Less Wrong is a community blog devoted to refining the art of human rationality. Please visit our About page for more information.

Comment author: CBHacking 12 February 2015 09:47:16AM 6 points

It also raises worrying considerations about how passwords are stored in the database. Passwords should never be stored in plain text, nor with reversible encryption. Instead, each account should store a password verifier value (and a salt, unique to the user).

A password verifier is the result of running a password, its salt, and possibly another input that isn't kept in the DB all through a function that produces some deterministic value that is nigh-impossible to brute force. A property of password verifiers is that they produce output of a constant length, regardless of the input length. This makes it easy to allow arbitrary-length passwords because any actual limit you impose is artificial and exists for some reason other than your database schema.

For those familiar with hash functions: a raw hash, even a long or fancy one like the new SHA3 family, is a bad password verifier function. However, it does exhibit the desired properties with regard to length. In fact, you can build a decent PVF out of cryptographic hash functions; see PBKDF2.
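As an added illustration of the scheme the comment describes (this is example code, not anything from the comment or from the site's codebase): a per-user random salt, a secret "pepper" that is kept outside the database and mixed in via HMAC, and PBKDF2-HMAC-SHA256 as the slow, deterministic function. The pepper value, the iteration count and the hex-encoded record layout are assumptions made for the example. The verifier is always 32 bytes, whatever the password length, which is the property the comment points out.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the comment).
ITERATIONS = 600_000          # PBKDF2 work factor; tune to your hardware budget
SALT_BYTES = 16               # per-user random salt, stored next to the verifier
# The pepper is a secret that is NOT stored in the database (config file, KMS, HSM).
# A constructed placeholder value is used here so the example runs offline.
PEPPER = b"constructed-pepper-value-kept-outside-the-db"


def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Build the record to store for a user: salt, iteration count and verifier.

    The password is first keyed through HMAC with the pepper, so a copy of the
    database alone is not enough to start guessing; the result is then stretched
    with PBKDF2 under the user's salt. Output length is fixed (32 bytes for
    SHA-256) regardless of how long the password is.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    verifier = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "verifier": verifier.hex(),
    }


def check_password(password: str, record: dict) -> bool:
    """Recompute the verifier from the stored salt/iterations and compare in constant time."""
    candidate = make_verifier(password, bytes.fromhex(record["salt"]),
                              record["iterations"])["verifier"]
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, record["verifier"])


def verifier_length(password: str) -> int:
    """Length in bytes of the stored verifier for a given password (always 32 here)."""
    return len(bytes.fromhex(make_verifier(password)["verifier"]))


if __name__ == "__main__":
    rec = make_verifier("correct horse battery staple")
    print("stored record:", rec)
    print("right password:", check_password("correct horse battery staple", rec))
    print("wrong password:", check_password("correct horse battery stapler", rec))
    print("verifier bytes for a 1000-char password:", verifier_length("x" * 1000))
```

Because the salt and iteration count are stored with the verifier, the work factor can be raised later for new records without invalidating old ones, and two users with the same password still get different verifiers.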

Comment author: faul_sname 14 February 2015 02:20:34AM 2 points

The worrying questions have somewhat less worrying answers. Here is the cause of the length limit of 20 (in r2/r2/templates/login/html):

 <input id="passwd_${op}"
        name="passwd_${op}" type="password" maxlength="20"/>

Removing the maxlength="20" restriction on password fields allows longer passwords without a problem (I'm actually unsure why that's there in the first place -- it doesn't actually prevent a malicious actor from sending a 1 GB password, as it's a client-side check).

Comment author: polymathwannabe 05 January 2015 09:18:54PM *  -1 points

How is a computer more random than flipping pages?

Comment author: faul_sname 06 January 2015 04:32:31AM *  2 points

The word "set" in my dictionary has a definition spanning an entire page. Most other pages have between 20 and 50 words on them. This implies that the word "set" will be chosen about 1 in 1000 times, giving only 10 bits of entropy, whereas choosing completely at random, each word would have about a 1 in 50,000 chance of being chosen, giving about 15 bits of entropy.

In practice, picking 5 random pages of a 1000 page dictionary, then picking your favorite word on each page, would still give 50 bits of entropy, which beats the correcthorsebatterystaple standard, and is probably a more memorable passphrase.

Comment author: PECOS-9 30 December 2014 12:56:56AM 8 points

Tutoring? Put up flyers and sign up for wyzant (they take 40% at first, going down to 20% after you log many hours with them, which really sucks, but they're the only popular online marketplace for tutors).

Comment author: faul_sname 30 December 2014 05:37:52AM 3 points

Them and InstaEdu, which is entirely online (they take a similar cut as well, and the work comes in bursts mostly around midterms and finals).

Comment author: ChristianKl 10 December 2014 11:46:09PM 1 point

The phylogenetic tree model is used because it makes useful predictions about the world, not because it represents the way the world actually is.

Yes. I'm not denying that such models do have use. But on the other hand people outside of biology do often consider them to represent the world as it actually is.

Comment author: faul_sname 11 December 2014 01:24:32AM 0 points

I think we're in agreement here.

Comment author: ChristianKl 09 December 2014 03:04:00PM 0 points

but in practical terms it is useful to have a tree-like map, because it allows you to assess the phylogenetic distance between two groups.

That works as long as a virus doesn't transfer genes from one species to the next and thus invalidates the tree structure.

Comment author: faul_sname 10 December 2014 08:24:40PM 1 point

It depends on your goal. What a lot of non-biologists don't realize is that the ladder keeps going after species down through subspecies and beyond. In terms of bacteria, which do undergo horizontal gene transfer, we generally refer to them by their strain in addition to their species. The strain tells you where you got the culture, and, in lab settings, what it's used for. CAMP Staphylococcus aureus is used for the CAMP test, for example -- because you know where the strain comes from, you can be reasonably confident that it will behave like other bacteria of that strain. If you have a different strain of Staphylococcus aureus, you expect that it would probably also work for this test, but by the time you get as far away as Staphylococcus epidermidis, it's quite unlikely that you could use it successfully for the CAMP test.

In theory, you could do a DNA extraction and see if your organism has the right genes to do what you want. In practice, it's usually cheaper and easier to use a strain that you know has the right characteristics -- even among bacteria with 20 minute generation times, genetic drift is still pretty slow, and what little selective pressure there is is pushing for the strain to keep its useful properties (i.e. we throw away bad cultures).

The phylogenetic tree model is used because it makes useful predictions about the world, not because it represents the way the world actually is.

Comment author: IlyaShpitser 08 December 2014 12:12:51PM *  3 points

"Species" is not a clean concept in a world with viruses, clines, and ring species.

More precisely, "species" is a map marker made by someone who likes discrete, mostly tree-like maps (legacy of Aristotle?)

Comment author: faul_sname 08 December 2014 08:29:15PM 2 points

"Species" is one rung on the phylogenetic ladder. Whether a given edge case should be classified as a species or as a subspecies can be debated, but in practical terms it is useful to have a tree-like map, because it allows you to assess the phylogenetic distance between two groups.

Also, compared to the range from class to genus, "species" is relatively clear-cut.

Comment author: Nornagest 08 December 2014 05:31:29PM 1 point

How'd you manage to strikethrough part of your post? I thought the markup for that had been disabled.

Comment author: faul_sname 08 December 2014 06:56:22PM 3 points

 "hello, world".replace(/(.)/g, '$1\u0336') == "h̶e̶l̶l̶o̶,̶ ̶w̶o̶r̶l̶d̶" // append U+0336 (combining long stroke overlay) after each character

Comment author: Nornagest 04 December 2014 07:25:15PM *  3 points

Jehovah's Witnesses != Mormons, even though both are known for door-to-door solicitation. Reliable statistics are thin on the ground, but the Mormons seem to be doing a little better than average in terms of personal socioeconomic status. (BYU is not, however, an unbiased source.)

Comment author: faul_sname 04 December 2014 11:37:47PM 1 point

You are correct. I'm not sure where I got the idea that LDS was Jehovah's Witnesses.

Comment author: Lumifer 04 December 2014 03:36:33PM 0 points

For whom? For the Mormon Church or for the specific individuals? :-/

Comment author: faul_sname 04 December 2014 07:10:50PM *  -1 points

I̶t̶ ̶a̶p̶p̶e̶a̶r̶s̶ ̶m̶o̶s̶t̶l̶y̶ ̶t̶h̶e̶ ̶c̶h̶u̶r̶c̶h̶,̶ ̶a̶p̶p̶a̶r̶e̶n̶t̶l̶y̶.̶ ̶W̶o̶w̶.̶

Edit -- missionary.lds.org is latter day saints. One of their quotes was by a Jehovah's Witness, so I thought this was a guide for Jehovah's Witnesses. If the question is "Does it work for the specific individuals in the Mormon Church?" the answer is yes.

Comment author: Lumifer 01 December 2014 08:36:25PM 10 points

And you end up like this.

Comment author: faul_sname 04 December 2014 09:28:37AM 13 points

Seems to have worked for them.
