Archive for January, 2010

Airnergy? Really?

Wednesday, January 20th, 2010

Found recently: A device that supposedly charges USB devices from ambient WiFi-fields. Interesting, there should be enough energy in Wifi fields for that? Let’s do the math: In Europe, Wifi devices are limited to 100 mW transmission power (EIRP). Looking at that device, I would suggest a surface of about 10 cm x 10 cm is not a bad estimate. Given a distance from the access point of about 1 m, it can harvest about \frac{(10 cm)^2}{4 \pi (1 m)^2} \approx \frac{1}{100} of that, so about 1 mW. That’s not much… and even given several sources, I think it would be very optimistic to assume that they are all as close a 1 m. And then, the power received drops quadratically.

At this rate, to charge a normal mobile phone battery (typically several Wh) takes thousands of hours, assuming 100% efficiency and continuous transmission. The only way to really get down to a number where you could seriously consider it would be putting that device just flat on top of your access point, which can giv you 50% of its transmission power at best and would make it 20 hours.

Let’s just say that is incredibly stupid. The only comfort you’ve won is not having to plug it in (remember you still have to plug in your mobile phone into the Airnergy, AND you would have to put that device directly on top of the access point for a day). But it kind of defeats the point of the access point if you put something directly on top that will block all radiation. So it is basically mostly running to charge this battery, which is incredibly inefficient. Something must be wrong, right?

Now, in the article, they claim:

At CES, the device’s battery, which I believe was precharged with Wi-Fi power, was able to charge a BlackBerry from 30% power to full power in about 90 minutes.

Well, that was basically a nice PR stunt. The 90 minute number is obviously completely meaningless, as that was from the Airnergy’s battery. I would think it is quite improbable that it was actually charged using Wifi. And even if it was, then certainly in a way quite different from what the author expects …

A further comment: Even in inside, closed rooms, solar cells would give you a much better yield than that. And still, most people don’t use this to charge their phones (devices exist, though …). Guess why …

Well, if you ever come across these, don’t buy.

Posted in Computers | No Comments »

Please include at least one character from the Voynich manuscript.

Thursday, January 14th, 2010

How often do you see these? You want to choose a new password on a website, and it tells you

The password you have chosen is not secure enough. Please choose a password that is at least 6 characters long and includes

  • lower and upper case characters
  • numbers
  • punctuation marks
  • and at least one character from the Voynich manuscript.

(from XKCD)

OK, I just made up that last point, but except for that, this is exactly what one of these systems wanted from me today. Now, what I hate about these is really the parts which want you to include characters different from just lower case latin alphabet ones. Because I can easily make up and remember an arbitrarily long password as long as it only includes lower case characters, for example just make up a sentence and use the initials. I can make that as long as 10 or 20 characters if you want me to, and I will never have to write it down if I at least use it every now and then. There are many other easy systems to remember this kind of password.

However, each of the additional requirements makes it a lot harder to remember the password. Remembering which characters were upper case (or whether there were any upper case characters at all) requires much more sophisticated systems (which, honestly, I haven’t yet thought about), or you will forget it after a short time. Remembering numbers requires either a high level of creativity so that the mnemonic phrase actually includes the number in a nontrivial way (“a tiger eats 16 oven mitts” doesn’t help you to remember the number 16) or a special system for remembering numbers, which most people, I suppose, don’t have at hands. Similar arguments go for the punctuation marks. So what does it lead to? Well, if people cannot remember their passwords, this will lead to one breach of security or another, which may include

  • just using a trivial way to include the extra characters, e.g. replacing an “o” (oh) by a “0″ (zero), capitalising the first letter and putting a period in the end. Well, at least this does not make the password worse than just the lower-case alphabetic one. But most probably
  • people will write passwords down. Now, I consider it a lot more probable that someone finds and exploits a password that I have written down than that someone actually brute-force cracks my password.
  • Also typically, people take one password and use it everywhere. The danger of this is obvious: If it is broken in one place, access to all accounts is established. Well, whether this is actually dangerous depends mostly on the websites you register to… if one of them is broken or run by someone who actually just wanted to get your password, you are in trouble …
  • Or, they might just invent a cool system to remember their passwords or find one on the net.

Guess which one I think is the least probable.

OK, but maybe we need passwords to include all these different kinds of characters for passwords to be secure. So let us examine this. Let’s start with a simple 8 character alphabetic lower-case password. There are 26^{8} \approx 2\cdot 10^{11} possibilities. Suppose we have a 10 MB/s connection to the website and to try one password requires 1 kb of data exchange (this is including all overhead, you will rarely get it that easily, but just for this consideration, suppose it’s true). Then you will need about 20 million seconds or just more than 240 days to get through all possible passwords, which means that on average, an attacker would need 120 days to get your password under these circumstances. Well, it is quite unlikely that this will go unnoticed for such a long time. Still, we certainly do not want to settle for this kind of security, but also, we do not have to. It would be enough to temporarily deactivate the login after three failed attempts for a short amount of time, say 300 seconds in order to make the calculation easy — then, this time would go up by a factor of one million and push the average time to above 300,000 years. That’s okay for most purposes I guess. Also, it does not rely on the assumption that general internet bandwidth does not increase dramatically, which it likely will. And for concerns about Denial of Service attacks, we could limit the ban to an IP range.

OK, we have established that 8 lower-case characters should be enough for most people. Not let’s take the requirements from the introduction, which except for the Voynich part were from a real website. The length should be 6 characters, which include upper- and lowercase characters (=52), numbers (+10) and punctuation marks (+10) [I have no idea exactly what they consider a punctuation mark, but I guess most people would restrict themselves to .!?-, which would only make 5, so I think I rather overestimate the number of possibilities here]. That makes us choose from 72 characters which gives 72^{6} \approx 1.4 \cdot 10^{11} possibilities. That’s less than we had for the previous case! Although not much, so given the right security measures, I would still consider it to be secure enough. But still! They would not let me choose an 8 character, lower case password, and someone else can slip through by with just six characters, a password which is actually less secure! So they are forcing all this extra crap on their users, which probably makes them do something stupid with their passwords anyways, and gain nothing in security at all.

So what is my suggestion? I don’t worry about the kind of restrictions you impose on short passwords. Just give me the possibility to use an all-lowercase, simple, but longer password. There is no reason not to allow me using an 8 character lower case password, if someone else can get away with 6! Imposing 8 characters mixed case and everything will make it more secure, but again, we could just as well use 10 or 11 lower chase characters. Why not allow that?

So, in case you are surprised why enlarging the character set so much, by even including mixed case, numbers and punctuations marks, is overcome by just adding two characters to the simple non-fancy password, stay here for the maths. If you make your password from a set of k characters of length n, then there are k^n possibilities. If you consider this as a function of k, the size of the character set, it is a simple polynomial function. Whereas as a function of n, it is an exponential function. As we all learn in school, exponentials grow much faster than polynomials. That is why, if you go for security, length matters! The number of characters included not so much.

So, can we now finally go back to plain passwords?

Posted in Computers, Maths, Personal | No Comments »