Friday, 29 August 2014

09:19 – As usual this time of year, we’re run ragged trying to ship science kits and build more. We got orders for 17 kits overnight and so far this morning, which wouldn’t be a problem except that we’re running out of stock on some of the kits. So I’ll get the kits shipped that we do have in stock, and then go build more of what we’ve run out of.

It’s funny. I remember the day we sold our very first kit. At that point kit #100 seemed very far away. Then we sold kit #100, and kit #1,000 seemed very far away. Then we sold kit #1,000, and kit #10,000 seemed impossibly far away. But it’s probably not as far in the future as it seemed at the time, particularly once we get our classroom kits available. When that happens, instead of a good month being 100 kit sales, it’ll be 1,000 kit sales. And at that point, we’ll need a lot more space and some employees. I’m still of two minds about that.

15:06 – Wow. Talk about advice so bad it’s scary: Why Your Passwords Should be at Least 24 Characters Long

And this comes from a supposed computer security expert. I have no problem with suggesting a 24-byte password. The issue is the kind of 24-byte password the author recommends. Here’s an example (which, as it happens, is 26 characters, not 24): HarleyDavidsonStarbucks!!!

That’s exactly three dictionary words and three bangs. Better than a six-byte password, but it needs to be a lot better than it is. Crackers use dictionaries, too, and a supercomputer is just as capable of concatenating dictionary words and tacking on a common suffix as it is of working byte by byte. As a matter of fact, there are wordlists built specifically for crackers, full of proper names, brand names and suffixes like “!!!” and “123”. Length by itself means nothing; what matters is how many guesses an attacker has to make. Three words drawn from a list of ten thousand, plus a suffix from a handful of popular ones, is on the order of forty bits of entropy, nowhere near what 24 characters suggests.

I would suggest a 24-byte password, but using purely random characters generated by a hardware random-number generator (AKA, dice or coins). So you end up with a password that is 24 bytes of random gibberish. Everyone seems concerned that such passwords are impossible to remember. So what? Write them down and let Firefox store them. Sure, doing that creates a gaping security hole, but again so what? If someone has physical access to your premises and your computer, you’re screwed anyway. What you should be worrying about is someone gaining electronic access to the hashed versions of your passwords, either on your own machines or on, say, Target’s corporate servers. If the plaintext of your passwords is 24 random characters drawn from the 94 printable ASCII characters, that’s roughly 157 bits of entropy, and they can crack away to their heart’s content and not recover the plaintext for many decades, no matter how fast their hardware or how weak the hash. Unless, of course, someone figures out (or has already figured out) how to quickly factor the products of large prime numbers. Strictly speaking that breaks RSA rather than password hashing, which doesn’t depend on factoring at all, but if that happens/has happened, all bets are off for most of what protects you online anyway.
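To put numbers on the two points above (a cracker concatenates dictionary words just as happily as it works byte by byte, and 24 random characters is a different class of password entirely), here is an added example, written for this page and not code from the linked article or from its author. It computes the entropy of each style of password, generates a 24-character random password with a CSPRNG standing in for dice, and runs a toy offline dictionary-concatenation attack against a hash of “HarleyDavidsonStarbucks!!!”. The wordlist, suffix list and the use of SHA-256 are constructed assumptions; a real attack uses wordlists with millions of entries and whatever hash the leaked database happens to use, but the search strategy is the same.

```python
import hashlib
import itertools
import math
import secrets
import string

# Printable ASCII minus whitespace: 94 symbols per position.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices_per_symbol: int, n_symbols: int) -> float:
    """Bits of entropy in n symbols drawn uniformly and independently."""
    return n_symbols * math.log2(choices_per_symbol)


def passphrase_entropy_bits(dict_size: int, n_words: int, suffix_choices: int = 1) -> float:
    """Bits in a password made of n_words dictionary words followed by one
    suffix chosen from suffix_choices options (e.g. '', '!', '!!', '!!!')."""
    return n_words * math.log2(dict_size) + math.log2(suffix_choices)


def random_password(length: int = 24) -> str:
    """A password of `length` characters from a CSPRNG, the software
    stand-in for the dice or coins the post recommends."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(plaintext: str) -> str:
    # Assumption: plain SHA-256 stands in for whatever the leaked hash file
    # uses. A slow hash (bcrypt, scrypt, Argon2) raises the cost per guess
    # but does not change the attacker's strategy.
    return hashlib.sha256(plaintext.encode()).hexdigest()


# Constructed toy wordlist and suffix list; real cracking wordlists are
# orders of magnitude larger and already contain names, brands and suffixes.
WORDLIST = ["Harley", "Davidson", "Starbucks", "Apple", "Ford", "Nike", "Google", "Toyota"]
SUFFIXES = ["", "!", "!!", "!!!", "1", "123"]


def crack_passphrase(target_hash: str, wordlist, suffixes, n_words: int = 3):
    """Offline dictionary-concatenation attack: hash every n-word
    concatenation plus suffix and compare against the stolen hash.
    Returns (plaintext or None, number of guesses made)."""
    guesses = 0
    for words in itertools.product(wordlist, repeat=n_words):
        base = "".join(words)
        for suffix in suffixes:
            guesses += 1
            if hash_password(base + suffix) == target_hash:
                return base + suffix, guesses
    return None, guesses


if __name__ == "__main__":
    print("3 words from 10,000 + 6 suffixes: %.1f bits"
          % passphrase_entropy_bits(10_000, 3, len(SUFFIXES)))
    print("24 random printable chars:        %.1f bits" % entropy_bits(94, 24))

    stolen = hash_password("HarleyDavidsonStarbucks!!!")
    found, guesses = crack_passphrase(stolen, WORDLIST, SUFFIXES)
    print("dictionary attack recovered %r after %d guesses" % (found, guesses))

    pw = random_password(24)
    found, guesses = crack_passphrase(hash_password(pw), WORDLIST, SUFFIXES)
    print("same attack on a random password: %r after %d guesses" % (found, guesses))
```

With a 10,000-word list and six suffixes the "three words and three bangs" style comes out at about 42 bits, while 24 random printable characters is about 157 bits; the toy attack recovers the example password in a few dozen guesses and never finds the random one. Scale the wordlist up to the millions of entries in a real cracking dictionary and the first number grows only by a few bits per word, because entropy is logarithmic in dictionary size.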