Password Strategy for the Rest of us
Put all your eggs in the one basket and — WATCH THAT BASKET.
(Mark Twain in “The Tragedy of Pudd’nhead Wilson”)
There are several options to manage your passwords:
- One strong password
- Many simple passwords
- Keep a list of all your passwords
- Password manager (Keepass, 1Password)
- Context based password strategy
- Lose your mind and go crazy
A single strong password is fine until you enter it in a service which does not care about your safety and saves it as plain text, sends it in a confirmation mail or something like that. Boom, all credentials are compromised.
Many simple passwords is the worst option. That way, every login is prone to standard attacks.
The advantage of carrying around a list of passwords is that you can choose pretty long ones. But lose the list and all your passwords are gone. Bummer.
Password managers are a good solution, probably the most secure as you can generate 30+ characters long passwords for each service. You only have to remember a single strong master password. I tried 1Password for a couple of days but for me it is too fiddly, especially on mobile devices.
Context Based Passwords
At the moment I am pretty happy with this strategy. It meets several password safety requirements:
- long enough (12+ characters)
- one password per service
- easy to remember
- no need to write them down
- not vulnerable to dictionary attacks
The passwords consist of two parts: a static one and a context based one. The job of the first part is to guarantee high length and entropy. Something like 9RainbowWhiteboards!, My2ndComing,right? or even def self.foo(bar={}). Just make sure it’s pretty long, easy to remember and contains more than just lowercase letters. It might seem cumbersome to type but once you get used to it, your muscle memory will kick in and you will type that part in no time.
The second part is context based and requires a little creativity. What is the context? The name of the domain or program is a good choice. Now, invent a little algorithm that’s easy to remember and doesn’t take too long to apply. A couple ideas, feel free to steal and combine:
- nth character of the name (yeah, there are 3- and now even 1-character domain names; you can still use n > 3 by taking n modulo the name length)
- nth character of the name shifted forward or backward by some steps in the alphabet
- maybe you have already memorized the ASCII table? Convert the characters to numbers!
- use the length of the service name and apply some math (subtract, square, negate)
Be creative but don’t overdo. If it takes you several minutes to determine your password, it’s probably not worth it. The main idea is that when one password gets compromised, the attackers can’t just log into all other services.
Examples for www.farbeyondprogramming.com are GbS62 and -20ef. A completed password may be GbS629RainbowWhiteboards!. See what I have done here? The dynamic part ends with a number and the static part begins with one. It’s just playing around, but an attacker would need two of my passwords in plain text to be certain which part is the static one.
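One concrete instance of the scheme, as an added example rather than the author’s own rule: the static part is the one quoted above, and the context rule (constructed here) combines three of the listed ideas, an nth character with modulo wrap-around, an alphabet shift and some length math, so it also works for very short domain names.

```python
"""Context-based password derivation (added example; the rule is constructed, not the author's)."""
import string

STATIC_PART = "9RainbowWhiteboards!"  # the static part quoted in the post


def context_name(url: str) -> str:
    """'www.farbeyondprogramming.com' -> 'farbeyondprogramming' (the label left of the TLD)."""
    host = url.lower().split("://")[-1].split("/")[0]
    labels = [label for label in host.split(".") if label and label != "www"]
    return labels[-2] if len(labels) >= 2 else labels[0]


def nth_char(name: str, n: int) -> str:
    """1-based nth character; the modulo keeps n > len(name) usable on short names."""
    return name[(n - 1) % len(name)]


def shift_letter(c: str, steps: int) -> str:
    """Move a lowercase letter `steps` places along the alphabet, wrapping after z."""
    alphabet = string.ascii_lowercase
    if c not in alphabet:
        return c  # digits or hyphens in a domain name are left untouched
    return alphabet[(alphabet.index(c) + steps) % 26]


def dynamic_part(name: str) -> str:
    """Constructed rule: 2nd char upper-cased, 5th char shifted by +3, then 2*len - 7."""
    first = nth_char(name, 2).upper()
    second = shift_letter(nth_char(name, 5), 3)
    number = 2 * len(name) - 7  # may go negative, which is fine (the post suggests negating)
    return f"{first}{second}{number}"


def derive_password(url: str, static: str = STATIC_PART) -> str:
    # Dynamic part first: its trailing digits run into the static part's leading digit,
    # so the boundary is not obvious to anyone holding a single plaintext password.
    return dynamic_part(context_name(url)) + static
```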
Migrating to a new Password System
Now, you have decided to do the transition. I recommend two strategies to smooth the process:
Take an afternoon to migrate all the services that come to your mind. The “I’ll do the transition whenever I log in with my old password” approach did not work for me. It’s easy to fool yourself into thinking you don’t have time at the moment to change the password.
But there will be services you forget. When you encounter a login window and are not sure if you have already changed the password, assume you have and try the new password. If you haven’t, force yourself to change it before doing anything else. It takes a minute or two, so you can’t make excuses to yourself by referencing GTD and creating a task.
Enjoy your new passwords! :)
Resources
- 1Password
- Keepass
- XKCD on passwords
- hat tip to @florianpilz who asked me to write about the way I handle my passwords
Do I like my Standing Desk?
This is a follow up post to My Standing Desk Experiment. About 6 weeks ago, I rearranged my workplace to allow standing while working. Do I like the experience?
What I like
Flexibility – It’s easy to take a step to the window or walk to the whiteboard when you’re already standing. When facing a problem, I tend to walk away from my workplace more often than before. That’s definitely an improvement as thinking without distraction is more practical than staring at a blinking cursor.
Feels Good – I like to stand to work and write. I started the morning habit to wake up, grab a coffee, launch iA Writer and just write. Standing in the morning wakes my body even before the coffee kicks in.
What I don’t like
Not suitable for long periods of time – It took a couple of weeks but now it’s no big deal for me to stand about three or four hours nonstop. But that’s not healthy in the long run (similar to sitting for hours without interruption), so I ordered a barstool to allow alternation between sitting and standing. That’s okayish but the stool is for short resting phases only as it’s not too comfortable. The ideal solution would be a height-adjustable desk so I can switch between sitting in a comfy chair and standing whenever it suits me.
Sucks for lean-back-activities – Reading articles, watching videos, playing games. These are activities you don’t want to be standing for. The only solution that comes to my mind is, again, the height-adjustable desk.
My desk is a mess – With all the Amazon boxes on top to bootstrap the standing desk environment, my desk looks cluttered. You might’ve already guessed the one possible solution: Buy a height-adjustable desk.
Conclusion & Upcoming
Apart from the flexibility issues, I love my setup. The next step seems to be getting a new desk. They’re quite expensive, though. So I might switch back and forth between sitting and standing for a couple of weeks each until I’m sure enough to commit to the expenses.
Does it sound interesting to you? Then definitely give it a shot! If for nothing else, it’s easy to set up with some spare boxes and a fun experience.
How to deploy a WordPress Plugin with git-svn
UPDATE If you are looking for a recommended way to deploy your WordPress plugins, skip to the UPDATE-section at the end of the article. If you’re interested in a git-svn workflow, read on. Thanks!
— — — — — — — — — — — — — — — — —
Git rocks and GitHub makes it even better. But if you develop a WordPress plugin and aim to share it with the world, you need to use svn. No way!
git-svn to the rescue! (please play your favorite hero-appears-to-save-the-day soundfile)
I assume you have your plugin on GitHub, requested a WordPress.org plugin repository and just received the confirmation mail. What now?
Setup
$ git svn init --trunk=trunk http://plugins.svn.wordpress.org/yourpluginnamehere
$ git svn fetch
That might take a while. It’s svn.
$ git branch -a # Lists remotes/trunk
$ git rebase --onto remotes/trunk --root master
Woozaa, git rebase magic! Well, it basically applies your linear history (master branch) to the svn repo (remotes/trunk). Now all that’s left is sending the history to the svn repo.
$ git svn dcommit
Oh my god, I hope you don’t have hundreds of commits yet because that will commit each one separately! You probably want to keep your history in svn, so git-svn needs to send each and every commit separately. For me, it took about 30 seconds per commit. So you can estimate how long it might take for you. Gosh. Well, go grab a cup of your favorite hot (or cold, depends on the weather) beverage and enjoy the process. Oh, and WordPress.org will happily send you an email for every commit. Jeez.
Congratulations, you’re done with the unpleasant part – enjoy your WordPress plugin development with git.
Everyday Usage
Develop as you’re used to with git. When you’re ready to release a new plugin version with svn, these are the required steps.
$ git svn dcommit
$ git svn tag 1.3 # substitute with your version number
That’s it.
Troubleshooting
You might get errors like W: Refspec glob conflict (ref: refs/remotes/trunk):. Open your .git/config and look for the [svn-remote "svn"] block. Mine looks like this.
[svn-remote "svn"]
	url = http://plugins.svn.wordpress.org
	fetch = archivist-custom-archive-templates/trunk:refs/remotes/trunk
	branches = archivist-custom-archive-templates/branches/*:refs/remotes/*
	tags = archivist-custom-archive-templates/tags/*:refs/remotes/tags/*
For some reason, I had multiple lines starting with branches and tags. That confused git. Make sure there’s only one line for each option.
Happy developing!
Update
Do not do this. It looks like this workflow is unwelcome as it creates more commits than necessary.
Anyway, I’m already doing it differently now. Develop in git to your liking. When you’re ready to release, bump your version number and simply deploy the current plugin state via svn:
$ svn commit -m "v1.2"
$ svn copy http://plugins.svn.wordpress.org/myplugin/trunk http://plugins.svn.wordpress.org/myplugin/tags/1.2
To keep both repos clean, add the line .svn to your .gitignore. Then, type svn propedit svn:ignore . in the plugin root. Add .git and .gitignore on separate lines.
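A small release helper for the svn-only workflow just described, added here as an example and not part of the post: it validates the slug and version before they become svn URLs, checks that the version you tag is the one readme.txt advertises via its “Stable tag:” line, and refuses to overwrite an existing tag. It assumes the current directory is the svn checkout of the plugin’s trunk that also holds your git repo; the function names are my own.

```python
"""Release helper for the svn commit + svn copy workflow (added example, not the post's code)."""
import re
import subprocess
from pathlib import Path
from typing import Optional, Tuple

SVN_BASE = "http://plugins.svn.wordpress.org"  # repository root used in the post
SLUG_RE = re.compile(r"^[a-z0-9-]+$")
VERSION_RE = re.compile(r"^[0-9]+(\.[0-9]+)*$")


def release_urls(slug: str, version: str) -> Tuple[str, str]:
    """Build (trunk_url, tag_url). Strict validation keeps a typo or pasted string
    from turning into a URL such as tags/../other-plugin or a tag with odd characters."""
    if not SLUG_RE.match(slug):
        raise ValueError(f"bad plugin slug: {slug!r}")
    if not VERSION_RE.match(version):
        raise ValueError(f"bad version: {version!r}")
    return f"{SVN_BASE}/{slug}/trunk", f"{SVN_BASE}/{slug}/tags/{version}"


def stable_tag(readme_text: str) -> Optional[str]:
    """Version WordPress.org serves to users, taken from the 'Stable tag:' header of readme.txt."""
    match = re.search(r"^Stable tag:[ \t]*(\S+)", readme_text, re.MULTILINE)
    return match.group(1) if match else None


def release(slug: str, version: str, readme: Path = Path("readme.txt")) -> None:
    """Bump the version first, then call this: commits trunk and copies it to tags/<version>."""
    trunk, tag = release_urls(slug, version)
    advertised = stable_tag(readme.read_text(encoding="utf-8"))
    if advertised != version:
        raise SystemExit(f"readme.txt Stable tag is {advertised!r}, expected {version!r}")
    # Refuse to clobber a tag that already exists in the WordPress.org repository.
    if subprocess.run(["svn", "ls", tag], capture_output=True).returncode == 0:
        raise SystemExit(f"tag already exists: {tag}")
    subprocess.run(["svn", "commit", "-m", f"v{version}"], check=True)
    subprocess.run(["svn", "copy", trunk, tag, "-m", f"Tag {version}"], check=True)
```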
Sources & Further Reading
- stackoverflow: how-to-commit-a-git-repo-to-an-empty-repo-svn-server
- http://www.kernel.org/pub/software/scm/git/docs/git-rebase.html
My Standing Desk Experiment
I’ve read about standing desks some time ago. Since then, an untouched project sits in my ToDo app. Today I was bored enough to give it a shot. My desk looks quite funny now with all the boxes on top. Hurray, I’ve done it!

I’ve done it mostly out of curiosity. There is some research claiming that sitting all day is bad for your health, but you can find similar results for standing all day. That’s just how it is: Too much of anything is bad for you. That’s no real surprise, is it?
Besides, all the cool people stand to work: Shawn Blanc, Marco Arment (Instapaper), Hemingway, Churchill, …
Alright, that’s it. I’ll tell you how it works out for me in a couple of weeks!
Sources & Further Reading
- http://zenhabits.net/stand/
- http://shawnblanc.net/2011/08/barr-standing/
- http://articles.marco.org/268
- http://healthland.time.com/2011/04/13/the-dangers-of-sitting-at-work—and-standing/
In an artificial world, only extremists live naturally
This is a quote from an essay by Paul Graham called “You weren’t meant to have a Boss”. It is about the question of becoming a freelancer / startup founder or signing up at a company. Thereby he draws magnificent analogies to nature.
Lions in the wild seem about ten times more alive. They’re like different animals. I suspect that working for oneself feels better to humans in much the same way that living in the wild must feel better to a wide-ranging predator like a lion. Life in a zoo is easier, but it isn’t the life they were designed for.
Go, read it!
Source: http://www.paulgraham.com/boss.html (2008)