Attention conservation notice: probably not of interest to anyone who doesn’t read this blog via Planet Mozilla.

I currently syndicate everything on this blog to Planet Mozilla. Given the ongoing discussion of what does and does not belong there, I would like to poll the audience: How do you feel about any of the following topics appearing on Planet?

• Details of my recent trip to $COUNTRY
• Offers to give away unwanted items prior to moving
• Musings about pottery
• Musings about video game design
• Small programs that were a pain to write and might be useful to someone else maybe someday
• Various Internet-security-related topics which may or may not have anything to do with The Web
  • incredibly hypothetical ideas, zany schemes, and related philosophizing
  • detailed reports on my academic research
  • explanations for a lay audience of how to use the Internet safely
  • summaries of the research presented at $CONFERENCE

This is a sincere question, which I am asking in order to decide whether I, personally, should start filtering what gets syndicated to Planet from here.

Dara found us a hotel with all the modern conveniences and English-speaking staff in downtown Warsaw. This was nice, because it’s the first time (as an adult) I’ve been to a country where I understood not one word of the local language upon arrival, and we lost most of the first few days in-country recovering from Airplane Crud (a phenomenon not entirely unlike Con Crud); I’m glad I didn’t have to negotiate room service in Polish with my brain operating at less than 50%. We did manage to get out to the Palace of Culture and Science which was only a few blocks away, and to a luncheon party with some of Dara’s friends from the Fulbright program. When we were feeling a little better, we walked through the reconstructed Old Town (Warsaw was quite literally razed to the ground by the Germans during WWII, but the Poles rebuilt as much as they could manage after the war, working from photo and art references) and visited the castle of Stanisław II August Poniatowski, the last king of Poland (1764–1795), which is right in the middle of the old town. It currently houses two of the three Rembrandt paintings in Poland, and an exhibition on Stanisław August’s life.

We got better just in time to go to Michałowice, where other friends of Dara’s—specifically, the Szumski family, the principals of Teatr Cinema—invited us to their house party for New Year’s Eve. This was quite a journey from Warsaw, beginning with five hours on the train to Wrocław. Wrocław survived the Nazis’ hatred of all things Polish almost unscathed, because it was part of Germany during the war (they called it Breslau). It has sprawled a bit since then, and I saw some of the Soviet-era slab apartment blocks on the way out, but its old downtown is still full of gingerbread townhouses and elaborate civic architecture. We were trying to conserve our energy for the house party, so we crashed in a hostel and didn’t do very much in Wrocław the following day, just walked around a bit and took photos.

The next hop on the journey was a two-hour bus ride to Jelenia Góra, which is in the mountains west of Wrocław, almost to the border with the Czech Republic. The son of our host, and five of his buddies, picked us up from the bus stop in their van, and drove us even farther into the mountains, to the Szumski house in the small town of Michałowice. It was what you might call a country mansion, with several floors and lots of space for guest rooms on the third floor; they were putting at least ten other people up, besides us. It’s full of art, made by them or their friends.

The house party itself was fairly low-key. Dara and Pam and I had a game of pool (it is a family tradition that whenever Dara and I are in the same city, we must play a game of pool somewhere, even though both of us are terrible at it). There was a jam circle for awhile. There was lots and lots of food. We had an interesting conversation with a fellow who’s been a doctor in Poland for many years and is now moving his practice to Denmark. We went to bed pretty much immediately after midnight, being still tired and not quite well yet. Pam suggested getting up at nine to celebrate midnight-in-the-USA, but we didn’t actually manage it. I did get some nice pictures of the countryside the following day, before being driven back down the hill to Jelenia Góra to catch the bus back to Wrocław.

In Wrocław the following day, we did more walking, out to “Cathedral Island.” This was once in fact an island but has since been thoroughly merged with the north bank of the Oder. It used to be under the Catholic Church’s exclusive jurisdiction, and still houses the official Wrocław cathedral and the archbishop’s residence, plus at least two more large basilicas. Then we got the train back to Warsaw, which was mildly entertaining because—quite by accident—we were sitting in the carriage reserved for families with small children.

Still feeling a little under the weather, we scrubbed prior plans to visit Krakow and/or Gdansk, and just did a bunch of sight-seeing in Warsaw. We visited the Old Town again, and the other palace of Stanisław II August, which is on an artificial lake in Łazienki Park. As palaces go, this is more of a large house, except that it’s crammed full of art and classically inspired statuary. The park itself is huge and has lots of other stuff in it, but it was raining, so we stuck to the palace.

We also got to see the new staging of the great Polish national opera, Halka, written in 1848 by librettist Wlodzimierz Wolski and composer Stanisław Moniuszko, using traditional Polish musical styles (mazurkas, for instance). The music is inspired; the plot, unfortunately, was pretty threadbare in 1848 and is downright embarrassing today. It’s not good when you spend much of the second half thinking “now would be a great time for Granny Weatherwax to turn up and scold some sense into everyone.” The new staging was very modern, with minimal set design (except, bizarrely, at the very end), mostly modern costuming, and an initial filmed sequence. As Dara’s mentor in Warsaw (a longtime theater critic) said, this might have worked if they hadn’t then gone on to play the piece 100% straight. But they did, and it all fell rather flat. Curiously, one of the characters was acted by one person and sung by another. I’m not much of an opera buff, so I don’t know if this is common.

Warsaw has several interesting historical museums. We visited the biographical museum of Fryderyk Chopin and the Museum of the Warsaw Uprising. Chopin spent most of his adult life in France, but he grew up in Warsaw, and is still very fondly remembered here; they named the airport after him, even. Unfortunately, it’s not nearly as much a museum of his music as I would have liked, and the presentation of his life was interesting but felt a little bereft of historical context. Probably I would have appreciated it better if I’d grown up in Poland and gotten their take on history in high school.

Speaking of historical context skimped on in a USAnian education, the Museum of the Warsaw Uprising is packed full of it. Summarizing extremely: in the summer of 1944, the Red Army was advancing toward Warsaw, and the Polish resistance decided it would be a good time to rise up against the occupying German forces. They did this partly because they figured the Red Army would back them up, but also because they were afraid Stalin wanted to conquer Poland or at least set up a puppet government; this would have been harder if it was the Polish native resistance that liberated the capital. The resistance was initially quite successful, but the Red Army only made one half-assed attempt to cross the Vistula, which was repulsed. After that, they sat on the east bank and waited while the Germans first put down the resistance, then burned the city to the ground by way of vengeance. Then they moved in and pushed the Germans out. And Stalin got his vassal state, just like the Poles had feared.

I’ll close with this image, a neon sign in Plac Konstytucji, photographed out the window of the taxi taking us back to the airport to return to the USA. There are lots of these neon signs in Warsaw; they were erected in the 1960s, and are now considered part of the city’s cultural heritage. Quoting this article by David Crowley for the Neon Muzeum:

When the Eastern Bloc tried to cast off the dark shadow of Stalin, much attention was given to the appearance of Warsaw. How could it be brought back to life? For some, the answer lay in neon. Stolica, a popular magazine, led the ‘campaign’ to neonise Warsaw: Marszalkowska Residential District – with its monumental sculptural ornaments and classical colonnades – would shake off its dreary atmosphere with ‘advertising, lighting and neon’. These are ‘the elements which in the evening hours lend great liveliness and diversity to a city.’

Alice Arishat wishes to publish things for Brutus to read. Cato does not approve of what Arishat has to say, and seeks to prevent her from publishing anything.

Most online discussion of “censorship” starts from the premise that Cato is automatically in the wrong here. That’s one of the cypherpunk premises that underpin most discussion of theoretical Internet security. I want to play devil’s advocate today, though, and explore circumstances where we might choose to support Cato. In the offline world, we trade off “free speech” against all sorts of other values every day:

Cato is a government. Arishat is criticizing its policies. “Core political speech” receives consistent, strong protection from US courts, even when large groups wish it didn’t (e.g. flag desecration, neofascist marches).

Cato is a policeman on duty in a public place. Arishat is documenting his actions. This is also mostly agreed to be protected by the First Amendment, but the police don’t like it and they still try to stop people.

Cato holds the copyright on a Great Work of Literature. Arishat has written a parody, homage, fanfic, or critique with extensive quotations, without Cato’s approval. US law is broadly sympathetic to Cato; in particular, the DMCA takedown mechanism makes it very easy for him to get Arishat’s works pulled offline. Arishat may be entitled to claim the fair use exception to copyright, and actual court cases in this area tend to be on the side of parodists. However, copyright lawsuits are expensive, and Cato is likely to have a lot more money than Arishat does.

Arishat and Cato’s business partnership fell apart. Arishat is now trying to ruin Cato by publishing lies about him. This is defamation, a common-law tort; Cato can file a lawsuit and the courts will force Arishat to publish a retraction, take down the original lies, and/or pay damages. But there are a lot of restrictions; most importantly, Cato has to prove that what Arishat said was false (the precise legal standard varies by jurisdiction and whether or not Cato is a “public figure”), and Arishat can argue that Cato is abusing the courts to suppress debate of an issue of public concern. This kind of lawsuit is not nearly as expensive as copyright lawsuits, and it’s more likely that Arishat and Cato have similar amounts of money. Also, if Arishat posted the lies in a public online forum, Cato can’t sue the forum.

Cato is a private citizen. Arishat has posted embarrassing pictures of him online, and then offered to take them back down—for a fee. This is blackmail, which is a crime (not just a tort); if the police can be bothered to investigate, Arishat is going to jail.

Cato runs an internet forum devoted to gardening. Arishat is trying to stir up some lulz by posting disturbing cartoon images, categorist “jokes,” and/or off-topic logorrhea on random threads. As long as Cato is a private citizen, it is perfectly legal for Cato to delete everything Arishat posts, on sight; this is considered the same as throwing a drunk asshole out of your house party before they ruin it for everyone else. Further, all evidence from the last 20+ years of online fora is that if Cato doesn’t do something to get Arishat to stop, it will become impossible to talk about gardening on his forum. However, in any case that is not perfectly clear-cut, and some that are, Cato is likely to be subject to endless, vicious criticism of his decisions.

When Cato is not a private citizen, his ability to keep the trolls out may be limited lest he use that as an excuse to suppress legitimate arguments. Similarly, US jurisdictions do not agree whether shopping mall owners have to permit people to do anything but shop in their space.

We can also write the threat model from Brutus’s perspective:

Brutus wishes to read things Arishat has published. Cato wishes to prevent Brutus from reading anything he considers inappropriate.

and produce another list of difficult scenarios:

Brutus is a child, Cato is his father. Most people will agree that most children are not ready to experience the full variety of material that adults are expected to handle. Most people will also agree that no two children are the same and parents are in the best position to judge what their own children are ready for. However, you can make a strong case that Brutus should be taught certain things whether or not Cato approves, such as reading, arithmetic, and the theory of evolution.

Brutus wishes to watch videos of people having sex. Cato thinks that will turn Brutus into a sexual predator. Cato is wrong; access to pornography appears to reduce the incidence of rape, contra an awful lot of fulmination on the subject.

Brutus wants to know whether Cato’s restaurant is any good. Cato would rather he not find any negative reviews. We understand where Cato is coming from but we don’t see why we should help, unless the negative reviews are being posted by disgruntled ex-employee Arishat, which may be a case of defamation (see above).

Cato is the present government of a country that engaged in crimes against humanity quite some time ago. They are so ashamed of this that they wish to erase all public legacy of the ruling ideology of the time; therefore they criminalize the use of all its symbols and the sale of related memorabilia. Again, we understand where Cato is coming from, but we suspect the tactic is counterproductive. Actual instances of this particular Cato all have neo-ideological movements. Note that in at least one case, one such country has tried to make these laws extend to actions committed on foreign soil (but visible to its nationals).

Brutus wants to know whether or not he should vote for Cato in the next election. Cato doesn’t want him to find any news articles about his alleged cocaine habit. Now we’re back to core political speech.

We have a whole bunch of difficult scenarios here, and deciding which scenario we’re in requires human judgement. A computer (short of a fully fledged human-equivalent AI) cannot, even in principle, tell whether or not the string of bits that Arishat posted online is protected free speech. This is part of why the cypherpunks take the position that Cato is always wrong: that’s a position you can enforce with code. However, I would argue that this is too inflexible and leads to undesirable consequences. Via entirely social means, it is already well-nigh impossible to make something completely disappear once it has been put online, and we can easily find cases where that was a bad thing.

So here’s a proposal: I conjecture that the following statements of principle are an appropriate synthesis of Arishat, Brutus, and Cato’s legitimate interests:

• Arishat should be able to publish online while concealing her offline identity versus anything short of legal process.
• Arishat should be able to publish whatever she likes in cyberspace she controls without first getting Cato’s approval.
• Brutus should be able to access Arishat’s publication space, and Cato should be completely unable to tell whether or not he has done this.
• Cato should be able to control what appears in his own space, however, if he permits any third-party material to appear, his editing or removal of that material should be subject to audit by the general public.
• Cato should have some recourse after the fact if Arishat posts something in her own space that is genuinely harmful to his interests, but this should involve a heavyweight, public, transparent process with a disinterested arbiter, such as a lawsuit.

Discuss.

Song links go to Youtube.

the man

• Working Undercover for the Man (They Might Be Giants)
• Clampdown (The Clash)
• Born in the USA (Bruce Springsteen)
• For What It’s Worth (Buffalo Springfield)
• The Dogs of War (Pink Floyd)
• Operation: Mindcrime (Queensrÿche) (the song, not the whole album)
• Republican Party Reptile (Big Country)
• I Should Be Allowed to Think (TMBG)
• Mothers of the Disappeared (U2)

stalker

• Where Your Eyes Don’t Go (TMBG)
• Debbie (Throwing Toasters)
• Deadline (Blue Öyster Cult)
• Too Young for the Blues (Ella Fitzgerald)
• Barrel Of A Gun (Guster)
• DWDTG (?)
• Hall of Heads (TMBG) (best recording I could find, sorry)

solipsist

• Center of Attention (Guster)
• World Leader Pretend (REM)
• Don’t Worry About the Government (Talking Heads)

game

• Mistakes Were Made (Stefan “Twoflower” Gagne)
• Wear My Face (Cats Laughing)
• Policy of Truth (Depeche Mode)
• Chains (Brother)
• Welcome to the Machine (Pink Floyd)
• Black Knight’s Work (Cats Laughing)
• Knight Moves (Suzanne Vega)

fight back

• How the Mighty Fall (The Alarm)
• Power Underneath Despair (Blue Öyster Cult)
• Gimme Some Truth (Pearl Jam)
• Land of Confusion (Genesis)
• Masters of War (Bob Dylan)
• Won’t Get Fooled Again (The Who)
• Fly Away (Brother)

misc

• All That She Wants (Ace of Base)
• Put Your Hand Inside the Puppet Head (TMBG)
• Debt Collector (?)
• Get Together (HST intro) (?)
• Master of Puppets (instrumental) (probably Apocalyptica)
• Little Too Clean (Soul Asylum)

My current tastes say there should be less pop and more goth. And some electronica. And probably also some Cake.

Do you suffer from mysteriously hanging autotools processes? Or perhaps other mysteriously hanging processes? If so, you may have a problem with your file locking, and the IJWAHOT Foundation recommends you compile and run this program on the computer with the problem, preferably under strace or equivalent. If it, too, hangs, then you do indeed have a problem with your file locking. The Foundation does not presently know the cause of this problem, but we suspect that it is NFS’s fault somehow. If you do know the cause of this problem, we would love to hear about it in the comments.

Attention conservation notice: 900 words of inside baseball about Mozilla. No security content whatsoever.

The Mozilla Project has been taking a whole lot of flak recently over its new “rapid release cycle”, in which there is a new major version of Firefox (and Thunderbird) every six weeks, and it potentially breaks all your extensions. Especially the big complicated extensions like Firebug that people cannot live without. One might reasonably ask, what the hell? Why would any software development team in their right mind—especially a team developing a critical piece of system infrastructure, which is what Web browsers are these days, like it or not—inflict unpredictable breakage on all their users at six-week intervals?

The first thing to know is that Firefox’s core developers are really focused on making the Web better. If we weren’t, we would be hacking on something other than a Web browser. The old release cycle was way too slow for us to do that effectively; as Jono Xia describes in his blog post “It’s Not About the Version Numbers,” anything we did might not get out to end users for over a year. When David Baron fixed visited-link history sniffing, he patched Firefox first—but Chrome and Safari shipped the change before we did.

You should read Jono’s post now. I’ll be here when you get back.

Shipping new versions of the browser every six weeks is clearly a better way to improve the Web rapidly, than shipping a new version only once a year or so. But what’s stopping the Mozilla team from shipping a new batch of under-the-hood improvements to the Web every six weeks without breaking anything? Why do we need to break things?

Well, we tried not breaking things for ten years, give or take, and it didn’t work. The second thing to know is that the core browser (“Gecko”) suffers from enormous technical debt. Like any large, 15-year-old piece of software, we have code in abundance that was written under too much time pressure to get it right, was written so long ago that nobody remembers how it works, isn’t comprehensively tested, or any combination of the above. We also have major components that reasonably seemed like good ideas at the time, but have since proven to be a hindrance (XUL, XBL, XPConnect, etc). We have other major components that should have been recognized as bad ideas at the time, but weren’t (XPCOM, NSPR, etc). And we have code for which there is no excuse at all (Firefox still had code using the infamous “Mork” file format until just this summer, and I understand it’s still live in Thunderbird).

It gets worse: many of the bugs can’t be fixed without breaking stuff. For example, take bug 234856. That’s a seven-year-old display glitch. What could possibly be an excuse for not fixing a simple display glitch for seven years? Well, the root cause of that bug (described more clearly in bug 643041, where the actual fix is posted) is an error in an XPCOM interface that, until we decided we weren’t going to do this anymore (post-FF4), was “frozen”—it could not be changed even though it was wrong, precisely so that extensions could depend on it not changing. There are thousands of XPCOM interfaces, and extensions can use all of them. That’s a great strength: it lets Firefox extensions do far more than, say, Chrome extensions can. That’s also a huge problem for people trying to make the core better. (Only about 200 of these interfaces were permanently frozen, but pre-FF4 we tried to avoid changing even the un-frozen ones as much as possible.) You’ll notice that the change in bug 643041 makes it easier to write extensions that manipulate SSL certificates, because now there’s just one nsIX509Cert interface, not three. But taking away nsIX509Cert2 and nsIX509Cert3 breaks code that was using them.

Some bugs can’t even be fixed without breaking Web sites. Any time Gecko doesn’t do the same thing Webkit and/or IE do, we (and the Webkit and IE people) want to make that difference go away—but to do that, at least one of the three has to change, and there may be sites out there relying on the behavior that just got taken away. In some cases, adding features breaks the web. For instance, if you write ‘<element onevent="do_something()">’ directly in your HTML, when the event fires, the JavaScript interpreter will try to call a method of element’s DOM API named do_something before it tries to call a global function with that name. Which means that adding DOM methods to any HTML element potentially breaks websites. (This is not a problem if you assign to element.onevent from a <script>.)

This is why Mozilla core developers can seem so callous to the needs of extension and website developers built on Gecko. We know that we depend on both groups for our continued relevance—a browser is no use at all with no websites to browse, and without extensions there is not much reason to pick one browser over another. But we feel that right now it is more important to fix the problems with our existing platform than to provide stability. In the long run, we will have a better platform for both groups to work with. And in the long run, stability will come back. There are many bugs to fix first, but there are not infinitely many bugs, even if it seems like it sometimes. Having said that, there are some things we could be doing right now to make extension and website developers’ lives better … but I’m going to save them for the next post. 900 words is enough.

Note to commenters: I know lots of people are unhappy with the UX changes post-FF3.6, but let’s keep this to discussion of API breakage, please.

It occurred to me while I was watching, that there is a standard futuristic city used in demos like this one. It’s night. You can’t see the ground. Skyscrapers stretch all the way to the horizon. Said skyscrapers are glass oblongs, for the most part; this demo mixed it up quite a bit with interesting cross-sections, but still had hardly any ornamentation, terracing, or what-have-you. All the skyscrapers’ windows are lit up. There may be flying vehicles between or around the towers, but there is no sign of any other type of transportation. It is, in short, the future of the Futurists of the nineteen-teens, the city of Metropolis, Blade Runner, and Neuromancer.

Now the thing is, no city in the real world has ever looked like that. Even in the densest and most skyscraper-ful urban areas—have a look at these aerial videos of Manhattan and Hong Kong, for instance—there are buildings that are less than ten stories tall (these are in fact the majority in Manhattan, although possibly not in Hong Kong); there are parks and other open spaces; and by no means are all of the buildings boring oblongs. Furthermore, people doing actual urban design argue, vehemently, over whether or not dense skyscraper-ful cities are best (e.g.: pro, con) and I think nobody would argue, anymore, that open space is unnecessary.

And yet, when we want an icon of the city of the Future, the Futurists’ vision is what we turn to. Why? Perhaps because it’s instantly recognizable, or because it’s easy to build 3D models for. But I claim this is causing this discredited vision to occupy a share of the casual imagination that it does not deserve anymore. It crowds out other visions with its readiness to hand. Let’s invent some new icons for the future city. Let’s make the next demo flythrough be of something like this or this or this. (But watch out for the just-as-discredited “Radiant City” vision, please.)

 <!-- jQuery 1.5.2 -->
 <script src="h:sha1,b8dcaa1c866905c0bdb0b70c8e564ff1c3fe27ad"></script>

Now the problem with this is, these hexadecimal strings are inconveniently long and are only going to get longer. SHA-1 (as shown above) produces 160-bit hashes, which take 40 characters to represent in hex. That algorithm is looking kinda creaky these days; the most convenient replacement is SHA-256. As the name implies, it produces 256-bit hashes, which take 64 characters to write out in hex. The next generation of secure hash algorithms, currently under development at NIST, are also going to produce 256-bit (and up) hashes. The inconvenience of these lengthy hashes becomes even worse if we want to use them as components of a URI with structure to it (as opposed to being the entirety of a URN, as above). Clearly some encoding other than hex, with its 2x expansion, is desirable.

Hashes are incompressible, so we can’t hope to pack a 256-bit hash into fewer than 32 characters, or a 160-bit hash into fewer than 20 characters. And we can’t just dump the raw binary string into our HTML, because HTML is not designed for that—there is no way to tell the HTML parser “the next 20 characters are a binary literal”. However, what we can do is find 256 printable, letter-like characters within the first few hundred Unicode code points and use them as an encoding of the 256 possible bytes. Continuing with the jQuery example, that might look something like this:

<script src="h:sha1,пՎЦbηúFԱщблMπĒÇճԴցmЩ"></script><!-- jQuery 1.5.2 -->

See how we can fit the annotation on the same line now? Even with sha256, it’s still a little shorter than the original in hex:

<!-- jQuery 1.5.2 -->
<script src="h:sha256,ρKZհνàêþГJEχdKmՌYψիցyԷթνлшъÁÐFДÂ"></script>

Here’s my proposed encoding table:

    0              0 1              1
    0123456789ABCDEF 0123456789ABCDEF
 00 ABCDEFGHIJKLMNOP QRSTUVWXYZÞabcde
 20 fghijklmnopqrstu vwxyzþ0123456789
 40 ÀÈÌÒÙÁÉÍÓÚÂÊÎÔÛÇ ÄËÏÖÜĀĒĪŌŪĂĔĬŎŬÐ
 60 àèìòùáéíóúâêîôûç äëïöüāēīōūăĕĭŏŭð
 80 αβγδεζηθικλμνξπρ ςστυφχψωϐϑϒϕϖϞϰϱ
 A0 БГДЖЗИЙЛПФЦЧШЩЪЬ бгджзийлпфцчшщъь
 C0 ԱԲԳԴԵԶԷԸԹԺԻԽԾԿՀՁ ՂՃՄՅՆՇՈՉՊՋՌՍՎՐՑՒ
 E0 աբգդեզէըթժիխծկհձ ղճմյնշոչպջռսվրցւ

All of the characters in this table have one- or two-byte encodings in UTF-8. Every punctuation character below U+007F is given special meaning in some context or other, so I didn’t use any of them. This unfortunately does mean that only 62 of the 256 bytes get one-byte encodings, but storage compactness is not the point here, and it’s no worse than hex, anyway. What this gets us is display compactness: a 256-bit hash will occupy exactly 32 columns in your text editor, leaving room for at least a few other things on the same line.

Choosing the characters is a little tricky. A whole lot of the code space below U+07FF is taken up by characters we can’t use for this purpose—composing diacritics, control characters, punctuation, and right-to-left scripts. I didn’t want to use diacritics (even in precomposed form) or pairs of characters that might be visually identical to each other in some (combination of) fonts. Unfortunately, even with the rich well of Cyrillic and Armenian to work with, I wasn’t able to avoid using a bunch of Latin-alphabet diacritics. Someone a little more familiar with the repertoire might be able to do better.

You have probably heard that you shouldn’t reuse the same password on many different websites, and that your passwords should be long, contain numbers and punctuation, and avoid dictionary words. But you probably haven’t heard anyone explain why, and you probably have noticed that these two pieces of advice are hard to follow at the same time, because long gibberish passwords are hard to remember even if you only have one of them. I’m going to tell you why you should do these things, and how to do them without too much grief.

Don’t use the same password on many different websites

No matter how good your password is, the bad guys might discover what it is. For instance, if you log into an unencrypted website over an unencrypted wireless network, anyone else on the same wireless network can listen in on the radio traffic and discover your password. (It’s just like eavesdropping on a private conversation.) Or you might accidentally type your password into a website that looks like the real thing but is actually a fake created to trick you.

Suppose the bad guys have discovered your password for a Web forum. That’s not a big deal, because someone impersonating you on one forum probably isn’t a big deal. You might have to apologize to some people for letting some schmuck insult them while pretending to be you. But the bad guys know that people often use the same password on many different websites, so they’re going to try to log into your email with that password, and your bank, and so on. If they succeed—if you did use the same password—they might be able to ruin your life, or at least steal some of your money. But if you always use different passwords on different websites, the bad guys have to discover the password you use for your bank (and nothing else) in order to steal your money.

How do you manage to remember lots of different passwords, especially when (as I’m about to explain) they all need to be long and complicated? The best way is to let the computer—specifically, your browser’s password manager—do it for you. This may seem unsafe, but it’s actually much safer than using the same password for everything. The password manager cannot be fooled by phishing sites, and it has no trouble remembering lots of long complicated passwords. Yes, all the passwords are in a file on your computer. But the only way the bad guys can get at that is by physically stealing your computer, or installing spyware on it remotely. If you keep your computer up to date with security patches, you don’t have to worry about spyware much. If your computer is in danger of being physically stolen (e.g. it’s a laptop) you should use the master password mode of your browser’s password manager, so that the file on your computer is encrypted. Whether or not you have to worry about theft, you should enable Sync, or equivalent feature, even if you have no other computer to sync with; that way, if your computer breaks, there’s still a backup of all your passwords out there in the cloud (safely encrypted).

Use long, complicated passwords

The other way the bad guys discover passwords is by breaking into servers that store entire databases of them. If these databases have been designed correctly, that doesn’t tell them anything by itself, because the passwords are hashed. Hashing deserves a little explanation: suppose my password on some site is “12345” (the kind of thing that an idiot would have on his luggage). The server doesn’t store “12345” in its database, it stores “827ccb0eea8a706c4c34a16891f84e7b”, which is the result of running “12345” through a cryptographic hash, in this case MD5. It’s easy to convert a password into its hash, but it’s prohibitively hard to do the reverse. MD5 is old and no longer considered a good choice for passwords (or anything, for that matter), but the fastest computer ever built would still take so long to recover “12345” from “827ccb0eea8a706c4c34a16891f84e7b” that the Sun would burn out before it was done.

So the bad guys can’t just read the passwords from a database once they have it. But they can guess passwords, run the guesses through MD5 (or whatever was used), and compare the results to the database entries. (They can guess passwords even if they haven’t stolen a database, by feeding the guesses to the site’s login form—but that’s much slower and the site admins are likely to notice.) “12345” isn’t a good password because it’s easy to guess—but so is any five-digit number: a cheap laptop can calculate the MD5 of all 100,000 five-digit (or smaller) numbers in less than a second. There are something like 250,000 words in English—that’s maybe five seconds’ worth of work for the same laptop—so any word in the dictionary is bad, too. You can buy a 40-million-entry word list for $30 that has not only all the words in 20 different languages, but mangled versions of them (e.g. “f0od”)—that might take an hour or two to process.

The longer and more complicated your password is, the harder it is to guess; but that makes it harder to remember as well. Adding punctuation and numbers doesn’t help as much as one would like. There are 95 characters that you can type on a US keyboard, so there are ${95}^8$, or about a quadrillion (short scale) possible eight-character passwords, if you use all those characters. A quadrillion possibilities is out of the reach of a cheap laptop, but it’s a few weeks’ effort for a small cluster of beefy computers—a determined bad guy could do this for maybe $25,000.

The good news is, you can have passwords that can’t be guessed this way but are still easy to remember. The trick is to use phrases rather than words. One random English word is 250,000 possibilities. Two random English words are 62.5 billion possiblities—250,000 squared. That’s still not enough. But ten random English words is ${\mathrm{250,000}}^{10}={10}^{54}$ possibilities, which is safely in “still guessing when the Sun burns out” territory.

You can’t take just any phrase, though. The bad guys could easily try every phrase in the Concise Oxford Dictionary of Quotations, because there are only 9000 of them. I haven’t worked out the math, but I think guessing every sentence in the complete works of Shakespeare is doable. But nobody has a database of every sentence in every work of literature that was written with the Latin alphabet. A phrase taken from somewhere in the middle of an obscure but lengthy book is a good choice. Or you could follow this procedure:

1. Go to Wikipedia and click on “random article”. (You can use any site with a “random article” feature for this step, if you’d rather.)
2. Copy the URL of the page you get, and paste it into the Eater of Meaning. Leave the drop-down on “Eat word endings.”
3. Choose ten consecutive words from the result. They don’t have to all come from the same sentence.

Don’t worry about finding a sentence that you can remember yourself, because you’re going to have the password manager do it (unless you’re trying to pick the master password).

Some sites have limits on the length of their passwords. This is bad, and you should complain; but until they fix it, just use the first letter of each word in your ten-word phrase, with some numbers and punctuation if they insist on numbers and punctuation. That kind of password is theoretically crackable, as I said earlier, but it’s likely to be better than lots of other passwords in the database. So if the bad guys get the database, they will crack so many other people’s passwords before they get to yours that they don’t feel they have to bother cracking yours. (It’s kind of like the joke about how fast you need to run away from a lion.)

If there’s no limit on the length of the password, but the site still insists on numbers and/or punctuation, put them in between the words; that’s easier to type.