Saturday, April 12, 2014

Heartbleed and Passphrase






The news has been filled with stories about Heartbleed, a flaw in OpenSSL that puts web sites and information at risk. We're told to change passwords immediately.

What a pain! I've got usernames and passwords all over the web. Changing all of them, keeping track, and remembering later will be incredibly difficult. The Internet has a password problem. I can't wait until I have my own quantum cryptographic key generator so I don't have to remember.

So what to do? I came across a nice site called Diceware that spells out a recipe for generating pass phrases. I have a backgammon board in the house, which means that I have four dice handy at all times. But a fifth? I can't use the doubling cube very easily, can I? The idea of manually rolling dice to generate a key, going to the wordlist to look up a word, and recording that pass phrase for a given site seems like too much work, too many steps. So low tech!

Being a computer programmer, I'd rather spend a day coding a solution to a problem that would take five minutes to do by hand. So that's what I started working on last night. I finished it today and uploaded the result to a GitHub repository. It includes the source code for two Java classes: Die (a six-sided die that uses a random number generator to produce rolls) and PassphraseGenerator (a command line app that generates a random pass phrase using the Diceware recipe), the Diceware word list, and an executable JAR that makes execution in a command shell easy.

This exercise recalled the wonderful xkcd comic about password strength. I always loved the entropy calculation that gave a measure of password strength, so I incorporated the calculations into my application. I also gave a way to calculate the entropy of a given pass phrase using command line arguments. The first argument is the pass phrase, surrounded by double quotes if it contains spaces, and the second is the alphabet size used to generate the pass phrase. I've been using simple pass phrases on my work computer for years now. I put the one that I currently use in to see what its entropy was. It has 42 bits of entropy. At 1000 guesses per second, it would take 241 years to crack if my calculations are correct.
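
A sketch of the Diceware recipe and the entropy calculation described above, added here as an example; it is not the code from the author's repository. The class and method names are hypothetical, and it assumes a word-list file with one `12345 word` entry per line passed as the first argument (without one, it prints the raw five-digit dice keys).

```java
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.*;
import java.util.regex.*;

// Added example: names are hypothetical, not taken from the author's repository.
public class DicewareSketch {
    // A CSPRNG; java.util.Random is predictable and unsuitable for generating secrets.
    private static final SecureRandom RNG = new SecureRandom();
    // Assumed word-list line format: five digits 1-6, whitespace, one word.
    private static final Pattern ENTRY = Pattern.compile("^([1-6]{5})\\s+(\\S+)$");

    // One Diceware key: five fair die rolls written as digits, e.g. "41653".
    static String rollKey() {
        StringBuilder key = new StringBuilder(5);
        for (int i = 0; i < 5; i++) key.append(1 + RNG.nextInt(6)); // nextInt(6) is unbiased
        return key.toString();
    }

    // Load key -> word entries; lines that do not match (headers, signature wrappers) are skipped.
    static Map<String, String> loadWordList(Path file) throws java.io.IOException {
        Map<String, String> words = new HashMap<>();
        for (String line : Files.readAllLines(file)) {
            Matcher m = ENTRY.matcher(line.trim());
            if (m.matches()) words.put(m.group(1), m.group(2));
        }
        // A short list silently lowers entropy, so refuse anything but the full 6^5 entries.
        if (words.size() != 7776)
            throw new IllegalStateException("expected 7776 entries, got " + words.size());
        return words;
    }

    // Bits of entropy in `length` symbols drawn uniformly at random from `alphabetSize` choices.
    // Only valid for randomly generated secrets, not for human-chosen ones.
    static double entropyBits(int length, int alphabetSize) {
        return length * Math.log(alphabetSize) / Math.log(2);
    }

    // Years needed to try every candidate at the given guess rate (the average case is half).
    static double yearsToExhaust(double bits, double guessesPerSecond) {
        return Math.pow(2, bits) / guessesPerSecond / (365.25 * 24 * 3600);
    }

    public static void main(String[] args) throws Exception {
        int count = 4; // four words, each one of 7776 equally likely choices
        Map<String, String> words = args.length > 0 ? loadWordList(Paths.get(args[0])) : null;
        StringJoiner phrase = new StringJoiner(" ");
        for (int i = 0; i < count; i++) {
            String key = rollKey();
            phrase.add(words == null ? key : words.get(key));
        }
        double bits = entropyBits(count, 7776);
        System.out.printf("%s%n%.1f bits, %.0f years at 1000 guesses/s%n",
                phrase, bits, yearsToExhaust(bits, 1000));
    }
}
```

For a Diceware phrase the "alphabet" is the 7776-word list and the length is the number of words, so each word contributes about 12.9 bits.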

It was a fun and fruitful exercise. It made me happy, like my Mandelbrot solution from a few years back. I need to do more of that.

The last remaining problem is that most sites have ridiculous rules for passwords (e.g. "between 8 and 15 characters; must include one capital, one number, one special character") that actually make them weaker and harder to remember. I'd much rather generate some four word pass phrases and use those!

I'm struggling with software development lately. I'm trying to swallow a lot of new techniques. It makes me happy when I can solve a small problem like this once and for all. Uploading it to GitHub lends an air of permanence that I love: "Don't have to think about that problem anymore!"

Maybe that's the answer to all hard software problems: Decompose the big problems into lots of small ones that you can solve and upload to GitHub. Solve and forget that problem, make yourself happy, and move on to the next.

