Sunday, June 19, 2011

Deadites! On my iPhone!

One of my favorite movies is Army of Darkness. As such, I was delighted to see that the Army of Darkness iPhone game was available for free today.

Deadites about to meet my chainsaw-arm and shotgun!
The gameplay is easy to learn, and the challenge mild. Where this game really wins is in the music and the fun (and faithful!) movie quotes that are liberally interspersed in normal gameplay.

It's not fair that all these great games are coming around to distract my writing. :)

Saturday, June 18, 2011

A Post From the Road

Recently, I have been dealing with back pain and temporary carpal tunnel syndrome. Fortunately, I am recovering well.

The experience, however, has left me with the need to explore technologies that can assist with the transcription of text. This message, for instance, is being transcribed by the Dragon Dictation application for my iPhone.

Personally, I find the quality of the transcription to be remarkable. I am still getting used to using such tools, but I believe that I will be able to use them more effectively (and efficiently) on the road or on my frequent walks.

Now, if only this transcription software could handle mathematical symbols!

Monday, June 13, 2011

PvZ

I have been, and still am, addicted to Plants vs. Zombies for iPhone since its recent update.

It is very fun, and I highly recommend it on any of the many platforms it is available on.

That is all. Back to thesis writing!

Password Activism, Part II

I have received a response from my medical representatives regarding password security, and am pleasantly surprised by the response rate.

Thank you for your feedback, and as it appears you already know it is industry standard to store a hash value of the password.  I assure you that your password is not in fact stored as is in our database, it is stored by some type of hash value.  I am not entirely sure by which standard our software vendor encrypts this data, but it is protected.  If you lose your password our standard procedure is to have you reset it, because we are unable to retrieve your old password information from our database.  If you have any further questions or concerns please do not hesitate to contact us.
Grammatical errors aside, there is an assertion that a hash is used in password authentication. If that's the case, then why enforce an upper limit on password length? The nice thing about a cryptographic hash is that, by design, it reduces an input of any length to a fixed-size digest; if that digest is all that is stored for purposes of authentication, the length of the password never touches the database schema.

Let's just say that if the third-party vendor that performed this implementation knows this and enforced such a limit anyway, I hope that a fourth party was responsible for implementing the encryption practices for the actual medical records! :P

Given the invitation to reply, here's what I fired back:
Thank you for your prompt reply.

In light of your assertion that a password-derived hash is what is used for purposes of authentication, I have a website enhancement request that I would appreciate you forwarding to the appropriate technical or vendor representative.

In particular, please remove the upper limit on password length that is presently enforced at 15 characters. (The minimum password length requirement remains a good idea.) This should not pose any technical burden, as a cryptographic hash function, by design, can take an arbitrarily-long input and produce a fixed-size, obfuscated output that is suitable for storage in the authentication database.

Such an improvement would significantly enhance the overall strength of the website's password system, and bring it in line with practices used at financial institutions.

Thank you once again for your responses. I appreciate your assistance in forwarding this suggestion to the appropriate representatives, and would appreciate a response should action be taken to address it.
Hopefully the message can go up the chain and fall on the right person's desk.

Saturday, June 11, 2011

A Little Password Activism

My medical professionals have recently upgraded their websites to provide an e-portal for secure messaging, sharing test results, and the like.

I think that such electronic access is a fantastic idea. However, the user registration process gave me pause, because it required me to choose a password of limited length.

This irks me to no end, especially when this password is supposed to guard access to medical or financial records. Here's why: such a restriction strongly suggests that the password itself is being written into a fixed-width database column and compared on each login (or, worse, handed back for password recovery!).

I wrote the following to the webmasters, and fully expect it to fall on deaf ears. At least I've tried!
Hello,

Thank you for providing me secure online access to my medical records, test results, and service providers.

I am writing to let you know of a potential security issue regarding password storage for the system's online authentication. In particular, during the user registration process, a password must be created consistent with a length of 6 to 15 characters containing at least one number and one letter.

Such a length restriction implies that the password itself is being stored in your database(s) for purposes of validating authentication attempts. This is an insecure practice. A secure approach -- and industry best practice -- is to store a salted cryptographic hash of the password that does not require the actual password itself to be stored, but instead something derived from it. Please see the following document from the National Institute of Standards and Technology for more information on this subject: http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf

I would appreciate your comments regarding these issues at your earliest convenience.
The nice thing about the salted hash approach is that one can still use a fixed-width field in the database, while the password itself can be of arbitrary length. Plus, the authentication system never knows what the password is, only something derived from it, so a stolen table yields digests rather than passwords.
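To make the point concrete, here is an added example (mine, not code from the original post and not anything known about the portal's software) that shows why the database never needs a password length limit. It uses PBKDF2-HMAC-SHA256, a salted and iterated password hash; the 16-byte salt, the 32-byte output and the iteration count are my own choices, and the stored token is simply the salt followed by the derived key, so every row is 48 bytes no matter how long the password was.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not the site's settings).
HASH_NAME = "sha256"
SALT_BYTES = 16
DIGEST_BYTES = 32
ITERATIONS = 100_000
STORED_BYTES = SALT_BYTES + DIGEST_BYTES  # width of the column that holds the token


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> bytes:
    """Return the token to store for `password`: salt || PBKDF2(password, salt).

    A fresh random salt is drawn when none is supplied, so two users with the
    same password get different tokens. The result is always STORED_BYTES long,
    whatever the length of `password`.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be %d bytes" % SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_BYTES)
    return salt + digest


def verify_password(password: str, stored: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the digest under the stored salt and compare in constant time.

    The plaintext password is never stored and never needed for verification.
    """
    if len(stored) != STORED_BYTES:
        return False
    salt, expected = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    salt, iterations, dklen=DIGEST_BYTES)
    return hmac.compare_digest(candidate, expected)


def token_lengths(passwords) -> list:
    """Stored-token length for each password: the same number every time."""
    return [len(hash_password(p)) for p in passwords]


if __name__ == "__main__":
    # Constructed sample passwords: 6 characters, the 15-character cap, and far beyond it.
    samples = ["abc123", "correcthorse123", "p" * 16, "a passphrase well over fifteen characters 2011"]
    for p, n in zip(samples, token_lengths(samples)):
        print("%3d-character password -> %d-byte stored token" % (len(p), n))
    tok = hash_password(samples[-1])
    print("stored as hex:", tok.hex())
    print("verify correct:", verify_password(samples[-1], tok))
    print("verify wrong:  ", verify_password(samples[-1] + "x", tok))
```

Two caveats a practitioner would add: some password hashes do impose an input limit of their own (bcrypt processes only the first 72 bytes of its input), and a generous ceiling on password length is reasonable so that an attacker cannot make the server grind through an iterated hash of a megabyte of input. Neither of those justifies a cap of 15 characters; NIST SP 800-63B, for instance, asks verifiers to accept passwords of at least 64 characters.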

Here's hoping that letters like this can start making password storage more secure -- especially in light of epic failures like the Sony breach!

Saturday, June 4, 2011

The Courage of Rick Santorum

Yes, Rick Santorum is running for President.

Will he win? Of course not.

Why waste valuable blog space then? Because I was very surprised (and slightly amused) to see him being described as a "frothy, third-tier candidate."

It's good to see that the left-leaning media can get away with that one; here's hoping that more media outlets ask him about his true namesake!