Posts Tagged 'Tech Tips'

February 13, 2008

The Usage Of Complex Algorithms For Password Generation

Passwords are difficult. On the one hand, you want to create a password that is uncrackable by anyone, be they teenage hackers or CSI experts with magical hacking tools. On the other hand, the password has to be rememberable by you yourself, lest only teenage hackers and CSI experts with magical hacking tools be able to access your data.

So, how do you make passwords?

One of the more secure ways is to use a random letter generator, like random.org, to build random strings, pick one, and memorize it. It's pretty secure (random.org uses real random noise to produce its random numbers), and with seven random alphanumeric characters, the password search space is about 2.2 trillion combinations! But are you really going to remember "QRSr0Fu" or "W96TUON" two weeks from now? (My generated set had "myELlRK" which I might be able to remember...) If you type your password every hour or so, you might remember this by muscle memory pretty quickly. Just in time to have to change it, I bet.

Another way is to take a word or phrase, turn some letters into |33+sp34k, and you get something more random, but much more rememberable. So, for example, "minivan" becomes "m1n1v4n!" and "washington" becomes "w4sh1ngt0n!?!" These are actually quite rememberable; the use of non-standard characters disallows the use of rainbow tables and dictionary attacks, so they're much less susceptible to cracking. However, what happens when you forget the "!", or that "Washington" gets "?!?", or that you did NOT turn "t" into "+"? You could end up going through a few cycles trying to "guess" your own password. Again, if you use it all the time, you'll learn it by muscle memory. And this lets you come up with some cool passwords, like "c4p+41nK1rk". How can you beat that?
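As an added example (not code from the original post), here is how the two approaches above compare in Python: a CSPRNG draws the random string, the search space and its bit count are computed for a 62-symbol alphanumeric alphabet (an assumption about what the generator draws from), and a small substitution table matching the post's two examples shows how many strings a leet-mangled dictionary word can expand to, which is the comparison a password-strength estimator makes. The dictionary size and suffix count passed at the bottom are constructed inputs.

```python
import math
import secrets
import string

# Mixed-case letters plus digits, 62 symbols. Assumption: this is the
# alphabet the random generator in the post draws from.
ALPHANUMERIC = string.ascii_letters + string.digits

# A substitution table matching the post's two examples (assumption: the
# post does not spell out its mapping beyond them).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0"}


def random_password(length: int, alphabet: str = ALPHANUMERIC) -> str:
    """Draw each character independently from a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(length: int, alphabet_size: int = len(ALPHANUMERIC)) -> int:
    """Distinct strings of this length over the alphabet, each equally likely."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """log2 of the candidate count: the bits a guesser has to recover."""
    return math.log2(candidates)


def leet(word: str, table: dict = LEET) -> str:
    """Mangle a word the way the post describes: 'minivan' -> 'm1n1v4n'."""
    return "".join(table.get(c, c) for c in word)


def leet_variants(word: str, table: dict = LEET) -> int:
    """Strings a mangled word can become if each substitutable letter is
    independently swapped or left alone: two choices per such letter."""
    return 2 ** sum(1 for c in word if c in table)


def leet_guess_space(word: str, dictionary_size: int, suffixes: int) -> int:
    """Candidates covered by trying every dictionary word with every
    substitution choice and each of a few trailing decorations ('!', '?!?', ...).
    The given word stands in for a typical dictionary entry."""
    return dictionary_size * leet_variants(word) * suffixes


if __name__ == "__main__":
    n = search_space(7)
    print(f"random 7-char example: {random_password(7)}")
    print(f"7 alphanumeric chars: {n:,} candidates, {entropy_bits(n):.1f} bits")
    for w in ("minivan", "washington"):
        print(f"{w} -> {leet(w)} ({leet_variants(w)} substitution variants)")
    m = leet_guess_space("washington", dictionary_size=100_000, suffixes=4)
    print(f"100k-word dictionary, mangled, 4 suffixes: {m:,} candidates, "
          f"{entropy_bits(m):.1f} bits")
```

The figure to take from it is the ratio: a 100,000-word dictionary with three substitutable letters per word and four suffixes is about 3.2 million candidates (roughly 22 bits), about a million times fewer than the 3.5 trillion 7-character random strings (about 42 bits). The mangled word is easier to remember, as the post says, but its strength comes from the dictionary size and the number of words strung together, not from the substitutions.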

My favorite way, however, lets you write your password down in plain sight. I tend to cycle through passwords, and if you're anything like me you have two online banking passwords, four credit card or loan company passwords, a work domain password, 6 email passwords, a home login password, etc, etc, etc. If you take the easy way out and use the same password everywhere, you end up making kittens and security experts cry. If, however, you have a completely separate randomized combination for each account, your brain will get stuck in an infinite loop. Using this method, you get to write down your passwords and tack them to the wall. Or put 'em on a sticky note. In plain sight. Email them to yourself without a care. It uses a special type of encryption to keep your password safe. Not AES or DES or TEA or other TLAs. I call this "Hippocampy Encryption" (named in honor of the part of the brain that does memory-type activities).

The key is to write down a set of clues that will tell you (but only you) what your password is. You can add symbols to help you remember what kind of encoding to use for your password. Here's a password I just made up right now as an example:


Shawn's rival ^
shout your home team
Esirpretne
Sam.

Because everything on this note is simply a hint for your specific brain to recall a password, it's specific to you. Hints don't even have to have anything to do with the subject. The hint "Red October" could tell you the word "fortworth", whereas for me, I'd be trying "R4M1US", "M1SSL3S", "jackryan", "TomClancy", etc. You can string three or four hints together for a password. Note, these create long passwords, and your coworkers may start to believe that you have a superhuman capacity for memorizing long strings of randomized data. Do not do anything to dissuade them from this belief. And, because the hints point to common words and numbers already lodged in your grey matter, you may be surprised just how fast you type in that 20-character-long password. Compared to my speed on 7-character random strings, it's blazing.

And due to the pattern-matching ability of your brain, remembering the passwords is easy. Let's say you've written your clue on the back of one of your business cards, so you have it handy if you need it. After a few days, just SEEING a business card will bring your new password to the front of your mind. After a while, you'll stop needing your hint sheet, as you'll just remember the password. And when it comes time to change your password, shred your card and your Post-it, post a new one (in a different color if you can; it helps the brain), and give yourself a few days. Unlike scrawling your random digits on a paper or card, even if somebody stole your "Hippocampically Encoded" card, they would have to REALLY know you (or be a really good guesser) to get the password. Even with your card, you've reduced them to brute-force searching. And if your card/note turns up missing, it takes about 30 seconds to whip up a new hint sheet. Not only is your attacker brute-forcing your hint sheet, but it's the wrong hint sheet anyway!

So... have you guessed my password above? It's GARYkemp!1071Max. 'Course, you'd only know that if you knew that I played Pokemon and left my rival's name at default, that I decided that "^" meant "Make it all uppercase", that my home team is the Kemp High School (and that I was talking high school football), that by "Shout" I meant "give it an exclamation point", but that the whole word should be lower case (because the hint is), that Esirpretne is "Enterprise" backwards, and that I meant to make the serial numbers backwards (but not the NCC part), and that by Sam (a very common name) I meant "Give me the name of Sam's partner in that incredibly funny cartoon by Steve Purcell, Sam and Max: Freelance Police." The period is just decoration. If you did guess it, contact the NSA. I hear they're hiring people like you.

-Zoey

June 26, 2007

TTL and propagation

Every DNS record is equipped with a TTL. The TTL (Time To Live) is basically the expiration date on that record. Long story short, it's a countdown from when the record was initially received until when it is marked as invalid and discarded for a replacement record. This is a very important piece of information that I've often seen either outright ignored or misunderstood.

Let's say you have a domain, something awesome like awesomedomain.wow, and awesomedomain.wow has a TTL of 24 hours. When I go to visit awesomedomain.wow as a new visitor (and you know I would, because it sounds awesome), I'm going to receive a record translating awesomedomain.wow to an IP address that will be valid for 24 hours. Any other time I visit that domain in the next 24 hours, I'm going to use that cached address because the record hasn't expired yet. After 24 hours, regardless of whether awesomedomain.wow has moved IPs, I'm going to trash that old DNS record I've cached locally and go look it up again. The new record will then be referred to by me for the next 24 hours, at which time I'll do it all over again.

But what happens when you have to change your IP, but you want your visitors to see the smallest amount of downtime possible? My first suggestion is to mirror your sites on both IPs, but that is a different discussion entirely. The second is to manipulate your TTL. First, lower it to something smaller, from a day to an hour perhaps. Then give that new record with that new TTL at least 24 hours (the old TTL) to propagate. Now you can be certain that at the 25th hour, all of your visitors have a record that will expire in one hour. Next, change your IP for awesomedomain.wow. The record that your visitors have cached locally will expire within an hour, and then they will have your new record with your new IP. Feel free to bump your TTL back up to what it was originally in this step, since they will pick up the new IP either way. Now your visitors have only had an old record for an hour rather than 24, and they probably missed that hour it was inaccessible while they were posing for a painting or having their top hats heightened. Because all of your visitors are terribly classy.

-Joshua
