Tuesday, August 27, 2013

Password considerations

A student forwarded me this article: http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/

I have long wondered why there is so much confusion over choosing strong passwords. I mean, I don't always do it, but it's not that difficult to figure out. First of all, I never use ridiculous garbage passwords such as "aJKEA43%@#5289sl2" that people like to use. This just means there is a book somewhere full of passwords that has to be accessible to various people.

Passwords are made of tokens. These tokens are usually thought of as characters: letters of the alphabet, numbers, etc. The strength of a password is usually thought of in terms of its length and the number of tokens possible at each position. The length makes a lot more difference, so if your passwords consist of between 6 and 10 tokens and each token can be one of 100 characters (a-z, A-Z, 0-9, !@#$^&*()_+, etc.), then the number of possible passwords in that range is 100^10 - 100^5.

However, if you use dictionary words such as "wooden", each word will count as only a single token and not the 6 you intend. This is because smart cracking programs will not try everything, such as "..., woodel, woodem, wooden", but will use dictionaries instead. By using dictionaries, attackers increase the number of possible tokens at each position significantly, but reduce the effective length of the password. So if your password is two words long ("woodenhorse", for instance), and there are 50,000 common words in the English language, it will take at most 50,000^2 guesses. That is not many for a computer.
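As an added illustration of the token argument above (not code from the original post), this Python estimator splits a password into the cheapest mix of dictionary words and single characters and multiplies out the worst-case guess count. It uses the post's figures of 100 characters and 50,000 words; the word list `SAMPLE_WORDS` and the function names are constructed for this example.

```python
# Added example: worst-case guess counts under the post's token model.
CHARSET_SIZE = 100         # characters possible per position (post's figure)
DICTIONARY_SIZE = 50_000   # common English words (post's figure)

# Constructed stand-in for a cracker's word list, not a real dictionary.
SAMPLE_WORDS = frozenset(
    {"wood", "wooden", "horse", "magic", "car", "pet", "carpet", "ride"}
)


def token_cost(piece, words):
    """Guesses needed to cover one token, or None if it is not a valid token."""
    if len(piece) == 1:
        return CHARSET_SIZE          # any single character
    if piece in words:
        return DICTIONARY_SIZE       # a whole dictionary word is one token
    return None


def estimate(password, words=SAMPLE_WORDS):
    """Return (tokens, guesses) for the cheapest way to tokenize the password.

    Dynamic programming over prefixes: best[i] holds the lowest guess count
    that covers password[:i] and the token list that achieves it.
    """
    best = [(1, [])] + [None] * len(password)
    for end in range(1, len(password) + 1):
        for start in range(end):
            piece = password[start:end]
            cost = token_cost(piece, words)
            if cost is None:
                continue
            total = best[start][0] * cost
            if best[end] is None or total < best[end][0]:
                best[end] = (total, best[start][1] + [piece])
    guesses, tokens = best[-1]
    return tokens, guesses


if __name__ == "__main__":
    for pw in ("woodenhorse", "magiccarpetride", "aJKEA43%@#5289sl2"):
        tokens, guesses = estimate(pw)
        brute = CHARSET_SIZE ** len(pw)   # character-by-character search
        print(f"{pw!r}: {len(tokens)} tokens, {guesses:.2e} dictionary-aware "
              f"guesses vs {brute:.2e} character guesses")
```

The gap between the two printed figures for "woodenhorse" is the point of the paragraph: counted by characters it looks like an 11-token password, but a dictionary-aware search treats it as two.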

Good passphrases

If you simply pin together words, each word becomes a token, and as this practice becomes more common, it's no safer than short random passwords. But this can be beefed up significantly by simply throwing in some entropy. For instance, if you have a space between two words, now your two words have to be tested both with and without a space. If you have two spaces, that has to be tested as well. If you use percent signs instead of spaces, again the password gets less likely to be guessed.

So basically you can make simple passphrases that are not simple to crack if you understand how password crackers think.

Instead of "magiccarpetride" (3 tokens), use intentional misspellings, channel your inner dyslexia, add extra characters, etc.
"magiccarpetride" -> "jamic. .KRPT. .ride"
Magic becomes jamic, words end with a period and begin with a period except on the ends, and KRPT is carpet with no vowels and in upper case. This is still using tricks that could be tried by a computer, but there are so many possible variations of these types of tricks that it quickly becomes untenable to crack passwords by trying all possible combinations of them. For instance:
"magiccarpetride" -> "maAgi ccaArpe triIde  "
In this one, double the first vowel in each word (lower case, then upper case), alternate the spacing (2 spaces, then one space), and move the space from the end of the previous word to the beginning of the next.

The variations are infinite: replace the first letter of each word with xz, remove the last letter, use no spaces but add them all at the end or the beginning, and yes, even use numbers for letters or vice versa. These things all add to the complexity, but simply exchanging letters/numbers or putting 1 at the end is not enough.

Thursday, August 15, 2013

Making Thunderbird use Chrome for opening URLs

I've had to look this up twice now, so time to post it here.

Thunderbird will use Firefox to open email links, even if Chrome is your default. The solution is to go into Preferences->Attachments and change the browser used for links; however, this option may or may not be present. If not, you have to go into ~/.thunderbird/<whatever profile name>/ and replace the mimeTypes.rdf with the one from the link above.

After this, start Firefox, and the options should now exist in Preferences->Attachments.

Wednesday, August 14, 2013

Stashing code with GIT

Pretty cool, I didn't know what stash was, but "git help stash" showed this example:

You can use git stash to simplify the above, like this:

# ... hack hack hack ...
$ git stash
$ edit emergency fix
$ git commit -a -m "Fix in a hurry"
$ git stash pop
# ... continue hacking ...
(note: This example is plagiarized)

Tuesday, August 13, 2013

Managing SSH keys

I found a GREAT post on dealing with multiple SSH keys. This makes it much easier to securely use multiple keys so a compromised system doesn't compromise multiple servers.
In essence, you create a "config" file in .ssh and tell SSH what private key to use based on the name of the host you are SSHing to. You can also specify user and port. I also found you can specify multiple hosts as "Host abc or xyz"

~/.ssh/config
Host *.home.lan
  IdentityFile ~/.ssh/id_dsa.home
  User kbsingh

Host *.vpn
  IdentityFile ~/.ssh/id_rsa.work
  User karanbir
  Port 44787

Host *.d0.karan.org
  IdentityFile ~/.ssh/id_rsa.d0
  User admin
  Port 21871

I added aliases to my /etc/hosts file so I could differentiate between SSH running on multiple ports at the same server (VM Server). Now I can SSH by the alias name from the hosts file and I don't have to specify the port number or user.

Thursday, August 1, 2013

Undeleting files deleted from the shell

I was just finishing about 8 hours of Python programming on a simulation, and I went to delete my output files so I could be sure I regenerated them. I typed the following command:
$ rm * save
Notice that space between the "*" and the word "save"? Yeah, that was not supposed to be there.
So I removed all my source files.

I searched my repository for undelete and found something called "extundelete". I installed it, CTRL+ALT+1'd, logged in as administrator and killed my X session. I then unmounted /home and ran:

$ extundelete /dev/sda7  --restore-directory baloney

baloney is the name of my home folder. And I'll be damned if it didn't recover all but the most recent of my modified files.
The developer is named "N E Case" on SourceForge, thanks N.