This is Fun

We’ve been a geek since age 15, although we took a decade off to explore other things before being dragged back in. (We used to blame it on buying an answering machine, which ended our Luddite Interval forever.) These days we earn a serious part of the rent by developing and maintaining websites, which means we’ve spent a serious amount of time thinking about passwords.

About which, we discovered last night, we’ve been seriously wrong.

Our derangement was caused by this XKCD cartoon that’s been making the rounds — we found it at WaPo, of all places. We’ve been very guilty of the crime described: programming requirements for gibberish passwords, for your own good. The more unusual characters, the more difficult to crack, right?

Well, not exactly:

It is 10 times more secure to use “this is fun” as your password, than “J4fS<2”.

We’ll spare you most of the math. “This is fun” is eleven characters including the spaces, and, more importantly, three ordinary words. Guessed at the roughly 100 attempts a second an attacker can push through a login form, and assuming the words come from a vocabulary of about 20,000, running through every three-word combination would take about 2,537 years. (Those are the assumptions behind the figure: 20,000 cubed is 8 trillion combinations.) “J4fS<2”, six characters from the 94 printable ASCII symbols, gives about 690 billion combinations and falls in about 219 years at the same rate, which is where the factor of ten comes from.

Even better: by requiring gibberish characters, or numbers, or caps, you tend to make the password easier to crack. The rule itself barely changes the number of possible combinations; what it does is push people toward something short they can remember, and length matters far more than the size of the alphabet. Each extra character multiplies the combinations by the alphabet size, so adding plain letters outpaces swapping in symbols surprisingly quickly: nine lowercase letters give more combinations than six characters drawn from the full keyboard.
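The math the post spares you, as an added example that is not part of the original post: a small Python calculator that scores a password two ways, as characters drawn from whatever character classes it uses (how “J4fS<2” has to be attacked) and as whole words drawn from a vocabulary (how “this is fun” is actually attacked), then converts the smaller of the two into time-to-exhaust at an online rate and at an offline rate. The 100 guesses a second comes from the comment thread; the 20,000-word vocabulary, the 10 billion guesses a second for offline cracking of unsalted fast hashes, and the 365-day year are assumptions of this example.

```python
import math
import string

# Assumptions of this example, not figures from the post: an online attack
# against a login form runs at 100 guesses a second; an offline attack on
# stolen unsalted fast hashes runs at 10 billion guesses a second (a round
# figure for a GPU rig); passphrase words come from a 20,000-word vocabulary;
# a year is 365 days.
ONLINE_RATE = 100.0
OFFLINE_RATE = 1e10
VOCABULARY_SIZE = 20_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet an attacker must assume if all they know is which classes appear."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols; 94 printable ASCII in all
    if " " in password:
        size += 1
    return size


def brute_force_keyspace(password: str) -> int:
    """Candidates a character-by-character attack has to cover."""
    return charset_size(password) ** len(password)


def dictionary_keyspace(password: str, vocabulary_size: int = VOCABULARY_SIZE):
    """Candidates if every token is a plain word guessed whole; None if that model does not apply."""
    words = password.split()
    if words and all(w.isalpha() for w in words):
        return vocabulary_size ** len(words)
    return None


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    return keyspace / rate


def years_to_exhaust(keyspace: int, rate: float) -> float:
    return seconds_to_exhaust(keyspace, rate) / SECONDS_PER_YEAR


def strength_report(password: str, vocabulary_size: int = VOCABULARY_SIZE) -> dict:
    """Score a password under both models and take the attacker's cheaper option."""
    brute = brute_force_keyspace(password)
    dictionary = dictionary_keyspace(password, vocabulary_size)
    effective = brute if dictionary is None else min(brute, dictionary)
    return {
        "password": password,
        "brute_force_bits": round(math.log2(brute), 1),
        "dictionary_bits": None if dictionary is None else round(math.log2(dictionary), 1),
        "effective_bits": round(math.log2(effective), 1),
        "online_years": years_to_exhaust(effective, ONLINE_RATE),
        "offline_seconds": seconds_to_exhaust(effective, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for pw in ("coffee", "J4fS<2", "this is fun"):
        r = strength_report(pw)
        print(f"{pw!r:14} effective bits={r['effective_bits']:5}  "
              f"online={r['online_years']:10.1f} years  offline={r['offline_seconds']:8.1f} s")
```

Under these assumptions “J4fS<2” exhausts in about 219 years online and “this is fun” in about 2,537, matching the post’s factor of ten, while “coffee” falls in a few minutes even online. Note that “this is fun” looks like 27^11 candidates if you count characters, but only 20,000^3 if you count words, and the attacker gets to pick the smaller number. Offline, at ten billion guesses a second, the three-word phrase lasts about thirteen minutes and the gibberish about a minute, which is the point the comment thread goes on to make.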

So why the insistence on gibberish passwords?

Our guess is that it’s a combination of history and human nature. Computers have evolved very quickly, and we’re not that far from the days when systems could only handle six or eight characters — so “J4fS<2” is better than, say, “coffee”. Plus, it’s a running gag in geekdom that the most common password is “password”, so requiring gibberish is a means to save you from yourself.

And since human nature doesn’t change, an argument can still be made for the utility (if not the memorability) of gibberish. But that’s not an argument from math or logic. “This is fun”, or some three-word variation on your porn name, holds up far better against online guessing than the six-character gibberish most sites demand.

It just doesn’t look that way.

13 Comments

Purple Monkey Dishwasher?

At a former employer, we weren’t allowed to use any recognizable English words.

BREAKING HARD: Cal Supreme Court to issue its opinion at 10 a.m. PST interpreting state law around ballot propositions, to send back to the 9th Circuit panel considering the challenge to Prop. H8, and whether the supporters of the initiative have standing to defend the law since the Governator, Moonbeam, and new AG Kamala Harris refuse to do so.

@Dodgerblue: I’m curious about the outcome. According to what I read about the hearing, at arguments the justices seemed sympathetic to the idea that people who support a new law should be able to defend it, or otherwise you’re giving the governor and the AG a de facto veto. OTOH I don’t see how they’re going to get around the SCOTUS decision on the Arizona Official English ballot initiative. Even if CSC says they have standing under state law in state court, why would that automatically mean they have standing in federal court? There’s a lot you can bring in CA court that you can’t bring in federal court, taxpayer petitions for a writ of mandate being the one that comes to mind most quickly.

Can’t one just download free cracker software and defeat passwords in seconds?

Just asking.

@DElurker: Let’s get into the weeds…

At best, your free cracker software will be able to attempt a hundred cracks a second. (In practice, much less — the internet’s only so fast.) And there are different methods to use when cracking a password, which, depending on the method and password, yield results of different speeds.

So, doing the math, an eleven-character string consisting of three random common words will take your cracker software a millennium or two to crack.

That’s what all this is about: How to construct a sufficiently complex password to defeat automated cracks. And it turns out that “complex” doesn’t need to include comic-strip curse strings.

@SanFranLefty: Supremes’ website is down. Probably the gays’ fault.

@Dodgerblue: LA Times says Supremes agreed that Prop 8 proponents have standing under state law.

I agree with Lefty’s analysis of the barriers to Fed standing.

http://latimesblogs.latimes.com/lanow/2011/11/proposition-8-california-supreme-court.html

@Walking Still: I think that the CSC decision was a procedurally correct interpretation of state law, and as someone who advocates for access to justice and is horrified at the ever-growing trend of conservative courts (and Congress) to deny access to the courts, I would feel intellectually dishonest to cheer for a different decision. I figure that the panel on the 9th is making sure to dot every i and cross every t, much like Walker did in his opinion, to make it that much harder to get SCOTUS/Justice Kennedy to wimp out.

And I still think that there’s a valid argument to be made that, notwithstanding the CSC decision interpreting state law, it doesn’t follow that the case should be in federal court with federal Constitutional claims. The 9th could always kick them to state court, but I think the three judges want to rule on it.

Haven’t Prop 8 supporters already had their day in court?

Didn’t their attorneys humiliate themselves in an amateur hour performance in which they refused to present evidence?

Judge Walker already gave them the smack-down, so this ruling seems simply to allow the circus to go on for a few more years. Yeesh.

Noj: The thing about the xkcd strip you reference is that while it’s completely accurate, it’s not complete. It discusses password entropy, which is just one way of measuring password strength. For hash-comparison password crackers (which can run thousands or tens of thousands of attempts per second), English words make the attempt easier: big hunks of the passwords are conveniently packaged up into dictionaries to be guessed 3-7 letters at a time, instead of piecemeal.

Your savvy web haxx0r is not going to run password attempts against your account, they’re going to break in by using a known vulnerability and steal the hashed password file/database. Alternately, they’re going to aim a botnet at your account, and attempt hundreds of thousands of passwords per second, up to the limit of the server (and on, say, Amazon, that limit is pretty freakin’ huge). Either way, your underlying assumption about the speed of the attack is unrealistic.

Any hacker who decides they want into your account will get there, probably within a day or two. It’s the overwhelming volume of accounts and the vast profusion of banal worthlessness that keeps most of us safe.
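The offline attack Noj describes, as an added example that is not part of the original post or of any comment in the thread: a Python combinator dictionary attack against a stolen unsalted SHA-256 hash, guessing whole words rather than characters, beside the salted, iterated hash that makes every one of those guesses expensive. The 30-word list is constructed for the demonstration and stands in for a real cracking wordlist; the phrase being attacked, the word count, and the iteration counts are assumptions of this example.

```python
import hashlib
import itertools
import os

# Constructed 30-word vocabulary standing in for a real cracking wordlist
# (an assumption of this example; real lists run to tens of thousands of words).
WORDLIST = [
    "this", "is", "fun", "coffee", "password", "horse", "battery", "staple",
    "correct", "purple", "monkey", "dishwasher", "apple", "river", "stone",
    "cloud", "quiet", "green", "paper", "window", "table", "light", "music",
    "bread", "ocean", "winter", "summer", "garden", "silver", "candle",
]


def fast_hash(password: str) -> str:
    """Unsalted SHA-256, the kind of stored hash an offline cracker races through."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256: one guess now costs `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def search_space(vocabulary_size: int, max_words: int) -> int:
    """Candidates a combinator attack tries for phrases of 1..max_words words."""
    return sum(vocabulary_size ** n for n in range(1, max_words + 1))


def combinator_attack(target_hash, wordlist, max_words, hash_fn=fast_hash, sep=" "):
    """Try every ordered combination of 1..max_words words joined by `sep`.

    Returns (recovered_phrase, guesses_made); recovered_phrase is None on failure.
    Words are guessed whole, so a three-word phrase costs at most
    search_space(len(wordlist), 3) guesses however many characters it has.
    """
    guesses = 0
    for n in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=n):
            candidate = sep.join(combo)
            guesses += 1
            if hash_fn(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # Stolen "database": one unsalted hash of the post's example phrase.
    stolen = fast_hash("this is fun")
    phrase, guesses = combinator_attack(stolen, WORDLIST, max_words=3)
    print(f"recovered {phrase!r} after {guesses} of at most "
          f"{search_space(len(WORDLIST), 3)} guesses")

    # The gibberish password is not built from wordlist entries, so the same attack fails.
    print(combinator_attack(fast_hash("J4fS<2"), WORDLIST, max_words=3))

    # With a per-user salt and an iterated hash the attack still works, but every
    # guess costs `iterations` hashes and one pass no longer serves every account.
    # 1,000 iterations keeps this demo quick; production settings are far higher.
    salt = os.urandom(16)
    stored = slow_hash("this is fun", salt, iterations=1_000)
    print(combinator_attack(stored, WORDLIST, max_words=3,
                            hash_fn=lambda p: slow_hash(p, salt, iterations=1_000)))
```

With the constructed list the phrase falls on guess 963 of a possible 27,930, which is the point about dictionaries: the attacker never spends the 27^11 work that counting characters suggests. Swapping the unsalted hash for a salted, iterated one does not change the number of guesses, only what each guess costs, which is why the guess rate an attacker can reach depends on how the site stored the password, not just on how long it is.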
