Sane Password Strength Validation for Django with zxcvbn

While many admins and blog posts tell users that length is by far the most important factor in creating strong passwords/passphrases, the majority of password input fields are giving them a set of hide-bound rules: Eight characters, at least one upper- and one lowercase letter, some digits and punctuation marks, etc.

Even though it includes dictionary words, a passphrase like:

Sgt. Pepper's Mr. Kite

is far stronger than:


(there’s a world of difference between 22 characters and 9, from a cracking perspective). But many password input fields would reject the first one. No wonder users are confused by the process of creating strong passwords!
Continue reading “Sane Password Strength Validation for Django with zxcvbn”

The NSA’s Massive Data Center

When Wired published their piece on the massive Utah Data Center (“The Matrix”) more than a year ago, designed to capture and process data from virtually every sort of phone and internet transmission imaginable, I thought the story would explode. It was a fascinating expose’ on a government project with immense implications for privacy. It got some retweets in the technosphere at the time, but never rose to public awareness. That baffled me.

The datacenter had been ten years in the making (so be careful about blaming it all on Obama):

“It is, in some measure, the realization of the “total information awareness” program created during the first term of the Bush administration”

… and was funded by the tens of billions of cash thrown at the NSA in post-9/11 budget awards.

The facility consists of four 25,000 sq ft buildings packed top-to-bottom with servers and data pipes, all kept chill by *60,000 tons of cooling equipment.* They’re not messing around.


Just read it. We can’t say we didn’t know this was coming.

Password Hygiene for Regular People

Even the passwords we once considered “strong”  have become almost trivially easy for sophisticated crackers to break. With massive arrays of very-fast processors, lightning fast graphics cards, and extremely sophisticated cracking techniques, hackers are making mincemeat out of stolen password databases, and openly trading them on the black market.

Most “average user” passwords now fall so easily that some in the security community feel the username/password mechnanism itself must be traded in for something entirely different, like biometrics. But until that time comes, you need to be doing everything you can to make your passwords as secure as possible.


The purpose of this piece is not to scare you, but to give you the tools you need to stay safe.

There’s a ton of advice floating around out there on what makes for a good password, how to create memorable (and easy-to-type) passwords, and how to keep track of lots of different passwords. Unfortunately, a lot of that advice is written by geeks for geeks, while the people who generally need the advice the most are “regular” (non-geek) users. If you’re a geek, chances are you’re probably already doing most of this stuff. This article is an attempt to summarize the best password hygiene advice out there for your parents, bosses, aunts and uncles, and non-geek friends.

There’s a twist at the end, plus an explanation of the graphic above, so please read all the way through.
Continue reading “Password Hygiene for Regular People”

OpenID: The Missing Link

The OpenID light went on today, after a little setup and testing. I can now go to a blog or CMS or discussion board or other service that supports OpenID and type in “” – no username, no password. Hit Return, and I’m in. If I’ve never been there before, I get standard user-level permissions. If I’ve been there before and an admin has escalated my privs, I’m in as admin. Securely. How is this possible?

Created an ID for myself at MyOpenID (though you could use any OpenID provider). Doing so gave me an identity URL through that provider. But here’s the dirty little OpenID secret that shouldn’t be a secret: The protocol supports “delegation” — by adding a couple of meta lines to the header of any URL you control (the homepage, in my case), that URL can stand in as your identity URL. So when I typed “” into a blog that supported OpenID earlier today, it fetched that URI and read its delegation headers. It then knew my “real” identity URL at the provider. The provider was able to determine that I was already logged into their service and pass “true” back to the blog I was trying to access. If I hadn’t been logged into MyOpenID at the time, I would have been prompted to log in there first, as a middle step in a seamless process.

Once authenticated to the blog, which had the WordPress OpenID plugin installed, a user-level account in that blog was created automatically for me. The admin could then escalate my privileges to admin or whatever, and I’d still only need to type “” to log in there as admin. And you can’t. So there.

Distributed single sign-on works. Totally elegant.

A while back, Six Apart launched TypeKey, a single sign-on mechanism first made available for Movable Type blogs. TK never really took off, for a couple of reasons. First, most blog owners had already discovered that requiring any kind of sign-on had a chilling effect on blog conversation — any barrier to commenting was too high, and tended to stop casual “stopper-by” conversation dead. Second, a lot of people didn’t want to put all their identity eggs in the Six Apart basket, didn’t feel comfortable having a corporation behind the critical task of identity maintenance. That assumption was bogus – TypeKey was always an open API – but a lot of people didn’t feel comfortable with it. TypeKey isn’t dead, but there aren’t many sites using it.

Lots of identity conversation at SXSW this year, with OpenID emerging as the “final” solution to the distributed identity problem. Ended up not attending that panel, but did get to eat sushi with Kaliya “identity is a commons that no one can own” Hamlin, who (by some accounts) is single-handedly responsible for wrangling the monolithic corporate gargoyles (who all wanted to sell the world on their own proprietary silo identity systems and end up falling into the same hole that swallowed TypeKey), tying them up in a room and making them take mushrooms and hug until they agreed to adopt OpenID. Now even AOL is an OpenID provider.

Free love works!

Thanks Milan

Music: Linton Kwesi Johnson :: Brain Smashing Dub

reducer: bad ips –> firewall

At the end of my rope with server loads caused by weblog and email spammers. SpamAssassin and Akismet etc. may keep spam away from users, but all that stuff still needs to be processed (and we’re talking about a huge percentage of all traffic).

Recently switched from the APF firewall to ConfigServer’s excellent CSF, which is integrated into WebHost Manager (the admin back-end for cPanel systems), and got thinking — the most heavily trafficked blogs here are already using spam rating systems that track IPs. The right script could harvest and rank those IPs and load them into the firewall in near real-time. Spent the past few evenings building a shell script to do just that.

reducer: Harvests bad IP addresses from multiple sources and adds them to the CSF firewall for cPanel systems. This version works with WordPress and Movable Type weblogs, and optionally the exim ACL deny system. Future versions will scan other sources for bad IPs as well.

Update, April 2008: Birdhouse Hosting has been running reducer system-wide for almost two years now, with great success. At this point, we wouldn’t even consider running a hosting business without it.

Download reducer here.