do_While(True)

I think GameSwap is a great idea, and actually something I've been wanting for a long time. The idea is that you put up used games that you've tired of to trade to people who haven't, and in exchange can trade other people for games you DO want. There's a HUGE turn-over rate for video games, especially for hard-core gamers who get better value renting than buying, and none of the places like GameStop of FuncoLand offers a suitable buy-back or exchange rate. With this service, you can get a good value for your old game and fine the old, out-of-stock titles you'd like to own.

It's all mail-based and it's not free -- it runs on a credit system, which you either get for swapping games to other people or purchase yourself from the GameSwap site -- but it's completely legal (nothing wrong with selling or bartering objects you own) and a great idea for anyone with old, unused games laying around. (I don't THINK they have a reverse function to give you money back for credits earned, but it might be something they should look into; if I can 'sell' my games on GameSwap then everyone wins once I decide I'm done gaming; no reason to swap them for credits I can't use if I can just hawk them at a garage sale.)

A friend linked to This the other day, and I think it's worth passing around. I think there's a lot that I could say, but I'm not really sure how. Part of me thinks that some of the things he says just highlight some of what's wrong in the world today.

Hey, they've got some new neat tricks with lj markup, particularly the lj:// link tags.

Boy Kidnapped in California.

The further this goes a long the weak a connection it will be, but a classmates' friends' brother has disappeared. The family believes it to be a kidnapping, as he was last seen being followed by a strange man, but the police are marking it as a runaway and won't raise it, so they're looking for grass-roots help in finding him. The linked page gives details. I know most of you on here aren't anywhere near California, and it's a big state even at that, but I figure it might be helpful to see if we can spread the information around some, through LJ or other channels, in hopes of finding him.

So, a friend of mine recently got a message from LiveJournal telling her that her password was weak and that she should change it. Like so many users, she's was confused, because surely there was no way that anyone could guess her password. Someone else commented that they got the same, and their password was really hard to guess, too.

The thing is, yes, 'wubbliewoo' may be very hard for a human to guess, but we're not concerned with people sitting at the login screen trying to guess your password themselves. The problem is that a computer program may be trying to crack your password, in which case 'wubbliewoo' is trivial.

Special attacks aside, a computer program can do a Brute Force attack, where it tries all possible combinations of characters based on the alphabet in use and the length of the password. It tries 'a' then 'b' then 'c' moving onto 'aa' and 'ab' and 'ac' into 'ba', 'bb', 'bc' until it's trying 'hyttj' and 'hyttk' and so on. It tries everything, and when it finds a match, it has your password.

Brute Force will find your password, guaranteed. But it's a relatively slow process, if you make your password sufficiently difficult to guess 'for a computer.' This means a long password made of characters from a large alphabet. If you have only lower case letters in your password, you have an alphabet of 26 characters. If your password is then 4 characters long, there are 26^4 possible strings it could be, from 'aaaa' through 'zzzz'. That's nearly 500,000 strings, but we're talking about a machine that can make hundreds of thousands of guesses in a second. if you add a capitol letter to your password (even one capitol is enough to make the program have to try harder) then your alphabet is 52 characters, and 52^4 is a lot bigger than 26^4. Generally speaking, a strong password is considered to be at least 8 characters in length, using three of the four types of characters (upper case, lower case, numbers, and symbols). This puts you in the range of 92^8 or so, which will take a computer 6 to 12 months to break -- and presumably you'll have changed it by then. These policies about password make-up and duration aren't made to make your life difficult -- I've personally used a program that could crack a 52^8 password in under 5 hours, max.

The math in all of this is fascinating, but I'm saving you all from most of it.

"But how will I remember it?" My friend asks. Well, if you have a weak password, it's not hard to do minor changes (as far as a human's concerned) that will make it significantly harder for a computer to guess. The password 'foobar' is not the same as 'Foob@r', and just those two changes bump it from a 26^6 password to a 92^6 password. Additionally, though they say "don't write your password down," as long as you aren't concerned about someone in your immediate vicinity cracking your account, and you take precautions to keep it mostly-hidden from visitors, there's no reason not to. it's a bad idea for a manager to write down his password at work and leave it on his desk, but an LJ password at home is a significantly different situation.

DO NOT post your password online, anywhere. Seriously. if something's online, it can be found, period. The internet is so complex, and the 'rules' can be gotten around so simply by someone who knows what they're doing, that it's just a supremely bad idea. I'd advise stenciling your password to the side of you monitor before posting it online; much, much safer.

Caveat: OK, I really don't like making people paranoid, so I thought I'd add this in here. Yes, the internet is a dangerous place. if it's on here, it can be found. And yeah, if someone wants to crack your password badly enough, they will. But that brings us to the biggest protection anyone has on the internet: you're simply not important enough. And I don't mean that personally; in general, none of us are that important. If someone got my Bank info, he might be able to get, I don't know, a couple hundred dollars. If they hijacked my LJ, they could probably make me look pretty bad socially. But with the effort needed for either, the pay off just isn't that big. Now, someone like TheFerret, who's so well known her gets a mention in blog entries totally unrelated to him by people who don't even read his stuff -- he might want to be particularly careful about his security. The point is, you aren't important enough to put a lot of effort into, but if you have a weak password, it's not a lot of effort. No one's going to run a program for three months to hijack your account (unless you're the aforementioned TheFerret, maybe), but if they just have to run it for 5.2 seconds, it's trivial. The point is to make the payoff not worth the effort.