can typically earn the most from veggies in a week. Though at 5 per day that’s a total of 35 photos to submit.

[Graph: earnings per activity]
As can be seen each individual activity does not pay much, and clearly exercise is the highest payout. But committing to a dozen or so activities per week does provide a nice little bonus for exercise and healthier eating. So far I get about $8 per month by exercising 6 days, logging one day, and recording veggies half the week. Even if the reward were only a few pennies I’ve found the bonus improves my consistency. Avoiding being charged for failure certainly motivates as well.

Around the 2014 holidays the payout was a little higher. So I imagine the busyness and temptations of that season made reaching these goals more challenging. Regardless, despite some misses, these kinds of pacts can provide the needed push to get one moving more and eating healthier. If you’re on the fence I’d recommend giving it a try with some modest goals.

Disclosure: I’m not affiliated with Pact, Inc. (a.k.a. Gym-Pact) except as a user of their app and service. The data provided is my own, and it cannot predict future earnings.

VeraCrypt Is Too Slow And Complex

Now that more TrueCrypt weaknesses have been revealed, the open-source solution taking its place appears to be VeraCrypt. Yet its extra-secure encryption of the system partition adds so many key-derivation rounds that booting is slowed, and the extra PIM concept mandates an extra step at every startup. This situation makes it even less suited to non-technical users than TrueCrypt before it.

Steve Gibson may be ready to recommend VeraCrypt, but I don’t think it’s ready for the masses; up to version 1.15 anyway. After clocking my boot time with system encryption it took an extra 85 seconds. Talking non-technical friends and family through even basic use of TrueCrypt volumes was challenging enough. VeraCrypt’s additional Personal Iteration Multiplier certainly adds more security. Still, the extra step and forgettable-yet-necessary element is only making it less novice friendly.

Another long-term problem is VeraCrypt’s lack of Secure Boot support. This prevents booting with whole-disk encryption on machines locked down with UEFI’s boot-loader signing. Hopefully VeraCrypt support will be done before Secure Boot becomes widespread.

Now having tried the built-in encryption features of Windows, OS X, and Ubuntu Linux the VeraCrypt software does still offer a nice cross-platform solution. The VeraCrypt UI is also easier than Linux, though it has a way to go before being as easy as Windows and OS X. With a little UX love and simpler defaults VeraCrypt has the potential to offer a compelling alternative for regular folks.

Exercise That Saves Me Hundreds Per Year

Needing more exercise and reducing fossil fuel use are two birds. My bicycle is one stone, and with it I hit them both by schlepping groceries and other purchases after shopping. Let’s call it ‘schlopping’. My guess is that in the past 2 years of doing so I’ve saved about $1600 and 670 gallons of fuel. It’s also helped me stay in shape.

Having a desk job for over a decade has not made me the healthiest worker. So after my bike’s saddle bags spent a year rotting in the basement I finally got around to installing them. Since then any trip around town has been a good excuse to get some exercise. As long as there isn’t too much snow, ice, or salt in the way it can work well. Even in northern Ohio this has only prevented me from riding twice.

Safety equipment like a helmet, lights, and gloves also reduces some of the risk factors. Careful riding also helps. But to be honest, it is tempting to cut corners and ignore traffic laws; especially on long rides. Thankfully, I’ve only had one moderately serious accident thus far. Strangely enough it was not on one of my frequent shopping runs but on a relatively rare joy ride.

Still, keep in mind that all our sitting has risks too, more so when driving/riding. Of course how the risks of walking/riding vs. driving/riding stack up against each other varies quite a bit. Things like distance of trips, traffic volumes, kind of vehicle, physical health, and availability of bicycle lanes are complicating factors. Your mileage may vary.

Despite the modest costs, different risks, and extra time involved in bicycling or walking the gains are certainly worth it for me. Improved health, reduced environmental impact, and net savings of hundreds per year are too much to pass up.

Unused Work Does Not Have To Be Discouraging

Soon after being hired my boss told the story of a project he worked on for a significant amount of time; like months. It never saw the light of day. Subconsciously I think I denied that would ever happen to me, at least not for any major work. Four years later I had not yet encountered such hardship. Yet soon enough that all changed.

Worse than seeing my work tossed, I had to make the call to discard a coworker’s serious effort. After a long delay a key component of the work had been lost. So instead I had to redo the entire project from scratch. Ironically enough my effort turned out to be doomed as well.

At the very end of the rewrite, with only one feature left, I discovered the platform vendor’s latest development kit lacked any encryption libraries. (Finding out so late was a rookie mistake on my part.) When they finally produced a suitable kit the platform had changed so much I couldn’t port my rewrite in a timely manner. So with much chagrin I rewrote it again with the suitable kit and all was well–except for my ego.

Despite wasted time and resources one can typically find something good whenever work goes unused. Over the years I’ve been reminded of a few:

  • It is a learning opportunity
  • Helps avoid getting overly attached
  • New ideas often accompany do overs
  • Practice
  • Redos are a chance to develop grit

Of course these rarely add up to match the lost time or money. But if the learning opportunities are maximized it can save a lot more in the future.

It can be especially frustrating for those of us who are technical to accept non-technical reasons for work to be mothballed. For us “business reasons” can feel so abstract and intangible. It’s almost as if it’s arbitrary and frivolous. Still, businesses exist to produce a profit, and even organizations have to make trade-offs when their resources are limited.

Until time travel is sorted out, forecasting client needs or project requirements will almost certainly remain an inexact science. While we wait for our future overlords to return let’s take solace by remembering the good that can be salvaged from the ashes of our abandoned work.

You Can Raise Any Price Except ‘Free’

When prices go up existing customers feel like they got in at the right time. Prospective customers who missed the sale may feel left out, unless there is hope for a sale in the future or price increases are consistent. But there is one price that seems to have more inertia than any other: free.

A while back on This Week In Enterprise Tech one of the hosts made the point that permanently lowering a price is challenging because of the potential for resentment. After all, no customer wants to find out that they just paid good money they could have saved. Yet they also mentioned that raising the price is typically not a problem. As a consumer I’d say this is true.

Product improvements and inflation have conditioned me to expect most of the products or services I enjoy to increase in price: appliances, movie tickets, food, and so on. (Preferably this is gradual or otherwise feels justified.) So why is it that seeing a product go from free to paid often involves a backlash? Examples include LogMeIn, ZenDesk, and more recently Steam mods. My guess is the mental gap between free and even one dollar is larger than from one dollar to five.

Initially my preference for free products was driven by the desire to save money. Though over time I became fixated on the other benefits as well:

  • Easier sharing with friends and family
  • Feeling secure that I won’t forfeit the purchase when changing platforms
  • Simpler experimentation without having to go back and pay for what works best (such as for evaluation-only trials)

Of course nothing is truly free of cost. This was often clear in the quality of free offerings compared to paid ones. Microsoft Paint was included with Windows for free while PaintShop Pro was a paid product. Ultimately I got more use out of PSP. Doom modding tools were free, still I found myself far more productive with the non-free Klik & Play; albeit making simpler projects.

Even in mobile gaming where ‘free’ now dominates, typically with quality included, the shifting and hiding of costs is increasingly distasteful to me. Producers are tempted to not only make things enjoyable but rather tease players into paying ever more. Sometimes it manifests as pay-to-progress or pay-to-win. And while ‘shareware’ and trial editions have a similar model they are often explicit, one-time payments. Producers are less likely to string players along.

Now that I’m older and more patient, paying for quality products and waiting for sales appeals a lot more to me than in the past. Being a producer has also changed my perspective on what ‘free’ really means. Yet there’s still that twinge of discomfort when the ‘buy’ button is in the way. Perhaps it’s the feeling of lost opportunity since I could spend the money on something else. But once I’ve paid the bills and saved enough for long-term goals there’s very little reason to hold back. After all, I can’t take it with me.