Archive for April, 2011

A few weeks ago a postdoc in my lab logged on to Amazon to buy the lab an extra copy of Peter Lawrence’s The Making of a Fly – a classic work in developmental biology that we – and most other Drosophila developmental biologists – consult regularly. The book, published in 1992, is out of print. But Amazon listed 17 copies for sale: 15 used from $35.54, and 2 new from $1,730,045.91 (+$3.99 shipping).

I sent a screen capture to the author – who was appropriately amused and intrigued. But I doubt even he would argue the book is worth THAT much.

At first I thought it was a joke – a graduate student with too much time on their hands. But there were TWO new copies for sale, each being offered for well over a million dollars. And the two sellers seemed not only legit, but fairly big time (over 8,000 and 125,000 ratings in the last year respectively). The prices looked random – suggesting they were set by a computer. But how did they get so out of whack?

Amazingly, when I reloaded the page the next day, both prices had gone UP! Each was now nearly $2.8 million. And whereas previously the prices were $400,000 apart, they were now within $5,000 of each other. Now I was intrigued, and I started to follow the page incessantly. By the end of the day the higher priced copy had gone up again. This time to $3,536,675.57. And now a pattern was emerging.

On the day we discovered the million dollar prices, the copy offered by bordeebook was 1.270589 times the price of the copy offered by profnath. And now the bordeebook copy was 1.270589 times profnath again. So clearly at least one of the sellers was setting their price algorithmically in response to changes in the other’s price. I continued to watch carefully and the full pattern emerged.

Once a day profnath set their price to be 0.9983 times bordeebook’s price. The prices would remain close for several hours, until bordeebook “noticed” profnath’s change and elevated their price to 1.270589 times profnath’s higher price. The pattern continued perfectly for the next week.

But two questions remained. Why were they doing this, and how long would it go on before they noticed? As I amusedly watched the price rise every day, I learned that Amazon retailers are increasingly using algorithmic pricing (something Amazon itself does on a large scale), with a number of companies offering pricing algorithms/services to retailers. Both profnath and bordeebook were clearly using automatic pricing – employing algorithms that didn’t have a built-in sanity check on the prices they produced. But the two retailers were clearly employing different strategies.

The behavior of profnath is easy to deconstruct. They presumably have a new copy of the book, and want to make sure theirs is the lowest priced – but only by a tiny bit ($9.98 compared to $10.00). Why though would bordeebook want to make sure theirs is always more expensive? Since the prices of all the sellers are posted, this would seem to guarantee they would get no sales. But maybe this isn’t right – they have a huge volume of positive feedback – far more than most others. And some buyers might choose to pay a few extra dollars for the level of confidence in the transaction this might impart. Nonetheless this seems like a fairly risky thing to rely on – most people probably don’t behave that way – and meanwhile you’ve got a book sitting on the shelf collecting dust. Unless, of course, you don’t actually have the book….

My preferred explanation for bordeebook’s pricing is that they do not actually possess the book. Rather, they noticed that someone else listed a copy for sale, and so they put it up as well – relying on their better feedback record to attract buyers. But, of course, if someone actually orders the book, they have to get it – so they have to set their price significantly higher – say 1.27059 times higher – than the price they’d have to pay to get the book elsewhere.

What’s fascinating about all this is the seemingly endless possibilities for both chaos and mischief. It seems impossible that we stumbled onto the only example of this kind of upward pricing spiral – all it took were two sellers adjusting their prices in response to each other by factors whose product was greater than 1. And while it might have been more difficult to deconstruct, one can easily see how even more bizarre things could happen when more than two sellers are in the game. And as soon as it was clear what was going on here, I and the people I talked to about this couldn’t help but start thinking about ways to exploit our ability to predict how others would price their books down to the 5th significant digit – especially when they were clearly not paying careful attention to what their algorithms were doing.

But, alas, somebody ultimately noticed. The price peaked on April 18th, but on April 19th profnath’s price dropped to $106.23, and bordeebook soon followed suit to the predictable $106.23 * 1.27059 = $134.97. But Peter Lawrence can now comfortably boast that one of the biggest and most respected companies on Earth valued his great book at $23,698,655.93 (plus $3.99 shipping).

Pricing algorithms send prices out of whack on Amazon! A good read.
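The two-seller repricing loop described in the post above, as an added example that is not the post's own code: each cycle applies the two observed factors in turn, and the `ceiling` argument is a hypothetical version of the sanity check the post says both algorithms lacked.

```python
# Added example, not from the original post: the two-seller repricing loop
# described above, with the reaction factors observed on the page. The
# `ceiling` argument is a hypothetical sanity check of the kind the text says
# both algorithms lacked.
PROFNATH_FACTOR = 0.9983       # profnath sets 0.9983 x bordeebook's price
BORDEEBOOK_FACTOR = 1.270589   # bordeebook then sets 1.270589 x profnath's price


def reprice_round(profnath, bordeebook):
    """One daily cycle: profnath reacts to bordeebook, then bordeebook reacts."""
    profnath = round(bordeebook * PROFNATH_FACTOR, 2)
    bordeebook = round(profnath * BORDEEBOOK_FACTOR, 2)
    return profnath, bordeebook


def growth_per_cycle(*factors):
    """Combined multiplier of one full cycle; prices diverge iff it exceeds 1."""
    product = 1.0
    for factor in factors:
        product *= factor
    return product


def simulate(profnath, bordeebook, cycles, ceiling=None):
    """Run the loop for `cycles` days. With a ceiling, a seller refuses to
    post a price above it, so the spiral stops instead of running away."""
    history = [(profnath, bordeebook)]
    for _ in range(cycles):
        new_profnath, new_bordeebook = reprice_round(profnath, bordeebook)
        if ceiling is not None and new_bordeebook > ceiling:
            break
        profnath, bordeebook = new_profnath, new_bordeebook
        history.append((profnath, bordeebook))
    return history


if __name__ == "__main__":
    print(f"growth per cycle: {growth_per_cycle(PROFNATH_FACTOR, BORDEEBOOK_FACTOR):.4f}")
    # start from the sane prices the post reports after the spiral was noticed
    for day, (p, b) in enumerate(simulate(106.23, 134.97, 12)):
        print(f"day {day:2d}: profnath ${p:,.2f}  bordeebook ${b:,.2f}")
```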


Ignores the millions of other unproductive things that are also killing the planet but a nice infographic nevertheless.

Security companies and IT people constantly tell us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones.

So let’s dive into the world of passwords, and look at what makes a password secure in practical terms.

Update: Read the FAQ (updated January 2011)

How to hack a password

The work involved in hacking passwords is very simple. There are 5 proven ways to do so:

  1. Asking: Amazingly the most common way to gain access to someone’s password is simply to ask for it (often in relation with something else). People often tell their passwords to colleagues, friends and family. Having a complex password policy isn’t going to change this.
  2. Guessing: This is the second most common method to access a person’s account. It turns out that most people choose a password that is easy to remember, and the easiest ones are those that are related to you as a person. Passwords like: your last name, your wife’s name, the name of your cat, the date of birth, your favorite flower etc. are all pretty common. This problem can only be solved by choosing a password with no relation to you as a person.
  3. Brute force attack: Very simple to do. A hacker simply attempts to sign in using different passwords one at a time. If your password is “sun”, he will attempt to sign in using “aaa, aab, aac, aad … sul, sum, sun (MATCH)“. The only thing that stops a brute force attack is higher complexity and longer passwords (which is why IT people want you to use just that).
  4. Common word attacks: A simple form of brute-force attack, where the hacker attempts to sign in using a list of common words. Instead of trying different combinations of letters, the hacker tries different words e.g. “sum, summer, summit, sump, sun (MATCH)“.
  5. Dictionary attacks: Same concept as common word attacks – the only difference is that the hacker now uses the full dictionary of words (there are about 500,000 words in the English language).

When is a password secure?

You cannot protect against “asking” and “guessing”, but you can protect yourself from the other forms of attacks. A hacker will usually create an automated script or a program that does the work for him. He isn’t going to sit around manually trying 500,000 different words to see if one of them is your password.

The measure of security must then be “how many password requests can the automated program make – e.g. per second“. The actual number varies, but most web applications would not be capable of handling more than 100 sign-in requests per second.

This means it takes the following time to hack a simple password like “sun“:

  • Brute-force: 3 minutes
  • Common Word: 3 minutes
  • Dictionary: 1 hour 20 minutes

Note: “sun” has 17,576 possible character combinations: 3 letters using the lowercase alphabet = 26^3.

This is of course a highly insecure password, but how much time is enough for a password to be secure?

  • a password that can be hacked in 1 minute is far too risky
  • 10 minutes – still far too risky
  • 1 hour – still not good enough
  • 1 day – now we are getting somewhere. The probability that a person will have a program running just to hack your account for an entire day is very little. Still, it is plausible.
  • 1 month – this is something that only a dedicated attacker would do.
  • 1 year – now we are moving from practical risk to theoretical risk. If you are NASA or CIA then it is unacceptable. For the rest of us, well – you do not have that kind of enemies, nor is your company data that interesting.
  • 10 years – Now we are talking purely theoretical.
  • A lifetime: 100 years – this is really the limit for most people. Who cares about their password being hacked after they have died? Still it is nice to know that you use a password that is “secure for life”.

But let’s take a full swing at this. Let’s look at “100 years – secure for life”. It has a good ring to it and it makes us feel safe. There is still the chance that the hacker gets lucky. That he accidentally finds the right password after only 15 years instead of 100. It happens.

Let’s step that up too and go for the full high-end security level. I want a password that takes 1,000 years to crack – let’s call this “secure forever“. That ought to be good enough, right?

Making usable and secure passwords

Now that we have covered the basics, let’s look at some real examples, and see just how usable we can make a password, while still being “secure forever”.

Note: The examples below are based on 100 password requests per second. The result shown is the time for the most effective way to hack that specific password – whether by brute force, common words or a dictionary attack.

First let’s look at the common 6 character password – using different methods:

In this example complexity clearly wins. Using a password with mixed case characters, numbers and symbols is far more secure than anything else. Using a simple word as your password is clearly useless.

Does that mean that the IT departments and security companies are right? Nope, it just means that a 6 character password isn’t going to work. No one can remember a password like “J4fS<2”, which evidently means that it will be written on a post-it note.

To make usable passwords we need to look at them differently. First of all what you need is to use words you can remember, something simple and something you can type fast.

Like these:

Using more than one simple word as your password increases your security substantially (from 3 minutes to 2 months). But by simply using 3 words instead of two, you suddenly get an extremely secure password.

It takes:

  • 1,163,859 years using a brute-force method
  • 2,537 years using a common word attack
  • 39,637,240 years using a dictionary attack

It is 10 times more secure to use “this is fun” as your password, than “J4fS<2”.

If you want to be insanely secure; simply choose uncommon words as your password – like:

A usable and secure password is then not a complex one. It is one that you can remember – a simple password using 3+ words.

It is not just about passwords

One thing is to choose a secure and usable password. Another thing is to prevent the hacker from hacking the password in the first place. This is a very simple thing to do.

All you need to do is to prevent automatic hacking scripts from working effectively. What you need to do is this:

  1. Add a time-delay between sign-in attempts. Instead of allowing people to sign in again and again and again, add a 5 second delay between each attempt.

    It is short enough not to be noticeable (it takes longer than 5 seconds to realize that you have tried a wrong password and to type in a new one). And it forces the hacker to only be able to make 1 sign-in request every 5 seconds (instead of 100 times per second).

  2. Add a penalty period of something like 1 hour if a person has typed a wrong password more than – say – 10 times. Again, this seriously disrupts the hacking script from working effectively.

A hacker can hack the password “alpine fun” in only 2 months if he is able to attack your server 100 times per second. But, with the penalty period and the 5 second delay, the same password can suddenly sustain an attack for 1,889 years.

Remember this the next time you are making web applications or discussing password policies. Passwords can be made both highly secure and user-friendly.

Interesting article on password security. More complex passwords may not necessarily be more secure.
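The two server-side measures from the article above (a 5 second delay between attempts and a 1 hour penalty after 10 wrong passwords), as an added example that is not the article's code: a minimal in-memory sign-in throttle. The class name, the injected `verify` callback and the `FakeClock` helper are hypothetical; password hashing stays outside the class so a proper KDF can be plugged in.

```python
# Added example, not from the original article: a minimal in-memory sign-in
# throttle implementing the two measures above (5-second delay between
# attempts, 1-hour penalty after 10 wrong passwords). Names are hypothetical.
import time


class LoginThrottle:
    def __init__(self, verify, delay=5, max_failures=10, penalty=3600,
                 clock=time.monotonic):
        self.verify = verify              # verify(username, password) -> bool
        self.delay = delay
        self.max_failures = max_failures
        self.penalty = penalty
        self.clock = clock                # injected so tests need not sleep
        # username -> (consecutive failures, earliest time of next attempt).
        # Keyed per account here; a deployment would also key on client
        # address and alert when an account keeps hitting the penalty.
        self._state = {}

    def attempt(self, username, password):
        """Return 'ok', 'bad password' or 'wait <seconds>'."""
        now = self.clock()
        failures, next_allowed = self._state.get(username, (0, 0.0))
        if now < next_allowed:
            # The delay or penalty is still running: refuse without even
            # checking the password, which is what caps the guessing rate.
            return f"wait {next_allowed - now:.0f}"
        if self.verify(username, password):
            self._state.pop(username, None)
            return "ok"
        failures += 1
        # every max_failures-th wrong password costs the long penalty,
        # every other one the short delay
        wait = self.penalty if failures % self.max_failures == 0 else self.delay
        self._state[username] = (failures, now + wait)
        return "bad password"


class FakeClock:
    """Manually advanced clock so the throttle can be exercised without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds
```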


Just can’t get over this image! 🙂