Monday, 23 January 2012

Password restrictions

I've been changing a lot of my passwords lately so that none are alike. In fact they're so ridiculously random and lengthy that I wouldn't stand a chance remembering them. I've a means of obtaining these passwords though in a method known to me using encryption which requires 2 very different types of key, so remembering them isn't necessary.

However, after going around trying to change my passwords, I've noticed that many places impose restrictions upon how long a password may be, and what characters you're allowed to use.

For example, with PayPal, they absolutely require you to have at least 8 characters, but for some reason, it must not be any more than 20 characters. Why limit it at 20? Surely they hash the password anyway?... don't they? eBay have an identical restriction.

And then came my bank (a Dutch bank which shall remain nameless). They also said that it must be at least 8 characters, but no more than 12. It must also contain at least one lower-case letter, one upper-case letter, one number and one non-alphabetic character. But then it also may not use a speech mark ("), equals (=), tilde (~), less-than (<) or greater-than (>). So this not only suggests they're not hashing the password, but there's also probably some risk posted by those additional characters, meaning they may not be sanitising their data. Normally if that were the case I'd expect characters like a back-tick (`), semi-colon (;) or single-quote (') to be prohibited, but for some reason those are allowed in this case. *shrug*

Google seems to be better at this, but still imposes an arbitrary limit. In this case they require a minimum of 8 characters, and allow up to 100 characters. Why 100? Does it matter? Thankfully they allow any character you like, including spaces and all types of punctuation you can think of. But in addition to this, I have 2-factor authentication enabled, so I require a 6-digit pin generated by my phone, so the risk of someone logging into my account is minimised. Although I guess this is all moot when it comes to Google's application-specific passwords. This is necessary if you use 2-factor authentication when you wish applications to access your account (such as an Email client), because those applications can't ask you for the 6-digit pin. So Google generates a password specifically for that application which can be revoked whenever you like. Here's an example of what its generated passwords look like:

qihi jnmd irjb ytis

They always show up as just lower-case letters, and the spaces don't matter. So really, if you have application-specific passwords enabled, the security on your Google Account is only as strong as those passwords, and obviously the more you have the lower the security. Still, it's extremely unlikely anyone could get into your account using brute-force trying to find a code, but it's a shame Google doesn't allow you to enter an application-specific password of your choice.

I also recently set up an account with Good Old Games ( The limit there was 32 characters. I tried using special characters in the password but found that it caused the form to show the password field as invalid, but wouldn't say why. I figured out they only allow upper-case and lower-case letters and numbers.

Amazon fare better than the rest so far. Any characters you want, up to 128 characters.

The best I've seen is SpiderOak. I gave it a totally random mix of every type of character and a password 1024 characters long. It was fine with this. I don't know how many more characters it will take, but surely that should be enough.

So SpiderOak is the most secure out of this list. SpiderOak also can't recover your password because they don't store it. Apparently it's only used to decrypt your user data, which they can't access. In fact they boast a zero-knowledge policy, meaning they don't know your password or anything that you're storing, not even including file names.

On the opposite end is the Dutch bank who shall remain nameless. You'd expect a bank to have higher requirements than most, but it seems not. 8-12 characters? And some characters excluded? What are they playing at? They don't even offer 2-factor authentication. It's just username and password (no, not even account details).

So, anyone know why these companies place such restrictions on passwords? Does it present a denial-of-service avenue? Do they not hash it in case they want to provide the password to, say, the NSA? Any good reason?

Saturday, 7 January 2012

With a Little Help by Cory Doctorow

Look what arrived today (apologies for the poor quality pictures you're about to see).

Yes, something wrapped in a coffee burlap bag.

Which contains a rectangular hexahedron wrapped in rice paper sealed with stickers.

It's a book! A quality-looking hardback book emblazoned with a shiny faceless figure donning a cape and glasses, and there's a strip of bright orange extending from the spine of the book. There's also a 4GB SDHC memory card stuck to the front.

As you can see it's the special edition of With a Little Help by Cory Doctorow. This book is number 76 of 250. Let's have a look inside...

We appear to have a letter addressed to "Bear" from Melissa Frain from Tor (no, not the Tor project, Tor the sci-fi folk). Bear? Anyway, it's a request for the review of a manuscript. And at the back we have...

A sketch of what appears to be either a woman with a birthday cake stuck to her head, or a fairytale princess or some such variety of character.

And lastly, we have...

A personal inscription from Doctorow himself. Naturally his message alludes to the fact that he would be nothing without my help, and he's eternally grateful. (or something slightly less insane)

If you don't already know, Cory Doctorow (a Torontonian resident in the UK), amongst many other things, is a science fiction writer. This book is available for free in audio book format, on CD (MP3 or Ogg Vorbis) for a nominal fee, in several ebook formats (with a suggested donation) in paperback through on-demand publishing, or this gorgeous, unique limited edition hand-bound book. There's even the option to offer to give a book/books to institutions such as schools, prisons, hospitals etc.

So if you can get it for free, why the hell would you fork out money for it? Well for a start, it's directly re-numerating the author for the hard work they put in to make the publication you've enjoyed. That support means they'll go on to write more in future, and also affords them luxuries such as paying their energy bill and buying food to stave off death. But then the hardback book costs a fair amount. What are you getting for your money? Well, by its very nature, a limited edition item is... limited. And this one is particularly limited. The book I'm looking at is one of only 250. A personal inscription from the author isn't something you'll get with the vast majority of books (and he even spelled my name correctly). And then there's the end-papers. No-one else will have the same book as the one I have here as it has unique pieces of Cory's paper hoard that he didn't want to just throw away, so he has immortalised them forever at both ends of the book. I'm intrigued as to what this sketch is about though.

But not only that, the SD card on the front contains all the audio book files (Ogg Vorbis and MP3) every format of the ebook, and all the covers. Incidentally, the SDHC card is merely stuck into a recess in the book with some Blu-Tack, so can be easily removed and replaced.

As for the actual book itself, it says on Cory's site that these are hand-bound at the Wyvern Bindery in Clerkenwell, London, and the printing of the book is done by a family-run company called Oldacres in Hatton Garden who have been around since 1897.

The book costs the same (including P&P) regardless of where you live, except being in the UK gave me the benefit of getting it next day.

Now that the book is in my hands, I'm very pleased with my purchase and would recommend it to anyone who appreciates both good sci-fi, and beautiful, high-quality, unique well-made books. Plus the money goes directly back to the writer instead of mostly eaten away through a complicated chain of publishers, distributors and third-party sellers.

One last thing: Cory added a "feature" you don't get with most books; the opportunity to submit typo corrections with the advantage being that the typo will be fixed with a credit to yourself in the next printing of the book.

If you would like your very own copy, go get it.