6 characters? Let me guess, were there restrictions on character space and case?
One place I had an account has a password input that restricts all of those, so it's like an 8-10 character string of all capital letters. I don't understand it at all.
Necronomicon quote? Nice. This has me thinking about what I can do to make my security answers to security questions untethered from PII. A book quote is a really good idea.
I'm guessing that having every book loaded into a password cracking database, subdivided and indexed by each leading phrase word, is still computationally infeasible for non-government actors.
If I walk into a library, pick a floor, aisle, shelf, book, and page at random (just walk, don't think about it), and use a phrase that is a minimum of 12 words long -- is that more random than what I presume happened here, where someone knew that their target liked that style of poetry and was able to concentrate their search on that genre? (a "crib" in Bletchley Park terms)
The comments about English grammar are correct - classes of words (nouns, verbs, adverbs, etc) do fall in certain positional order and frequency analysis becomes important. A brute-force attacker would have to work through four types of passwords - the commonly used passwords like "12345" and "letmein", language-based phrases (like my not-great idea), language-based phrases with letter substitution (leet-speak, etc), and then truly random letter sequences.
What's happening is that people collect endless phrases and alter them with a ton of standard manipulation schemes, compute the corresponding private and public keys & addresses for all the variations, create a lookup table for the addresses and private keys, and as soon as they see a known keypair in use then they use the corresponding private key to swipe the funds.
See my comment above - unless I'm mistaken, taking all 2 to 24 word quotes from the most popular 1 million novels gives you about 40 bits of entropy (less than a password of length 7), and can easily be stored on one hard drive. In other words, feasible even for some script kiddie in mom's basement.
No need to have every book loaded, only the top 50000~ read by people who would use that method of passphrase generation should work fine (and be feasible for almost everyone). Cryptonomicon would probably be in that list.
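Added example (not part of any comment in this thread): a back-of-the-envelope check of the search-space estimates in the two comments above, counting every contiguous 2-to-24-word run in a corpus of novels. The figure of 100,000 words per novel and all function names are assumptions chosen for illustration.

```python
import math

MIN_WORDS, MAX_WORDS = 2, 24      # quote lengths named in the comment
WORDS_PER_NOVEL = 100_000         # assumption: typical novel length, not from the thread

def span_count(words_in_book, lo=MIN_WORDS, hi=MAX_WORDS):
    """Contiguous word runs of lo..hi words in one book of the given length."""
    return sum(max(words_in_book - n + 1, 0) for n in range(lo, hi + 1))

def enumerate_spans(text, lo=MIN_WORDS, hi=MAX_WORDS):
    """Brute-force enumeration; used to sanity-check span_count on small input."""
    words = text.split()
    return {" ".join(words[i:i + n])
            for n in range(lo, hi + 1)
            for i in range(len(words) - n + 1)}

def quote_space_bits(books, words_per_book=WORDS_PER_NOVEL):
    """log2 of the candidate list size. Repeated phrases and popularity bias
    only make the real figure smaller, so this is an upper bound."""
    return math.log2(books * span_count(words_per_book))

def random_password_bits(length, alphabet_size):
    """Entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)

def summary():
    return {
        "quotes, 1,000,000 novels": quote_space_bits(1_000_000),
        "quotes, 50,000 novels": quote_space_bits(50_000),
        "random 7 chars, printable ASCII (95)": random_password_bits(7, 95),
        "random 12 chars, printable ASCII (95)": random_password_bits(12, 95),
    }

if __name__ == "__main__":
    # Constructed sample: 30 distinct words, so no two spans collide.
    sample = " ".join(f"w{i}" for i in range(30))
    assert len(enumerate_spans(sample)) == span_count(30)
    for label, bits in summary().items():
        print(f"{label:40s} {bits:5.1f} bits")
```

Under these assumptions the quote list comes to roughly 41 bits for a million novels and roughly 37 bits for 50,000, both below a uniformly random 7-character printable-ASCII password at about 46 bits.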
Can confirm. I had a trippy experience where I had on one monitor some RTL+simulation for our chip up for view, on another I had the PCB schematic I had helped design, and on my third I had the GUI and embedded toolchain development environments up, and on my desk I had an oscilloscope measuring that PCB running that firmware. It was basically rolling through the list and really fun!
I mean, sous vide is amazing, but have you ever had your sprouts crispy? I used to be pretty indifferent to them until my fiancee cooked them up crispy.
Hmm... Now I'm thinking about food, oh look, it's lunchtime.
Banning suicide is as effective as declaring pi as 3 via legislative fiat. At least in my mind.
For one, it is hard to enforce; those who choose to end their own lives may not show any signs until the attempt. If they succeed, they cannot be punished. If they fail, what is a "just" punishment? How do you effectively punish someone who wants to die so that after their punishment, they want to live?
I guess, philosophically, we do have absolute control of our bodies in practice. Making laws that defy the reality of what humans are is a path to tyranny. If people don't have absolute rights, does the state? There is talk of balancing individual rights against the state, which is shallowly encouraging, but to me any system where the individual is not free to not make choices about their body will always be able to justify actions that trade more rights for "security".
These trends come and go. When they annoy me, I really am glad for "reader" views that ditch all the fancy, unreadable flourish (and social media nag-bits that just don't fucking die).
One of these days, "retro" websites might seem cool again. Just gotta wait.
This is an interesting point. Companies that try to "hire to greatness" have a steep fee to pay for their hiring approach, and it might not work for reasons that cannot possibly be squashed into, and recognized from, the sloppy "greatness" scalar used to score the possible team members.
As you said, cultivation of expertise is a better approach, and I'm happy that where I currently work fosters this carefully and deliberately.