Chris Johnson

Password Security

There are four ways of cracking a password.

1. Guess the password
2. Brute Force the password
3. Go around the password authentication
4. Trick the password from the owner

If your password is easy to guess, then it is a weak password. Examples of weak passwords are: password, 1234, YOUR_NAME, BIRTHDAYS. Many things use a four digit PIN. When guessing them, the best place to start is the set of numbers between 1950 and 2005, followed by 1930-1949, and 2006-2024. Years of importance to you.

Brute force is when you try all possible passwords. Back in the days of the TRS-80, there was a password on some part of the operating system. I wrote a simple brute force cracker for it.

Once it was running, my host and I got ready to go to dinner. Before we got out the door, the program stopped.

I assumed the program failed. Turned out that the password was so weak, three or four characters long, that it only took a few minutes to try all the passwords to that point.

Going around a password is sometimes easier than it should be. People don’t bother to log out. When I was visiting my father, I sat down at his computer. It was unlocked. I was able to “be” him if I had wished. I didn’t have to bother with a password.

There is an entire industry devoted to tricking people into handing over their passwords. It is so bad that it has its name, “phishing”.

And anybody can get caught in the net. I was caught just once. My wife’s school was phished, hard. The entire school got an email that looked legitimate from an administrator for the district. Her account then automatically sent it to me because I was in her address book.

I opened because it was from my wife. It had a good subject line. It looked legit.

It didn’t do anything to me because I run Linux, but it caused a great deal of damage to the school district.

Besides phishing, there is looking for the passwords that people have written down.

Again, using my father, the password for my mother’s computer was written on a PostIt note stuck to the inside of her laptop.

There is no need to guess, force or phish when the password is just given to you.

The Balancing Act

It is rather oxymoronic that the harder it is to remember a password, the harder it is to crack the password. If your password is “happyfaces” it might be easy to remember, but it is also easy to guess.

On the other hand, “wynt>Otchib5” is difficult to remember and difficult to guess. The password generator I used gave that to me as “wynt-GREATER_THAN-Otch-ib-FIVE” as how I might pronounce it and remember it. Still, it isn’t going to work

When passwords get too difficult to remember, people need to write them down. You would be amazed at the number of personal, and business, computers which have a file named “passwords”. People write them down.

The other thing that happens is that people remember one “good” password, then use it over and over again. If they ever lose that password, they lose access to everything, or the bad hat gets access to everything.

Many people think they will be tricky and use character substitution. Instead of “password” they write, “p@55w0rd”, and think they are clever. They aren’t.

There is a scene in Schindler’s List where they have just cleared the ghetto. Now they are searching for hidden Jews. The German’s come in, and they know where to look. They are experts at finding people. They’ve done this before. They know all the hiding places.

If you think you have found something clever that will make your password “unguessable”, you are mistaken.

Long Passwords Are Better(?)

Let’s assume that you are going to use a password that can’t be guessed easily. This leaves the brute force method.

This is a matter of mathematics. The larger the symbol set, the better. Longer passwords are better.

Consider a four digit pin, there are 10,000 possible PINs. As a password, that sucks.

But if we increase the symbol set to digits and letters, we get a slightly better result: 36^4 = 1,679,616. Still not strong.

But let’s say you go all out and have a symbol set of all ASCII printable tokens. There are 128 ASCII tokens, of which 94 are printable. This gives us 81,450,625 different passwords. Which still sucks, but it is getting better.

Now, let’s just make the password longer, call it 8 characters, at that point our results would be: 6,634,204,312,890,625. This is a strong password. Unfortunately, it is likely to be nearly impossible to remember.

My default is 12 characters.

Creating Strong Passwords You Can Remember

When we go back to that original statement, “The larger the symbol set, the better.” What if I told you that there is a symbol set of approximately 100,000 symbols, that you already know?

That symbol set is the set of all common English words.

What we would like to see is a number near 6 Quadrillion. With a symbol set of 100,000 words, 3 words give you 1 Quadrillion and four words give you 118,495,929,354,657,605,136.

This doesn’t consider word separators or case. Here is one such random password, “farm particularly wild refer”. If you modify the spaces to be different characters, or capitalize some letters, even if it only the first letter, you get even better results.

So what’s the problem? The issue is that it doesn’t look like a strong password. Many password checkers will see that long password and reject it because it doesn’t have special characters.

For me, a programmer, I can put together a simple program, take the string above, feed it into sha256sum to get 256 bits of pseudo noise. Extracting the printable characters, I get “dLuxo8x’H54MBd”

Now I have a good password I can remember, which can be used to generate a password which the rest of the world will accept as strong.

Password Managers

Password managers are supposed to fix much of this. They exist to store your passwords in a “secure” form, which you can then extract when needed. In addition, they will generate strong passwords for you to use.

I, personally, use four password managers and have used a fifth.

The first, most people are aware of, is the password manager built into your browser. I use Firefox and Chrome, so those are two password managers. My Linux system has another password manager built in. Finally, I use “Keeper” and have used “Last Pass”.

I love Keeper, I pay for the version I use, but there might be a free version. For me, it is worth it. One of the reasons it is worth it to me, is that with the paid version I can share access to password folders or individual passwords.

I never liked “LastPass” but I can’t say why. I do know they were cracked within the last few years. Because of their security model, when they were cracked, the bad guys extracted all the passwords.

Keeper stores all passwords encrypted. Only you have the decryption key. Thus, if they were to lose everything, they would not expose your passwords.

The browser managers are there because I was using them before Keeper. I’m slowly phasing them out.

I’m also looking into a self-hosted version of a password manager. I have not decided on which one, if any, I will try.

Chicken and Egg

The problem with all password managers is that there is a single point of failure. That is the password to access your password manager.

Which takes us back to “Long passwords work better”. Generate a random four – word password, I used xkcd Password Generator but you can just open a physical dictionary and randomly select four words.

Memorize those four words. Then you can use that as your master password.

Make the move to a good password manager. Use one that distrusts the government.

Two Factor Authentication

I need to look at my articles to see if one already exists, if it doesn’t, I’ll write something up.

In honor of the Georgia peanut farmer

Another dog whistle that only leftists can hear.

This was in reply to a moron who claimed that this was just par for the course because “…he tried to have a rally on Juneteenth in Tulsa.”

The original post:

I don’t even want to go looking for what the accusation actually is. They have a clip of Trump saying something, but I don’t trust anything posted until I can examine it in context.

Resiliency is a goal. I’m not sure if we ever actually reach it.

In my configuration, I’ve decided that the loss of a single node should be tolerated. This means that any hardware failure that takes a node of line is considered to be within the redundancy tolerance of the data center.

This means that while every node has at least two network interfaces, I am not going to require separate PSUs with dual NIC’s, each with two 10Gbit interfaces. Instead, each node has two 10Gbit interfaces and a management port at 1 to 2.5 gigabits RJ45 copper.

Each node is connected to two switches. Each switch has a separate fiber, run via a separate path, back to a primary router. Those primary routers are cross connected with two fibers, via two different paths.

Each of the primary routers has a fiber link to each of the egress points. I.e., two paths in/out of the DC.

The NAS is a distributed system where we can lose any room and not lose access to any data. We can lose any fiber, and it will have NO effect on the NAS. We can lose any switch and not have it affect the NAS.

We can lose any one router and not impact the NAS.

So far, so good.

Each compute node (hypervisor and/or swarm member) is connected to the NAS for shared disk storage. Each compute node is part of the “work” OVN network. This means that the compute nodes are isolated from the physical network design.

Our load balancer runs as a virtual machine with two interfaces, one is an interface on the physical network. The other is on the OVN work network.

This means that the VM can migrate to any of the hypervisors with no network disruption. Tested and verified. The hypervisor are monitored, if the load balancer becomes unavailable, they automaticity reboot the load balancer on another hypervisor.

So what’s the issue?

That damn Load Balancer can’t find the workers if one specific node goes down. The LB is still there. It is still responding. It just stops giving answers.

I am so frustrated.

So I’m going to throw some hardware at it.

We’ll pick up a pair of routers running pfSense. pfSense will be augmented with FRR and HAProxy to provide load balancing.

Maybe, just maybe, that will stabilize this issue.

This is a problem I will be able to resolve, once I can spend time running diagnostics without having clients down.

In upgrading from copper to fiber, I’ve been exploring the different options and learning as I go. Some learning curves have been steep, others have been “relearning” what I already knew.

One of the biggest things I needed to learn is that there are “switches” that are actually “routers”. That was mind-bending.

The other is that the network dudes talk about VLAN and Tagged VLAN. They are different things. In the environments I’ve been working in, there are only tagged VLANs which are called “VLAN”. Same name, different meaning.

The starting place when moving from copper to fiber is to understand what a Small Form-Factor Pluggable is. This is the magic that makes it all happen. This is standardized into SFP and SFP+. The SFP standard only supports 1G and lower speeds.

The SFP+ supports higher speed modules. 10G, 25G, 40G and 100G are all standards I’ve seen.

I’m only working with 10G modules, at this time.

They have modules that are RJ45 copper that will run at slower speeds or up to 10G. The only issue is that they draw more power and run hot. Can’t touch them when running hot.

The fix for this is to purchase a switch or router that has RJ45 Ethernet ports and at least one SFP+ port.

I found a small, six port, switch. This comes with 4 RJ45 ports, rated at 2.5G each, and 2 SFP+ ports rated at 10G each. Cool.

This allows me to daisy-chain them if I wanted.

In reality, it meant that I had one host connected at 10G while the others were at 2.5G.

I also found a L2/L3 “switch” that looks much like the switch above.

Having done the upgrades, I started looking into upgrading the router between the outside world and the DMZ. The routers I’ve been getting to not support any crypto, so they don’t have good VPN capability, something I want.

So I went looking. Looking for a “motherboard with SFP”. Something interesting popped. A mini ITX motherboard with 4 SFP+ ports and 4 RJ45 ports along with HDMI, VGA and the standard USB ports. It also provided space for two M.2 SSD modules, 2 DDR4 slots and two 6GByte SATA ports.

It might not be the fastest computer on the block, but it looks like a good starting point.

This leads me to other motherboards of the same ilk. And what I found was a bunch of these motherboards. And the port layouts all look the same. The specifications all look the same.

What we have is a “standard” motherboard which is put in a “standard” case along with a wall wart, HDMI cable and a mounting bracket. The branding stays the same.

I have an L2 switch that I’m going to take apart in a bit. It has a limit of 1550 byte packets, making it useless for my new network. I wonder if I will find an M.2 module in that box or something else that allows me to change the software.

Meanwhile, that motherboard is on my wish list. I’ll load pfSense on it along with FRR and replace my current router. Giving me a considerable boost in capabilities and letting me dispense with the VyOS configuration language. Which I really don’t like.

Christmas is past for another year. It was better than expected.

Watching movies with the family was good. My wife insists on “A Christmas Story”, as it is her favorite. I picked “Red One” on a recommendation from Scott Adams on X. The final movie was “A Christmas Story Christmas”.

This last hit a bit hard.

Regardless, friends came through, and we were able to give back to our friends.

My wife’s best friend’s husband passed earlier this month. We had her over for Christmas Eve dinner (tacos) and Christmas Dinner (Turkey with fixings).

Our tradition is to go around the table and each person gives thanks for something that happened that day. Sometimes it leads to discussions, sometimes it is just a little thing, “Thank you for a dinner, I really like.”

The goal is to stop perseverating on the bad that is happening around you, the things that are getting you down, and to acknowledge, to search for, the good that you have.

My friend from the NVL called on Christmas Eve. That was a good talk. The only bobble was when he let his distrust of Elon slip out. We have agreed not to talk politics. We are still friends.

My best friend died in November 2000. I don’t think I ever recovered from that day. He was not only my friend, he was my mentor.

He was the first person I met that could program better than I could. He was a better man than I, by far.

I found myself competing with him in programming to be better. He never competed with me. He just won. After a while, it stopped being a competition and became a lifelong friendship.

Through Mike, I met Max. Max called me on Christmas Eve. Talking to him made me feel better. Friends can do that.

So on this day, after you have finished with what’s under the tree, had the first of a week’s worth of leftovers, take a moment to reach out to a friend and let them know what they mean to you.

Here is hoping that the happy man in the red suit brought you all you wish.

More importantly, I wish you health and happiness in the coming years.

-Chris

So far it is only Gray v. Jennings, but it is still early.

We, at Vine of Liberty, wish you all a Merry Christmas and a Happy New Year.

I own a pocket watch. It is beautiful, but I don’t use it very often.

I know that I own a couple of watches. One of them is a battery powered solar recharging thing.

My standard “watch” today is my cell phone.

When I was in high school, I was very interested in accurate time keeping. As was my father.

This meant that we would call the “time” phone number to set our watches, at least once a week.

My grandfather had a “railroad watch”. This was a wristwatch that was approved by the railroad for time keeping. It was approved by the SooLine for use as a time keeping device. Amazing, until that model of watch was approved, the railroad required the use of pocket watches.

This was because a level of accuracy was required that only pocket watches or well regulated wristwatches could maintain.

The big thing in my youth were “quartz” watches. Instead of using a tuning fork or a mechanical balance/regulator, they used the vibrations of a quartz crystal to keep track of the time.

What this meant was that you had devices that were now able to maintain the same wrong time over an extended period of time.

The user had to set them correctly.

As an example, for years, maybe even to today, my wife would set her car clock (and many other clocks) 10 minutes fast. “So she would be on time for appointments.”

I set my car to my phone’s reported time.

One of the fun things that I did as a kid was to call up the Naval Observatory to get the current time. This was reported from their atomic clock. One of the most accurate time keeping devices in the world.

Accurate Time

Many protocols require accurate time. It is wonderful that you have a time piece that is accurate to within 1 second per year, but if it is reporting the wrong time, it is not particularly useful to the protocol.

What we want, is to know what time it is right now, and then to set our time to that.

We get the current time from a known, accurate time source. Today, that is often GPS satellites.

If you have ever wondered how GPS works, it works because your device knows where each satellite is at any instant of time. Each satellite transmits its ID and the current time. Over and over again.

That is all they do.

And here is the magic, if your device knows what time it is, and it knows where the satellite should be at his time, it can calculate the distance by comparing the difference in time.

If you are directly under a GPS satellite, it takes about 67ms for the signal to reach your device. From this, we can use the speed of light to figure out the distance traveled. Then some simple math and we know the location of your device.

We can also get accurate time by listening for the atomic clocks via radio. If you know where you are, and you know where the clock is, you can calculate the delay between the atomic clock and your device, then match your device to the atomic clock.

Today, when people want to use that type of process, they use a GPS device and get the time ticks from the device.

How long did it take?

This is where it starts to get complicated.

The standard for communications with a GPS device is 4800 or 9600 baud across a 3 wire serial connection. The protocol, the text being transmitted, specifies the time when the last character is transmitted.

That data is being received. Your device is processing it. Your device takes a certain amount of time to process the record it just received. It takes time to process that record. All of that is latency.

If you do not know the latency in your device, you do not know what time it is. For grins, just think of that serial link being 300,000,000 meters long. That would put a 1-second latency by itself.

There are ways of calculating the latency, but I do not remember what they are.

Latency is the important piece of information.

Calculating Latency

Many network people have run ping. It is a tool for testing reachability and latency between your device and some other device on the Internet.


ping -c 5 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=11.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=11.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=11.6 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=116 time=11.1 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=116 time=11.0 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 11.022/11.179/11.616/0.220 ms


This is a test from one of my faster machines to a Google DNS server. This tells me that it takes 11.179 ms to reach that DNS server. Testing to one of my network timeservers, the average is 78.094 ms.

This means that the time reported by the timeserver will be off by some amount. In a simple world, we would guess that it is 1/2 of 78.094.

But, I use NTP. NTP does many transmissions to multiple timeservers to discover the actual time. It is reporting that the latency is 78.163512 ms. A little more accurate. It tells me that the dispersion is 0.000092 ms.

How does it know this? Because of many samples and because of four different time stamps.

When my device sends an NTP request packet, it puts the current time in it. When the server receives the packet, it puts the current time in it. When the server transmits the response, it adds the current time again. Finally, when the reply is received, the current time is added to the packet. This gives us four different time stamps from two different sources.

We compute the total latency via mine(R)-mine(S). We know the processing time by server(S)-server(R). The difference between server(R)-mine(S) and mine(R)-server(S) as the symmetry between the two paths the request and response traveled.

From these values, we can calculate the network distance, in seconds, between us and them.

Assume we transmit at time 0(M), it is received at 100(S), the response is transmitted at 105(S) and we receive it at 78(M).

How can we receive our reply before the server sent it? Easy, we have to different views of what time it is.

The latency is 78. This means that the halfway point was at 38. It took 5 to process the reply and get it on the wire again. If we do simple stuff, this means that our time is off from their time by 67.

But we can do better. By looking at the reported latency between the two legs, we can actually calculate how long it took for us to receive the reply.

NTP uses multiple timeservers to get a consensus as to the time. It monitors each timeserver to determine which one jitters the least.

All of this means that we can have very accurate times.

And having accurate measurements of the time, NTP will calculate how much the computer’s clock drifts over time. It will then modify the clock rate in parts per million to get the drift as close to zero as possible.

This means, that the longer your device runs NTP, the more accurate it becomes.