I started this business because my mom was too lazy to roll dice
October 28, 2015 6:55 AM   Subscribe

Mira is a sixth grade student in NYC. In this century's answer to a lemonade stand, she started a business hand-crafting memorable, nearly unbreakable passwords.
posted by Mchelly (64 comments total) 30 users marked this as a favorite
 
I'm changing my passwords all to Correct Horse Battery Staple right now!
posted by xingcat at 7:00 AM on October 28, 2015 [19 favorites]


The passwords are sent by US Postal Mail which cannot be opened by the government without a search warrant.
This whole thing is fucking awesome and anyone who Well actuallys this deserves to have their lunch money stolen from them.
posted by Etrigan at 7:01 AM on October 28, 2015 [65 favorites]


Whenever I have couchsurfers visit, they get either amused or annoyed when I tell them that my router's passphrase is:

This is my router's passphrase.

Good to know I'm not too crazy.
posted by parliboy at 7:14 AM on October 28, 2015 [4 favorites]


After about two weeks of this I suppose we'll read about how she's automated the process. To cut costs. To take some of the strain off her overworked and so achey dice hand. Mostly to make time for more after school soccer
posted by notyou at 7:19 AM on October 28, 2015 [2 favorites]


So if I send this person my email address, name, physical address, and phone number, I can get a password sent to me. You'd have to really trust this kid not to try that password against your email address and every account publicly linked to your identity.

Also, her business model has already been disrupted.
posted by jedicus at 7:22 AM on October 28, 2015 [4 favorites]


She's not dreaming them up -- she's using the Diceware algorithm which provides a good, predictable level of entropy.
posted by paper chromatographologist at 7:31 AM on October 28, 2015 [3 favorites]


After about two weeks of this I suppose we'll read about how she's automated the process.

Or outsource it to a sixth grader in India.
posted by alms at 7:33 AM on October 28, 2015 [2 favorites]


Or how a class of 5th graders in China are undercutting her business on an international scale.
posted by filthy light thief at 7:36 AM on October 28, 2015


She should charge extra to make rhyming passwords.
posted by Cash4Lead at 7:37 AM on October 28, 2015 [1 favorite]


Like anybody ever bought lemonade from a kid because they actually had the most efficiently priced or tastiest lemonade in town.
posted by Sequence at 7:38 AM on October 28, 2015 [35 favorites]


"The passwords are sent by US Postal Mail which cannot be opened by the government without a search warrant."

Just like email!
posted by I-baLL at 7:39 AM on October 28, 2015 [3 favorites]


no less an authority than the XKCD comic
Tempted to make that my passphrase.
posted by ChurchHatesTucker at 7:41 AM on October 28, 2015 [3 favorites]


Smart kid. Monetizing the lazy always worked for game developers.
posted by prepmonkey at 7:41 AM on October 28, 2015 [1 favorite]


I was all set to be snarky about her use of regular ol' dice, but nope, from the diceware faq:
Casino dice are precision made, translucent dice for use in gambling establishments. The added uniformity over toy dice is probably not significant for creating passphrases, but might be important if you want to use dice to directly generate random numbers for statistical purposes. Guy Macon writes:

"This is a bit of overkill for what your web page is about, but I did manage to get some interesting (and useless!) information on dice.

[One gambling site on the 'net once claimed that] to beat the house with crooked dice, you need at least a 0.3167% edge, so I must assume that crooked dice must have at least that much bias. Probably a lot more if the cheater wants to make money before the dice at the table are changed."

According to one serious Casino dice collector, "Dice used in board games are crudely manufactured and always favor the higher numbers (4, 5, and 6) because more material is drilled out of those sides." However the biases are not large enough to have a material effect on the entropy of your password.
Though for $2 a password, it would be fun if she were using some very special dice.
posted by morganw at 7:43 AM on October 28, 2015 [4 favorites]


You know what sucks?

When you go through all this trouble to come up with a complex password and to memorize it and all

...and then the site you use it on ends up on http://plaintextoffenders.com/
posted by I-baLL at 7:46 AM on October 28, 2015 [5 favorites]


Also, while I see problems with the security aspect of this idea, I think that it's great that Mira had an idea, thought it out, then went and made it into a business. She's in sixth grade but she's already getting the right skills down pat. I feel like I should play catch-up.
posted by I-baLL at 7:49 AM on October 28, 2015 [4 favorites]


There's a programming teacher out there who just wrote a new lesson.
This is awesome!
posted by shenkerism at 7:49 AM on October 28, 2015


This is why the oft-cited XKCD scheme for generating passwords -- string together individual words like "correcthorsebatterystaple" -- is no longer good advice. The password crackers are on to this trick.

As I understand his analysis, the XKCD advice just changes the tokens the crackers test from characters to words. The cracking space then becomes (# dictionary words in lower case)^4, which apparently is big, but doable.

So I do continue to use the XKCD technique, but with strings that aren't in any dictionary that I can find, place names, old rpg character names, old addesses, etc..

Mira seems to be thinking the same by adding at least a digit, but it might be nice to see a bit more variety to avoid the weakness Schneier talks about.
posted by bonehead at 7:50 AM on October 28, 2015 [1 favorite]


Hmm, that's a damned good point. I wonder if a solution is to use correcthorsebatterystaple but stick a word that's going to be kinda like a real password in there. Like: correcttest4842horsebatterystaple. Since one word is totally not a dictionary word and is alphanumberic that should make the password virtually impossible to crack (until a site stores it somewhere in plaintext and then that site gets hacked.)
posted by I-baLL at 7:53 AM on October 28, 2015


Or how a class of 5th graders in China are undercutting her business on an international scale.

While she has to compete with artisanal hipsters among people who can actually afford a locally produced quality product.
posted by effbot at 7:54 AM on October 28, 2015 [2 favorites]


Like anybody ever bought lemonade from a kid because they actually had the most efficiently priced or tastiest lemonade in town.

I generally buy lemonade from lemonade stands because I'm out for a walk and it's convenient. Under the circumstances, it is reasonably efficiently priced (given the convenience) and the tastiest beverage on the market (the market being 'my walking route').

Whereas here I can get equivalent passwords faster, cheaper, and more easily from other sources I give her A+ for follow through but a B- for the actual business model.

Since one word is totally not a dictionary word and is alphanumberic that should make the password virtually impossible to crack

Your example added another dictionary word and a number. Including all numbers up to 4 digits just adds 10,000 entries to the dictionary, which is a relatively small increase in dictionary size.
posted by jedicus at 7:58 AM on October 28, 2015 [1 favorite]


Actually, I like the idea of ordering one of these and having it sent to someone else, just as a bit of "high weirdness by mail."
posted by jedicus at 8:00 AM on October 28, 2015 [14 favorites]


After about two weeks of this I suppose we'll read about how she's automated the process. To cut costs. To take some of the strain off her overworked and so achey dice hand. Mostly to make time for more after school soccer

She just needs a machine/robot that rolls dice. Like this one.
posted by Fizz at 8:02 AM on October 28, 2015


Do the members of Camper Van Beethoven use "telephonefreelandslidevictory" as their password?
posted by tallmiddleagedgeek at 8:03 AM on October 28, 2015 [2 favorites]


"Your example added another dictionary word and a number. Including all numbers up to 4 digits just adds 10,000 entries to the dictionary, which is a relatively small increase in dictionary size."

This is why I don't roll my own crypto.
posted by I-baLL at 8:03 AM on October 28, 2015 [2 favorites]


Like anybody ever bought lemonade from a kid because they actually had the most efficiently priced or tastiest lemonade in town.

You underestimate the artisanal flavor contribution of fresh young snot.
posted by srboisvert at 8:27 AM on October 28, 2015


Do the members of Camper Van Beethoven use "telephonefreelandslidevictory" as their password?

Well, not anymore.
posted by Etrigan at 8:31 AM on October 28, 2015 [4 favorites]


Interesting idea from the schneier.com comments, which I adapted for OS X. From the command line do:
echo "somethingRandom website.com" | md5
Which will give you something like:
49c1f016104e8989cab60517524a0062
Unique, strong password for each site (just change the website.com) that you don't have to store.

Downside is, if someone knows/guesses what you're doing it's only as strong as the somethingRandom part and potentially they'll have access to ALL your passwords. Using a subset (e.g., the ten chars after the first "1") may be stronger.
posted by ChurchHatesTucker at 8:40 AM on October 28, 2015 [5 favorites]


At an old job, I made port 22 a tarpit that did nothing but just log all of the user/pw combos attempted on it.

I don't think I still have those logs, but my general impression is you are pretty safe from brute force attacks as long as your login isn't admin/root or something equally stupid.
posted by [expletive deleted] at 8:52 AM on October 28, 2015


The XKCD advice gives you "44 bits of entropy == 2^44 options == 550 years to crack at 1000 guesses/sec".

So for online services that auto-throttle attacks and keep their password files secure, XKCD four word passwords are safe. It doesn't even matter whether you can try a thousand guesses per second if every IP you try from gets panned after five.

For services that get thoroughly hacked, if the hacker is smart enough to remain uncaught they'll probably have a rootkit that just grabs your un-hashed password the next time you log in, no matter how complex it is.

For services that get hacked only briefly enough to copy a hashed password file, or for people who use local encryption on computers which might be taken by an attacker for offline password cracking, things get more interesting:

The Schneier column points out "As computers have become faster, they're able to test more passwords per second; one program advertises eight million per second. These crackers might run for days, on many machines simultaneously. For a high-profile police case, they might run for months."

At 8 million guesses per second we can crack XKCD passwords in 26 days on a single computer; one day on a reasonably sized cluster.

Picking a fifth word brings that "one day" up to "five years"; a sixth gets you into millennia. Moore's law would bring those estimates back down to "3.5 years" and "44 years", but if Moore's law actually holds for four more decades then we've probably got more interesting worries than whether your 2015 passwords are crackable.
posted by roystgnr at 8:56 AM on October 28, 2015 [7 favorites]


one of my passwords is a variation of "kill yuffie marry aeris fuck tifa", you can guess how long I've been using that.
posted by numaner at 8:58 AM on October 28, 2015 [9 favorites]


I tried the automated version, it came up with, "Desert-Dissatisfy-Somehow-Succeed-Fortunate-Nature-Spare-Solve"

Isn't that the Hero's Journey as interpreted by George Lucas??
posted by ericbop at 9:24 AM on October 28, 2015 [2 favorites]


Dang, my Mac has been making them up for free since at least 2002. I coulda been selling them to Windows users all this time!

Hit me up people! Two passwords for the price of one, any entropy level, memorable, and rock-solid!
posted by sudon't at 9:39 AM on October 28, 2015


parliboy: "Whenever I have couchsurfers visit, they get either amused or annoyed when I tell them that my router's passphrase is:
This is my router's passphrase.
"

My wifi is named Abraham Linksys and when people ask for the guest password, I say, "Oh, it's the date the Civil War started." Then I watch them squirm.

TRUST ME IT'S SO FAR UNBREAKABLE.
posted by Eyebrows McGee at 9:43 AM on October 28, 2015 [30 favorites]


I would NEVER remember correcthorsebattery.
posted by bq at 10:50 AM on October 28, 2015


I just finally broke down and paid for 1Password, and ever since then I have been recommending it to everyone. Unique passwords for everything, all the time, and I don't need to remember them.

Seriously, get a password manager. It's worth it.
posted by caution live frogs at 11:01 AM on October 28, 2015 [3 favorites]


But, but, she's been profiled in her mother's book!
posted by sfts2 at 11:23 AM on October 28, 2015


Seriously, get a password manager. It's worth it.

uh yeah and how is that secured, again?

with a password?

then you'd better pick a secure one. there's this article i saw linked upthread about a girl who has something to say about that, you may want to read it.
posted by indubitable at 11:49 AM on October 28, 2015


What I once thought of as good passwords just ended up usernames.
posted by lazycomputerkids at 12:02 PM on October 28, 2015 [1 favorite]


I use the initial letters of phrases for most of my passwords, usually from memorized song lyrics, poems, or opening lines of books.
For example, the opening line of The Who's Who Are You would give: IwuiaSdapkmn
But I still have to remember which phrase goes with each password-protected account.
posted by rocket88 at 12:10 PM on October 28, 2015


It's much easier for people to remember one good password than perform the literally impossible task of using unique, secure passwords for every application.

yes? I don't see how this conflicts with what I wrote.
posted by indubitable at 12:34 PM on October 28, 2015


My common password is the name of an album, but it's augmented with a capital letter and two symbols. It's 24 characters long and whenever anyone sees me type it in they are bewildered by it. According to howsecureismypassword.net it would take 14 octillion years at 4 billion combinations/second for it to be cracked.
posted by gucci mane at 12:46 PM on October 28, 2015


My common password ... would take 14 octillion years at 4 billion combinations/second for it to be cracked.

You only have to use it at one site with poor security practices for it to be revealed, no guessing required.
posted by jedicus at 12:53 PM on October 28, 2015 [3 favorites]


Hmm, that's a damned good point. I wonder if a solution is to use correcthorsebatterystaple but stick a word that's going to be kinda like a real password in there. Like: correcttest4842horsebatterystaple. Since one word is totally not a dictionary word and is alphanumberic that should make the password virtually impossible to crack (until a site stores it somewhere in plaintext and then that site gets hacked.)

Picking a fifth word brings that "one day" up to "five years"; a sixth gets you into millennia. Moore's law would bring those estimates back down to "3.5 years" and "44 years", but if Moore's law actually holds for four more decades then we've probably got more interesting worries than whether your 2015 passwords are crackable.

Having learned the "phrase" scheme from Diceware before XKCD, Schneier's criticism - or at least his wording of it - seems misguided. A correct implementation (like Diceware) assumes the attacker knows the scheme and the dictionary, and calculates the entropy from there. He should have made clear is that the real point is a.) four words is not quite good enough, and b.) they must be truly random.
posted by atoxyl at 12:56 PM on October 28, 2015 [1 favorite]


roystgnr I'm quoting you because you have it right
posted by atoxyl at 12:58 PM on October 28, 2015


jedicus: You only have to use it at one site with poor security practices for it to be revealed, no guessing required.

That goes for pretty much any password you use anywhere.
posted by gucci mane at 1:03 PM on October 28, 2015


password generation for good touch typists:
  1. place your hands on the home row. think of a longish phrase that is meaningful to you and that you definitely will remember (something like "correct horse battery staple" or whatever).
  2. move one or the other of your hands one row up or one row down.
  3. type the original phrase, but as if both hands were still on the home row.
  4. you now have your password.
nota bene: if your phrase contains a lot of letters from the bottom row of the keyboard, you'll probably want to shift your hands up rather than down.
posted by You Can't Tip a Buick at 1:11 PM on October 28, 2015 [2 favorites]


IwuiaSdapkmn is 12 characters upper/lower. If totally random that's a little bit stronger than 5 words of lowercase-only Diceware (which uses a dictionary of 6^5 = 7776 words) and four orders of magnitude weaker than 6 words. But to me it seems like the "more random" your phrase the more you're better off just using the phrase than condensing it, and the "less random" the less you want to be using it as the basis of anything anyway.
posted by atoxyl at 1:16 PM on October 28, 2015


So the case for condensed phrase/initialism/whatever to me is just when you're limited to 16 characters or whatever. Which does unfortunately still happen. But really you should use 16 random characters and a password manager.
posted by atoxyl at 1:22 PM on October 28, 2015


But of course often the password isn't really the weak point in a system, as multiple people have already pointed out.
posted by atoxyl at 1:23 PM on October 28, 2015


Password crackers already take keyboard transposition into account. I had an old supervisor who thought he was real clever because his password for everything was qwertyuiopzxcvbnm.
posted by odinsdream at 1:16 PM on October 28
[1 favorite −] Favorite added! [!]


[insert sound of me realizing how easy it is to derive many of my passwords from any one of them.]

it seems like the two biggest things that digital computing has taught us are 1) don't roll your own crypto, and 2) never trust code you didn't write yourself.
posted by You Can't Tip a Buick at 1:34 PM on October 28, 2015


I am willing to work as a bespoke password amanuensis for the wealthy elite. For a nominal six-figure yearly salary I will devise uncrackable passwords from the depths of my fevered brain, recording them in a secret shorthand script in a locked Moleskine notebook that I shall keep about my person at all times. Your passwords will be communicated to you via a special private language which only we shall know, spoken only in hushed tones under the din of a busy and expensive restaurant. Watch for my posting on MeFi Jobs
posted by prize bull octorok at 3:37 PM on October 28, 2015 [4 favorites]


It's from a couple years ago, but Ars Technica had a really excellent article on how most "clever" password schemes are still easily broken.
posted by Sibrax at 3:49 PM on October 28, 2015 [1 favorite]


I ordered one of these when the article was first on Ars Technica. $2.50 totally worth getting a really weird piece of mail. Can't wait!
posted by selfnoise at 4:22 PM on October 28, 2015 [2 favorites]


Inspired by the comment I mentioned above but not wanting password generation in my bash history, I whipped this python script up.

You still need to send the girl a couple bucks.
posted by ChurchHatesTucker at 6:18 PM on October 28, 2015


artisanal true randomness > soulless, mass produced python pseudorandomness

alright that tears it; i'm ordering one
posted by indubitable at 6:36 PM on October 28, 2015


I forget all of my passwords instantly, so whenever I have to log in again (monthly, usually), I have to reset them and choose new passwords. I figure it's marginally more secure than if I actually remembered and kept the same thing. I stopped trying to pick memorable passwords, since I know I have no chance of remembering anyway, and just create nonsense phrases partly in Japanese.
posted by three_red_balloons at 8:10 PM on October 28, 2015 [1 favorite]


The lemonade stand comment first showed up on Twitter, and I'll cop to it being mine (mods, please delete if this is against the rules on self-posting).

"It's a 21st century lemonade stand." (on October 25)

Ars Technica (who posted about this enterprise) responded with "Lemonade stands are so 2014." My point, which whoever posts for them so cheerfully dismissed, was this was a terrific idea that addresses need, availability, and affordability. Even if the model has been disrupted, it was/is a good business idea, and fills a niche.

And the lemonade stand model as a concept and reality does work, which is why, come cherry blossom season, the kids in Kenwood Park will have the lemonade stand up, just like every year for the past few years. They wouldn't do it if it didn't make money.
posted by datawrangler at 8:11 PM on October 28, 2015


http://motherboard.vice.com/read/another-day-another-hack-135-million-passwords-from-000webhost?utm_source=mbfb
posted by gucci mane at 4:32 AM on October 29, 2015


Idea for $5 premium service:

1. Roll 16d8 for 48 bits of pure, non-pseudo entropy.
2. Feed the bits into base64.

Yields an 8 character password. Add d8s for more bits and longer passwords.

Arguably not as human-memorable as diceware, but far less vulnerable to a dictionary attack. (And perhaps less ideal because you'll probably want a computer to do your base64ing.)
posted by whuppy at 6:22 AM on October 29, 2015


Roll 16d8

RPG polygon dice are generally pretty shit, unfortunately. I mean, they're mostly good enough for tabletop gaming*, but I wouldn't trust them as a source of entropy. Because of gambling, casino cube dice are a lot higher quality and much better understood in terms of wear issues.

*But everyone knows that Guy, the one who has the lucy die that rolls natural 20s seemingly on command.
posted by bonehead at 7:13 AM on October 29, 2015


Ugh, fine. Roll casino-grade d6s, throwing out 5s and 6s for 2 bits per roll until you've got your 48 bits.

Also, toss out any base64 string that looks guessable.

/me sideeyes his I Ching dice
posted by whuppy at 7:28 AM on October 29, 2015 [1 favorite]


Arguably not as human-memorable as diceware, but far less vulnerable to a dictionary attack.

No, see, that's one of the cool things about diceware — it's not vulnerable to dictionary attack, because it assumes the adversary knows your dictionary. It allows you to quantify the minimum amount of entropy under these worst case assumptions (7776N for an N-word passphrase).
posted by indubitable at 6:56 PM on October 29, 2015 [2 favorites]


I was playing around with the rhyming password idea Cash4Lead mentioned, and hit upon a bit of a shortcut: make the third and sixth (or second, fourth, and sixth) words Pig Latin. E.g.:
apathy howe ale-stay
ouch golly elt-fay
Rhyming helps with memory, so that would be a plus (I'm just not sure if that's true for Pig Latin, since the rhyme is forced.) It's a push in terms of key space, since you have to assume the attacker knows your scheme. I wonder if there's a negative of having a predictable element (the 'ay's) in there.
posted by ChurchHatesTucker at 5:21 PM on October 30, 2015


« Older GLAAD Finds TV Representation Better, But Still...   |   When it's good, it's great; when it's bad, it's... Newer »


This thread has been archived and is closed to new comments