Just Lofenyy Thingshttps://fediverse.blog/~/JustLofenyyThings@plume.mastodon.host/atom.xml2019-08-01T03:30:48.143574+00:00<![CDATA[Good passwords]]>https://plume.mastodon.host/~/JustLofenyyThings/the-big-password-guideline/2019-08-01T03:30:48.143574+00:00Lofenyyhttps://plume.mastodon.host/@/trashaggregate/2019-08-01T03:30:48.143574+00:00<![CDATA[<h2>Preface</h2>
<p>I've just got a brand new cellphone. The first thing I do is factory reset the device, because it came with the setup steps already finished, not to my liking. All goes well, with me refusing as many things as I can while still being able to actually use the phone, until I get to the "protection" page. Facial recognition and fingerprint scanning. Eww. I, of course, choose to go with password protection. The phone greets me by saying that the password must contain at least four characters, and must have at least one letter. Having done this before, I start rapidly pressing the 'h' key, to discover that the phone does, in fact, have a secret upper limit of 16 characters.</p>
<h2>The Fundamentals</h2>
<p>So, we have an upper limit of 16 characters and a lower limit of 4, and we're required to use one of those characters as a letter. I can express this as:</p>
<p>16 >= X >= 4, 1 letter</p>
<p>This doesn't say a whole lot just yet. So, I counted up all the characters on the keyboard, tested them and luckily, they all seem to be valid for passwords. I counted 92 characters as part of the charset. Let's think about the basics of statistics.</p>
<h3>Bits of Data</h3>
<p>When rolling a die, it may land on any of its 6 sides. If I roll two, they individually may land on any of their six sides, but there are a total of 36 different combinations they make up. Notice how the fractions multiply together. The numerators both multiply to make the new numerator and the two denominators multiply together to make the new denominator.</p>
<p>(1/6) * (1/6) = 1/36</p>
<p>The reciprocal of each fraction gives us the total number of possibilities for each event. If I wanted to calculate the total number of combinations possible for my password, I could express it as such:</p>
<p>(92^15)*26</p>
<p>15 of the characters can be any of the 92 in the charset, but one of the chars must be a letter. The result is quite a huge number, and while we may assume that this must allow us to have all sorts of great passwords, we should take a step back and put that huge number in a form that we can understand:</p>
<p>ln( (92^15)*26 )/ln(2) ~= 102.6</p>
<p>The number we get from the equation above is the X for which 2^X gives the same number of combinations. So what I'm trying to say is:</p>
<p>(92^15)*26 ~= 2^102.6</p>
<p>By measuring possibilities in terms of X, we can actually try to wrap our heads around what those big numbers mean. By doing this, we're measuring possibilities as bits of data, bits meaning binary digits. The thing is, every time we increase our number of bits by one, we multiply the total number of possibilities by two. This means that adding one bit when we had few bits to begin with changes the total number of possibilities only a little, but adding one bit when we already have a lot of bits can make a substantial jump in possibilities.</p>
<h3>Bits of entropy</h3>
<p>Now, you may have thought about the security of using the password "password". If our charset contains only letters, you may think that because it takes 37.6 bits to store that data, it must be a decent password. This is false, because we don't measure password security in bits of data; we measure it in bits of entropy. Let me explain: bits of entropy are a measurement of randomness, and randomness is defined by its unpredictability. Sadly, humans are hardly random, and "password" is one of the most commonly used passwords.</p>
<h3>The Real World</h3>
<p>We know how to measure password security, but how secure should a password be? For that, we have to look at our given situation. I'm picking a password for a dumb cell phone, but I want to pick one that won't be breakable for as long as I have it, which will be about three years until I get a new one. Of course, I'll still have this one, but if I get a different phone as a daily driver in the future, I'll wipe my current one and try to port an alternative OS to it, like one of the Android clones or PostmarketOS. So, how do you pick a password that's going to last? Especially against an entity who would do anything for your password? For that, we must look towards the real world, and fantasize. The biggest computing entity that performs the most cryptographic operations per second known to any layperson is the blockchain. Let's imagine they're out to get us. Using information from blockchainstats.org, as of June 2019:</p>
<p>Hash rate: 64,456,566,031.52 GH/s
Revenue: 25,391,962.28 USD
(last 24hrs of mining)</p>
<p>This says a lot. Let's pretend that the blockchain has our phone, has made as many duplicates as it likes, and the hash rate is equal to the number of tries it can attempt in a period of time:</p>
<p>64,456,566,031.52 * 10^9 = 6.445656603152 * 10^19 c/s
189216000s (2 statistic const * 3 years * 365d/y * 24h/d * 60m/h * 60s/m)
6.445656603152 * 10^19 c/s * 189216000s = possibilities we want, X</p>
<p>ln(X)/ln(2) ~= 93.3 ideal bits of entropy.</p>
<p>The 2 in the statistical constant is there because, say, if you're searching through a deck of cards for the ace of spades, and the ace could be anywhere in that deck, it'll take you on average half the time it could take you to search the entire deck until the end. Doubling the length of time ensures that the average amount of time it takes to find the password is how long we want it to take, rather than half.</p>
<h3>What password do we pick?</h3>
<p>Due to the fact that the phone only allows 102.6 bits of entropy, which is enough to fit our 93.3, we won't be able to pick a memorable password. Let's use the X variable from the previous section (2^93.3). Our charset consists of 92 characters, so to know how many characters we need minimum, we do:</p>
<p>ln(X)/ln(92) = 14.3</p>
<p>We round up the result to 15. We need a completely random password, 15 characters in length with either no 16th character or a predictable one. How lame. Consider this a lesson as to why upper limits on password lengths actually harm password security, by limiting not only one's ability to create entropy, but one's ability to create secure passwords that are memorable.</p>
<h3>Creating memorable secure passwords</h3>
<p>Let's pretend that my poor cell phone has no upper limits. I can pick a password of any length I want. Please ignore the cheesy name, but diceware is a nice easy way of doing this. The Electronic Frontier Foundation has published its own diceware lists, which I highly recommend using. First, we calculate how many dice rolls are needed in order to create a secure password.</p>
<p>ln(X)/ln(6) = 36.09</p>
<p>We always round these numbers up to the next integer, so 37 is how many we need. If we're using the long word list (recommended) with five dice rolls per word, that would mean that we need 40 dice rolls total, for 8 words. If using the shorter list with four dice rolls per word, that's still 40 rolls, but making 10 words. Let's generate a sequence using real dice! The advantage is that you don't need to worry about a faulty RNG or a compromised computer. Just make sure that your cell phone or other devices aren't watching:</p>
<p>22536,56615,33442,42434,42264,31641,21253,52134
delirium stubbly hardcover olympics nutshell game cradling reverse</p>
<p>2253,6566,1533,4424,2434,4226,4316,4121,2535,2134
dart wired cedar perm drive mule oil lurch elope cot</p>
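<p>The calculations above, carried through in one place as an added example (not part of the original post). The function names are my own, and the guess rate follows the post's assumption that the June 2019 hash rate equals password guesses per second:</p>

```python
import math
import secrets

def target_bits(guesses_per_second, years, safety_factor=2):
    """Entropy needed so the *average* search lasts `years` at this rate.

    safety_factor=2 is the post's "statistic const": on average a search
    finds the secret after covering half of the space.
    """
    seconds = years * 365 * 24 * 60 * 60
    return math.log2(guesses_per_second * seconds * safety_factor)

def policy_capacity_bits(charset_size, max_len, letters=26):
    """Post's model of the phone policy: one letter plus max_len-1 free chars."""
    return (max_len - 1) * math.log2(charset_size) + math.log2(letters)

def symbols_needed(bits, alphabet_size):
    """Smallest number of uniformly random symbols carrying >= bits."""
    return math.ceil(bits / math.log2(alphabet_size))

def diceware_plan(bits, rolls_per_word):
    """Return (minimum rolls, words, rolls actually made) for whole words."""
    rolls = symbols_needed(bits, 6)
    words = math.ceil(rolls / rolls_per_word)
    return rolls, words, words * rolls_per_word

def passphrase_bits(words, list_size):
    """Entropy of `words` words drawn uniformly and independently."""
    return words * math.log2(list_size)

def roll_words(n_words, rolls_per_word):
    """CSPRNG stand-in for physical dice: keys such as '22536' to look up."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(rolls_per_word))
            for _ in range(n_words)]

if __name__ == "__main__":
    need = target_bits(64_456_566_031.52e9, years=3)   # figures from the post
    have = policy_capacity_bits(92, 16)
    print(f"target {need:.1f} bits, phone policy allows {have:.1f} bits")
    print("random chars needed from 92:", symbols_needed(need, 92))
    for per_word, size in ((5, 6**5), (4, 6**4)):       # long / short list
        rolls, words, made = diceware_plan(need, per_word)
        print(f"{per_word} rolls/word: {words} words, {made} rolls,"
              f" {passphrase_bits(words, size):.1f} bits")
    print(roll_words(8, 5))
```

<p>Because whole words are rolled, both lists end up at 40 rolls, which is about 103.4 bits rather than the 93.3 asked for.</p>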
<h3>Final notes</h3>
<p>Please don't copy the above passwords and use them yourself. If someone knows you've read this, they might know to try the above passwords first.</p>
<ul>
<li>https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases</li>
</ul>
]]><![CDATA[FreeCiv Game Review]]>https://plume.mastodon.host/~/JustLofenyyThings/free-civ-game-review/2019-06-28T14:17:43.857911+00:00Lofenyyhttps://plume.mastodon.host/@/trashaggregate/2019-06-28T14:17:43.857911+00:00<![CDATA[<p>I haven't had the luxury of playing the original Civ games, but if they're anything like this, they're probably amazing. The game is very simple. You start out with an isometric view of the world, and a few units. It resembles playing a board game. You start by creating your first city. After that, the game really is all up to you. You advance through different stages of technology, build relationships (good and bad) with your neighboring countries, explore the world and go to war. The ways to win, from what I can tell, are either eliminating all your enemies or being the first nation to make it to outer space. The course of action that leads to those outcomes is entirely up to you.</p>
<p>I love FreeCiv. It's a huge time sink. This game can appeal to anyone that doesn't heavily dislike strategy games. It's interesting, because I myself am not a fan of strategy games. I tend to find that they're too repetitive or that certain aspects of those games require a lot of mental strain. It just gets boring after a while. While I love FreeCiv, if I set the difficulty too high, I get bored.</p>
<p>It unfortunately has a huge learning curve that really throws off new players when trying out any Civ-like game for the first time. It's what snagged me, initially. The best possible way to play this game as a beginner is to set it to the easiest of difficulties, and play through the game. Read the wiki articles to learn new things and upgrade your civilization to be the best it can be. When the handicapped enemies show up to invade, they won't be so bad. When I usually play, I set all the nations to handicapped, and then I either build a perfect civilization that's free of defects, or I invade all the others. This is how it keeps my attention.</p>
<p>Speaking of keeping my attention, if I play in a way that appeals to me, hours seem to disappear in minutes. If you have any deadlines coming up, or you need to get stuff done, I'd advise not playing this game. It's extremely addictive.</p>
<p>Also, if you're very competitive and love strategy games, it has an online mode.</p>
<p>tl;dr:</p>
<ul>
<li>7/10</li>
<li>High learning curve</li>
<li>Makes time disappear</li>
<li>Violate your handicapped neighbors' personal bubbles</li>
<li>Their website should start using HTTPS instead of HTTP...</li>
<li>Their GitHub repository for their website should have licensing info</li>
</ul>
]]><![CDATA[The Great X/10 Rating Chart]]>https://plume.mastodon.host/~/JustLofenyyThings/the-x-10-rating-chart/2019-06-28T13:58:08.811873+00:00Lofenyyhttps://plume.mastodon.host/@/trashaggregate/2019-06-28T13:58:08.811873+00:00<![CDATA[<ol start="0">
<li>
<p>If this was a rating of how bad something is, this would be a 10. Think of The Star Wars Holiday Special.</p>
</li>
<li>
<p>Awful. It has some elements which may appeal to someone with some very unique traits. Think of Windows Vista.</p>
</li>
<li>
<p>Bad. I don't like it though some do. Think of black licorice.</p>
</li>
<li>
<p>It's not bad, but could certainly be better. Think of how well the original Pokemon games were programmed.</p>
</li>
<li>
<p>Nothing special, yet somehow subpar. Think of unsalted regular potato chips.</p>
</li>
<li>
<p>Nothing special. Not bad. Good enough. Think of water.</p>
</li>
<li>
<p>Nothing special, pretty alright. Think of salted potato chips.</p>
</li>
<li>
<p>It's not totally wonderful, but it's definitely something. Think of dill pickle potato chips.</p>
</li>
<li>
<p>Wonderful. This really appeals to me though some may not like it. Think of Skyrim.</p>
</li>
<li>
<p>Excellent. If someone doesn't like it, I don't know why. Think of Grand Theft Auto: San Andreas.</p>
</li>
<li>
<p>It's perfect. I have no criticisms and am likely very biased. Think of GNU/Linux.</p>
</li>
</ol>
]]>