Blog & White

© Amazon.fr

Dans ce troisième roman du Donjon de Naheulbeuk, les aventuriers acceptent d'escorter l'Elfe, devenue reine de son peuple, vers la forêt de Folonariel. Pendant ce temps, divers villages et tribus sont attaqués par des membres de peuples avec qui ils n'ont normalement pas de problème. Étrangement, aucun de ces peuples ne revendique les attaques. Les humains de Glargh et de Waldorg, généralement ennemis, décident d'organiser un conseil à la tour de Suak pour essayer de comprendre la raison de ces attaques et éviter une guerre en Terre de Fangh. Lors du conseil, on découvre que des sorciers métamorphes ont perpétré les attaques, et qu'ils sont probablement au service de Gzor, qui cherche une fois de plus à semer le chaos, chacune des attaques ayant en fait pour but de récupérer une des sept couronnes magiques qui rendraient son armée invincible. Les sorciers attaquent de conseil, une grande bataille s'ensuit, et le Nain et le Ranger sont fait prisonners par des orcs, alliés des sorciers et de Gzor. Ils sont délivrés par leur camarades et s'enfuient dans un donjon souterrain abandonné, sous les cavernes des orcs. Ils évitent de nombreux pièges et divers monstres peu courants, et tombent par hasard sur Zangdar, dont le plan pour refaire parler de lui est de libérer les monstres dans Glargh via un portail magique. Les aventuriers profitent du portail, et laissent Zangdar se débrouiller avec les monstres. On apprend à la fin que le Nain a volé par hasard une des couronnes magiques aux sorciers de Gzor juste avant de s'enfuir de chez les orcs, l'armée de Gzor ne sera donc pas invincible, mais la guerre contre ce dernier reste cependant inévitable.

“Crystal, Black & Pale malts… Golding, Styrian & Cascade hops… with a further late addition of whole Cascade hops”

Fruity (peach?), sweet, strong beer. Contains barley malt.

Brakspear Brewing Co., Witney, Oxfordshire, England. 6.7% alcohol.

Wikipedia

Andy is going to college in a few days and does not play anymore with his old toys. Woody is the only one he plans to take with him. The toys (including Woody) are by mistake donated to a kindergarden (instead of being put into the attic as Andy planned). Andy manages to escape and ends up being picked by Bonnie, a little girl, while the other toys are savagely handled by kids too small to be able to play with them. They discover that the toys are ruled by Lotso the pink teddybear and a few goons, who assigns the newly donated toys to the smaller kids and keeps the toys prisoner at night so that they wouldn't escape. At Bonnie's place, Woody learns the truth about Lotso and decides to go and free his friends. They neutralize Lotso's goons and prepare to escape through the waste disposal system, but they are caught and end up in the trash bin and taken to the city dump. There they saved in the nick of time from the incinerator and manage to return to Andy's place just before he leaves to college. But Woody writes a not that convices Andy to give all the toys to Bonnie, who really knows how to play with them, the way he himself used to.

Passwords are difficult to generate and to remember, and once you finally know how to type yours quicky, you don't want to change it. That's usually the time when someone is forcing you to change it… Here is a synthesis of what I've found out about how to generate secure passwords.

Entropy as a measure of password strengh

The strength of a password is usually expressed as its entropy, measured in bits. In a nutshell, it expresses the total number of different passwords that can be created (given some construction rules), represented as the base 2 logarithm of that total number. For example, if you know that a password is composed of a single character which may be a letter (uppercase or lowercase), a digit, a white space or a period (which conveniently makes 64 different symbols: 26 lower case letters, plus 26 uppercase letters plus 10 digits plus 2 punctuation symbols), the entropy of that password is 6 bits (because 2⁶ = 64). Non-integer entropy values are valid, so for example a single lowercase letter has an entropy of approximately 4.7 (because 2^4.7 ≈ 26). The addition of one bit of entropy multiplies the total number of different possible passwords by 2; a password made of 2 characters (64 symbols: upper/lowercase letters, digits and 2 punctuation signs) has therefore an entropy of 12 bits and a password made of 8 lowercase letters has an entropy of 37.6 bits.

The human factor

The above entropy measurement is true only if the password is truly randomly generated, and that each symbol has an equal probability of being selected. Humans seem to be rather bad at generating random passwords, and in Special Publication 800-63, the entropy of a human-generated password of length 8 is estimated to have an entropy of 18 bits.

Moreover, if the password is a word from a natural language, the number of possible different passwords is equal to the size of the vocabulary in that language; for English language this is estimated to be between 250,000 words. The entropy of a password made of a single English word is therefore approximately 17.9 bits.

Forcing more entropy

To increase the entropy of human-generated passwords, it is quite common to enforce rules, such as a minimum length, the use of more symbols than just the 26 lowercase letters and forbidding the use of common words. The NIST report above estimates that the additional symbols add 6 bits of entropy and the dictionary check adds 5 bits. An 8 character password following all the rules above is therefore estimated to have an entropy of 30 bits. For comparison, a randonly-generated password of 8 character chosen amongst the most common symbols on a computer keyword (80 symbols) has an entropy of 50.6 bits

Such password become however difficult to remember, especially if you have to memorize several of them and are forced to change them every few months.

And they are still pretty insecure.

Cracking passwords

There are two different methods for cracking a password.

The first method consists in connecting to the service asking for the password, and trying passwords until the right one is found. This method is slow, one can expect to test at most a few dozen of passwords per second (let's say 100 passwords per second). Using the entropy to measure the strength of the attack, that represents 6.6 bits per second, or 23.0 bits/day, or 27.9 bits/month, or 31.5 bits/year.

This gives the following times:

• 18 bits password: at most 45 minutes
• 30 bits password: at most 128 days
• 50.6 bits password: at most 560,000 years

The thing here is that reasonnably secure services will not allow that many trials.

The second method for cracking passwords requires a list of encrypted passwords e.g., stolen from a badly secured service. Depending on the encryption algorithm used with those passwords and the hardware at hand, one can expect an attacker to try between 2,000 and 15,500,000,000 passwords per second (between 11 and 33.8 bits/s) with a standard desktop computer (equipped with a modern GPU).

This gives the following times:

• 18 bits password: at best 128 seconds, at worst a few microseconds
• 30 bits password: at best 6 days, at worst less than a second
• 50.6 bits password: at best 274 years, at worst 32 hours.

How many bits are needed?

The times indicated above represent the maximum time needed for cracking the password. There is a 50% chance of cracking it in half that time, and a 10% chance of cracking it in a tenth of that time.

So if a password needs to be safe for at least 1 year, the time needed for cracking it needs to be at least a year i.e., 33.8 + 24.9 = 58.7 bits (entropy of the number of passwords tested per second plus the “entropy” of the number of seconds per year). There is however a chance that the password will be cracked in less time. Adding 1 bit of entropy will reduce the attacker's chance of finding the password in a given time by half, and adding 10 bits reduces it to 1 chance out of 1024 to crack it in that time. 7 bits would reduce it to 1 chance out of 128, which may be sufficient as well.

How to generate such a password?

A 68.7 bits password means 15 lowercase letters, or 11 common-keyboard-symbols. These have to be selected by a true random process, such as dice rolls, nuclear desintegration or electronic thermal noise. 6-sided dice are easy to come by, and the Diceware method is probably the easiest one for generating secure and easy-to-remember passwords. A rolls of 5 dice allows to select one word in a list of 7,776, providing 12.9 bits of entropy. The strenght of the password therefore depends on the number of words that are selected (by repeatedly rolling 5 dice):

• 1 word: 12.9 bits, cracked in less than a microsecond
• 2 words: 25.8 bits, cracked in less than 4 milliseconds
• 3 words: 38.3 bits, cracked in less than 30 seconds
• 4 words: 51.6 bits, cracked in less than 2 days
• 5 words: 64.5 bits, cracked in less than 55 years
• 6 words: 77.4 bits, cracked in less than 423,000 years
• 7 words: 90.3 bits, cracked in less than 3231 million years

The Diceware method also allows to add a random non-letter symbol to the password, adding about 9.5 bits of entropy for a 20 character password (about 5 words). Therefore a 5-word password with one random symbol can be considered secure for at least a few years.

How long will the password be safe?

Between 2002 and 2011, CPU and GPU computing power has been multiplied by 10 and 100 respectively i.e., +0.37 and +0.74 bits/year regarding password cracking. The rate of growth will probably not remain that high, but if one wants to keep a password for more than a year or two, it should be taken into consideration. For example, if a password must remain safe for the 4 next years, add 3 bits. The 5-word password with one random symbol will therefore be safe for the next 7 years.

One must also consider that computer clusters become affordable, and that a 25-GPU computer has been built exactly for the purpose of cracking passwords. This type of machine adds about 4 bits to capacity of cracking encrypted password (the “second method” above). That makes the 5-word diceware passphrase safe for barely over a year. Finally, cloud computing and parasitic computing using cloud-based browsers may reduce the safety period even further.

Conlcusion

The only truly secure passwords are long and truly random; any other method for generating passwords will lead to easily crackable passwords, and is therefore giving a false sense of security. Long enough passwords need to be changed, but not too often; 3 years is a reasonnable lifetime. The Diceware method allows to generate such password in a simple way.

Finally, memorizing a lot of passwords is difficult and induces people to reuse the same passwords. There is a simple solution to that, promoted by Bruce Schneier: write down your password and keep it in your wallet.

“brewed using only English malts and hops”

Just another ale. Contains malted barley.

Sambrook's Brewery, Battersea, London, England. 4.2% alcohol.

I recently discussed with a friend how to read with a computer the 3-digit numbers from a device using seven-segment displays. One solution we came up with was to put a phototransistor in front of each segment, read the seven on/off signals and recognize the digits. I then wondered if it's possible to use less than seven phototransistors per digit.

A minimum of four segments is obviously required, but after a bit of computer-aided experimentation, I found out that only 5 segments are enough: if you remove the lower and the lower-right segments, you can still identify all ten digits.

So with only 15 inputs instead of 21, you can read the 3 digits, using a 16 bit I/O expander (e.g., a MCP23017; this one even has internal 100 kΩ pull-up resistors, so it may be that nothing else than the phototransistors is needed).

Wikipedia

Fantomas décide d'imposer les très riches (nobles et gangsters) d'un impôt sur le droit de vivre. Lord Edward Mac Rashley, richissime écossais victime de Fantômas, décide de faire appel à Fandor et à Juve pour attirer le gangster et l'arrêter. Fantômas est déjà sur les lieux, fait passer Juve pour fou en lui faisant voir des « fantômes », et prend rapidement la place de Lord Edward, qu'il a éliminé. Les nobles ayant fait cause commune avec les gangsters qui refusent de payer, Fantômas veut profiter d'une chasse à courre pour en enlever quelques uns pour convaincre les autres de payer. Hélène et Fandor découvrent par accident que Lord Edward est en fait Fantômas, et décident de se faire passer pour morts. Pendant ce temps, le faux Lord Edward convainc ses victimes de rassembler une fortune en diamants afin d'attirer Fantômas, avec pour but réel de disparaître avec le magot. Fandor et sa fiancée arrivent sur ces entrefaits, mais Fantômas parvient tout de même à s'échapper avec les diamants.

“spicy, fruit taste”

Just another ale. Contains malted barley.

Sambrook's Brewery, Battersea, London, England. 4.5% alcohol.

© Amazon.fr

Troisième tome des Gardiens de Ji par Pierre Grimbert. Damián parvient enfin à déchiffrer les carnets de son père, et apprend qu'à la disparition du Jal, les âmes des dieux et des démons se sont eparpillées dans le monde, certains se réincarnant dans des enfants nés au moment de la disparition, d'autres étant réincarnés en adultes simples d'esprit. Ayant appris d'Usul que leurs parents sont au Jal, les héritiers décident de partir à la recherche de la dernière porte connue, dans la Tour Profonde de Romin. Ils y affrontent la gardienne de la porte, qui leur propose de les laisser passer si en échangent ils acceptent de tuer son frère, Nol l'Étrange. Les héritiers refusent, passent en force et se retrouvent en Arkarie. Damián fait l'hypothèse que les Éthèques, inventeurs du Jal qui vivaient dans les montagnes à l'est de l'Arkarie, auraient placé le Jal au sommet d'une montagne visible depuis leurs villages. Grâce aux pouvoirs de Lorilis qui peut voir les futurs où les héritiers échouent dans leur quête, ils éliminent les endroits où le Jal ne peut pas se trouver, et se rendent dans la région la plus probable. Ils affrontent des démons réincarnés en humains simplets, et finissent par arriver à Dara, où Nol s'étonne de les voir accompagnés de Sombre, qui s'était réincarné en Guederic. On comprent alors pourquoi Maara avait pour mission secrète de tuer ce dernier.