Password protected

An average internet user has 25 accounts online, but uses fewer than 7 passwords to protect them, according to Microsoft research (pdf).

And at least one of those accounts has probably suffered a security breach at some point. According to Matt Weir, whose PhD involved researching the availability of stolen login details:

You can look online and you can generally find passwords for just about everyone at some point. I’ve found my own username and passwords on several different sites. If you think every single website you have an account on is secure and has never been hacked, you’re a much more optimistic person than I am.

Sites generally don’t store your password itself, but its hash. A hash is the output after a [known] procedure has been performed on your password. If your password is 4, and the procedure is ‘add 2’, then the hash stored with your login name is 6. When you log in, what is compared is not whether your password is 4, but whether the thing you typed in the password field, with 2 added, is 6.

So if a site is hacked then normally it is the 6 that has been discovered. It might seem trivial to deduce the password (simply subtract 2), but in practice the procedure performed involves many steps and is actually very difficult to do backwards (e.g., ‘subtract as many 3s as possible and use the remainder in the next step’. Putting a 7 in would give 1 out – but so would 4, 10, 13, 83467, etc. If you’re doing the steps in reverse and have a 1, where do you go next?).

Hackers therefore don’t work backwards (through, e.g., the 80 rounds of SHA-1), but instead try running lots of potential passwords through the procedure and seeing if what comes out matches a stolen hash. And they can do this quickly. LinkedIn.com had 6.5m password hashes stolen and posted online earlier this year:

It took independent security researcher Jeremi Gosney 6 days to convert 90% of the hashes exposed in the LinkedIn breach. He cracked a fifth of the 6.5m passwords in the first 30 seconds.

You need to avoid using any password that has ever been stolen and cracked, yours or anyone else’s – the remaining 10% of difficult hashes would be ones that have not been used before, and which are too long and unusual to mount dictionary or brute-force attacks against. Dictionary attacks (where the hacker tries every word in the dictionary to see if one produces the same hash as your password) have been greatly aided by the publication of hundreds of millions of stolen and solved passwords from scores of sites over the years.

‘pa55word’ isn’t in the Oxford English dictionary but you can bet it’s in the 500m-word corpus the hacker’s trying at 15.5 billion guesses per second against the 6.5m hashes he just got because someone somewhere has had that password-hash pair stolen in the last 20 years.

Using the same password on more than one site, combined with having e-mail addresses as user names, means that once hackers have stolen login credentials from one company, they often have the means to compromise other accounts – so ideally you need to use a different password for every site.

How do you make yourself unique, difficult passwords to crack?

Memorise a sequence of at least 15 characters, either several words joined together or built from a mnemonic, which should be particular to you and have a fair chance of never having been used before (don’t do this with popular song titles – people have been doing that and having them compromised for a while). One such sequence might be:

nawtfpTwOtmI:1969

which comes from ‘Neil Armstrong was the first person to walk on the moon in: 1969’ and in which I’ve capitalised the prepositions, and used a symbol and numbers too. What a good boy.

Then insert an extra letter at, e.g., the 10th position, depending on the website the password is for. So for Facebook you use:

nawtfpTwOFtmI:1969

Whereas for Hotmail it is:

nawtfpTwOHtmI:1969
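The following is an added example (not code from the original post) that ties the pieces above together: the hash-not-password storage and login check, the forward-only wordlist checking that makes a reused ‘pa55word’ fall in seconds while a never-before-used 15+ character sequence does not, and the per-site letter insertion described above. It assumes unsalted SHA-1 as the hashing procedure, and the wordlist and accounts are constructed sample data.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """The 'procedure': unsalted SHA-1 (assumed here), returned as a hex digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def register(db: dict, user: str, password: str) -> None:
    """The site keeps only the hash (the '6'), never the password (the '4')."""
    db[user] = sha1_hex(password)


def login(db: dict, user: str, attempt: str) -> bool:
    """Login hashes what was typed and compares it with the stored hash."""
    return db.get(user) == sha1_hex(attempt)


def check_against_wordlist(stolen_hashes: set, wordlist) -> dict:
    """Forward-only checking: hash each candidate and look it up in the stolen
    set. Because an unsalted hash of 'pa55word' is identical for every account
    that uses it, one candidate is tested against all stolen hashes at once.
    Returns {hash: recovered password} for the hashes that were found."""
    found = {}
    for candidate in wordlist:
        digest = sha1_hex(candidate)
        if digest in stolen_hashes:
            found[digest] = candidate
    return found


def site_password(base: str, site: str, position: int = 9) -> str:
    """The per-site variation from the post: insert the site's initial letter
    at the 10th character (index 9) of the memorised base sequence."""
    return base[:position] + site[0].upper() + base[position:]


if __name__ == "__main__":
    # Constructed sample data: three accounts, two of which reuse a password
    # that also appears in a (constructed) list of previously leaked passwords.
    db = {}
    register(db, "alice", "pa55word")
    register(db, "bob", "pa55word")
    register(db, "carol", site_password("nawtfpTwOtmI:1969", "Facebook"))
    leaked = ["123456", "password", "pa55word", "letmein"]
    recovered = check_against_wordlist(set(db.values()), leaked)
    for user, digest in db.items():
        print(user, "->", recovered.get(digest, "not in wordlist"))
```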

That said, we already know how and why we should protect ourselves online; we just never get round to it due to hyperbolic discounting: most people will never be hacked in a damaging way, but there’s a real cost now in setting up stronger passwords, which will only pay dividends in some far-off hypothetical future. If you only make one password unique and stronger, make it the one for your email account (like this guy, whose email account received the password resets and reminders for all his other accounts).

XKCD argues for the several-words-joined-together route:


XKCD comic on password strength


Get rich or die tryin’ (to spend it)

My boss pulled up in his brand new BMW today and I couldn’t help but admire it.

“Nice car,” I said as he got out.

“Well,” he said, noticing my admiring looks, “Work hard, put the hours in, and I’ll have an even better one next year.”

Paraphrasing from a good article by Paul Graham:

Someone graduating from college thinks, and is told, that he needs to get a job. A more direct way to put it: you need to start doing something people want. You don’t need to join a company to do that but for many people the best plan probably is to go to work for some existing company. This means doing something people want, averaged together with everyone else in that company.

However, is that averaging disadvantageous for you? In a big company you get paid a fairly predictable salary for working fairly predictable hours. You can’t go to your boss and say, I’d like to start working ten times as hard, so will you please pay me ten times as much? For one thing, the official fiction is that you are already working as hard as you can.

Economically, you can think of a startup/working independently as a way to compress your whole working life into a few years. Instead of working at a low intensity for forty years, you work as hard as you possibly can for four.

You could probably work twice as many hours as a corporate employee, and if you focus you can probably get three times as much done in an hour. You should get another multiple of two, at least, by eliminating the drag of the middle manager who would be your boss in a big company. Then there is one more multiple: how much smarter are you than your job description expects you to be? Suppose another multiple of three. If a fairly good hacker is worth $80,000 a year at a big company, then a smart hacker working very hard without any corporate bullshit to slow him down should be able to do work worth about $3 million a year.

Like all back-of-the-envelope calculations, this one has a lot of wiggle room. I wouldn’t try to defend the actual numbers. But I stand by the structure of the calculation. I’m not claiming the multiplier is precisely 36, but it is certainly more than 10.

And once you have all that money, then paraphrasing from an article at messymatters.com on savings:

The risk of dying with too much money should be taken just as seriously as the risk of dying poor. After all, that excess money in old age represents forgone opportunities earlier in life.

Spend money on anything that shifts your focus from the mundane to things that give your life meaning. Donating to charities that are meaningful to you is a great way to do that. Traveling to visit friends and family should rank highly for the same reason. Improving the world, having fun adventures, relationships with friends and family, satisfying intellectual curiosity…

Certain kinds of adventures you may not be physically capable of at retirement age. And don’t forget the possibility that you’ll die young. Or there could be a financial collapse that sparks hyperinflation, destroying your hard-earned savings. Or there could be technological explosions that change everyone’s level of wealth.

Have a bias for enjoying things now; it’s worth some amount of risk of being poorer than you’d like to be in retirement. Consider the strategy of taking, throughout your life, say, a month of unpaid leave every time you accumulate several thousand dollars in excess savings. If you keep obsessively saving past a reasonable target then you are, in a very literal sense, wasting money, by letting it sit as excess savings instead of doing something with it that makes your life better.

Improve your life by outsourcing tasks you do not enjoy. For example, don’t do your own taxes or change your own oil or clean your own house if you don’t enjoy those things, especially if you enjoy your job more than those tasks and your effective hourly rate is not much lower than (or is higher than) the hourly cost of the outsourcing.

Also, consider getting your retirement setup in place sometime before you retire.

Behind Bolt

Today’s 16-year-old age-group world record holder would have won a bronze medal in the 100m at the 1980 Olympics.

Here’s a graph from the New York Times showing how far other Olympic medal winners would be behind Usain Bolt at the finish line of the 100m:

Usain Bolt Compared to Other 100m Runners

Usain Bolt could run the 100m dash in 9.44s, given the right legal conditions.

Two sleeps per night

Now we have so much artificial light that after a 1994 earthquake knocked out power, some concerned residents of Los Angeles called the police to report a “giant, silvery cloud” in the sky above them. It was the Milky Way. They had never seen it before.

From an article on how it was once normal to have two sleeps per night:

Before this electrically illuminated age, our ancestors slept in two distinct chunks each night. The so-called first sleep took place not long after the sun went down and lasted until a little after midnight. A person would then wake up for an hour or so before heading back to the so-called second sleep.