Password rotation is dumb

Many organizations have policies requiring you to change your passwords every 90 days. These policies are dumb, and make security worse.

The following material should help you fight back against this nonsense. You don’t have to believe Paul Schreiber, but you should believe NIST, the FTC and the UK’s NCSC.


In 2016, the National Institute of Standards and Technology (NIST) came out with a new set of password guidelines, finalized in June 2017. The formal document is “NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.”

§ states:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”

“Memorized secret” is NIST-speak for password.

Chester Wisniewski provides an excellent plain-English summary of all of NIST’s recommendations (not just password rotation).


The UK’s National Cyber Security Centre writes:

CESG now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation. Attackers can often work out the new password, if they have the old one. And users, forced to change another password, will often choose a ‘weaker’ one that they won’t forget.


Lorrie Cranor, the US Federal Trade Commission’s Chief Technologist, writes:

I go on to explain that there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)

She is a co-author of a formal academic paper on the topic, “Measuring Password Guessability for an Entire University.”
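To make concrete what the NCSC and Cranor describe (“attackers can often work out the new password, if they have the old one”), here is an added example; it is my code, not from the post or from the sources quoted above. Given a leaked old password, it enumerates the successor passwords people typically produce under forced rotation and reports how far down that list the real new password sits. The transformation categories (bump a trailing number, swap in the current year, change the trailing symbol, append a short suffix, change case, “leet” substitution) are the ones rotation studies report; their exact ordering and the sample password pairs are constructed for illustration, not measured data.

```python
import datetime
import re
from typing import List, Optional

# Constructed, illustrative transformation set (an assumption, not a
# published wordlist); the categories mirror what expiration studies report.
LEET = str.maketrans("aeios", "4310$")
SUFFIXES = ("1", "!", "1!", "12", "123")


def rotation_candidates(old: str, year: Optional[int] = None) -> List[str]:
    """Return, in the order an attacker would try them, the passwords a user
    who was forced to rotate `old` is most likely to have chosen next."""
    year = year or datetime.date.today().year
    cands: List[str] = []

    def add(c: str) -> None:
        if c != old and c not in cands:
            cands.append(c)

    # 1. trailing number: bump it, or replace a year-like number with this year
    m = re.match(r"^(.*?)(\d+)(\W*)$", old)
    if m:
        base, num, tail = m.groups()
        width = len(num)
        for delta in (1, 2, 3, -1):
            if int(num) + delta >= 0:
                add(f"{base}{int(num) + delta:0{width}d}{tail}")
        yr = year % 10 ** width
        if width in (2, 4) and abs(int(num) - yr) <= 3:
            add(f"{base}{yr:0{width}d}{tail}")

    # 2. trailing symbol: users cycle through the shifted number row
    m = re.match(r"^(.*)(\W)$", old)
    if m:
        base, sym = m.groups()
        for s in "!@#$%*?":
            if s != sym:
                add(base + s)

    # 3. append a short suffix, then case and leet variants of the whole thing
    for suffix in SUFFIXES + (str(year), str(year)[-2:]):
        add(old + suffix)
    for variant in (old.capitalize(), old.upper(), old.swapcase(), old.translate(LEET)):
        add(variant)
    return cands


def guess_rank(old: str, new: str, year: Optional[int] = None) -> Optional[int]:
    """1-based position of `new` in the candidate list, or None if these
    transforms do not derive it from `old` (the attacker is back to ordinary
    guessing, which is the outcome a rotation policy is supposed to buy)."""
    cands = rotation_candidates(old, year)
    return cands.index(new) + 1 if new in cands else None


if __name__ == "__main__":
    # constructed sample pairs: (old, new) as a user might rotate them
    pairs = [("Summer2018!", "Summer2019!"), ("Password1", "Password2"),
             ("Welcome!", "Welcome@"), ("Tr0ub4dor&3", "correct horse battery")]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: rank {guess_rank(old, new, year=2019)}")
```

A rank of 1 means the attacker’s very first guess is the new password; None means the rotation actually bought something, which in practice only happens when the user picked an unrelated password, the behaviour rotation policies discourage.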

How to register a Kindle DX in 2018

I recently repaired a Kindle DX for a friend. As part of that, I reset it to factory defaults. When I went to register it so it would connect to his Amazon Account, I received the following error:

Your Kindle is unable to connect at this time. Please try again later. If the problem persists, please restart your Kindle from the menu in Settings and try again.

I confirmed the Kindle was running the latest software. Some chatter on the Internet suggested Amazon had disabled (re)registration for older Kindles, but that turned out to be a bug that Amazon had already fixed.

Restarting didn’t fix the problem. Turning wireless on and off didn’t fix the problem. Downloading a free book didn’t fix the problem. Wireless was definitely working — I could browse the Kindle store.

I called Amazon support. They suggested changing the password. That didn’t work. The rep tried deregistering the Kindle and then manually re-adding it to my friend’s account. That didn’t work.

He promised a callback three days later (today). The callback never came.

I called Amazon support again. I explained the situation and asked for an update. The support representatives were anti-helpful. They suggested a factory reset (that’s what got me into this situation in the first place). I asked for a manager. Twice. Neither supervisor was helpful. One offered me 15% off a new Kindle, which I did not want. The reps would not divulge a case number or ticket number. I eventually was told by “Dorothy” that “Murray” was the person I spoke to on Sunday and he’d call me back.

During the 45-minute call, I did some additional research. It turns out that in addition to updating the Kindle to 2.5.8, you need to install the Kindle Services Update. (See Kindle DX Software Updates.) You can do so via USB from your Mac or PC. (See Transfer & Install Software Updates Manually.)

  1. Download the Kindle Services Update
  2. Copy update-caupdate-05.bin to the root level of your Kindle
  3. Disconnect the Kindle from your Mac or PC
  4. From Home, press the Menu button, and then select Settings.
  5. Press the Menu button, and then select Update Your Kindle.
  6. Select OK.
  7. Wait for your Kindle to update and restart.

Assuming it’s listed in your Amazon account, your Kindle will automatically reregister itself. If not, register the device manually.

So what is this additional update? A new set of CA (root) certificates, so the device can again validate the certificates Amazon’s registration servers present.


  • The Kindle gives a generic “unable to connect” error. Nothing about the error message indicates it was a problem with certificates. The corrective action it suggested (wait, restart) will fail 100% of the time, because a missing trust root never fixes itself.
  • Instead of releasing a 2.5.9 update, Amazon released this as a supplemental update. This makes it hard for users to know if the update is installed.
  • Amazon support staff are exceptionally poorly trained and didn’t think to check if I had installed the CA Update.

Using a Dell DRAC5 with a modern browser and OS

The DRAC5 is a remote access card, letting you control a server such as the PowerEdge 300. With it, you can simulate physical access to the machine, viewing the screen on boot, entering commands and cycling power.

Unfortunately, Dell has neglected this aging product. Trying to use it today will lead to errors in modern browsers and Java implementations. Fortunately, they can be worked around.

Clear space on the DRAC5

Before getting started, we want to ensure there is sufficient free space on the remote access card. If there is not sufficient space, the card will fail in strange ways (such as the web interface not loading).

Log in to the remote access card using SSH. Clear the logs:

racadm clrraclog

Restart the device:

racadm racreset

Update the DRAC5 firmware

Download version 1.65 of the firmware. Get the “hard drive” update package. If you’re on a Mac or Linux, you can decompress the .exe with the unzip command:

unzip f_drac5v165_A00.exe

You’ll get one file: firmimg.d5.

  1. Go to the web interface for your DRAC5.
  2. Enter your username and password. Click OK.
  3. On the left-hand side menu, click Remote Access.
  4. Click Choose File. Select firmimg.d5.
  5. Click Update.
  6. Wait for the update to complete and the DRAC card to reboot.

Install a TLS (SSL) certificate

Before you can install a certificate, you need to create a Certificate Signing Request (CSR). By default the Dell DRAC5 generates 1024-bit RSA keys for its certificates, which Let’s Encrypt will refuse to sign (it requires at least 2048 bits). This can be fixed with a CLI command.

Log in to the DRAC5 using SSH. Run the following:

racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize 2048

You should see:

Object value modified successfully

Now, let’s generate a CSR, then obtain and install the certificate:

  1. Go to the web interface for your DRAC5.
  2. Enter your username and password. Click OK.
  3. On the left-hand side menu, click Remote Access.
  4. Click the Configuration tab.
  5. Click SSL.
  6. “Generate a New Certificate Signing Request (CSR)” will be selected. Click Next.
  7. Fill out the form and click Generate.
  8. A file named csr.txt will download. Open it up. It will start with -----BEGIN CERTIFICATE REQUEST-----. Ensure the next line starts with MIIC, indicating a 2048-bit key. (If it starts with MIIB, you have a 1024-bit key, and need to run the racadm config command again. The prefix encodes the DER length of the whole request: a CSR carrying a 2048-bit key is roughly 600 bytes and starts with MIIC; one carrying a 1024-bit key is about 350 bytes and starts with MIIB.)
  9. Go to SSLForFree. This will let you get a certificate from Let’s Encrypt without having to run your own web server.
  10. Enter the hostname of your DRAC5 card. Click Create Free SSL Certificate. (The hostname must be in a public DNS zone you control, since ownership is proven with a TXT record in the next steps.)
  11. Click Manual Verification (DNS).
  12. Click Manually Verify Domain.
  13. Add the TXT record they specify.
  14. Verify the TXT record.
  15. Check the “I Have My Own CSR” box. (This keeps the private key on the DRAC5: only the CSR leaves the card, and the site never generates a key for you.)
  16. Read the warning and click OK.
  17. Paste the contents of csr.txt into the text field.
  18. Click “Download SSL Certificate.”
  19. Click “Download All SSL Certificate Files.” A ZIP file will be downloaded.
  20. Create an account to get reminded by SSLForFree when the certificate expires (in 90 days, as with every Let’s Encrypt certificate; you will need to repeat steps 9 through 27 each time).
  21. Unzip it. You’ll see three files:


  22. Repeat steps 1-5 above.
  23. Click Upload Server Certificate. Click Next.
  24. Click Choose File. Select certificate.crt.
  25. Click Apply. You should see:

    The certificate was uploaded successfully. The DRAC will now reset and the browser will close. Wait for a few minutes before logging back into the DRAC

  26. Click OK.
  27. Wait for DRAC card to reboot.
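The MIIB/MIIC glance in step 8 works because the first base64 characters of the PEM encode the DER length of the request, which grows with the key; a 4096-bit key would start with MIIE, so the rule of thumb is one-sided. The following added example (my code, not from the post or from Dell) builds synthetic CSRs of three sizes with a tiny DER encoder, shows the PEM prefix each produces, and then parses the actual RSA modulus size out of the request, which is the check worth scripting. The hostname drac5.example.net, the dummy modulus and the all-zero signature are constructed placeholders; a real csr.txt from the DRAC should work with csr_rsa_bits() as-is, since only the SubjectPublicKeyInfo is inspected.

```python
import base64
from typing import Tuple

# --- minimal DER encoder, used only to build synthetic CSRs for the demo ---
SEQ, SET, INT, BITSTR, OID, UTF8, CTX0 = 0x30, 0x31, 0x02, 0x03, 0x06, 0x0C, 0xA0
OID_RSA_ENC = bytes.fromhex("2a864886f70d010101")     # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName


def tlv(tag: int, body: bytes) -> bytes:
    """Tag-length-value with short or long-form DER length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return tlv(INT, (b"\x00" if body[0] & 0x80 else b"") + body)  # keep it positive


def synthetic_csr(bits: int, cn: str = "drac5.example.net") -> bytes:
    """Structurally valid PKCS#10 CSR with a dummy modulus of exactly `bits`
    bits and an all-zero signature. Constructed for an offline demo: not a
    real key, and it would not verify."""
    modulus = (1 << (bits - 1)) | 0x10001          # top bit set => exactly `bits` bits
    rsa_pub = tlv(SEQ, der_int(modulus) + der_int(65537))
    alg_rsa = tlv(SEQ, tlv(OID, OID_RSA_ENC) + b"\x05\x00")
    spki = tlv(SEQ, alg_rsa + tlv(BITSTR, b"\x00" + rsa_pub))
    subject = tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, OID_CN) + tlv(UTF8, cn.encode()))))
    cri = tlv(SEQ, der_int(0) + subject + spki + tlv(CTX0, b""))   # version 0, no attributes
    sig_alg = tlv(SEQ, tlv(OID, OID_SHA256_RSA) + b"\x05\x00")
    return tlv(SEQ, cri + sig_alg + tlv(BITSTR, b"\x00" + bytes(bits // 8)))


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"


# --- the checks: the quick prefix glance, and the real parse ---
def pem_prefix(pem: str) -> str:
    """First four base64 characters, i.e. what step 8 tells you to eyeball."""
    return pem.splitlines()[1][:4]


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER element at `pos`: (tag, contents, offset after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln


def csr_rsa_bits(pem: str) -> int:
    """Walk CertificationRequest -> CertificationRequestInfo ->
    SubjectPublicKeyInfo -> RSAPublicKey and return the modulus size in bits."""
    lines = [line for line in pem.splitlines() if not line.startswith("-----")]
    der = base64.b64decode("".join(lines))
    _, csr, _ = read_tlv(der)
    _, cri, _ = read_tlv(csr)
    _, _, p = read_tlv(cri)          # version
    _, _, p = read_tlv(cri, p)       # subject Name (contents irrelevant here)
    _, spki, _ = read_tlv(cri, p)    # SubjectPublicKeyInfo
    _, alg, p = read_tlv(spki)
    _, oid, _ = read_tlv(alg)
    if oid != OID_RSA_ENC:
        raise ValueError("not an RSA key")
    _, pubkey_bits, _ = read_tlv(spki, p)
    _, rsa_pub, _ = read_tlv(pubkey_bits[1:])   # skip the BIT STRING unused-bits octet
    _, modulus, _ = read_tlv(rsa_pub)
    return int.from_bytes(modulus, "big").bit_length()


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        pem = to_pem(synthetic_csr(bits))
        print(f"{bits}-bit key: PEM starts with {pem_prefix(pem)}, parsed as {csr_rsa_bits(pem)} bits")
```

Run it and the three rows read MIIB, MIIC and MIIE respectively, which is the point: MIIC tells you the request is 512 to 767 bytes long, and only the parse tells you the key is 2048 bits.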

Downgrade Java security to allow remote access

Modern Java runtimes disable older TLS protocols, ciphers and signature algorithms by default. Unfortunately, because the DRAC5 does not support modern ones, you need to manually re-enable these older methods to use the DRAC5 remote console.

To do this, you need to edit Java’s security properties text file. Its location will vary depending on which version of Java you have installed.

On macOS, you will find it in Internet Plug-Ins:

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/conf/security/

The path will vary depending on your version of Java. Java 9.0.4+11 uses conf/security/

Edit this file. Comment out two lines (add a # at the beginning of each physical line; the continuation line needs its own #, because a trailing backslash does not continue a comment in a .properties file).

This:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40

becomes:

#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
# EC keySize < 224, DES40_CBC, RC4_40

And this:

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

becomes:

#jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
# RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

Remember to uncomment those lines when you’re done with the DRAC5 remote console. While they are commented out, every application using this Java runtime, not just the DRAC console, will accept SSLv3, RC4, MD5-signed certificates and sub-1024-bit keys from any server it talks to.

Add Security Exceptions

  1. Go to System Preferences > Java
  2. In the Java Control Panel, click the Security tab
  3. Click “Edit Site List”
  4. Add both https://hostname and http://ipaddress
  5. Click OK
  6. Click OK

Access remote console

  1. Go to the web interface for your DRAC5.
  2. Enter your username and password. Click OK.
  3. Click the Console tab.
  4. Click Connect. A file named vkvm.jnlp will download.
  5. In Terminal, type javaws vkvm.jnlp.

HOWTO register for a Verizon online account for your business land line

TLDR: Be sure to enter only the first 13 digits of your 16-digit account number. Use hyphens when entering the phone number.

I recently had to register for an online account for the Verizon account for our landline. This process was more difficult and took way longer than it should have, due to:

  • poor website usability
  • poor staff training

Registration process overview

You go to Verizon’s website. You confirm your email is valid. You show ownership of the account by entering the account’s phone number, account number and zip code.

  1. Go to, which redirects you to
  2. Click Register. You’ll see the following:
  3. Enter your phone number and zip code, using the format 718-555-1212. Click Continue.

    If you use 718 555 1212, it gets rejected with a misleading error (“The information you entered does not match the information we have on file”), and both the phone number and zip code are erased:

  4. Once that’s done, you’re prompted to enter your account number.

    At the top of your bill, you’ll see your phone number (718-555-1212) and your account number (718 555 1212 678 90 1). You may be tempted to enter the entire 16-digit account number. The text field will let you do so (it lacks a maxlength attribute). If you do that, registration will fail with a generic “information does not match” error.

After trying and failing to register multiple times with different browsers (using standard and incognito windows), I reached out to Verizon for help.

I tried:

  • DMing @VZWSupport on Twitter. Turns out that is Verizon wireless support.
  • DMing @VerizonSupport. They bounced me to chat support.
  • Chat support. Gets my account number. Doesn’t mention the length issue. Asks many irrelevant questions.
  • Phone support. Called. Spoke to a rep who solved the problem in three minutes. Thanked her. Thanked her to her manager. Had a nice conversation with her manager about how broken this process is.

Verizon, if you’re reading this: follow Postel’s law (“Be liberal in what you accept, and conservative in what you send”). Writing 10 lines of code to accept phone numbers regardless of formatting and account numbers regardless of length would save you hundreds of thousands of dollars a year in support costs.
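Those 10 lines, as an added example (my code, not Verizon’s): normalize what the user typed before comparing it, and keep two kinds of error apart. A format problem depends only on the user’s input, so the form can say exactly what is wrong with no risk; a lookup failure should keep the one generic “does not match” message for every field, since that message is what stops the form from being used to confirm which phone numbers or account numbers exist. The 13-of-16-digit rule is taken from the post; the sample directory entry and the zip-code handling are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Assumption taken from the post: the bill prints 16 digits but the account
# is matched on the first 13.
ACCOUNT_KEY_LEN = 13


def normalize_phone(raw: str) -> Optional[str]:
    """Accept 718-555-1212, (718) 555-1212, 718 555 1212, 7185551212 or
    +1 718 555 1212 and return the ten digits; None if it cannot be a North
    American number (area code and exchange never start with 0 or 1)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    if len(digits) != 10 or digits[0] in "01" or digits[3] in "01":
        return None
    return digits


def normalize_account(raw: str) -> Optional[str]:
    """Accept the 16 digits printed on the bill or the 13-digit key, with or
    without separators, and return the key."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) not in (ACCOUNT_KEY_LEN, 16):
        return None
    return digits[:ACCOUNT_KEY_LEN]


def normalize_zip(raw: str) -> Optional[str]:
    """Accept ZIP or ZIP+4, return the five-digit ZIP."""
    digits = re.sub(r"\D", "", raw)
    return digits[:5] if len(digits) in (5, 9) else None


# Constructed sample data standing in for the billing database.
DIRECTORY: Dict[Tuple[str, str, str], str] = {
    ("7185551212", "7185551212678", "11201"): "business-line-0001",
}

GENERIC_MISMATCH = "The information you entered does not match the information we have on file."


def check_ownership(phone: str, account: str, zip_code: str) -> Tuple[str, str]:
    """Return (status, message) where status is 'format', 'mismatch' or 'ok'.
    Format problems are reported field by field: they reveal nothing about
    what is on file. A lookup failure gets the single generic message
    whichever field was wrong, so the form cannot be used for enumeration."""
    parsed = {
        "phone number": normalize_phone(phone),
        "account number": normalize_account(account),
        "ZIP code": normalize_zip(zip_code),
    }
    bad = [name for name, value in parsed.items() if value is None]
    if bad:
        return "format", "Could not read the " + " and ".join(bad) + "; digits alone are fine."
    key = (parsed["phone number"], parsed["account number"], parsed["ZIP code"])
    account_id = DIRECTORY.get(key)
    if account_id is None:
        return "mismatch", GENERIC_MISMATCH
    return "ok", account_id


if __name__ == "__main__":
    # the three inputs the post describes: spaces instead of hyphens, and the
    # full 16-digit account number copied straight off the bill
    print(check_ownership("718 555 1212", "718 555 1212 678 90 1", "11201"))
    print(check_ownership("718 555 12", "718 555 1212 678 90 1", "11201"))
    print(check_ownership("718 555 1212", "718 555 1212 678 90 1", "11202"))
```

With this in place, the two inputs the post struggled with (spaces instead of hyphens, and the full 16-digit account number) both register, a truncated phone number gets a specific format error, and a wrong ZIP still gets only the generic mismatch text.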

Fixing git-svn on OS X El Capitan

When you install a new version of Mac OS X, git svn breaks. It happened with Mountain Lion and Mavericks, it happened with Yosemite, and it happens again with El Capitan.

Unfortunately, the old solutions no longer work due to El Capitan’s System Integrity Protection:

$ sudo ln -s /Applications/ /System/Library/Perl/Extras/5.18/SVN
ln: /System/Library/Perl/Extras/5.18/SVN: Operation not permitted

While you can disable SIP, that’s unnecessary (and unwise) in this case.

Here’s how you get git-svn working:

sudo mkdir /Library/Perl/5.18/auto
sudo ln -s /Applications/ /Library/Perl/5.18/darwin-thread-multi-2level
sudo ln -s /Applications/ /Library/Perl/5.18/auto/

You can’t write to /System, but you can still write to /Library.

Talking to the MTA is like talking to a brick wall

Last week, I was on a cold train. A really cold train.

I sent the MTA a note about it. To make this complaint actionable, I gave them the train line, approximate time and car number.

It is way too cold on trains. Please turn off the AC.

I was on a southbound 2/3 train. I got off at Borough Hall around 7:20. I was in car 1383.

They sent me an automated reply:

Your email has been received. You will receive a response as soon as possible; however, some responses can take up to 15 business days.

Please do not reply to this email, as it will go to an unattended email box.

15 business days? That’s crazy. Fortunately, I didn’t have to wait that long. After 48 long hours, I received this thoughtful and detailed reply:

This is to acknowledge your e-mail to MTA New York City Transit.

The MTA is committed to providing safe, courteous, reliable, and accessible service. Please be assured that all comments, suggestions, compliments and complaints we receive from our customers are forwarded to the appropriate managerial personnel for review and any necessary action.

We encourage you to continue to e-mail us at , via the “Customer Self Service” link, with your comments and concerns. We look forward to serving you better now and in the future. Please note your reference number above.

Thank you for contacting us.

Sharon Adams
Customer Services

I tried to follow up — both to the general purpose mailbox, and to Sharon Adams herself (fortunately, her email and phone number are public):

[Screenshot of the follow-up e-mail, 2015-09-29]

Turns out they don’t do email:

This mailbox is not monitored.

If you wish to respond to a previous e-mail, please create a new email using the customer service link and include your incident number in the subject line.

Thank you.

Sharon didn’t write me back, either.