Aug 292016

XKCD 936: Password StrengthMany have seen comic on the right explaining how to select a good password. Some might have even seen security expert Bruce Schneier claiming it is a wrong approach. And then there were several rebuttals. It was as close to celebrity fight as it comes in the computer industry.

As somebody who implemented password generator and a junkie for a good statistics, I’ll dare to throw bit of my opinion here.

For analysis, first thing we need to know is how fast you can crack passwords. And here assumption of 1000 guesses per second mentioned in cartoon is highly optimistic. Mind you, it is not wrong, as it specifies online attack and assumes proper hash used for computation. But, more often than not, your password will leak in one of stolen database dumps. Now attacker can do stuff offline.

With the advent of graphic cards and massively parallel processing, I believe we can go with assumption of 100 x 1012 guesses per second for basic MD5 hashing. Yes, it is highly exaggerated if password uses any stronger hash, but in the case of password strength analysis it is best to be paranoid and assume not only lousy hashing but a strong attacker with access to many computers. And do check this video to see what a “simple” server can do – it peaks at 38 billion (38 x 109) guesses per second. For a single server.

Now we take claim from cartoon of its password having entropy of 244 (17 x 1012) we can see that attacker can go over that whole search space within 5 hours assuming usage of the server from video. Using our imaginary powerful attacker, same space can be searched in less then a second. Does that mean XKCD was really wrong? Well, it’s kinda complicated…

Assumption we made is that attacker knows exact dictionary and exact way how you selected your password. Baring that, you have 25 character password that, using brute force only, would require checking of (on average) 1 x 1035 combinations. That means even our all-powerful attacker would need 30,000,000,000,000 years (again, on average) to find it. More observant might have noticed that there is a slight disparity between 1 second and 30 trillion years.

Issue at hand is how well the attacker knows you and what “rules” it feeds to its cracking engine. If it has all these words in its dictionary and it assumes you used comic as a password selection authority, you’re toast. However, if guy goes for low-hanging fruit, it will ignore everything longer than 12-14 characters and your password is safe.

And anything you add is going to make that long phrase only better. Add a three digit number at the end, you increase time by the factor of 1,000. Add it anywhere in the middle, you increase it by factor of 25,000. Add a special character, complexity goes up still. And that is for somebody who perfectly knows how your password was created. While XKCD method alone is a bit too optimistic, it is on the right track. If you select password you can remember and you spice it enough, brute force cannot touch you.

But I believe what comic omits is one important fact. Developers are lazy and some just simply don’t care. It is not uncommon for password leaks to have no password hashing at all. If you use the same password for multiple sites, sorry but you are fucked no matter which password you have.

First important rule about passwords is to never ever reuse them. Every site must have a unique password. This ensures that any password leak, even if developers were extremely lazy, only impacts a single account. For example, prevents attacker using your leaked LinkedIn password to login to your PayPal.

Second rule is to never, ever, know more than one password. XKCD is correct, humans are simply not made to handle passwords. So don’t. Remember one password and use a password manager to create and manage others.

You can use my own Bimil or you can use Password Safe – they both actually use the same file format. Or you can use something else you feel is secure enough. But, for the love of god, don’t use your web browser for remembering any password you don’t wish to leak.

XKCD 538: Security

PS: If you wish to be informed when your password leaks, do consider subscribing to ‘;–have i been pwned?. It won’t protect you, but it will at least keep you informed.

Aug 232016

Cananka board (bottom)[This post is part four in the series.]

The most difficult part of board setup is done for us – we have both dimensions and we’ve decided on components. Even better we don’t need to think about board much as our HAT specification has it all sorted out. Or does it?

If you make board based on HAT specification you won’t be able to fit official case around it. We need additional cutouts if we want it to fit – bigger on the left side and just a small one on the right. As board is not really crowded, it was easy to carve out the additional space. However, it might not be as easy for more dense layouts.

Cananka boardTop side is dominated by our DC-to-DC converter and nice 3.81 mm 4-pin CAN bus connector. Additionally there are through-hole LEDs so we can see activity and a through-hole oscillator purely because I hate SMD ones. To help with troubleshooting a few pads without solder mask are along the edge.

The whole board is essentially split into two parts. On top we can find components that can safely connect to Raspberry Pi. Most notable being MCP2515 CAN bus controller and 24C32 EEPROM needed for HAT compatibility.

Between CAN bus connector and controller we have isolation border crossed only by isolated DC-to-DC converters and ISO1050 CAN bus transceiver. Two millimeter spacing between these two universes should provide adequate protection.

It is a pretty straightforward layout mostly driven by the need to have isolation border and the size of the components.

Now, let’s get the board working.

Aug 172016

WordPress - missed scheduleIt seems with every new WordPress version there is the same issue. For one reason or another, post scheduling stops working. Exact cause is varied but most commonly it is the caching plugin playing games.

Usual solutions for this are either manually calling wp-cron.php via wget or getting WP Scheduled Plugin. I believe most sites, including mine, need another plugin as much as pig needs a wig. I am not judging if you are into either of it, but I recommend limiting both activities.

Using curl or wget to manually execute wp-cron.php might also not work on sites that are properly secured and have most of php disabled in .htaccess to start with. Yes, you can always make an exception, but there is a better way.

First step is common, just disable standard WordPress cron behavior in wp-config.php:

define('DISABLE_WP_CRON', true);

Then either use crontab -e from command line or your web provider’s task scheduling web interface (CPanel or similar) to add following command:

/usr/bin/php -q /home/user/www/wp-cron.php

This will call upon PHP to manually execute wp-cron.php bypassing Apache and .htaccess completely. Notice that you must use full paths as cron jobs are ran in limited environment.

For my needs, a daily frequency (@daily or 0 0 * * *) is actually sufficient as I schedule my posts always for midnight. Those needing more precise time might decide to go hourly (@hourly or 0 * * * *) or even more often.

Aug 112016

Bimil: Password generatorOne of major issues reported with Bimil was the lack of password generator. In this version, you have two. :)

Classic password generator will allow you selection of password length and what it will consist of. You can choose between lower and upper letters, numbers, and special characters. Length can be anywhere between 4 (you’re crazy) and 99 (you’re paranoid) characters. For those of weak heart, generated passwords can be simplified a bit. It is pretty standard stuff really.

Followers of XKCD have probably seen his word-based password cartoon. For those taking his (actually quite good) recommendation to heart, Bimil now allows for random generation of just such passwords. It has a database of over 15,000 English words and 12,000 names so it should provide reasonable variety. Additionally it allows for further strengthening by using numbers and special characters so good entropy can be achieved even if somebody knows exactly which dictionary you used.

Both will give you a highly pessimistic view on how good your password is. It assumes omnipotent enemy and exaggerates his power. It is probably a bit too paranoid but it won’t hurt a bit. Just remember that any password with an 1 year estimate is actually pretty good. Of course, aiming for Eternity rating will give you more nerd points. :)

With more and more passwords it gets rather difficult to find what is where. While title does give a hint, often a search within content is needed. Now you can search for anything appearing in any of the visible fields. It definitely helps in situations when you remember user name or some similar detail but you don’t remember exact title.

For some purposes it comes in handy to track previous passwords. If you add password history field to any item, Bimil will remember up to three password changes before it starts dropping the oldest one. Most of the time you won’t need it but it beats manual storing of password in notes when you do.

In addition to these changes, lot of small improvements have happened but I will leave you to discover them when you download Bimil or upgrade from within application.