Secure Passwords.

Everyone knows that security is important. I’ve talked before about DenyHosts, which watches for attempts to brute-force your SSH passwords and blocks them.

I could probably live fairly happily without DenyHosts, since my passwords aren’t going to be caught by a brute-force attack based on dictionary words and while every password is vulnerable to a brute-force attack across the total possible search space, most of the time the bad guys won’t dedicate that much time – they’ll try a dictionary-based attack, and go and find someone more vulnerable.

So life is great, and we all use passwords like ‘;D}A(RpLk#~4‘, right?

Even if I could remember that, which I couldn’t, I’d be mad to expect my users to be happy with that kind of password policy. If my users were my employees, then I might not care about their happiness – but they’re my customers, and if they get unhappy they might leave and then I’ll have really secure passwords protecting an empty server.

In my day job, where the users are also customers, I’ve come across some of the worst passwords imaginable, including ‘password‘. Mostly, these passwords are useless unless you’re already inside someone’s local network, and most people take better care with their remote-access passwords, but slips can happen and a poorly chosen password can be a weak spot that lets an attack onto a trusted machine, and from there you can lose your entire network.

Finding a method of producing secure passwords which users can remember is absolutely vital. In order for the passwords to remain secure, it’s best to avoid obviously ‘memorable’ password techniques, such as pronounceable strings. While that’s a much bigger search space than dictionary words, it’s harder to include punctuation – or even some numbers – in those passwords and it’s still a much smaller space than ‘eight random characters’.

For my own passwords, I use the following technique. It’s not something you can strictly enforce on users, but it is something you can include when training them on security policies.

I start with a phrase. For this example, I’m going to use ‘Stop Me If You Think You’ve Heard This One Before’, solely because the Smiths song is in my ‘Party Shuffle’ list in iTunes.

This is a nine-word phrase, which will give us a nine-character password. This is a good length, and at the upper bounds of what you’d expect someone to be able to memorise using traditional techniques. This technique is simple to apply: for each word in the phrase, you substitute a character.

One possible password generated from our sample phrase could be ‘$m!y7Yht1b‘. I’ve used number and symbol replacements for the initial letters of each word where it’s possible, but not every time, so as to keep a range of characters in use. With this particular example, you could push it to 10 characters by using ‘b4‘, which is one of the benefits of this technique – you have the flexibility of the whole English language to help generate the password. You can make full use of text- and leet-speak, where appropriate, to produce a password that both looks random and is easy to remember.
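As an added example (not code from the post), here is a small Python implementation of the word-by-word substitution described above. The leet and text-speak tables are constructed assumptions for this example; `apply_plan` rebuilds the post’s sample password from an explicit per-word choice, and `generate` draws those choices with the `secrets` module so the presentation of the initials is not predictable from the phrase alone.

```python
"""Added example: derive a password from a phrase, one token per word."""
import secrets
import string

# Constructed substitution tables (assumptions for this example, not a list
# from the post): leet-style swaps for a word's initial letter, and
# text-speak swaps for whole words.
LEET = {"s": "$", "i": "!", "t": "7", "o": "0", "a": "@",
        "e": "3", "b": "8", "g": "9", "l": "1", "z": "2"}
TEXT_SPEAK = {"one": "1", "two": "2", "to": "2", "for": "4", "four": "4",
              "before": "b4", "you": "u", "are": "r", "ate": "8", "and": "&"}

# How one word may be rendered: plain initial, capitalised initial,
# leet swap of the initial, or text-speak for the whole word.
MODES = ("lower", "upper", "leet", "text")

PHRASE = "Stop Me If You Think You've Heard This One Before"
# Per-word choices that reproduce the post's sample password '$m!y7Yht1b'.
SAMPLE_PLAN = ["leet", "lower", "leet", "lower", "leet",
               "upper", "lower", "lower", "text", "lower"]


def words_of(phrase):
    """Split the phrase into words, dropping punctuation at word edges."""
    stripped = (w.strip(string.punctuation) for w in phrase.split())
    return [w for w in stripped if w]


def token(word, mode):
    """Map one word to the character(s) that stand for it in the password."""
    w = word.lower()
    first = w[0]
    if mode == "upper":
        return first.upper()
    if mode == "leet" and first in LEET:
        return LEET[first]
    if mode == "text" and w in TEXT_SPEAK:
        return TEXT_SPEAK[w]
    return first  # no substitution available: fall back to the plain initial


def apply_plan(phrase, plan):
    """Build the password from an explicit per-word list of modes."""
    ws = words_of(phrase)
    if len(plan) != len(ws):
        raise ValueError(f"plan has {len(plan)} entries for {len(ws)} words")
    return "".join(token(w, m) for w, m in zip(ws, plan))


def generate(phrase):
    """Draw the per-word choices with the OS CSPRNG; return (password, plan).

    The plan is what the user has to remember alongside the phrase.
    """
    plan = [secrets.choice(MODES) for _ in words_of(phrase)]
    return apply_plan(phrase, plan), plan


def char_classes(password):
    """Report which character classes the password actually uses."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    print(apply_plan(PHRASE, SAMPLE_PLAN))          # $m!y7Yht1b
    pw, plan = generate(PHRASE)
    print(pw, plan, sorted(char_classes(pw)))
```

The substitutions only vary how each initial is written; the guessing difficulty still rests on the phrase itself, so a well-known lyric gives less protection than the character mix suggests, and `char_classes` is a quick way to confirm a derived password actually covers lower case, upper case, digits and symbols before adopting it.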

But that’s not all you can do with this technique. It happens to be an excellent example of Technopagan practice.

Before I explain why, I’m going to digress a bit about what ‘magic’ means to me.

I am what you might call a pragmatic Pagan. I’m not really concerned if ‘magic’ is ‘real’ or not – I’m concerned about the end result. It doesn’t matter if it’s spiritual forces or psychological forces. It doesn’t matter if I get a job because supernatural forces intervene on my behalf or if it’s because my believing in the possibility of supernatural forces simply makes me more confident and that confidence gets me the job.

This technique is a good example of pragmatic Paganism. By picking a suitable phrase you can reinforce a particular thought, or desire, every time you type your password. This is effectively the same as a daily affirmation, reinforcing a particular idea. Does it matter if you’re invoking a spirit or simply creating a positive mental attitude?

In my personal experience, I’ve found that using the same phrase for too long causes it to lose its effectiveness. Ideally you should change it every few months or so – and conveniently this coincides with good security practices too.

The only down-side to this technique that I’ve found is that it’s extremely difficult to discuss what you’re doing, as telling anyone the key phrase you’re using would compromise your password!

The other ‘adventures in technology’.

Things are quite quiet at the moment in both my day job and in the hosting.

That’s not to say that both aren’t keeping me busy, but it’s the sort of busy that’s not interesting to write about. There’s not been any fun experiments with virtualisation or other shiny toys to write about.

So I thought this would be a good time to bring up the other side of my ‘adventures in technology’ – the religious side.

Religion and technology are not normally grouped together – most overtly religious people are, at best, neutral towards the effects of technology on their belief systems, and frequently the loudest adherents of any particular religion will tend to be decidedly anti-technology.

My religion of choice is Paganism, and it is no exception. In fact, in many ways it can be worse. The mainstream view of Paganism is of Earth-worshipping tree-hugging hippies, and it’s not far wrong. If you don’t fit into those stereotypes it can be quite awkward in Pagan gatherings, where the default assumption is that everyone is an environmental activist, vegetarian (if not vegan), and in favour of a return to an agrarian society.

But this is not true for all Pagans. There is a subset of Paganism known as ‘Technopaganism’, and that’s where I find my beliefs fitting.

I work with technology all day, every day, in both my professional and private lives. I carry quite advanced bits of computer technology with me almost everywhere – my Windows Mobile phone, my Eee PC laptop, my iPod, and a Nintendo DS. Technology is integral to all of our lives, but some choose to embrace that more than others.

I recognise that modern technology is a tool, albeit a hugely complex one. As a tool it can be used for many purposes. Just as a candle can provide light in the dark or be used for more symbolic purposes in a Pagan ritual, I feel that technology can be used for more than just its obvious uses.

As an example of this, while your average Pagan might do a ritual to improve their chances of finding a job, lighting a candle during the ritual and allowing it to burn down, I have in the past performed a similar ritual, only I ran a script on my server instead of lighting a candle.

Technopaganism offers a way to combine a modern religious practice (despite common pretense, the vast majority of Paganism is of entirely modern construction – and even those who attempt to recreate ancient Pagan religions – ‘re-constructionists’ – have to adapt and fill huge holes to produce a practice and working religion) with modern technology. People who interact with technology on a daily basis (and that would be pretty much everyone reading this) tend to project a personality onto their technology. This is no different to seeing different uses for herbs or stones in traditional Paganism, only in a less archaic manner.

Technopaganism appeals to the geek in me. It’s about enjoying and using technology. It’s about creating tools to work with. There’s no structure or hierarchy in technopaganism. It’s barely mentioned in even ‘urban’ and ‘modern’ books on Paganism. There’s no set path to walk – it’s all about striking out yourself to create your own path.

Technopaganism allows you to fulfil that oh-so-human need for something ‘greater’ – the great mystery which drives all religion, but to do it in a modern manner, using techniques and tools that are familiar to any self-respecting geek.

That brings me back to this blog, and the reason why I chose this name. The term ‘semanticist’ is normally associated with linguistics, but I choose to look at the broader meaning: someone who looks for the meaning behind things.

Sometimes that refers to finding solutions for practical real-world issues of technology, such as effective use of virtualisation. Sometimes that refers to finding new ways to use my tools of choice to try and find answers to old questions.

Whether it’s scrambling to get CentOS working under Xen, or trying to develop new techniques to integrate computers and magic, it’s always an adventure.