Archive for March, 2013

Passwords

Constant bane of our computing life, but here are some resources:

Update (25 June 2017): Comparitech added.

A little commentary …

Security of a password when it comes to brute force hacking of passwords depends very much on the number of characters used in the password, since the number of combinations to be tried increases exponentially (well, not precisely exponentially in pure mathematical terms, but you know what I mean from a layman’s perspective. The maths would bore you) as more characters are added.

The common rules applied to make a password 8 characters (or at least more than 6) with at least one upper case, one digit and one special character are well and good, but really are not super-effective against a concerted hack, especially if one uses a “standard” type of password. What do I mean by a “standard” type of password? Well, in many instances, people use a word, with a capital as the first letter, then a special character (sometimes optional) then 1 or 2 digits at the end. The whole string is only 8 to 10 characters in length maximum. Knowing this type of behaviour, a hacker will apply some heuristics in their crack-search, to vastly reduce the amount of time to crack the password.

Thus, the first site above suggests that a 6 character only password with 1 capital letter could be cracked in 2 seconds and a 2 digit number could be cracked in 10 nanoseconds. If you had an 8 character password with 6 letters beginning with 1 capital and then 2 digits at the end, the site suggests it would take 6 hours to crack it (brute force approach), whereas cracking each independently and then trying all combinations of the two sets being brute-forced independently as one went would theoretically only take 20 seconds (hopefully my maths is correct).

Say adding the extra complexity of a special character just before the 2 digits would add an extra 2 nanoseconds for the special character and take 40 seconds for the whole lot to be cracked.

The same would apply if one turned the digits and special characters around (digits first, then special character then letters).

Furthermore, using a word search through a known dictionary even further reduces the number of permutations to search and the time to crack (very substantially).

The following snippet from a Wikipedia article on the subject is very informative:

Human-generated passwords

People are notoriously poor at achieving sufficient entropy to produce satisfactory passwords. According to one study involving half a million users, the average password entropy was estimated at 40.54 bits.[8] Some stage magicians exploit this inability for amusement, in a minor way, by divining supposed random choices (of numbers, say) made by audience members.

Thus, in one analysis of over 3 million eight-character passwords, the letter “e” was used over 1.5 million times, while the letter “f” was used only 250,000 times. A uniform distribution would have had each character being used about 900,000 times. The most common number used is “1”, whereas the most common letters are a, e, o, and r.[9]

Users rarely make full use of larger character sets in forming passwords. For example, hacking results obtained from a MySpace phishing scheme in 2006 revealed 34,000 passwords, of which only 8.3% used mixed case, numbers, and symbols.[10]

The full strength associated with using the entire ASCII character set (numerals, mixed case letters and special characters) is only achieved if each possible password is equally likely. This seems to suggest that all passwords must contain characters from each of several character classes, perhaps upper and lower case letters, numbers, and non-alphanumeric characters. In fact, such a requirement is a pattern in password choice and can be expected to reduce an attacker’s “work factor” (in Claude Shannon’s terms). This is a reduction in password “strength”. A better requirement would be to require a password NOT to contain any word in an online dictionary, or list of names, or any license plate pattern from any state (in the US) or country (as in the EU). In fact if patterned choices are required, humans are likely to use them in predictable ways, such a capitalizing a letter, adding one or two numbers, and a special character. If the numbers and special character are added in predictable ways, say at the beginning and end of the password,[11] they could even lower password strength compared to an all-letter, randomly selected, password of the same length.

The take-away: read all the Wikipedia articles on passwords and cracking etc, and follow the latest advice. At the moment, it appears to be to use a longer phrase (the more characters the better) and insert special characters and digits in random places in the phrase, if possible (not just at the front and the end).

 

No Comments

Mental Practice Makes Perfect

PsyBlog – http://www.spring.org.uk/2013/03/mental-practice-makes-perfect.php


Surgeons do it. Tennis players do it. But do the rest of us undervalue the mental rehearsal of challenging activities?

If you were to undergo brain surgery, would you care if the surgeon regularly carried out mental practice of the operation? Or, would you only be interested in the physical practice?

(By mental practice I don’t mean getting ‘psyched up’ or making plans or getting in the right frame of mind; I mean mentally running through the physical movements required for the operation.)

Quite naturally you’d probably be much more interested in how often the surgeon had carried out the operation in real life, rather than in his imagination.

But should you be? What is the value of mental practice, not just in surgery, but in life in general? How much benefit is there to mental rehearsal and do we undervalue the power of mental practice?

Rehearsal

For neurosurgery specifically there is no study looking at what difference mental practice can make (although some surgeons do carry out this sort of rehearsal). But we do know that for basic surgical techniques, mental practice can benefit performance.

One study by Sanders et al. (2008) was carried out on medical students. On top of their usual training—which included physical practice—half were trained in mental imagery techniques, while the other half studied their textbooks.

When the students carried out live surgery, those who’d used mental imagery performed better, on average, than those assigned the book learning.

Another study looking at laparoscopic surgery has also shown benefits for mental practice for novice surgeons (Arora et al., 2011).

Away from the operating theatre, the main way we’re used to hearing about mental rehearsal is in sports. Whether it’s an amateur tennis player or Roger Federer, sports-people often talk about how mental rehearsal improves their performance.

My favourite example is the British Formula 1 driver, Jenson Button. In practice he sits on an inflatable gym ball, with a steering wheel in his hands, shuts his eyes, and drives a lap of the circuit, all the while tapping out the gear changes. He does this in close to real time so that when he opens his eyes he’s not far off his actual lap time.

Powerful pinkies

The reason that sports-people, surgeons and many others are interested in the benefits of mental practice is that they can be so dramatic, plus they are effectively free.

Here’s a great example from a simple study in which some participants trained up a muscle in their little fingers using just the power of mental practice (Ranganathan et al., 2004). In the study participants were split into four groups:

  1. These people performed ‘mental contractions’ of their little finger. In other words, they imagined exercising their pinkies.
  2. Same as (1), but they performed mental contractions on their elbows, not their little fingers.
  3. Did no training at all.
  4. Carried out physical training on their little finger.

They all practised (or not) in the various different ways for four weeks. Afterwards, the muscle strength in their fingers and elbows was tested. Unsurprisingly those who’d done nothing hadn’t improved, while those who’d trained physically improved their muscle strength by an average of 53%.

The two mental practice groups couldn’t beat physical training, but they still did surprisingly well. Those imagining flexing their elbow increased their strength by 13.5% and those imagining flexing their little finger increased their strength by 35%. That’s surprisingly close to the 53% from physical training; I bet you wouldn’t have expected it to be that close.

Thinking practice

This is just strength training, but as we’ve seen there’s evidence that mental rehearsal of skills also produces benefits. Examples include mentally practising a music instrument, during rehabilitation from brain injuries and so on; the studies are starting to mount up.

Indeed some of these have shown that mental practice seems to work best for tasks that involve cognitive elements, in other words that aren’t just about physical actions (Driskell et al., 1994).

So it’s about more than mentally rehearsing your cross-court forehand. Rehearsal could also be useful for a job interview or important meeting; not just in what you’ll say but how you’ll talk, carry yourself and interact with others. Mental rehearsal could also be useful in how you deal with your children, or make a difficult phone call or how you’ll accomplish the most challenging parts of your job.

Notice the type of mental imagery I’m talking about here. It’s not so much about visualising ultimate success, with all its attendant pitfalls, but about visualising the process. What works is thinking through the steps that are involved and, with motor skills, the exact actions that you will perform.

To be effective, though, mental practice has to be like real practice: it should be systematic and as close to reality as you can make it. Just daydreaming won’t work. So if you make a mistake, you should work out why and mentally correct it. You should also make the practice as vivid as possible by tuning in to the sensory experience: what you can see, hear, feel and even smell, whatever is important.

If it can work for surgeons, elite athletes and little-finger-muscle-builders, then it can work for all of us.

Image credit: Adam Rhoades

 

 

No Comments