The black does have a purpleish tinge on my panels, but the other colours don't. Overall it's pretty low contrast and saturation, and unable to reproduce cyan or fuchsia even with blending through any kind of blending, which makes certain things like sky and water come through poorly.
The similar project I'm working on is looking like it'll get about a year of battery life with a typical 18650, the 5.65" version of the display and run off an ESP (refreshed once a day).
The counterintuitive trick I've used for my 5900X is to increase the minimum fan speed up to around 60% or so. It makes the base volume very slightly higher, but avoids it constantly ramping up and down through the 50% zone which is what I found the most annoying/noticeable.
For those who are wondering what is the benefit over pip freeze: pip freeze dumps you entire venv, while pip compile gets project dependancies, and infer the requirements file from that.
I'm not sure I get it -- if you had your core dependencies in setup.py / setup.cfg / pyproject.toml (for development) and then pip freeze (for creating a highly reproduced venv for applications), would that be similar?
Why would one want to infer the requirements file? Would that be like `pip list --not-required --format-freeze`?
The most efficient workflow I've found for pip so far is something along the lines of:
pip-compile # resolve and pin the dependency tree
grep '==' requirements-pinned.txt | xargs -n1 pip wheel # build every wheel in parallel
pip install *.whl # install the pre-built wheels
It may not avoid all the slowness, but when nicely integrated into a build/CI system it can avoid suffering it more than once.
Depends on your platform. If you're using ARM (like AWS Graviton, and possibly Apple M1) you might find that many wheels are not available. That might be different now, my information is 2 years old, but I remember 'pip install numpy' taking ages. Every time someone pushed a change we'd have a 15 minute job clogging the pipes. Luckily I had already created an artifact repo (AWS CodeArtifact) for our own internalpackages, so I added a step to our build process to push locally built wheels, so a painfully slow build would only happen once.
I love pronounceable passwords, but there's research indicating that such generators typically produce lower than expected entropy. Do you mind sharing what algorithm you use?
The 84-bit number 10231239242746186561668573 can be represented as: ...
In 12-bit words of 5 letters or less: hits towel bloke gala blah jimmy barry
Diceware is good too.
A word of warning: be careful playing around with stochastic text generation if you're susceptible to delusions and hallucinations. You'd have to be pretty far gone to think "hits towel bloke gala blah jimmy barry" was a message from God, but of course we all know people who have fallen into that kind of belief, and the strain on credulity gets smaller as the text model gets more sophisticated.
Wouldn't a generator like this significantly increase risk of succumbing to dictionary attacks? I probably just don't understand part of what it's doing, but I'm curious.
It depends on what your baseline is. With knowledge of the generation algorithm, a dictionary attack on a password generated that way will definitely succeed, but on average it will take 2⁸³ tries (twice that at worst). At a billion tries per second this is 300 million years, almost long enough for the Sun to engulf the Earth if your attacker devotes only a single CPU to the task. There are commonly used password hashing algorithms that can only do a few hundred tries per second per CPU, which pushes the average success time to a quadrillion years, fifty thousand times the current age of the universe.
By contrast, trying every phrase of 20 words or less in every book that has ever been published would only take something like 129 million × 19 × 500,000 = 1.225 quadrillion tries. At a billion tries a second, that's only two weeks. (And if the password hash is inadequately salted, the attacker can use a rainbow table and put in that effort ahead of time and distribute it across all the victims.)
An attacker with more resources might devote a million CPUs to the problem, which would cut the time to success from 300 million years down to only 300 years (assuming a billion tries a second). In the next few decades it will become practical to devote much larger amounts of computation to problems like this, so such an attack might succeed, but currently it is beyond the capabilities of all but a few adversaries. And, as I understand it, Grover's algorithm will enable a large enough quantum computer to solve your password in only 2⁴² tries, which is only about four trillion tries, under an hour at the billion-tries-per-second speed I suggested above. I'm not sure, but I think it would need to prevent qubit decoherence for that period of time.
You can get equivalent security with a shorter password that looks like random gibberish, such as b7fc d750 9a52 ad6a e48c a, eedgckeimbjdefhcjclmghh, mgujdlrgdfmadtlidu, 1qvrx21zego0scvyi, 17uUPBKnfX7fSNY, >4h)&crV,+E{O, or 宜潨阰揫難侌, but those are a lot harder to memorize. They're shorter to type, though, and they're less vulnerable to side-channel attacks.
Looking random isn't good enough, though. They need to actually be random.
Please don't use $RANDOM or $((RANDOM)) or standard `shuf` for password generation. These RNGs are not cryptographically secure. Use input from /dev/urandom instead.
Modulo operations like these are another thing to avoid. To get equal chances for each word, the simplest thing to do is e.g.
do
wordlistlength = 10e3
randomnumber = os.urandom(1) * 256 + os.urandom(1)
while randomnumber > wordlistlength
return wordlist[randomnumber]
(Adjust if your list length is greater than 255×256+256, of course.)
Further, I see that cracklib-small is 52k words. That's not good or bad, but it makes the default 4-word phrase 52e3⁴ ~ 63 bits of entropy, which isn't terrible but in my opinion on the short side as a default. It will be perfectly fine if you only ever want to defend against online attacks, but in some cases (think disk encryption or password manager) offline cracking should be kept in mind and for the rest you should usually use a password manager anyhow (so then memorability doesn't matter).
Or perhaps more succinctly: please don't roll your own crypto.
I understand that this is of course very unlikely to be abused if it's just for yourself and nobody knows of this weakness in your credentials (security through obscurity works... until it doesn't), but one day someone will use this as inspiration or it will spread somehow, say through an HN comment... just use good password generators or at least keep insecure ones secret.
Btw: many standard Debian(-based) installations have /usr/share/dict/words available so you don't need an extra install; I haven't seen cracklib used before but that might just be me.
LCGs are multiply followed by add followed by modulus, which is usually implied by a mask or a native word bit length rolling over. You should observe that multiplies have patterns in the lower digits which an add will only offset, and the modulus will only throw away high bits rather than mix them back in to the low bits. Consider the low digit in multiples of 7 (what you'd get picking a number between 0 and 9 inclusive via modulus):
The lowest digit has the sequence 7418529630 repeating, which isn't very random. Modulus preserves low order bits and throws away the magnitude of the number. The result is that if you want to get half-decent low-valued random numbers from an LCG, you should take x/range * limit rather than %. You can do this with integer arithmetic via multiply and shift if you have an integer twice the size of your LCG.
But again, don't use an LCG for generating your password.
[1] I looked at the source. Bash looks like it tries to use random(3) if it's available, otherwise it seems to use this, which doesn't have an add:
Sometimes I use passages from books. Easy to remember a >60 char password, can always check the book and it brings back to memory a book that I enjoyed each time I use it. For PINs I like to use a long sequence of digits of a physical/mathematical constant.
From books? Having anything that's natural language will kill your entropy, way way below correct horse battery staple. Moreso if it's indexed by Google Ngrams.
Yes. But it’s much more dramatic in the movie when the villain runs his finger along the spines of the books in your library idly but then his eyes narrow and he aggressively pulls a book off the shelf and flips it open to a well worn spot. Checkmate!
Just FYI, if there is an incentive to get your password, there are existing programs to match arbitrary length strings from books or any text source. One such program has been used to steal cryptocurrency from wallets that are generated from a passphrase like NXT.
Look at diceware.com for a good way to do that. You can calculate the entropy without "research". I use a simple python script for the purpose, filtering out the words < 7 chars long from /usr/share/dict/words instead of bothering with the official diceware list. Example output: "snored-Hoff-virtue-tab-eroded-Perl's" with estimated 87 bits of entropy. If you write the phrase on a piece of paper and refer to the paper when typing the phrase into a computer, then after a few uses you will remember the phrase without any special memorization effort. At that point you can shred or burn the paper, or possibly record it in an offline encrypted file requiring its own security efforts.
Also take a look at the EFF’s wordlists [1] as an alternative to the Diceware list. Quoting from their blog post, here are some issues with the Diceware list that they have resolved:
- It contains many rare words such as buret, novo, vacuo
- It contains unusual proper names such as della, ervin, eaton, moran
- It contains a few strange letter sequences such as aaaa, ll, nbis
- It contains some words with punctuation such as ain't, don't, he'll
- It contains individual letters and non-word bigrams like tl, wq, zf
- It contains numbers and variants such as 46, 99 and 99th
- It contains many vulgar words
- Diceware passwords need spaces to be correctly decoded, e.g. in and put are in the list as well as input
I haven't seen those in a while now. For random sites you should use a password manager anyway though, not try to remember a thousand passphrases. You're going to end up reusing passwords if you try to memorize them all, or else you'll have to write some down and then you are already using a password manager :). Or you use a system and then 1-2 cracked passwords/-phrases will likely break them all.
Note that this advice is for the average, common site. If you have special considerations for your bank, broker, or similarly high-value sites, different advice might apply of course (but this is not really the place for that and there are already enough recommendations online).
For ages I remembered this as 'battery-horse-staple-correct' but then I see loads of people saying 'correct-battery-horse-staple' so now I think I'm the one who is wrong.
I wonder which way round is actually the right way to say it?
ok typo on my part... anyhoo - does "correct" go at the front or back?! Because the way I read it, the speech bubble saying 'correct' is after the horse and the other two words.
I always find those annoying to copy (we use a lot of shared credentials, like when the customer gives us 3 accounts with different permission levels to pentest an application with) and it also simplifies the command to not have to specify all those symbols. You can also avoid the whole `fold` thing by just telling `head` to give you a certain number of -c instead of a certain number of -n.
</dev/urandom tr -dc a-zA-Z0-9 | head -c 16
(Then again, you were proposing an alias, so then command complexity/memorability doesn't really matter.)
Security level: log((26+26+10)¹⁶)/log(2) ~ 2⁹⁵ (95 bits of entropy), comparable with adding those 12 extra symbols: log((26+26+10+12)¹⁶)/log(2) ~ 2⁹⁹. (Adding a character makes more sense than adding a symbol if you want more security, all else being equal of course.) If a stupid application still has outdated password requirements (thankfully this is rare among the applications I use) then one can of course add the classic ! at the end.
Right, I forget that it's not the default to print a \n as the first character of your PS1. Doesn't make sense to me that this isn't the default, as there are quite a few commands that might not end with a newline and then it messes up the prompt position, and it doesn't impact backwards compatibility to add it now.
Arch Linux. When using Zsh the last char is always a '%'. When using Bash it does no show a '%' but there's no line break. Possibly an weird interaction with my $PS1.
You can replace "cat /usr/share/dict |" in that invokation with "</usr/share/dict" and it will be equally easy to switch between tr and sed. Yes, you can put that redirection at the start, not just at the end of a command line. Although I admit I still haven't got used to doing it.
> Please don't use $RANDOM or $((RANDOM)) or standard `shuf` for password generation. These RNGs are not cryptographically secure. Use input from /dev/urandom instead.
When using shuf for cryptographic purposes, I'd first check if it advertises as being able to be a secure cryptographic token generator when provided with a secure random source. It might very well use modulo operations, for example.
Made this for (and have not touched it since) my last job search.
Design-wise I'd like to dial back the animation and minimalism a bit, and bump the contrast. Also have been thinking about adding more written content like blog posts or technical whitepapers.
I made a palette for colour space conversions for reference: https://imgur.com/a/2vgFsT4