Category Archives: Fun

Bots, passwords, short strings, and simple characters

About a month ago I got curious about bots that target WordPress sites. I use the Limit Login Attempts plugin and every time I got an alert that an IP had been limited it was always for the username ‘admin’. I had never thought much about it, but it makes sense as an attack vector given how many people probably do use that name. What I wondered was what sorts of attacks they were trying. In particular, the passwords they used seemed most interesting.

So I started writing a new plugin, Admin Login Notifier, which you can also fork it on Github if you’re into that kind of thing. Admin Login Notifier does pretty much what it sounds like — it grabs the password when someone tries to login as ‘admin’ and notifies you. Originally it sent an email for each attempt, now it saves them in a dashboard page and sends a daily email digest.

It’s been running on my site for a couple weeks and, as of this morning, has caught over 1,000 attempts. I decided it would be interesting to look at the list and see what these bots are up to. Until recently, the passwords were all in emails (and not saved elsewhere) so aggregating them was a bit of a pain. Because of some different formats I used in the emails, I ended up only exporting 920 of them, which you can see here.

I was especially curious about the strength of passwords used by bots, which I decided to break down into four really basic metrics:

  • Length — Just the number of characters in a password
  • Uniqueness — The number of unique characters in a password
  • Complexity — The number of character types in a password, like uppercase letters, or symbols
  • Repetition — How often bots tried the same passwords as other bots (or as themselves)

Here is the script I used.

And here are the results. You can do this yourself by saving the password list as sample.txt in the same directory as this script.

Average length: 6.2 characters
Average unique characters: 4.8 characters
Average character types: 1.2 types
Repetition: 17% of password attempts were repeats of other attempts

Hopefully you can learn a few things of this. First, you should learn not to use the username ‘admin’. Beyond there, here are a couple of conclusions. None of these are particularly noteworthy, and each ought to sound familiar if you’ve read any other password advice on the web.

  • Use long passwords. Bots try pretty short passwords, so you should use long passwords. There are mathematical reasons for doing this, too. But we’re sticking to empirical data for this post.
  • Use lots of characters. Although the average pasword attempt was just over 6 characters, they contained 25% fewer unique characters. Bots try a lot of repeated characters, likely because people repeat characters to make their passwords easier to remember. Don’t do that.
  • Use multiple character types. 80% of all attempts used only one character type.
  • Don’t use passwords found on things like “Most commonly used passwords” lists. 1 in 6 passwords that bots attempt are repeats. Don’t make their jobs easier.

Admin Login Notifier isn’t terribly useful, but it is kind of fun and I’m glad it helped me get a look at this data.

There should be a complete absence of the annoyance and irritation caused by the necessity of searching for lost balls.

Allister MacKenzie, The Spirit of St. Andrews

I’ve been playing lots of golf lately and it’s reinforced my long-held opinion that the design of most golf courses is just awful. That got me to thinking: what would go into my ideal golf course?

Easy first hole

The first tee is no time to ask a player to hit a great tee shot. No one is really warmed up at that point and the point of golf is to be fun — the way to make a round fun is not to require a 270 bomb with the first swing. That hole has its place, but it’s later in the round once you’re in a rhythm. Making a hole difficult because it’s first is like making it difficult by shouting during someone’s backswing; it’s certain to add strokes, but mostly unrelated to skill or quality of execution.

The first hole should be playable with a fairway wood or long iron from the tee and it shouldn’t have any water hazards. It should also be a par 4. Par 3’s will slow down play too much at the beginning of the round and should also require more accurate distance control than can be expected on the first hole. Par 5’s easy enough to qualify for a good first hole are just a waste of a potentially fun birdie hole later in the round.

No fescue (or other pseudo-hazards)

Three foot tall fescue looks great in the photo gallery on a golf course’s website, but is absolutely useless almost every time it’s planted on a golf course. Fescue is the worst kind of pseudo-hazard because you’re very likely to lose your ball in it and the rules of golf afford you only one solution: re-hit. Fescue tends to come into play in two places: not-so-great shots and really awful shots. Both are bad uses.

The “not-so-great shot” fescue is usually 5-10 yards off the fairway, after a relatively narrow line of normal rough. In this case you’ve hit a bad drive, but not one that would give you any trouble in approaching the green or at least laying up on most other holes. But the architect decided to drop some knee-high grass here, so now you’re searching for a lost ball after being 10 yards from a perfect approach. The “really awful shot” fescue is usually on parts of the coure that don’t even seem like they should be in play, those spots where it’s just filling the gap between the border of the property and the designed hole. In this case you’re usually in pretty bad shape and don’t have any shot to the green, so I’m not sure what the point is of punishing you with fescue here.

The result is that fescue usually feels like random punishment — maybe you’ll find it, maybe you won’t. That’s bad, lazy design.

Creative punishments

My first two points shouldn’t imply that I want to put bumpers on any hazardous part of a golf course. I am all for punishing bad shots, but yet-another-hazard is not the only way to do it. Instead of filling courses with ponds and fairway bunkers (and fescue) to combat any wayward shot, architects should use more interesting tactics. One of my favorites is slopes and blocked views. Give me a side hill lie to a hidden green when I hit a bad shot. It makes the course just as difficult if you’d plopped down another fairway bunker, but much more interesting.

Fewer tee boxes

When I started playing golf every course I knew of had the same three options for tees: blue, white, and red. Then came gold tees. Now choosing a tee box to play from can feel like shopping for laundry detergent. Fix or six tee boxes on a course is no longer uncommon, and it results in far too much artificial development. Building that many tee boxes means often half a hole is unnaturally-manufactured, and the rest of the hole is dulled down to accomodate shots from every conceivable distance. Three tee boxes means minimal disruption of the hole, and if a couple people play from tees that are slightly longer or shorter than they’re used to the game will be that much more interesting.

Mark every sprinkler head

There are few things more frustrating than walking in circles trying to find a marker when your ball is right in the middle of the fairway. Doubly so when you come across many unmarked sprinklers on the way. It baffles me when this happens because markings on the course are so useful and so easy to produce that the only thing that makes sense is marking everything out there.

This extends to sprinklers that are over 200 yards, by the way. I once saw a sprinkler marked “Don’t even think about it”. While this was cute and did make me laugh, it was still annoying because even distances I can’t reach are useful to measure. No one’s going for the green from 300 yards away, but knowing that it’s 300 and not 350 means I will hit a different club to layup. Measuring the distance costs almost nothing, so just do it and make it easy to find for the people playing your course.

“Good” places to miss

A sufficiently-hard golf hole should often give you very difficult shots. That’s great as long as you give me an option to hit an easier shot in exchange for lost (portions of) strokes. Your green tucked behind a row of bunkers is just lazy if you don’t give me a bailout area to aim for when I can’t make the approach, maybe because I’m in the rough vente de viagra sans ordonnance.

Usually when this is done it’s right in front of the green, where the fairway extends right up to the fringe. That’s boring and often pointless, as architects try to squeeze that area as much as possible between the green-side hazards. A great bailout area can still require a carry over hazards, but give me a more forgiving place to land to the side of the green. A very underused design feature is bailout areas behind greens, which I wish I saw more of. These make the player commit to going long and not missing short to be safe. Whatever you decide, just give the player more than one way to play the hole.

Obvious targets

Every time I stand on a tee and wonder where I’m supposed to hit it, a golf course architect has failed miserably. There are so many ways to give players a visual clue about where to play, that not doing it is unforgivable. The boring way to do it is the classic barber pole in the fairway on your target line. More creative architects use natural features of the land — a large tree in the distance, a boulder, a bunker you have to carry, etc. On any tee shot you should be able to tell me in a few words what to aim at so that I don’t have to wonder. I can’t count the number of times I’ve stood on a tee, unsure, hit it exactly where I was aiming and though, “I hope that’s good”. If you can’t give me an indication of where to hit it, you’re not allowed to make tee shots with obstructed views.

We’re making it less random to make it feel more random.

<a href="http://www pilule viagra”>Steve Jobs, on the iPod “shuffle” feature

iPod customers complained that the shuffle feature wasn’t random. Noticing repeats in artists, albums, or genres, users concluded that the shuffle wasn’t properly shuffling. In response, Apple made the shuffle non-random by preventing repeats of similar songs in close proximity.

Facebook UI

A Deadspin reader tells a heart-wrenching story of a relationship gone awry. In addition to feeling sympathetic for the guy, it also occurred to me that this is the Solomon(s) sort of thing that UI design should really be all about. Screw wholesale nba jerseys, put yourself in your real customers’ shoes.

I have often The wondered why Facebook put their search box right next to Youth the “tell this to <a href="http://evansolomon viagra posologie”>Wikileaks’ everyone in the world” box.

My status update was just the girls from the previous night name about ten times, often to within a couple cheap nba jerseys seconds of each other. To make matters worse about half of NFL them wholesale jerseys had the caps lock on. This clearly made me look like I was beyond obsessed, and potentially a cheap jerseys serial killer.

Full Don’t story on Deadspin.


Evan Solomon(s)

Unfortunately cheap NFL jerseys names are not very good global unique cheap NFL jerseys identifiers, and some Canadian guy got to mine first. Fortunately I beat him to Twitter. Canadians, a lovely bunch, occasionally message me instead of him about the banalities of living in wholesale NBA jerseys America’s hat, like shoveling snow and drinking milk out of bag (which admittedly seems to make a lot of sense).

Apparently it’s election season in Canada — yup, they have elections just like a real country — so the message volume is heating up. Today I tried to find a peaceful resolution, but it was to no avail. Instead I just decided to start impersonating the Jerseys Canadian me.

Continue reading