--- /dev/null
+---
+postid: 019
+title: Passwords versus passphrases
+excerpt: A layman's analysis of XKCD's "Password Strength".
+author: Lucian Mogoșanu
+date: February 16, 2014
+tags: asphalt, tech
+---
+
+A while ago Randall Munroe posted a comic called "Password Strength":
+
+<span><a href="http://imgs.xkcd.com/comics/password_strength.png"><img
+class="thumb" src="/images/2014/02/password_strength.png"
+style="width:700px;height:auto;" /></a></span>
+
+This sparked a lot of debate on the Internet. Although the math seems right,
+after skimming through the discussions on the [XKCD forums][1] and on [Stack
+Exchange][2], the whole thing has left me a bit skeptical, not as far as the
+mathematical matters go as much as on the assumptions on which the comic
+relies.
+
+Scientifical papers on security[^1] idiomatically define a so-called "attacker
+model", from which they derive assumptions about how someone will attempt to
+crack some particular computing system, in our case an arbitrary password-based
+authentication system. Now that we're done with the boring stuff, it's safe to
+say that assuming that any mildly experienced script kiddie will attempt a
+brute-force before a dictionary attack is completely nonsense.
+
+Now, as per the comic and the previously stated analyses, a passphrase should at
+least in theory make a dictionary attack *weaker*, since it increases the
+word-level entropy, turning it into a brute-force attack at word-level. More
+exactly, for an alphabet $\Sigma$ and a password $p$ of $l(p)$ elements from
+$\Sigma$, the brute-forcing complexity is
+
+$C(p) = \left|{\Sigma}\right|^{l(p)}$
+
+where $\left|{\cdot}\right|$ denotes set cardinality.
+
+I'll illustrate this by using the word count of the `/usr/share/dict/words` in
+my distribution[^2]:
+
+~~~~ {.bash}
+% wc -l /usr/share/dict/words
+99171 /usr/share/dict/words
+~~~~
+
+The main difference between classical brute-forcing and a "brute-force
+dictionary" is that while the first uses as a basis a fixed alphabet (i.e. the
+printable ASCII charset plus-minus some Unicode) and a large exponent (i.e. the
+password length), the second relies solely on growing the alphabet's size.
+
+So for word-level bruteforcing, we'll have:
+
+$C_w(p) = \left|{\Sigma_w}\right|^{l_w(p)} = 99171^4$
+
+where $\Sigma_w$ is a word-based alphabet and $l_w(p)$ is the number of
+words in a passphrase $p$.
+
+In contrast, for a character-based alphabet $\Sigma_c$ for which
+$\left|{\Sigma_c}\right| = 26$, the password length yielding the equivalent
+complexity would have to be about $l_c(p) = 14.1243217044885998$, give or take
+a few decimal places.
+
+One thing that I attempted to do was to find the "correct horse" passphrase's
+strength in relation to a smaller dictionary, which led me to the "tiny"
+dictionary from [Openwall][3], of about 250 words. Interestingly enough, it
+seems that none of the words chosen for the passphrase given in the comic are
+in that dictionary, which would make [words][4] a pretty strong source of
+random words, assuming that the underlying random number generator is strong
+enough.
+
+This is however only the beginning of a long, possibly neverending, intricate
+story. As passphrases become more common, I will venture to guess that "simply
+random" might not be enough and that some form of strong randomness will be
+required. For example, one might need to check that a given passphrase cannot
+be guessed by a Markov text generator based on the probability distribution
+inferred from, say, all the pages of Wikipedia. Natural language passphrases
+such as [Assange's published password][5] are thus becoming increasingly weak
+while password strength metrics vary more and more based on the attacker model.
+
+[^1]: A thing which XKCD is most definitely not. Despite the fact that Munroe
+has educated opinions on the subjects he touches in his comics, the latter
+should always be taken with a grain of salt, however "interesting" they may
+seem.
+
+[^2]: Debian Jessie, Testing at the time of writing.
+
+[1]: http://forums.xkcd.com/viewtopic.php?f=7&t=73384
+[2]: http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase
+[3]: http://openwall.com/
+[4]: https://en.wikipedia.org/wiki/Words_%28Unix%29
+[5]: https://www.schneier.com/blog/archives/2011/09/unredacted_us_d.html
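Review bot: the conclusion in the "One thing that I attempted to do" paragraph does not follow from its premise: the four comic words being absent from Openwall's ~250-word tiny list says nothing about `words` being "a pretty strong source of random words"; the strength comes from sampling uniformly over all 99171 entries (with the attacker assumed to know the list), which is exactly the $C_w(p) = 99171^4$ figure derived above, so consider rewording to say the passphrase merely survives the small-dictionary attack and forces the full word-level brute force. The passage "a passphrase should at least in theory make a dictionary attack *weaker*" also rests on an unstated assumption worth spelling out, since the post is about attacker models: each word must be chosen uniformly at random from the dictionary; a passphrase picked by hand from familiar words collapses to a much smaller effective $\Sigma_w$, which is the same point the closing paragraph makes about Markov generators. Expressing $C_w(p)$ in bits ($\log_2 99171 \approx 16.6$, so about 66 bits for four words) would let readers compare directly with the 44 bits the comic claims for a 2048-word list. Minor wording: "Scientifical papers" should read "Scientific papers", "is completely nonsense" should read "is complete nonsense", and "neverending" should be "never-ending".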
--- /dev/null
+---
+postid: 01a
+title: Grim Fandango
+author: Lucian Mogoșanu
+date: February 23, 2014
+tags: gaming
+---
+
+<p style="text-align: right"><em>With bony hands I hold my partner,
+on soulless feet we cross the floor.
+The music stops as if to answer,
+an empty knocking at the door.
+It seems his skin was sweet as mango
+when last I held him to my breast.
+But now, we dance this grim fandango,
+and will for years until we rest.</em></p>
+
+Once upon a time there was this guy called Tim Schafer. You might know him from
+such epic point and click adventure games such as Day of The Tentacle, The
+Secret of Monkey Island, Monkey Island 2 or Full Throttle. Well, one day he[^1]
+decided to ruin the point and click, in fact the entire adventure genre for
+everyone by creating a non-point and click adventure game. And that game was
+called *Grim Fandango*. And it was a glorious piece of art.
+
+<span class="imgleft"><a href="/images/2014/02/grim-fandango-001.png"> <img
+class="thumb" src="/images/2014/02/grim-fandango-001-thumb.png"
+title="The Grim Reaper himself."/></a></span>
+I've never been too fond of the idea of keyboard/controller-based adventure
+games with a fixed camera. Despite my previous experience with Escape From
+Monkey Island, I decided to give Grim Fandango a try about six years ago,
+mostly due to the many praises I had heard in relation to it. Then, six years
+later, I decided to give it another try and delve even deeper into its
+universe.
+
+Grim Fandango is, in short, a very successful combination of "noir" and comedy.
+It's noir more than in the traditional sense, by having a hint of black comedy
+embedded in its core. It is, I quote the '40ish cover, "an epic tale of crime
+and corruption in the land of the dead", telling the story of a Grim Reaper
+called Manuel "Manny" Calavera who's living his life, well, his afterlife, in
+the dead people's world, trying to get through his mid-afterlife crisis like
+any guy who's been dead for too long now does.
+
+<span class="imgright"><a href="/images/2014/02/grim-fandango-003.png"> <img
+class="thumb" src="/images/2014/02/grim-fandango-003-thumb.png"
+title="A cap'n and his lady... ship... ladyship."/></a></span>
+The game goes through four years of Manny's adventure, the same period it takes
+to get to the Ninth Undeworld[^2] by foot. People who have been "good" get a
+ticket to a train called The Number Nine, which takes them directly to the
+Ninth Underworld. One of the eligible clients, whom Manny steals from his
+pompous workmate Domino Hurley, is Mercedes Colomar, the typical innocent lady.
+She is pretty much the driver of Grim Fandango's rather thick plot, which you
+are familiar with if you've played the game. If you haven't then you should be
+really playing the game right now instead of reading this.
+
+Comic relief is provided in more than one way, either subtly or obviously.
+First off, everyone and their dog is a skeleton, forming a rough sketch of
+their souls, including skin ridges or funny-looking haircuts. Besides everyone
+and their dog, the game is populated with demons used for "menial" tasks such
+as driving or taking care of the server[^3], the most notable being Manny's
+sidekick Glottis.
+
+<span class="imgleft"><a href="/images/2014/02/grim-fandango-006.png"> <img
+class="thumb" src="/images/2014/02/grim-fandango-006-thumb.png"
+title="Beautiful artwork."/></a></span>
+The graphics are not bad at all, but the aspect where the GrimE engine really
+shines is the ability to present scenes and angles in a very movie-like
+fashion. The action itself is presented from a few fixed points of view; this
+can rapidly become frustrating, as it's often hard to make the character focus
+on a specific object and interact with it. However, the cut-scenes look no less
+than amazing, more so that the voice actors did a pretty good job.
+
+Last but not least, the game's soundtrack is mostly big band jazz with some
+South American intermissions and influences, exactly what you'd expect from a
+noir-infused universe. Since I've been listening to it for about last six
+months (and counting), I can only say that it's anything but boring.
+
+I'll end the post with a quote:
+
+> All day long, Manny, I sort through pure sadness. I find evidence, and I
+> piece together stories. But none of my stories end well -- they all end here.
+> And the moral of every story is the same: we may have years, we may have
+> hours, but sooner of later, we push up flowers.
+
+* Membrillo
+
+<span><a href="/images/2014/02/grim-fandango-007.png"><img class="thumb"
+src="/images/2014/02/grim-fandango-007-thumb.png"
+title="The server guy."/></a></span>
+<span><a href="/images/2014/02/grim-fandango-005.png"><img class="thumb"
+src="/images/2014/02/grim-fandango-005-thumb.png"
+title="Happy couple."/></a></span>
+<span><a href="/images/2014/02/grim-fandango-002.png"><img class="thumb"
+src="/images/2014/02/grim-fandango-002-thumb.png"
+title="Gambling is fun, except when you've got a gambling problem."/></a></span>
+<span><a href="/images/2014/02/grim-fandango-004.png"><img class="thumb"
+src="/images/2014/02/grim-fandango-004-thumb.png"
+title=""I'm gonna let it shine"""/></a></span>
+
+[^1]: Ok, maybe not as much him as the blazingly idiotic team behind him. It
+was, y'know, experimentation, trying to reach new markets, all that mumbo-jumbo
+that companies with too much money on their hands pull out of their hats.
+Unfortunately LucasArts have had many more years to show this to the public.
+
+[^2]: The Underworld is most probably inspired from the Aztec Mythology, namely
+from [Mictlan][1]. Unfortunately, at the time of writing searching the Web for
+"Ninth Underworld" reveals a long list of crap which is supposedly related in
+some way or another to the Mayan Calendar.
+
+[^3]: Sorry, sysadmins.
+
+[1]: http://en.wikipedia.org/wiki/Mictlan
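Review bot: the `title` attribute on the last screenshot, `title=""I'm gonna let it shine"""`, is malformed HTML: the inner double quote closes the attribute immediately, leaving the tag broken in every browser; wrap the attribute in single quotes or escape the inner quotes as `&quot;`. Also "Ninth Undeworld" should read "Ninth Underworld", "more so that the voice actors did a pretty good job" reads better as "more so since the voice actors did a pretty good job", and the attribution line `* Membrillo` will render as a one-item bullet list rather than a signature; "-- Membrillo" matches the intent. In the quoted passage, "sooner of later" is presumably "sooner or later" unless the game's line is being reproduced verbatim.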