The trouble with the password system described below is, what happens if you forget your calculator? That, in fact, is just what I did today and as a result could not enter several of my accounts.
But as I was out driving last night a wunderbar idea hit me. Select a license plate at random and then vary it a bit. The plate is easily remembered but, if not a vanity plate, presents an effectively random string.
In New Jersey, where I've been biding my time of late, the plates are six characters of the form XJG 23P, or, that is, LLLNNL, where L stands for letter and N for numeral.
Just in case an adversary might run all U.S. plates with six characters, we alter the string by adding a number or letter, making one substitution and tossing a coin to decide whether to transpose the two elements above. That is, we might write 23P XKG M or XKG 23P M or, we can place the M as the first or second element.
Even if the adversary discerns the order, as in LLLNNL(L or N), the number of combinations is (26^4 x 100 x 36)/6 = about 274 million. If the order is unknown, the adversary must contend with 36^7 = about 78 billion possibilities.
So, in order to combat identity theft, internet hacking and unwarranted government snooping, we should encourage Americans and indeed everyone to adopt this excellent password technique.
Kryptograff contains Paul Conant's thoughts on scientific and mathematical matters. Conant is a journalist who holds no scientific degrees. This blog was set up after problems at the previous address: http://kryptograff.blogspot.com. Please check there for previous posts.
Sunday, April 6, 2008
Saturday, April 5, 2008
Passwords: the weakest security link
I've been laboring under the delusion that passwords composed of words and numbers are relatively effective. Adding numbers to passphrases was recommended in order to defeat the dictionary search algorithm. But, upon reflection, I thought of a variant algorithm to tease out probable words in passphrases.
It goes like this:
Step 1. Search all words, common names and short phrases of length L, which is the length of the passphrase, if known. Even if not known, the maximum password length normally is known, and L can be set to Lmax
Step 2. If Step 1 fails, begin at character 1 and search all words of length L-1 and check all 10 numerals for the last space.
Step 3. If that fails, do the same for L-2, checking all 100 two-digit numbers for the last two spaces.
If need be, proceed to perhaps L-n = 3 (a three-letter word) and check the number combinations to the right, a not unreasonable computer task for six numerals (a million possibilities).
Then reverse the process, checking numbers of m digits followed by words of length n, where m+n = L.
If need be, check all possibilities such as
xx(dictionary word of length L-5)xxx
That is, we check all 100 numbers followed by all dictionary words followed by all 1000 numbers. Here, the number of possibilities rises to 5 x 1010 or 10 billion, which is a bit much. But, that's estimating 500,000 English words. The set of most common words is perhaps 5,000, yielding 500 million combinations. This may be doable, but still, if you must use a word-number combination in your password: break it up! That is, jack77351 is much more vulnerable that 77jack351. In the former case, there are 50 million possibilities. In the latter, 500 million.
Then there are the very long passphrases, such as those recommended by Hushmail.com. The idea is that, with 47 character keys, and 47n goes way beyond computing power for n > about 10.
However, long passphrases may be susceptible to statistical methods. First, we do a regression analysis to separate the dummies from the words and also to separate the random component(s) from the words. We then run a frequency analysis on the word component(s) and voila!, the remainder follows swiftly.
But who can remember long randomly generated strings, which are the best passwords? Well, what about the next best thing? Pseudorandom strings generated by your pocket scientific calculator (but beware, there are pseudorandom techniques that are no good).
That is, it may be better to remember a specific function or two rather than some phrase.
A shorter Yahoo password:
3.7(7.33/7) yields a decimal extension: 26851482. And we can always toss in some non-numerals, as in: b26851482n
A longer Hushmail password:
7.1(171/7 union 3.5(533/5)
we write as +]6423310989950748'+
A bit of "false" symmetry with the plus signs might slow some kind of numeral hunt.
The numerical symmetries in the functions are meant as memory aides. Yet I doubt they would show up very easily.
It goes like this:
Step 1. Search all words, common names and short phrases of length L, which is the length of the passphrase, if known. Even if not known, the maximum password length normally is known, and L can be set to Lmax
Step 2. If Step 1 fails, begin at character 1 and search all words of length L-1 and check all 10 numerals for the last space.
Step 3. If that fails, do the same for L-2, checking all 100 two-digit numbers for the last two spaces.
If need be, proceed to perhaps L-n = 3 (a three-letter word) and check the number combinations to the right, a not unreasonable computer task for six numerals (a million possibilities).
Then reverse the process, checking numbers of m digits followed by words of length n, where m+n = L.
If need be, check all possibilities such as
xx(dictionary word of length L-5)xxx
That is, we check all 100 numbers followed by all dictionary words followed by all 1000 numbers. Here, the number of possibilities rises to 5 x 1010 or 10 billion, which is a bit much. But, that's estimating 500,000 English words. The set of most common words is perhaps 5,000, yielding 500 million combinations. This may be doable, but still, if you must use a word-number combination in your password: break it up! That is, jack77351 is much more vulnerable that 77jack351. In the former case, there are 50 million possibilities. In the latter, 500 million.
Then there are the very long passphrases, such as those recommended by Hushmail.com. The idea is that, with 47 character keys, and 47n goes way beyond computing power for n > about 10.
However, long passphrases may be susceptible to statistical methods. First, we do a regression analysis to separate the dummies from the words and also to separate the random component(s) from the words. We then run a frequency analysis on the word component(s) and voila!, the remainder follows swiftly.
But who can remember long randomly generated strings, which are the best passwords? Well, what about the next best thing? Pseudorandom strings generated by your pocket scientific calculator (but beware, there are pseudorandom techniques that are no good).
That is, it may be better to remember a specific function or two rather than some phrase.
A shorter Yahoo password:
3.7(7.33/7) yields a decimal extension: 26851482. And we can always toss in some non-numerals, as in: b26851482n
A longer Hushmail password:
7.1(171/7 union 3.5(533/5)
we write as +]6423310989950748'+
A bit of "false" symmetry with the plus signs might slow some kind of numeral hunt.
The numerical symmetries in the functions are meant as memory aides. Yet I doubt they would show up very easily.
Thursday, March 6, 2008
Zeno a go go
The post below generated a lively controversy (see comments).
So now we serve up Zeno deluxe:
Consider a measuring stick. We have the segment from points 0 to 1 -- [0,1] -- which is a finite distance. Nevertheless, we can map the entire set of positive integers plus 0 onto this interval.
Now suppose we have an infinitesimal spaceship able to traverse each infinitesimal distance between n and n+1 at some infinitesimal speed. The ship would move at a finite speed from an infinitesimal perspective but that speed would be infinitely slow from our perspective. That is, an infinitesimal observer at point 1 would have to wait forever for the infinitesimal ship to cover the distance of 1 unit.
Now suppose we argue that Earth now is an infinitesimal object located at point 1. In that case, there could be a 0 point that is infinitely far in the past from our perspective but only finitely far in the past from the perspective of a "higher space."
So now we serve up Zeno deluxe:
Consider a measuring stick. We have the segment from points 0 to 1 -- [0,1] -- which is a finite distance. Nevertheless, we can map the entire set of positive integers plus 0 onto this interval.
Now suppose we have an infinitesimal spaceship able to traverse each infinitesimal distance between n and n+1 at some infinitesimal speed. The ship would move at a finite speed from an infinitesimal perspective but that speed would be infinitely slow from our perspective. That is, an infinitesimal observer at point 1 would have to wait forever for the infinitesimal ship to cover the distance of 1 unit.
Now suppose we argue that Earth now is an infinitesimal object located at point 1. In that case, there could be a 0 point that is infinitely far in the past from our perspective but only finitely far in the past from the perspective of a "higher space."
Monday, March 3, 2008
Zeno was right
It's only in the last few decades that the Big Bang theory has been accepted and the cosmos dated as being on the order of 1010 years old.
Prior to the acceptance of that theory, many scientists held that the cosmos had been around forever, though perhaps the problem of entropy might raise a question about that idea.
But now if we measure time in terms of earth years, and consider that each year can be represented as a member of the set N of whole numbers, and assume that time flows in one direction, then we are left with the paradox that we can't be here. That is, infinity never occurs as a compilation of finite steps.
The only way that we can posit an eternal past is to use our present time as origin and extrapolate backward. But, that scenario doesn't account for the usual idea of our current situation as dictated by the convergence of sequences of mechanical causes. If, say, we think of the earth as it is at 1:55 p.m. EST, March 3, 2008, as represented by the intersection of two (or any number) of waves at that time, then those waves, if we assume they move forward in time, can never have arrived in order to cross. [I'm using the wave analogy as shorthand for sets of causes and effects.]
Similarly, quantum theory vindicates Zeno.
We measure the gravitational potential energy of a swing raised to height y as mgy. But, energy is quantized. This means that we cannot raise the swing to any height between 0 and y, but only to heights which incorporate Planck's constant h. That is, there is not a continuous and infinite number of points to which the swing can be raised but a finite number of points (in the trillions, of course).
So what happens to the swing when it passes from point yn to yn+1? I suppose you would say it makes a quantum jump. It exists momentarily at height yn and would not be defined as moving during this brief time interval. Yet it doesn't move in a classical sense when it rises to yn+1 because it can't exist at a height yn < ym < yn+1.
The puzzle is compounded by the fact that the swing is composed of trillions of quantum particles each subject to quantum uncertainty. I suppose we could take the center of mass of the swing to be what is measured. That would rise only to specified heights and that would be construed as "quantum jumping."
Prior to the acceptance of that theory, many scientists held that the cosmos had been around forever, though perhaps the problem of entropy might raise a question about that idea.
But now if we measure time in terms of earth years, and consider that each year can be represented as a member of the set N of whole numbers, and assume that time flows in one direction, then we are left with the paradox that we can't be here. That is, infinity never occurs as a compilation of finite steps.
The only way that we can posit an eternal past is to use our present time as origin and extrapolate backward. But, that scenario doesn't account for the usual idea of our current situation as dictated by the convergence of sequences of mechanical causes. If, say, we think of the earth as it is at 1:55 p.m. EST, March 3, 2008, as represented by the intersection of two (or any number) of waves at that time, then those waves, if we assume they move forward in time, can never have arrived in order to cross. [I'm using the wave analogy as shorthand for sets of causes and effects.]
Similarly, quantum theory vindicates Zeno.
We measure the gravitational potential energy of a swing raised to height y as mgy. But, energy is quantized. This means that we cannot raise the swing to any height between 0 and y, but only to heights which incorporate Planck's constant h. That is, there is not a continuous and infinite number of points to which the swing can be raised but a finite number of points (in the trillions, of course).
So what happens to the swing when it passes from point yn to yn+1? I suppose you would say it makes a quantum jump. It exists momentarily at height yn and would not be defined as moving during this brief time interval. Yet it doesn't move in a classical sense when it rises to yn+1 because it can't exist at a height yn < ym < yn+1.
The puzzle is compounded by the fact that the swing is composed of trillions of quantum particles each subject to quantum uncertainty. I suppose we could take the center of mass of the swing to be what is measured. That would rise only to specified heights and that would be construed as "quantum jumping."