How to Make Good Passwords

by Michael


Note: This is a repost from last year. At the time I was using my tumblr as a single unified blog. That got a bit out of hand. My posts there didn't really fit tumblr all that well and my informal reposting of funny or entertaining things didn't mix well with the types of longer technology and media oriented posts I've always enjoyed making, and now put here. The post isn't really any less valuable than it was when I'm posting it and I've had more than one person mention it to me in the last few days. As such, I'm reposting it in its entirety here.

------

Everyone uses passwords pretty extensively these days. Having passwords to an ever-growing number of accounts on various systems is a by-product of functioning in today’s society. There’s no escaping it. Unfortunately, people are very bad at making good passwords.

This doesn’t seem to be a point that anyone argues. It’s more or less commonly accepted wisdom that people mostly do not make good passwords. Whether we’re looking at a serious analysis of passwords people frequently use (http://www.smartplanet.com/blog/business-brains/top-20-most-common-passwords-of-all-time-revealed-8216123456-8217-8216princess-8217-8216qwerty-8217/4519) or we’re joking about passwords (1995’s hilarious, and awesomely terrible, punk-hacker film “Hackers” jokes that the most common passwords are “Love,” “Sex,” “Secret,” and “God”), we know a lot of people use the same things for passwords. It shouldn’t be very difficult to understand that if many other people use the same password you do, it’s easier to compromise.

This points to the first, and most frequent, problem with most passwords people use: they are too common and, by extension, too likely to be guessed. Here I’ll start making a list of requirements for a good password. We already have points one and two.

  1. A password should be unique.
  2. A password should be difficult to guess.

There’s a reason I’ve separated those two items instead of making them the same point. After all, if I have a one-of-a-kind name (let’s pretend my parents named me “Mykul.”) and use my first name as my password, it is a unique password but not one that is difficult to guess.

So far, I’m fairly sure I’m not telling anyone anything they don’t already know or haven’t already thought of at some point. To continue, let’s talk about another thing most people (myself included, until recently) do in their handling of passwords. Once a person has decided upon one, two, or three passwords, he or she tends to stop making new ones—instead using the same passwords to cover the entirety of their digital identity. Historically this might not have been a huge issue, but recent events have shown how significantly times have changed.

Three recent huge data breaches have compromised immense numbers of user accounts: Gawker media (1.25 million accounts, 500,000 e-mails, 185,000 decrypted passwords), Epsilon (unknown number of e-mail addresses for customers of Walgreens, Citigroup, Best Buy, and many more large corporations), and of course the Sony PlayStation Network and follow-up Sony Online Entertainment breaches (~77 million accounts compromised, including any stored e-mail addresses, potentially passwords (unknown security there), possible credit card information, and real-world addresses in the former, 12,700 non-US Credit Cards in the latter). With the Gawker and Sony breaches, passwords either WERE compromised, or have the potential to have been (it’s still unclear in the Sony debacle how the passwords were stored—standard practices should make it so the passwords themselves were never stored, but I don’t recall Sony ever leading us to think they did this correctly—while they’ve certainly made statements that imply otherwise).

What this means is that you can’t use the same passwords everywhere. If one website or account doesn’t handle password security correctly and is compromised, someone suddenly has the password you use for huge portions of your life. This gives us a new point on our list of what makes a good password:

  1. A password should be unique.
  2. A password should be difficult to guess.
  3. A password should be unique to the specific account it is for, at least for every account with sensitive information.

Uh-oh. I think you see the snag we’ve just hit. We have so many accounts on the internet, at work, at school, and even on our home computers. To have unique passwords for even a large subset (the most important) of these accounts seems to be asking far too much of our human memories. It’s one thing if we’re using the same odd password for every account. Sheer frequency of use would embed it into muscle memory. When we have to think of the password for every different account to which we connect, though, the familiarity of use is gone.

Some people try to fix this by writing down their passwords. Bad idea. A large proportion of hacking isn’t even done through hugely technical means. Much of it is simple social engineering. Are you endeavoring to make things even easier for assailants by leaving your passwords lying around? You shouldn’t ever tell a person your password, nor should you have it written down. So that gives us our fourth and final requirement for a good password.

  1. A password should be unique.
  2. A password should be difficult to guess.
  3. A password should be unique to the specific account it is for, at least for every account with sensitive information.
  4. A password should be easy for its owner to remember.

Hmm. This is a pretty clear set of requirements. It also is a set of requirements that can prove difficult to reconcile. We’re now in a position where we want to make good passwords and know what defines a good password. That doesn’t mean we know how to make one. So, what’s a person to do? That’s what I’m here for.

Here are a few basic steps for making consistently good passwords, which I’ll illustrate by walking you through coming up with a new hypothetical password. It’s a system I’ve used for some time, recently extending it to account for point 3 above. I came up with it on my own in my freshman year of college, but in discussions I’ve found that others have come up with the same system (or a similar one). It’s one that works, and many people have independently come up with it.

Step 1: Think of a sentence you will not forget. It should be something very specific to you, but easy to remember. Make sure it has a proper noun or two in it. For my example here, I’ll go with the following sentence:

I think Christopher Nolan is the best director ever.

Simple enough, right? It’s easy to remember for me because, well, I think Christopher Nolan is the best director ever.

Step 2: Now take the first letter, respecting capitalization, of each word and place it next to the first letter of the word before it. In my example:

I think Christopher Nolan is the best director ever.

becomes

ItCNitbde

Now we’re getting somewhere.

You might be tempted to stop there. After all, no one is going to guess “ItCNitbde” when trying to get into your account. Still, we’re going to take this a bit further (especially because many systems require numbers or symbols in order to try to force users to make more unique passwords).

Step 3: Think of a number that has some sort of significance to you. It really doesn’t matter what it is, as long as it’s something you can remember. For my example, I’m going to use the year Christopher Nolan’s The Dark Knight (my personal favorite of his films—though I might argue Memento is his best) was released: 2008. Break the number into two parts. In this case, 20 and 08. Now put one part before the character string we have, and one after. This gives me:

20ItCNitbde08

This is looking promising, isn’t it?

At this point, we’ve fulfilled a few of our requirements.

  1. A password should be unique. Check
  2. A password should be difficult to guess. Check
  3. A password should be unique to the specific account it is for, at least for every account with sensitive information.
  4. A password should be easy for its owner to remember. Check. All I have to remember is the phrase and that my favorite movie came out in 2008.

Requirement 3, though, is a problem. Let’s deal with that now.

Step 4: For every account, insert a short one-, two-, or three-character string based on the name of the account, either after the first numbers or before the last ones. What this means is that my passwords for the following accounts would be:

Google: 20GooItCNitbde08

Amazon: 20AmaItCNitbde08

Apple/iTunes: 20AppItCNitbde08

Yahoo: 20YahItCNitbde08

You get the idea. What this does is give you a common password system you can use across your accounts, rather than a common password, with a simple variable to change based on the website/account itself. In this situation, a single password being compromised through a system on which you have a presence will only compromise that one password. In order for someone to figure out what part of your password you’re changing from one system to the next in order to gain access to your digital identity at large, they would need to gain access to several of your passwords OR get one password and already know what system you’re using.

(You could, of course, complicate matters by changing the “Goo” or “Ama” 3-letter string to something else based on the site’s name. For instance, you could choose to hit the keys one letter before or after the first three letters of a site’s name: “Goo” would become “Fnn” and “Ama” would become “Zlz” for instance. This is probably unnecessary extra obfuscation, but it’s an option if you want it.)
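The four steps above, plus the letter-shifting variant from the parenthetical, as an added Python example that is not part of the original post. The phrase, year and account names are the post's own; the function names and the small requirements check at the end are this example's assumptions.

```python
from __future__ import annotations

# Phrase and significant number as given in the post; account names follow
# the post's Google/Amazon/Apple/Yahoo examples.
PHRASE = "I think Christopher Nolan is the best director ever."
YEAR = "2008"

# Common passwords named on the page (the film's list and the linked top-20
# article); used only as a sanity check for requirement 2.
COMMON_PASSWORDS = {"love", "sex", "secret", "god", "123456", "princess", "qwerty"}


def initials(sentence: str) -> str:
    """Step 2: first letter of every word, keeping each word's capitalization."""
    return "".join(word[0] for word in sentence.split() if word[0].isalpha())


def split_number(number: str) -> tuple[str, str]:
    """Step 3: break the significant number into a leading and a trailing part."""
    mid = len(number) // 2
    return number[:mid], number[mid:]


def shift_letters(tag: str, offset: int) -> str:
    """Optional obfuscation from the parenthetical: replace each letter with the
    one `offset` places before (negative) or after (positive) it in the
    alphabet, wrapping around, so 'Goo' -> 'Fnn' and 'Ama' -> 'Zlz' at -1."""
    out = []
    for ch in tag:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + offset) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def site_tag(account: str, length: int = 3, shift: int = 0) -> str:
    """Step 4: short string derived from the account name ('Google' -> 'Goo')."""
    tag = account[:length].capitalize()
    return shift_letters(tag, shift) if shift else tag


def make_password(sentence: str, number: str, account: str,
                  tag_after_prefix: bool = True, shift: int = 0) -> str:
    """Assemble leading number + tag + initials + trailing number; with
    tag_after_prefix=False the tag goes just before the trailing number."""
    core = initials(sentence)
    head, tail = split_number(number)
    tag = site_tag(account, shift=shift)
    return head + tag + core + tail if tag_after_prefix else head + core + tag + tail


def check_requirements(passwords: dict[str, str]) -> list[str]:
    """Report what code can check of the post's four requirements: every
    account gets its own password (3) and none is a well-known common password
    (2). Remembering the phrase (4) is up to the owner."""
    problems = []
    if len(set(passwords.values())) != len(passwords):
        problems.append("requirement 3: two accounts share a password")
    for account, pw in passwords.items():
        if pw.lower() in COMMON_PASSWORDS:
            problems.append(f"{account}: requirement 2: well-known common password")
        if not (any(c.isdigit() for c in pw) and any(c.isupper() for c in pw)):
            problems.append(f"{account}: no digit or capital (many systems require them)")
    return problems


if __name__ == "__main__":
    generated = {a: make_password(PHRASE, YEAR, a) for a in ("Google", "Amazon", "Apple", "Yahoo")}
    for account, pw in generated.items():
        print(f"{account}: {pw}")
    print("problems:", check_requirements(generated) or "none")
```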

You don’t have to use my exact system. The point is to have a password system that you use that fulfills all 4 requirements. Mine is just a suggestion.

So let’s review the requirements I established before:

  1. A password should be unique. Check
  2. A password should be difficult to guess. Check
  3. A password should be unique to the specific account it is for, at least for every account with sensitive information. Check
  4. A password should be easy for its owner to remember. Check

Mission Accomplished.


My take: Prospective iPad vs Vita hardware sales for March 2012

by Michael


Update (3/19/12): Follow-up at the bottom with more specific hardware sales predictions and the associated required software sales ratio.

Earlier today Ben Kuchera, formerly of Ars Technica, now of The Penny Arcade Report, tweeted this:

Wanting to respond with a from-the-hip guess, I posted this:

I was surprised to get a response from Ben:

Seeing as I love having to back up my thoughts (especially if it turns out my assumptions are wrong--after all, why stay wrong about something if I can help it?), I decided to do a little bit of digging. I quickly realized replying on twitter wasn't going to cut it.

Before I start, I do want to say a few things:

  1. I am not a game journalist, or any type of journalist. I'm an amateur who just likes talking about technology, games, and business. If I'm wrong, please let me know, but try not to chew my head off as if I'm leading people astray.
  2. It's really hard to find accurate numbers for things unless you are a business subscribing to NPD's numbers. I don't. I am taking information I'm finding from sources which seem to be giving reasonably accurate numbers. If they're wrong, I'm sorry.
  3. My goal here is really just to see if my response to Ben was a reasonable prediction to make, not to have an A-ha! I'm right and you're all wrong! moment. I have no vested interest in being "right".

Before I start giving links, I want to give my thought process for why my gut reaction was what I tweeted to Ben. The first part of my tweet simply says the iPad will sell many more hardware units than the Vita in March (despite the iPad releasing just today). Honestly, that's simply because I'm pretty certain the iPad has been consistently selling in numbers that dwarf anything video game consoles have ever done. The second part of my tweet will be harder to back, but stems from my assumption that early Vita buyers are so-called "hardcore" gamers who buy many expensive games at retail, while the iPad's buyers are probably not buying the device primarily for gaming--or at least probably not an immense proportion of those buyers. When I typed "This month's Vita buyers...", I meant to imply focusing on these particular people on a per-person/per-device basis, not total. My precise meaning was "This specific month's Vita buyers will, over the course of the device's lifetime, average more money spent on games than the people who purchase the new iPad in March will." That said, I didn't word the statement clearly and can see how it would be easily interpreted as "This month's Vita buyers, in total, will spend more money on games over the course of the Vita's lifetime than this month's new iPad model buyers will." Those are very different statements. I don't want to seem like I'm backpedaling, though, so let's explore both interpretations!

On to what I can dig up!

Argument Part 1 - Hardware

The first iPad was released just 2 years ago. Through Apple's Fiscal Q1 2012, which ended December 31 (less than 2 years of sales, if you're counting) Apple had sold a total of 55 Million iPads (Transcript of Apple CEO Tim Cook's keynote at Goldman Sachs). It sold 15.43 Million iPads in just Q1 2012 (Apple's First Quarter Press Release). That's just one quarter. Yes, it's true that's the big holiday quarter--but it's one quarter nonetheless.

The PS2 and the DS are the best selling video game systems of all time. So let's see how their sales stack up to the iPad 1 & 2 so far. According to Sony itself, the best quarter for PS2 sales since April 2006 (unfortunately Sony doesn't list quarters before that) was 6.7 Million units in Q3 of Fiscal Year 2006. The second best since 2006 was 5.4 Million units. Both of those quarters were holiday quarters. Additional data from Sony (navigable to on the same site): The PS3's best holiday quarters were both 6.5 Million units and the PSP's was 5.7 Million.

According to Wikipedia (fortunately, the sales in the chart are all linked to Nintendo's official PDF reports, so they're checkable), the best ever quarter for the DS, DS Lite, DSi, and DSi XL combined was the holiday quarter of 2008 with 11.89 Million units shipped that quarter. That was the same quarter in which the DS set the US record for most video game system sales in a single month (3.04 Million in December, versus the PS2's previous record of 2.7 Million). The Wikipedia chart only lists life-to-date numbers, so I had to subtract the previous quarter's number from the one I was checking to find a given quarter's sales.

The numbers aren't perfectly apples to apples comparisons (pun not intended). We don't really have holiday quarter sales for earlier in the PS2's life while it was at its sales peak, so the PS2's data isn't incredibly useful. The DS seems to have exceeded the PS2's sales peaks, though, and still fell short of the iPad. Suffice it to say the Vita is not currently likely to be approaching sales comparable to the PS2 and DS during their peak years. So it's pretty safe to assume the iPad will outsell the Vita by a wide margin, even with just half the month to work with.

I've spent all this time so far defending the part of my argument that nearly no one would contest. Honestly, I just did that because it was fun. Now for the truly arguable part:

Argument Part 2 - Software

As I said before, there are two different possible interpretations from the software part of my tweet. First is that this month's Vita purchasers will average more total lifetime money spent on games for their Vitas than this month's new iPad purchasers will average in total lifetime money spent on games for their iPads. Second is that this month's Vita purchasers will total more lifetime money spent on games for their Vitas than this month's new iPad purchasers will total in money spent on games for their iPads.

Back to Sony we go for software numbers. If we look at PSP software sales since 2006, we get the best single-year sales at 54.7 Million pieces of software (2006--PSP software sales decreased from then on). The same year had nowhere near the highest hardware sales for the system (at just 9.6 Million units), so 2006 easily had the highest Hardware/Software ratio for the PSP from 2006 onward: 5.7 games per system sold. Keep in mind, this isn't lifetime. Unfortunately, it's also just academic because we don't have launch numbers--so those games are being purchased by people purchasing 2006 hardware as well as people who purchased hardware in 2004 and 2005.

To help me illustrate something, though, let's look at the PS3's numbers--which Sony thankfully does have launch numbers for.

  • The PS3's 2006-2010 per-year hardware numbers are: 3.5, 9.1, 10.1, 13, and 14.3 Million units sold. So the systems sold per year have increased each year over year.
  • Its software has followed the same pattern so far, with 13.3, 57.9, 103.7, 115.6, and 147.9 Million software units sold in the same respective years.
  • That makes the attach rates for 2006-2010 into 3.8, 6.36, 10.26, 8.89, and 10.34 pieces of software sold per system sold each year.

Again: That doesn't mean everyone who purchased a PS3 in 2010 bought an average of 10.34 pieces of software. Early system purchasers are still buying software for the system. This is just giving you an idea of what the numbers look like so far. The numbers become more useful if we look at cumulative attach rates.

  • Cumulative hardware to-date for each year from 2006-2010 comes out to 3.5, 12.6, 22.7, 35.7, and 50 Million PS3s.
  • Cumulative software-to-date for each year for 2006-2010 is 13.3, 71.2, 174.9, 290.5, and 438.4 Million pieces of PS3 software sold.
  • So the cumulative attach rate for each year is: 3.8, 5.65, 7.7, 8.14, 8.77 average pieces of software sold lifetime for every single PS3 sold through the end of fiscal year 2010.

It's probably possible to do some math with those numbers to determine sales of early adopters versus later console buyers. I started doing the math and confused myself (I was too lazy to get out a pen, paper, my graphing calculator, Excel, etc.). My hunch (which I think is probably pretty accurate) is that people who buy consoles early are more likely to buy a large collection of games than people who buy them later.

So for the PSP we have that 5.7 ratio number and for the PS3 we have an 8.77 number, both of which I think are lower than the ratios applied specifically to early purchasers. What do you expect the average selling price for PSP software is? I'll use $9 as an arbitrary pessimistic guess. So that would mean an average of $51.3 spent on games per PSP owner assuming just a $9 average software price (highly unlikely for early adopters--after all they had to buy at least one launch game at $35+). A (in my opinion) more realistic average game price for launch PSP buyers of $15 takes the total they spent on games to $85.5 if we limit them to that 5.7 ratio (which is, frankly, probably unfairly low when we're talking about launch buyers of the PSP who didn't know about the hacked firmware piracy/emulation market that would crop up later).

The PS3? If we took the cumulative 8.77 average software/hardware attach and multiply it by just $25 as average spent per game, we hit $219.25 spent on software per system. Again, we're not skewing for early adopters here.

Besides, even if the 2006 purchasers never purchased another game for their systems, they still each bought 3.8 games at launch-system pricing (there were only 2 quarters in FY2006 for the PS3, and not even for the entirety of those quarters). If you estimate low and say each of those games were purchased during the launch window at $40 (versus the standard $60 launch price), that's a bare minimum of $228 paid for PS3 games per owner in 2006 alone. If any of those initial system purchasers ever buy another game, that average goes up.

How many new iPad owners do you think will spend $228 on games alone for their iPads? Now consider that's an intentionally very low estimate for early PS3 buyers. Sure, the average selling price of games on the Vita is lower, but it's still very much gamers buying a game system with the intent to spend money on games. The numbers might be lower, but the lifetime average will certainly pass $200, if not significantly higher for these launch window buyers. After all, these numbers just go through 2010. At least some of those launch PS3 buyers are still buying games.

Realistically, the attach numbers for the PS Vita will probably be somewhere between the PSP and the PS3. The attach rate for the PSP was notoriously abysmal with many people buying the PSP just to crack the firmware and play free games on it. Handhelds have never had the same attach rates as home consoles, though, so we probably shouldn't expect PS3 numbers. Even so, I find it doubtful that the average new iPad buyer will end up spending multiple hundreds of dollars on games alone. (It's certainly plausible the new iPad owners will beat out Vita owners on average dollars spent on software when you combine all iOS software categories, but we're just talking about games here.)

So yes, I do believe my statement was true if we're talking averages. Totals though... that's another issue.

The total is, obviously, equal to the previously discussed average money spent on games per device times the number of hardware units sold. Because I'm fairly certain the iPad will outsell the Vita on hardware while the Vita's owners will spend more per-owner on games long-term, the issue becomes ratios. If the new iPad sells twice as many units (in half the time--since it's only on sale for half the month), its owners only have to average half the long term game dollars spent as the Vita owners. This is a tossup, as I have absolutely no projection as to what the ratio of new iPad to Vita hardware sales will be for March.

My gut, though, is to say the brand-new-as-of-March-2012 Vita owners will still end up spending more on Vita games than the brand-new-as-of-March-2012 new iPad owners will end up spending on iPad games long-term. My gut tells me this because, well, I'm an early adopter in both realms. (Luckily, I also keep all my receipts from iTunes and Amazon!) I have a 3DS on which I've actually only purchased a handful of games (only 3, in fact, so far) which I've spent a collective $116 on. I've also had an original iPad since launch as well as an iPhone 3G since launch, replaced by a current 4S. I play and purchase far more games than the average iOS owner does--and I'd bet I spend far more money on apps, and the game subgenre of apps, than the average early adopter does. iOS games are so cheap, though, that my grand total of money spent on iOS games including many I purchased for iPhone--and duplicates for which I've purchased both iPhone and iPad versions, totals $135 since I purchased my iPhone 3G in June 2008. So most of 4 years later, my total iOS game purchases are a little higher than the money I've spent on games for the 3DS--which I purchased 5 months ago.

It is highly unlikely so-called "non-gamers" will spend money buying games on their new iPads at anywhere near the rate I have, while the people buying Vitas right now are exclusively gamers buying the system so that they can purchase games for it.

So while it's highly likely the total amount of money spent on iOS games will exceed that of the Vita (or the Vita + 3DS combined), I think this particular half month of new iPad buyers will probably still total less money spent on iPad games than this particular month of Vita buyers will total money spent on Vita games long-term.

As I said before, this isn't my job and I don't have more reliable long-term data, so I did the best I could. I'd love to be able to look at guaranteed accurate quarter-by-quarter sales for all these pieces of hardware (and respective software) since launch to get more accurate predictions. I am aware that I was switching between real numbers and conjecture, but I tried to clearly label which was which. Still, I think this was enough effort to ensure my predictions and opinions are reasonable.

Now if you'll excuse me, I have to go play Mass Effect 3 on my Xbox 360 (with the iPad Mass Effect 3 Datapad app on hand, of course). If I finish this weekend it'll mean I can finally get around to reading Ben's article about the series' apparently divisive ending.


→ The New iPad's Screen Under the Microscope

by Michael


Lukas Mathis puts the iPad 2 and new iPad screens under a digital microscope at 80x magnification. The difference is enlightening. Then he continues to put a whole slew of other devices under it as well. Fascinating. My favorites are the 3DS's top 3D display and the e-ink Kindle. Odd ducks, both of them.

Also notable is the Nexus One's Pentile OLED display. So far OLED hasn't gotten good enough that normal pixel orientations work well, so even newer Pentile phones like the Galaxy Nexus don't look as good as other displays with same, or even somewhat lower, pixel densities. It's easier to understand this when you see the pixel orientation up close.


Why I Don't Think I'll Get the New iPad After All

by Michael


The short reason: The CPU has apparently not gotten a clock speed bump--supposedly containing the same dual-core 1GHz CPU as the iPad 2 paired with a new "quad core" GPU (which doesn't mean anything significant at all) and 1GB of RAM (instead of the iPad 2's 512MB), thereby changing the combined chip's moniker from the A5 to the A5X.

That short reason doesn't tell you the whole story, though. I don't actually care that the new iPad isn't quad core. I don't care how it compares to its competitors in terms of raw CPU power. As everyone who is concerned with actually using a device should be, I am concerned with the experience of actually using the device. Apple has done an excellent job of making its operating system run much better on its hardware than most competitors have managed. It doesn't need similarly powered hardware to drive the same level (or even a superior level) of performance in areas that drive the customer experience. The iPhone 4S contains a dual-core 800MHz processor but still manages to be the most responsive phone on the market--more so than the 1.2GHz dual-core CPU in the flagship Samsung Galaxy Nexus running Ice Cream Sandwich or the numerous higher-clocked CPUs in other Android phones.

So it's not a matter of thinking the new machine won't drive a great experience. I don't even care that it didn't get a clock speed bump in itself. I do, however, care that its CPU is the same as the iPad 2's. Having the same CPU means the new iPad will be able to provide a great experience for a shorter period of time after launch than the previous iPad could.

The simple thought process is this: The only things separating performance between the new iPad and the iPad 2 are the amount of RAM and the more powerful GPU. According to Apple, the new GPU in its A5X processor is twice as powerful as the one included in the A5. This won't translate very much to better performance, but rather was a necessary jump in order to support the new display (which has 4x more pixels). The speed improvement will be negligible in apps that aren't graphically intensive, while many developers of graphics intensive software will have to diminish effects used in software that previously ran smoothly on the iPad 2 if they want it to run at the new iPad's native resolution. In effect, the larger resolution makes a larger performance impact for graphics intensive applications than the gains offered by the new GPU. That means, at best, the GPU won't make this iPad feel faster but will make things prettier. The RAM increase will also likely be entirely consumed by the higher-resolution art assets applications will need.

In essence, the performance of this iPad in practice should be essentially indiscernible from that of the iPad 2. I happen to think that, until the new iPad, the iPad 2 was the best tablet on the market for very nearly everyone. This iPad should feel essentially exactly the same, but with LTE for faster cell access (if you use that feature) and with remarkably prettier visuals. So that means it's the new best tablet on the market. Then what's the problem?

Simple. Contrary to what many people think, I don't always buy the newest and greatest things. I used my old iPhone 3G for nearly 3.5 years before finally updating to the 4S. I spent quite a bit of money building my PC for college, but used it until it was a husk of a machine. Ditto for the 5.5+ year old white MacBook I'm hoping to replace some time this year. I spend money to get what I want, but only if I'm confident it will be a long-lived purchase.

After the 2013 iPad comes out and new software takes advantage of its increased performance, software will start to feel slow on the 2012 iPad at roughly exactly the same time it begins to feel slow on the iPad 2. The new iPad will probably be supported with software updates for longer than its predecessor, but its "feels fast" timeline essentially has the same end-date as the iPad 2, with a year-later starting point. I'm having a very hard time talking myself into that.

So, for now, it looks like I'll just deal with my original iPad until next year. If something happens to change my mind, I'll probably update here. Certainly, though, if for some reason I have to buy a new tablet this year (right...), the new iPad is the one to buy. It is definitely worth the $100 premium over the iPad 2's price. It will feel the same but look significantly nicer. Anyone in the market for their first tablet can't really do better than the new iPad. The longevity issue also doesn't matter as criticism for anyone who purchases the newest model every year. Those users aren't going to be using this year's model for long after the next one is out and won't deal with software not optimized for it.

The thing is, I have an iPad. It's nowhere near as nice, and is already losing support on some of the software out there, but it's already paid for. I also have no compulsion to buy the newest model of any yearly gadgets. So I don't feel like putting down $829 for a new product that gives me effectively 1 year less value than if I had spent that money last year. (Besides, the new one still tops out at 64GB, which has been frustratingly limiting on my original model.)

So there you have it. I still think the new one is a great product, but for someone who already has one and doesn't need the latest and greatest, it's currently a pass.

Here's to next year, which I will almost certainly pull the trigger on.

Footnote: At the end of this year, though, I will have neither the newest iPad nor the newest iPhone. But hey! A new computer and Wii U can take up the slack.