Archive for December, 2005

Password strategies

If you are like the other person reading my weblog, chances are you are an internet user. Assuming proposition 1 holds, there are probably a bunch of websites you frequent that require you to log in before using their functionality. And if proposition 2 holds, you have probably had to come up with some password strategy for accessing all the sites you use. So what’s an internet user with a ton of passwords to manage to do? Here are a few of the strategies I know of or have tried.

  • Use the same password everywhere - everywhere you log in you use “mypassword”. This is obviously no good, not only because “mypassword” falls to a dictionary attack in seconds (a fine reason not to choose it) but because your passwords are not unique. If someone steals or cracks “mypassword” at one site, that person can log in to your email, PayPal, and personal computer. Yuck.
  • Mixed characters, unique per site - rather than “mypassword” you could use “MyYahooP4ssword”. You now have a slightly harder to crack password since it is not just a sequence of dictionary words, and by mixing upper and lower case you multiply the number of candidates an attacker must try by 2^(number of letters). The two drawbacks are that you still need to remember your algorithm (”do I capitalize the first letter of every word or just the first word?” “capitalize the first or second letter?” “which letters do I leet-encode?”) and, if you are faithful to your algorithm, it is easily worked out by a human who gets hold of one seed password, so a breach at one site hands an attacker a good guess at the rest. But this isn’t incredibly bad.
  • Unique per site, non-obvious key - Instead of “MyY4hooPassword” you use “B4byOneMoreTime” and for another site “O0psIDidItAg4!n”. This is less vulnerable since the passwords are not dictionary crackable, they are unique per site with no cross-site deterministic algorithm, and they draw from alphanumeric and symbol characters. The drawback is that they are hard to remember - so how do you keep track of them? A plaintext file on your computer may be tempting but is an awfully bad idea, since a list of sites and passwords is like crack to someone wanting to hack into your accounts. A series of index cards next to the computer is only a slight improvement. A practice I once used for this model was maintaining a PGP-encrypted file with my passwords on my computer. I could transfer this file or post it to the web with relative confidence that no one would crack it, since a 4096-bit PGP key is hard to compromise. The drawbacks are that PGP is hard to use, making this unsuitable for everyday consumption, and that in time you may lose your secret key (or forget its passphrase). Then you’re up a certain creek without a paddle.
  • An md5 hashed key - this is the strategy I use now. It is fairly secure and incredibly convenient. I copied the implementation from Nic Wolff’s site and host it personally (since you really don’t want to trust some random site with your master password, it’s a good idea to get your own copy). This basically executes the following calculation: SitePassword = MD5Function(MasterPassword, SiteName). This produces a non-word alphanumeric password for SiteName based on your MasterPassword. There are still a bunch of problems with this approach. If MasterPassword is cracked, all the generated passwords are retrievable. The generated password from this utility is fixed (not variable) length and alphanumeric (without symbols); both dramatically reduce the number of possible passwords. And while md5 is one-way (if you learned my yahoo password were 1234abcd, you could not directly invert it to get MasterPassword), anyone who has one generated password and knows the site name can test guesses at MasterPassword offline at MD5 speed, so a weak master password is the weak link of the whole scheme. On the plus side the passwords are unique, and adding a new password for YetAnotherSiteThatMakesYouRegister.com is no harder than remembering the site name. Also if you install the browser toolbar shortcut, everyone using your computer has easy access to their own personal passwords. It’s also easy to set up a second, shared MasterPassword2 that you use for common account sites (Tanya and I use the same Netflix account). And if you are at some foreign computer you can always access the hashing function remotely and get your site passwords (though typing your master password into a machine you don’t control puts every derived password at risk if that machine is logging keystrokes).
  • Software - There are also a ton of commercial software packages available that basically just add a layer on top of “keep my password list on my computer”. I personally think these are all bogus, since there are free implementations that do the same thing, and there’s no reason you should trust commercial software more than understanding your strategy, its problems, and executing it faithfully.
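As an added example (not code from this post, and not Nic Wolff’s generator, whose exact concatenation and output encoding the post does not give), here is the md5 strategy written out in Python next to the offline guessing attack it leaves open, plus a hardened variant that derives the site password with PBKDF2 so each master-password guess costs many hashes instead of one and the output includes symbols. The master password, site names and wordlist are constructed sample values; “MD5 over master followed by site, first 8 hex characters” is an assumption made for the illustration, and the PBKDF2 variant is my own substitution, not part of the tool the post describes.

```python
import hashlib
import hmac
import string

# Constructed sample values for the demo (hypothetical, not from the post).
MASTER = "correct horse"
SITE = "yahoo.com"
WORDLIST = ["password", "mypassword", "letmein", "correct horse", "qwerty"]


def md5_site_password(master: str, site: str, length: int = 8) -> str:
    """The post's scheme as assumed here: one MD5 over master + site name,
    truncated to a fixed-length lowercase hex string (alphanumeric, no symbols).
    The real generator's concatenation/encoding is not given on the page."""
    digest = hashlib.md5((master + site).encode("utf-8")).hexdigest()
    return digest[:length]


def recover_master(site: str, leaked: str, candidates, length: int = 8):
    """Why 'md5 is one-way' is not enough on its own: anyone holding ONE
    generated password and the site name can test master-password guesses
    offline, one MD5 each. Returns the first candidate that reproduces the
    leaked site password, or None if the wordlist misses."""
    for guess in candidates:
        if hmac.compare_digest(md5_site_password(guess, site, length), leaked):
            return guess
    return None


# Exactly 64 symbols so that (byte % 64) is unbiased; adds two non-alphanumerics.
ALPHABET = string.ascii_letters + string.digits + "!@"
assert len(ALPHABET) == 64


def kdf_site_password(master: str, site: str, length: int = 16,
                      iterations: int = 200_000) -> str:
    """Hardened variant (added here, not the post's tool): PBKDF2-HMAC-SHA256
    keyed by the master password with the site name as salt. Still
    deterministic per site, but each guess at the master now costs
    `iterations` HMAC computations, and the output uses a 64-symbol alphabet."""
    dk = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                             site.encode("utf-8"), iterations, dklen=length)
    return "".join(ALPHABET[b % 64] for b in dk)


if __name__ == "__main__":
    leaked = md5_site_password(MASTER, SITE)
    print("md5 site password for", SITE, "=", leaked)
    # The attacker only needs the leaked value and the site name:
    print("master recovered from wordlist:", recover_master(SITE, leaked, WORDLIST))
    print("pbkdf2 site password for", SITE, "=", kdf_site_password(MASTER, SITE))
```

The recover_master call is the point: because the site name is public and the derivation is cheap, a leaked site password is effectively a password hash of the master, and a master drawn from common phrases falls to a wordlist in moments. Raising the per-guess cost (the PBKDF2 variant) and picking a long, random master are the two levers that actually help; unique-per-site output does nothing for the master itself.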

In a related problem space, there is an interesting site named bugmenot which helps you bypass mandatory registration for sites where you really shouldn’t need to register. Anybody have other interesting approaches to this area?

Comments

Manscaping Tip #16

Do not forget the clipper attachment.

Comments (2)

Racking day

Last weekend Eva and Steve came by and helped me and Tanya start
brewing our first batch of beer! It was really a lot of fun and took
much longer than I expected, but the yeast just slowed down yesterday
in the fermenting tub and we just transferred it to the carboy. We’re
about 2 weeks or so from bottling day and another two weeks away from
48 bottles of what will surely be a Scottish ale if everything goes
according to plan. Or I’m four weeks away from 5 gallons of the worst
piss imaginable. It’s kind of like collecting baseball cards - you
know approximately what’s in the package but you’ve got to lay down
some money and wait until unwrapping the package to see what you’ve
got. Anyway - after you finish brewing, “racking” is the process of
moving the beer between fermenting containers (in this case, from the
6 gallon plastic fermenting tub to a 5 gallon glass carboy).

If you’re interested in homebrewing in Seattle - so far my limited
experience with Bob’s Homebrew Supply in Ravenna
(http://lostinseattle.com/LIS/specialtygoods/bobshomebrewsupply.html)
has been great. He helped me assemble
my starter kit, was kind enough to give me another grommet for the
fermenting tub since mine seemed to disappear, and gave me advice over
the phone on brew day when Paul (who is sure to be my normal
brewmaster) was unavailable.

Comments

Keyboard remapping

I don’t know why this is so but it’s endemic amongst laptop makers
that they redefine keyboard layouts in completely bogus ways. I just
got an M4 tablet for work and its default bottom row key ordering
goes: (correct) (stupid)
(unacceptable) <`~> (unacceptable) (correct).
Then the Windows key is hidden up on the upper right area of the
keyboard. Why, Toshiba, why?

  • Why do you put so close to the crucial keys every
    computer user has to use? Why don’t you bury it up in some remote
    corner? I will naturally look for when I need it (since it
    is a non-standard key), so leave my standard key layout alone.
  • Why did you move away from ? They are
    close friends who do not want to be separated.
  • If you can’t put <`~> in the upper left corner, where it
    belongs, does Occam’s razor not dictate that the preferable solution
    would be “move it to the upper right corner” - not “move it down next
    to the spacebar and move the Windows key up to the upper right
    corner”?

It seems like the challenges to laying out a laptop keyboard are to
shuffle some keys (because of the smaller form factor) and to
introduce the key somewhere (because it is
non-standard). But hardware manufacturers reliably complicate matters
by moving other things around that make no sense to move.

Fortunately you can hack the registry to fix the scancodes or use
KeyTweak (http://webpages.charter.net/krumsick/), which is
considerably easier, to remap your layout. I now have my left
and keys where I want them, <`~> out
of my way, and and swapped like I like. But
I wish I didn’t have to go through the bother.

Comments

linux wifi, good news and bad news

so i’m finishing getting this computer set up with fedora core 4 that i want to use for some mit open courseware classes and have successfully got the OS rolling but am having trouble with the wireless networking.

i had a belkin fd5001 pci wifi card that i was happy with for a while but it’s unsupported. unfortunate but oh well, that’s life. the complications come with my d-link dwl-g120 usb 802.11g adapter. i had stopped using this card a while ago because it was really flaky in windows. it worked for a while but eventually it would get into a state where it would associate with my access point and then couldn’t maintain the connection for more than about two minutes. it would then stay disconnected until a reboot or until i removed the connection settings and reassociated (reentered the wep key and everything). but it’s supposed to work in linux and i love a challenge.

first, there are supposed to be some native (read: reverse-engineered) drivers but the project page for that was down, so my further research led me to ndiswrapper - a wrapper rumored to allow networking devices in linux to use windows drivers. this is supposed to work somehow but in my experience it just wasted a couple hours of my time.

so i smartly gave up and decided i’d just go buy an adapter that is clearly supported and use that. i didn’t start researching that device until yesterday though and by that time, prism54.org (the project page for the drivers for my d-link card) was back up. and it turns out that “what 802.11g card can i buy that will work in linux?” is a harder question to ask the web than you would expect or like. “what chipsets are supported in linux?” is answered all over the place and it’s not incredibly hard to go from there to “what cards have this chipset?” but that’s a completely backwards approach to consumer oriented software and one of the chief reasons that linux is no real immediate threat to windows in that market at all.

anyway it feels like the end of the tunnel is in sight - even if that light is just a lantern leading down the next shaft.

Comments

seward park winter show

tonight is the winter show at the seward park clay studio - doors open at 6:30, free cups to the first 50 people with a $10 donation. this is the studio where tanya does all her pottery and all the shows i have attended have had a really great variety of art that ranges from accessible to beautiful to “dear god get this person a therapist.” it has always been time well spent - if you don’t have plans tonight you should swing by!

Comments
