Stateless Password Manager Usability

Every once in a while, the concept of a simple password manager that needs no storage and no state comes back around. The details differ but the basic premise is always the same. Instead of saving your passwords and encrypting them with a key derived from a master password, these password managers generate passwords on the fly by hashing a master password with the website name. To get your password back, you simply need to remember your master password and the exact name you used for any specific website.

It’s an intriguing technical idea but it sacrifices security and usability. I won’t touch on the security issues here as there are far more qualified people than me that have already addressed this topic. Instead I will focus on the significant usability concerns that would send any user looking for an alternative within days if not hours.

  1. There is no indication if you have used this password manager for a particular website. This may be considered a privacy feature, but can make migrating passwords from different managers more difficult.
  2. Saving multiple passwords for a single website is cumbersome. Since your only input is the website name, you have to include the username in the website name if you want to save multiple passwords for a single website. But what happens if you didn’t plan ahead and saved your first password without the username? You now have to change the password.
  3. Some websites have weird password requirements. If the default password generation scheme doesn’t fit exactly, you’re out of luck. This can be solved by adding the password rules to the website name, but then you have to remember the rules and type them every time you need your password.
  4. You can’t change a password without changing the website name. Periodic password changes are still required by a lot of websites and even strong passwords can leak through human error. This leaves the user having to remember not just the website name but also the password iteration. Is it github1, github2 or github53 now?
  5. It is impossible to change your master password without changing all the passwords for all websites you’ve used with the password manager. The master password is directly used to create all those passwords and when it changes, all passwords must change too. To make matters worse, you don’t have a list of websites you’ve used with this password manager. This essentially means you have to remember and try multiple master passwords until you get the right one.
  6. Any security update or bug fix that alters the password generation algorithm will require all passwords to be changed. Standard password managers can simply rebuild their database but since there is no database here and the master password directly affects everything, all passwords must be changed.
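
The failure modes in items 2 to 6, reproduced with a constructed derivation scheme. This is an added example, not code from any real password manager; the PBKDF2 parameters, alphabet, site names and helper names are assumptions made for illustration.

```python
import hashlib
import string

# Constructed scheme for illustration: password = KDF(master, site name).
SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
# Hypothetical algorithm revisions; iteration counts are kept low on purpose
# so the demonstration runs quickly.
SCHEMES = {"v1": 20_000, "v2": 40_000}


def derive(master, site, scheme="v1", length=16):
    """Stateless derivation: nothing is stored, so every input must be
    reproduced exactly (master, site spelling, scheme, length)."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(),
                              SCHEMES[scheme], dklen=length)
    # Modulo mapping is slightly biased; acceptable for a demonstration.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


def meets_policy(password):
    """Constructed site rule: needs lower, upper, digit and symbol."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def first_compliant_name(master, site, limit=1000):
    """Item 3: when the output breaks a site's rules, the only knob is the
    site name. The suffix found here is state the user must now remember."""
    for n in range(limit):
        name = site if n == 0 else f"{site}#{n}"
        if meets_policy(derive(master, name)):
            return name
    raise ValueError("no compliant name found")


def rotation_candidates(master, site, max_iteration):
    """Item 4: after rotations the user must guess which iteration is live.
    Every candidate looks equally valid; only the login form can tell."""
    return [derive(master, f"{site}{i}") for i in range(1, max_iteration + 1)]


def sites_to_reset(sites, old, new):
    """Items 5 and 6: sites whose password changes when the master password
    or the scheme changes. `old` and `new` are (master, scheme) pairs.
    The site list is an input; the stateless manager keeps no such list."""
    return [s for s in sites
            if derive(old[0], s, old[1]) != derive(new[0], s, new[1])]


if __name__ == "__main__":
    master = "correct horse battery staple"          # constructed sample
    sites = ["github.com", "example.org", "bank.example"]

    # Item 2: the username has to be folded into the name, spelled exactly.
    for name in ("github.com", "GitHub.com", "github.com:alice"):
        print(f"{name:18} -> {derive(master, name)}")

    print("policy-compliant name:", first_compliant_name(master, "example.org"))
    print("rotation guesses:", len(rotation_candidates(master, "github", 5)))
    print("reset after master change:",
          sites_to_reset(sites, (master, "v1"), ("new master", "v1")))
    print("reset after scheme change:",
          sites_to_reset(sites, (master, "v1"), (master, "v2")))
```
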

All these issues combined mean you have to change your passwords way more often than usual, have to plan ahead a lot, and be very consistent or risk losing your passwords. It requires far more attention than I would be willing to pay just to get a cool stateless solution. At the end of the day, this solution is just not user-friendly.

Hypervisor Hunt

After getting burnt by Hyper-V, I decided to go for the tried and true and installed VMware Player on Windows 10. I had to install Ubuntu again on the new virtual machine, but it was a breeze thanks to VMware’s automated installation process. Everything that was missing in Hyper-V was there. I was able to use my laptop’s real resolution, networking over Wi-Fi was done automatically, audio magically started working, and even performance was noticeably better.

After a few weeks of heavy usage, I started noticing some problems with VMware. Every once in a while the guest OS would freeze for about a second. I didn’t pay too much attention to it at first, but it slowly started to wear on me. I eventually realized it always happens when I use tab completion in the shell and the real cause was playing sounds. It’s still progress over Hyper-V’s inability to play any audio, but it was not exactly a pleasant experience.

The other, far more severe issue, was general lack of performance. It just didn’t feel like I was running Ubuntu on hardware, or even close to it. I experienced constant lags while typing, alt+tab took about a second to show up, compiling code was weirdly slow, video playback was unusable, and everything was just generally sluggish and unresponsive. Overall it was usable, but far from ideal.

Today I finally broke down and decided to give yet another hypervisor a shot. Next up came VirtualBox. I didn’t have high expectations, but VMware was starting to slow me down so I had to try something. Installation was even easier since VirtualBox can just use VMware images. Then came the pleasant surprise. Straight out of the box performance was noticeably better. Windows moved without lagging, alt+tab reaction was instantaneous, and sound playback just worked. Once I installed the guest additions and enabled video acceleration, video playback started functioning too. I still can’t play 4K videos, but at least my laptop doesn’t crawl to a halt on every video ad.

As a cherry on the top, VirtualBox was also able to properly set the resolution on the guest OS at boot time. In VMware, I had to leave and enter full screen once after login for the real resolution to stick. Switching inputs between guest and host in VirtualBox is also easier. It requires just one key (right ctrl) as opposed to two with VMware (left ctrl+alt).

I realize these results depend on many things like hardware, drivers, host/guest versions, etc. I bet I could also solve some of these issues if I put some research into it. But for running Ubuntu 17.04 desktop on my Windows 10 Dell XPS 13 with the least hassle, VirtualBox is the clear winner. Let me know if you had a different experience or know how to make it run even smoother.

Things They Don’t Tell You About Hyper-V

I really wanted to like Hyper-V. It’s fully integrated into Windows and runs bare metal, so I was expecting stellar performance and a smooth experience. I was going to run a Linux box for some projects, get to work with Docker for Windows, and do it all with good power management, smooth transitions and without sacrificing performance.

And then reality hit.

  1. Hyper-V doesn’t support resolutions higher than 1920×1080 with Linux guests. And even that is only adjustable by editing grub configuration which requires a reboot. The viewer allows zooming, but not in full screen mode. With a laptop resolution of 3200×1800, that leaves me with a half empty screen or a small window on the desktop.
  2. Networking support is mostly manual, especially when Wi-Fi is involved. You have to drop into PowerShell to manually configure vSwitch with NAT. Need DHCP? Nope, can’t have it. Go install a third party application.
  3. Audio is not supported for Linux guests. Just like with the resolution issue, you’re forced to use a remote X server or xrdp. Both are a pain to set up and didn’t provide acceptable performance for me.
  4. To top it all off, you can’t use any other virtualization solution when Hyper-V is enabled. Do you want both Docker for Windows and a normal Linux desktop VM experience? Too bad… VMware allows you to virtualize VT-x/EPT so you can run a hypervisor inside your guest. Hyper-V doesn’t.

It seems like Hyper-V is just not there yet. It might work well for Windows guests or Linux server guests, but for a Linux desktop guest it’s just not enough.

It’s not a symptom, it’s a feature

Medical science has developed amazing tools to examine the human body over the years. Petri dishes, incubators, and various types of cultures identify infections. Ultrasound, X-rays, CT, MRI, FMRI and PET use different kinds of technologies to give doctors a better view and understanding of our inner workings. In extreme cases, ever advancing surgery techniques provide a hands-on approach.

Most of us will only get to use these when seriously ill or seriously rich and paranoid. Despite all those mind-boggling technological innovations, when Joe sick-pack goes to the doctor he gets examined with a stethoscope, wooden stick, thermometer, analog sphygmomanometer and a whole lot of MD fingers. Verbal inquiring is another characteristic instrument doctors wield at medical proficient Joe sixth-pack, who is prone to lies of shame. It seems development of widespread diagnostic equipment available at doctors’ disposal reached a stall a few decades ago. Funds keep flowing into research for ever more powerful drugs and fancier high-end diagnostic machines, promoting production of solve-all power tools or solutions for high profile diseases affecting only a fraction of the population. When all you have is a broad-spectrum antibiotic and ancient diagnostic equipment, everything looks like a superbug. Ironically, overuse of broad-spectrum antibiotics is a catalyst of superbug evolution. Other risks of antibiotics include side effects and allergic reactions, yet antibiotic medicine is still one of the most powerful tools available at doctors’ disposal.

Absence of efficient analysis methods leads not only to over-reliance on solve-all power tools, but also to avoidance of the real issue at hand by both doctors and patients. Falling back to symptom treatment rather than going head to head with the real issue is the simpler choice, especially when facing rudimentary findings that can only be supplemented with extensive and cost-inefficient tests. Such a misinformed treatment could subject the patient to unnecessary side effects and hide the underlying illness by removing its symptoms, allowing it to stride on and mature, reducing chances of early discovery and treatment that can sometimes save a life. It can also subject the patient to unnecessary dangerous operations where a simpler solution might exist.

It’s easy to blame doctors and the pharmaceutical industry for pushing drugs on unsuspecting patients, but both are just doing their jobs while trying to keep up with overwhelming crowds of sick, aching and impatient masses. Patients get no more than a few minutes each and are handled with archaic diagnostic equipment, forcing workarounds or guess work and hand-offs to busy specialists. It would seem our healers are doing the best they can under the circumstances, developing and distributing powerful drugs that work for most cases while favoring side effects over precise treatment in the name of cost efficiency and large scale medicine.

An analogy can be drawn to the computing world and specifically to debugging. Bug squashing consists of the same steps as illness treatment – discover symptoms, analyze, hypothesize, apply fix, rinse and repeat until symptoms disappear. Quality relevant analytic tools and deep understanding of the code make analysis easier and improve chances of spotting and fixing the bug faster; removing the need for quirky workarounds. Powerful and accessible tools like symbols, windbg, sysinternals, virtual machines, logs facilities, scriptable environments and automated test scenarios shed light over system internals and allow extensive yet concise overview of the issue, quick theory debunking, solutions for common issues, and easy verification of solutions. Imagine how powerful a vital signs logging facility would be at detecting anomalies, how much simpler analysis would be with body part isolation by virtualization, how less stressful it would be if every piece of the human body was marked with an appropriate name regardless of its current location, how enlightening it would be to view processes in a streamlined graph, and how relaxing it would be for the patient to know all is well on the spot instead of waiting for the test results.

Sci-fi inspired whole body scanner with shiny lasers able to detect the issue in a few seconds, fix it with a different color of laser and then make coffee will probably not be invented for a few more centuries, but there’s no need to get carried away. When debugging a system, human or digital, every little diagnostic tool should help. Cheap discrete heart monitor for rhythm irregularities detection, microbiological culture device with the ability to identify common infections with no need for a microscope, common antibodies detector, or a portable x-ray device would all reduce the burden and encourage better solutions overall.

Hopefully, the recent rise in biotechnological studies over the last few years will show its effect soon and shift focus from drugs to widespread diagnostics and narrow treatments.

2012 bug

I recently watched a trailer for the new 2012 movie. It seems like a pretty decent apocalyptic movie written and directed by the same guy behind two other similar movies – Independence Day and The Day After Tomorrow. Famous actors, staggering visual effects and the genre-mandatory destruction of the White House by a ship are all included. It was enough to get me hooked, fully hoping for another immersing experience and the nightmares that will surely follow.

While the movie will probably be a blockbuster and deserves its credit, the concept behind it – an apocalypse occurring on December 21, 2012 predicted by the Mayans – is a misunderstanding at the very least. The Mayans, like any other respectable civilization, had a calendar of their own to keep track of time. Of particular interest is the long count – a cycle of approximately 5129 years. According to it, a day is called k’in. 20 k’ins are one winal. 18 winals are one tun. 20 tuns are one k’atun. 20 k’atuns are one b’ak’atun. Each b’ak’atun is 144,000 days, or approximately 394 years. A long count cycle consists of 13 b’ak’atuns, or 5129 years. Day zero, believed to be the creation day, is August 11, 3114 BC. Mayan math is base-20 and so a date can be represented by five digits. In ye olde times that would be five groups of a bunch of stripes and dots listed from top to bottom. To make things more manageable for us modern people, a series of 5 modern numbers separated by dots is used. Today, for example, is 12.19.16.10.16. That is 12 b’ak’atuns, 19 k’atuns, 16 tuns, 10 winals and 16 k’ins or 5125 years since day zero.

Through various reasoning, certain academic scholars have concluded that at the end of each such cycle comes a grand and possibly cataclysmic event. Mayan scriptures make no direct reference to such an event and my personal belief is that interpretation of 13-b’ak’atun-ia party invitations have gone seriously awry; but an even simpler explanation exists.

Much like modern day engineers, Mayans had to carefully balance versatility and resources and perform a cost-benefit analysis. Understandably, they decided including the long count index in every date would be a waste of resources. Instead of carving six digits, accommodating for multiple long count cycles, they opted for ambiguity by implying the long count cycle. Imagine the vast amount of stone that would have gone to waste had every contract, ticket, advertisement, newspaper and document of Mayan times included another digit, just so it could be valid 5000 years into the future, long after they and everything they knew were dead. That brilliant decision probably allowed the construction of another pyramid or two.

In fact, the Mayans are to be admired. When our modern day engineers faced the same challenge, they opted for a century time frame in favor of resources thus unleashing the infamous Y2K bug onto an unsuspecting world. It was believed date ambiguity would cause banks to fail, computers to crash and burn, zombies to overrun the streets and anniversaries to be forgotten thus eliminating any possibility of further human reproduction. Much of the same and more is being predicted for 2012 with the same reasoning. The apocalypse is looming at an arbitrary date due to green and efficient Mayan engineering. But despite widespread usage of technology and date abbreviation in our days, short of a few minor glitches, nothing occurred on January 1, 2000. Considering the 2012 bug concerns ancient technology no longer in use, the idea seems even more absurd.

Therefore, assuming you are not using Mayan computers, live in a mortgaged Mayan pyramid or somehow related to Indiana Jones; you’re welcome to join me for a Mayan themed end-of-the-world movie marathon on, or December 22, 2012.


Memory is a fascinating mechanism. Electric currents running through biological matter draw input from sensitive organs and store anything from scents and pictures all the way to logical conclusions. It’s the simplest time-machine implementation and it’s embedded in our brains, allowing us to travel back into our history.

Commonly, it’s divided into short-term memory and long-term memory. Short-term memory is the working memory. It holds temporary but currently-crucial information retrieved from sensors, long-term memory or the result of a mental process. It is estimated that short-term memory is capable of holding up to seven items at any given time. As with many other areas in life, that number is magical and quite stubborn at keeping its status quo. To that end, common memory improvement techniques focus on methods of getting around that number instead of increasing it. A method I affectionately call “divide and conquer” suggests grouping items and memorizing the groups instead of the items themselves, so that more items can be memorized. It’s actually an expansion of the very basic naming method. Complicated items can be easily memorized when named; this is the very basis of all languages, allowing the communication of complicated matters with simple words.

One of the most obvious implementations of these methods is known simply as “list”. By numbering and even naming large chunks of data, information can be efficiently conveyed and referenced. Under this principle books are divided into chapters, rules are presented as a list of dos and don’ts, everything is divided into a magical three items, and complicated ideas are abstracted and listed so that they may serve as a fertile ground for even greater ideas.

The problem with popular and useful methods is their wide abuse. Lately, I’ve witnessed an abundance of articles containing nothing but a list with sparse content and a very thin thread holding the bullets together. To help combat this epidemic, I hereby propose my list of list-don’ts.

  1. While a very good memory technique, a list without any content is worthless. Forging pointless data into a list will not breathe life into it. At the very best, it’d help the pointless data being pointlessly forgotten.
  2. Lack of good transition between paragraphs qualifies for more content or some transitional devices and not a list.
  3. Bullets before the punch line won’t necessarily make it funnier. It will, however, make the journey leading to the punch line a boring one.
  4. There are rare cases where a list genuinely qualifies. There is no need to overstate this by noting it in the title.
  5. When already writing a list, keep it short and to the point. Three, seven, ten and thirteen are nice magical numbers. That’s not a good enough reason to pad lists.

Intelligence quotient

Humanity is doomed. We are just too brilliant to keep on living. Everyone can feel it, but like the sheep we are, we fail to notice the looming cliff ledge, slowly pacing towards our inescapable demise. We have outgrown our intellectual capacity. Any bit of information added since 2781 BC brings destiny a step closer. We are facing imminent extinction by the hands of our own wisdom.

Being the average sheep herd we are, we have our share of black sheep. Some of them have taken it upon themselves to enlighten the herd and warn us of the danger looming ahead. News networks all over the globe are alerting the homo sapiens species of the grave dangers unfolding in front of their unsuspecting herd. Every self-respecting website publishes at least one article spelling out the well known fact that technology is extremely dangerous. Not even one newspaper failed to bring forth today’s hot headline – “Modern day technology is the bane of our existence”. Radio broadcasts elaborate – “It thins out the herd”. Ewes, rams and lambs alike all know by now that using technology limits the herd’s collective intellect, slowly turning it to a crowd of brainless zombies, unable to care for themselves.

Black sheep have successfully taught us to hinder inventions such as GPS, the Internet and computer games. Sadly, they were too late to do the same for thesaurus, books, pen and paper, wheel and fire. Those unholy inventions and discoveries have already taken their toll on the herd. Young lambs no longer look for words in the dictionary, but find them in two keyboard strokes; ewes no longer tell stories around the fireplace, but write them in books available for all; rams no longer draw on cavern walls with charcoals, but paint with too much detail and too many colors on cloth; herds no longer break their legs and perish on their way to neighbor herds, but drive in air-conditioned cars with leather seats; sheep no longer get ill of uncooked meat, but devour delicious seasoned steaks. The herd has agonized for thousands of years without even realizing it.

Clearly, scientific inventions and discoveries that ease every day lives are the devil’s brainchild. Those who know they know nothing and keep on trying to disclose as many of the meadow’s great secrets as they can are nothing but mere devil worshipers. Sheep that fear not looking beyond the grass that lies before them do nothing but harm. Foul creatures that dare share their fruit of labor so that the entire herd may advance and excel are inconsiderate, egocentric and self-serving sinners. Those who define the very meaning of being stupid by negation are the horsemen of the apocalypse.

I call to you today my fellow sheep — let us put an end to this morbid state of affairs. Let us break this vicious circle of knowledge passing, stop this vile orgy of technology and return to our lonely roots. Let us burn Google on the stake, melt our GPS-capable iPhone, demolish our libraries, drown every type of vehicle, incinerate all the books, halt all scientific progress and go look for red round small things in the big place with the green and brown big stuff where the other lamb just goed.

The green wire

Apparently, I’m a brainless lump of amino acids mixed with some calcium and water wrapped in keratin. As it turns out, if I had the choice, I’d spontaneously set myself ablaze at the very first opportunity I stumble upon. If I see a ledge, I will delightfully leap ahead and form a charming crater. If I hear a car, I will undoubtedly try to stop it by hand so I can greet the driver. If a gun happens to find its way into my arms, I wouldn’t even pause to ponder and surely pull the trigger. If I become disoriented and wind up in a bar, I will purchase pure ethanol, pour it over my barren head and implore the barman for a zippo. Yes, I’m just that ignorant.

Electricity is another fine example of scary and absurd technologies fools like myself should evade. By far one of humanity’s most hazardous discoveries, this vile and corruptive force has been known to claim the lives of innumerous poor souls. It is a widely known fact that over a hundred of this world’s brightest minds buy a one-way ticket to the buzz train every single day. Thousands of households are desolated every passing minute due to electricity related complications. 8 out of 10 doctors advocate electricity-free households. Edison rolls in his grave and children weep over their lost innocence.

I was therefore not surprised to learn I was denied access to 220v-110v wall socket adapters. Usage of such mischievous tools could result in serious harm to body and property. Failure to properly connect an adapter to a wall socket could incite a fire. Failure to properly mount the cable into the adapter could result in immediate annihilation of the human race.

Hope of a better future overflows me when I learn eggheads responsible for saving me from myself have deemed this doomsday device inappropriate for mass consumption. Despite my futile attempts to dislodge the northern hemisphere by connecting my camera charger using an adapter, I’m still here to tell the tale. All I had to do is halt my quest for an adapter before the third mall and resort to soldering some spare metallic parts, unearthed from the darkest corners of the house.

Triple double U

Since around 1995, I’ve been using the web in one way or another. In those days, I would have been amazed to even notice the slightest proof of recognition on a face in response to the word modem. Today, on the other hand, I can’t walk on the street without hearing or seeing something related to the internet. Despite its ever growing popularity, it still carries with it a distinct odor of technology.

Just the other day, I embarked upon a quest for retrieving information on an everyday object with which I could extend my knowledge. What would later seem obvious caught me by surprise when, lucky as I may have felt, searching Google for apple resulted in what can only be described as an horrific synthesis of metallic, glossy and white alloys of plastic and aluminum; and not the sought sweet and divine composite of texture, taste and aroma I had expected. Quickly I realized my mistake and, not feeling lucky anymore, I commenced on a far less ambitious journey in the depths of the search results to find my craved fruit.

For all of those innocent souls out there looking for the tasty fruit like myself, allow me to dedicate this post and donate my page rank to 1up the original apple. Link by link, the web shall one day become humane.

Genuinely later

On every second Tuesday of the month, Microsoft indulges us with a slew of updates ranging from trivial to critical and sometimes even truly superior. Sadly, not even the most ardor-imbued zealot of Windows rejuvenation can bring the updates to life without a reboot. To ensure everyone does reboot, Microsoft has added the lovely “Restart Now” dialog we have all come to cherish.

Distressing as it may be, while loved and cherished, the dialog is often the center of attention in the Windows loath-fest. Getting rid of it, however, isn’t that difficult. All it takes is killing one service.

net stop wuauserv

But what if yours truly is not near the computer on patch Tuesday and the dialog starts its cheerful countdown to complete and total annihilation of the current session? While skimming through some Group Policies, I’ve noticed there’s one for disabling this annoying reboot countdown. Simply create a DWORD named NoAutoRebootWithLoggedOnUsers under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU, set it to 1 and say bah-bye to Microsoft’s equivalent of the dreaded ad pop-up.

Microsoft’s Tim Rains has more details on the subject.