Archive for December 8, 2005

Password strategies

If you are like the other person reading my weblog, chances are you are an internet user. Assuming proposition 1 holds, then there are probably a bunch of websites you frequent that require you to log in before using their functionality. And if proposition 2 holds, you have probably had to come up with some password strategy for accessing all the sites you use. So what’s an internet user with a ton of passwords to manage to do? Here are a few of the strategies I know of or have tried.

  • Use the same password everywhere - everywhere you log in you use “mypassword”. This is obviously no good, not only because “mypassword” is easily broken by a brute force dictionary attack (though that is a fine reason not to choose it) but because your passwords are not unique. If someone steals or cracks “mypassword”, that person can theoretically hack into each of your email, PayPal, and personal computer. Yuck.
  • Mixed characters, unique per site - rather than “mypassword” you could use “MyYahooP4ssword”. You now have a slightly harder to crack password since it is not just a sequence of words, and by including upper and lower case you increased the combinations by 2^(character count). The two drawbacks here are that you still need to remember your algorithm (“do I capitalize the first letter of every word or just the first word?” “capitalize the first or second letter?” “what do I hacker-encode?”) and if you are faithful to your algorithm then it may be easily decipherable by a human who gets one seed password. But this isn’t incredibly bad.
  • Unique per site, non-obvious key - Instead of “MyY4hooPassword” you use “B4byOneMoreTime” and for another site “O0psIDidItAg4!n”. This is less vulnerable since the passwords are not dictionary crackable, they are unique per site with no cross-site deterministic algorithm, and they draw from alphanumeric and symbol characters. The drawback is that they are hard to remember - so how do you keep track of them? A text file on your computer may be tempting but is an awfully bad idea since a list of sites and passwords is like crack to someone wanting to hack into your accounts. A series of index cards next to the computer is only a slight improvement. A practice I once used for this model was maintaining a PGP encrypted file with my passwords on my computer. I could transfer this file or post it to the web with relative confidence that no one would crack it since a 4k PGP key is hard to compromise. The drawback is that PGP is hard to use, making this unsuitable for everyday consumption, and in time you may lose your secret key. Then you’re up a certain creek without a paddle.
  • An MD5 hashed key - this is the strategy I use now. It is fairly secure and incredibly convenient. I copied the implementation from Nic Wolff’s site and host it personally (since you really don’t want to trust some random site with this, it’s a good idea to get your own copy). This basically executes the following calculation: SitePassword = MD5Function(MasterPassword, SiteName). This produces a non-word alphanumeric password for SiteName based on your MasterPassword. There are still a bunch of problems with this approach - if MasterPassword is cracked, all the generated passwords are retrievable. The generated password from this utility is fixed (not variable) length and alphanumeric (without symbols) - both dramatically reduce the number of possible passwords. But the passwords are unique, MD5 is one-way (meaning if you learned my Yahoo password were 1234abcd, you could not easily reverse engineer MasterPassword), and adding a new password for YetAnotherSiteThatMakesYouRegister.com is no harder than remembering the site name. Also, if you install the browser toolbar shortcut, everyone using your computer has easy access to their own personal passwords. It’s also easy to set up a second, shared MasterPassword2 that you use for common account sites (Tanya and I use the same Netflix account). And if you are at some foreign computer you can always access the hashing function remotely and get your site passwords.
  • Software - There are also a ton of commercial software packages available that basically just add a layer on top of “keep my password list on my computer”. I personally think these are all bogus since there are free implementations that do the same thing and there’s no reason you should trust commercial software more than understanding your strategy, its problems and executing it faithfully.
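
The MD5 strategy from the fourth bullet, as an added example that is not the page's code or Nic Wolff's generator: it implements SitePassword = MD5(MasterPassword, SiteName) as described, quantifies the keyspace lost to a fixed-length, symbol-free output, and shows a variant that addresses those two drawbacks plus the "if MasterPassword is cracked, everything falls" one by using a slow salted KDF. Joining master and site with ':', hex output, and the PBKDF2 parameters are assumptions, not details from the post.

```python
import hashlib
import math
import string

# Assumed alphabets: the described tool emits hex-like alphanumerics only;
# the hardened variant also draws from punctuation.
HEX_ALPHABET = string.digits + "abcdef"
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def md5_site_password(master: str, site: str, length: int = 8) -> str:
    """SitePassword = MD5(MasterPassword, SiteName): deterministic, one-way,
    unique per site, but fixed length and hex only (no symbols).
    The ':' join and hex encoding are assumptions about the original tool."""
    return hashlib.md5(f"{master}:{site}".encode()).hexdigest()[:length]


def kdf_site_password(master: str, site: str, length: int = 16) -> str:
    """Same idea with two changes: a slow, salted KDF (PBKDF2-HMAC-SHA256 with
    the site name as salt) so that guessing the master from one leaked site
    password is expensive, and an output alphabet that includes symbols.
    Iteration count and length are assumed values, not from the page."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), 100_000)
    # Treat the 256-bit digest as an integer and emit base-94 digits; the
    # bias from 94**16 not dividing 2**256 is negligible.
    n = int.from_bytes(raw, "big")
    base = len(FULL_ALPHABET)
    out = []
    for _ in range(length):
        n, r = divmod(n, base)
        out.append(FULL_ALPHABET[r])
    return "".join(out)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Search-space size in bits for a fixed-length password over an alphabet.
    Puts a number on the post's 'dramatically reduce the number of possible
    passwords' remark."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    master, site = "correct horse", "yahoo.com"  # constructed sample values
    print(md5_site_password(master, site), keyspace_bits(len(HEX_ALPHABET), 8))
    print(kdf_site_password(master, site), keyspace_bits(len(FULL_ALPHABET), 16))
```

With the assumed settings the MD5 output spans 32 bits of search space versus about 105 bits for the 16-character symbol-capable variant, and the KDF makes each master-password guess roughly 100,000 hashes instead of one.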

In a related problem space, there is an interesting site named bugmenot which helps you bypass mandatory registration for sites where you really shouldn’t need to register. Anybody have other interesting approaches to this area?


Manscaping Tip #16

Do not forget the clipper attachment.


Racking day

Last weekend Eva and Steve came by and helped me and Tanya start
brewing our first batch of beer! It was really a lot of fun and took
much longer than I expected, but the yeast just slowed down yesterday
in the fermenting tub and we just transferred it to the carboy. We’re
about 2 weeks or so from bottling day and another two weeks away from
48 bottles of what will surely be a Scottish ale if everything goes
according to plan. Or I’m four weeks away from 5 gallons of the worst
piss imaginable. It’s kind of like collecting baseball cards - you
know approximately what’s in the package but you’ve got to lay down
some money and wait until unwrapping the package to see what you’ve
got. Anyway - after you finish brewing, “racking” is the process of
moving the beer between fermenting containers (in this case, from the
6 gallon plastic fermenting tub to a 5 gallon glass carboy).

If you’re interested in homebrewing in Seattle - so far my limited
experience with Bob’s Homebrew Supply in Ravenna
(http://lostinseattle.com/LIS/specialtygoods/bobshomebrewsupply.html)
has been great. He helped me assemble
my starter kit, was kind enough to give me another grommet for the
fermenting tub since mine seemed to disappear, and gave me advice over
the phone on brew day when Paul (who is sure to be my normal
brewmaster) was unavailable.
