Microsoft says mandatory password changing is “ancient and obsolete”

Microsoft is finally catching on to a maxim that security experts have almost universally accepted for years: periodic password changes are likely to do more harm than good.

In a post published late last month, Microsoft said it was removing periodic password changes from the security baseline settings it recommends for customers and auditors. After decades of Microsoft recommending passwords be changed regularly, Microsoft employee Aaron Margosis said the requirement is an “ancient and obsolete mitigation of very low value.”

The change of heart is largely the result of research that shows passwords are most prone to cracking when they’re easy for end users to remember, such as when they use a name or phrase from a favorite movie or book. Over the past decade, hackers have mined real-world password breaches to assemble dictionaries of millions of words. Combined with super-fast graphics cards, the hackers can make huge numbers of guesses in off-line attacks, which occur when they steal the cryptographically scrambled hashes that represent the plaintext user passwords.

Even when users attempt to obfuscate their easy-to-remember passwords—say by adding letters or symbols to the words, or by substituting 0’s for the o’s or 1’s for l’s—hackers can use programming rules that modify the dictionary entries. As a result, those measures provide little protection against modern cracking techniques.


Transferring A Domain To The New Cloudflare Registrar

I just received an email from Cloudflare indicating that my wave is now open to transfer my domains.  I am quite happy with the service of my current domain registrar ( however I wanted to see how the price compared.  

I thought that was really competitive on price but after seeing $9.95 on Cloudflare vs $17.59 on I decided to test out the new Cloudflare service.

The process is really simple but I have laid it out below for anyone interested in giving it a try.

*Note that once you start the transfer process you will be billed for a one-year extension on the expiry of the domain.

Step 1

To start the transfer process you have to have the domain already in your Cloudflare account. Simply select the domain you want to transfer and confirm the domain(s).
Cloudflare Select Domain To Transfer


Nith River Kayak – Trip Report

This past Friday I went out on the Nith River. This is a smaller secluded river that meets up with the Grand River in Paris, Ontario. Paddling this river is only possible at certain times of the year, most notable the spring as the water level needs to be high enough to make passage possible. Most of the river is a relaxing 4 ft/mile elevation drop but near Paris it increases to 20 ft/mile drops with a few rapid sections.


There isn’t really a great public launch site for this river that I know of. There is a good entry point (coords: 43.223920, -80.476170) but it is marked as private. I entered here anyway since I had already made my plans and travel arrangements but I wouldn’t go again knowing it’s private.

Entry is Private Property


Reverse Engineering the iHome iSP5 SmartPlug Communications

I got a couple of the iHome iSP5 Smart Plugs and wanted to integrate them into OpenHAB. This is just some rough digging I have done so far into the communications between the phone app and their server. Part 2, if I get to it, will look at the communications between the server and the plug. This will be much harder as I will need to find a way to become a MITM for the SSL communications.

Maybe this will help someone create an openHAB binding as I have never really worked with OpenHAB.

The following is all done using CURL.

Get Your Authorization ID

To start off you need to send a request to their server with your login information to get the authorization ID to communicate with the device server.

curl -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -X POST -d 'password=yourPassword&'

The response to this will contain 2 important fields:

  • evrythng_user_id
  • evrythng_api_key

The evrythng_user_id isn't really useful but it's nice to know. The evrythng_api_key is really where the magic happens.

Get Your Device ID(s)

Using the evrythng_api_key you can then send a request to query all the things you have in your account. Replace evrythng_api_key with your actual value in the Authorization header.

curl -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -H "Authorization: evrythng_api_key"

This then returns a large JSON response with all your devices.

Most of these fields can then be queried later but a few are really the most important:

  • id (Unique device ID)
  • currentpowerstate1 (1=On, 0=Off)
  • outletinuse1 (1=yes, 0=no)
  • ~connected (true=Connected, false=Disconnected)

These fields are pretty self-explanatory: currentpowerstate1 reports whether the switch is on or off, outletinuse1 whether something is actually plugged into it, and ~connected whether the device is connected to the internet and accessible.

Get Device Properties

To query the device for a specific property use a GET as follows and remember to replace id in the URL with the id you found in the last command:

curl -H "Content-Type: application/json" -H "Accept: application/json" -H "Authorization: evrythng_api_key"

Replace the last part of the URL with the property you want to query.

This query actually returns several historical values, so you may want to limit it to 1 instead of 100 to get only the latest result. I also noticed that sortOrder didn't appear to do anything, but that may need a bit more experimentation.

Another example, to get powerstate1:

curl -H "Content-Type: application/json" -H "Accept: application/json" -H "Authorization: evrythng_api_key"

Setting A Property

To actually set a property value it’s basically the same except sending a PUT instead of a GET.

The following will turn the switch off:
curl -H "Authorization: evrythng_api_key" -H "Content-Type: application/json" -H "Accept: application/json" -H "Content-Length: 15" -X PUT -d '[{"value":"0"}]'

Ya, so that’s really all there is to it. I’m sure a binding would be pretty simple for someone.

Edit: So the communications between the server and the device are SSL encrypted so I don't have a way to see what it's doing. I ran tcpdump on my router and I can see packets but nothing I can work with. Not sure if anyone has any ideas.
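The login, list, get and set flow above, pulled together as an added example in Python (not the post's own code, which was plain curl). The post's curl URLs were truncated, so the base URL is a placeholder, the request paths are assumed from the EVRYTHNG REST layout rather than taken from the page, and the nesting of the four fields under "properties" in the /thngs listing is an assumption as well; the parsing helpers run offline against constructed sample JSON.

```python
import json
import os
import urllib.request

# Assumption: the post's curl URLs were truncated, so the host is a placeholder.
BASE_URL = os.environ.get("EVRYTHNG_BASE_URL", "https://PLACEHOLDER-api-host")
# evrythng_api_key is a long-lived bearer-equivalent secret: keep it out of
# source files and shell history and read it from the environment instead.
API_KEY = os.environ.get("EVRYTHNG_API_KEY", "")


def request(method, path, body=None):
    """Send one request with the three headers the post uses on every call."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers={"Authorization": API_KEY,
                                          "Content-Type": "application/json",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def summarize_things(things):
    """Reduce the large device listing to the four fields the post singles out.
    Assumption: the per-device values live under a 'properties' object."""
    out = []
    for thng in things:
        props = thng.get("properties", {})
        out.append({"id": thng["id"],
                    "on": str(props.get("currentpowerstate1")) == "1",
                    "in_use": str(props.get("outletinuse1")) == "1",
                    "connected": bool(props.get("~connected", False))})
    return out


def latest_value(history):
    """A property GET returns several historical values and the post found
    sortOrder had no visible effect, so pick the newest by timestamp here."""
    if not history:
        return None
    return max(history, key=lambda h: h.get("timestamp", 0))["value"]


def set_power(thng_id, on):
    """PUT [{"value": "1"}] or [{"value": "0"}] to currentpowerstate1, as the
    post does with curl. Assumed path: /thngs/{id}/properties/{key}."""
    body = [{"value": "1" if on else "0"}]
    return request("PUT", f"/thngs/{thng_id}/properties/currentpowerstate1", body)


if __name__ == "__main__":  # live run, needs EVRYTHNG_BASE_URL and EVRYTHNG_API_KEY
    for dev in summarize_things(request("GET", "/thngs")):
        print(dev)
```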

Seagate Backup Plus 4TB External Drive Disassembly

I picked up a few Seagate Backup Plus 4TB drives at Walmart for an incredible price the other day. My plan is to replace the 2TB drives in my fileserver so I needed to remove the case. I first did some testing to make sure it wasn't DOA before I started to take it apart.

It turned out to be very easy — the cover is held on with just a few clips that are easy to undo.  I managed to get it out with no damage at all.  The case is still fully usable if I choose in the future.

What is the drive inside? It's Seagate's standard ST4000DM000 consumer desktop drive.

Check out the images below for instructions on how to remove the drive.


  • Capacity: 4TB
    • 4TB (ST4000DM000)
    • 8 heads, 4 disks
  • Interface: SATA 6Gb/s
  • Spindle: 5,900 RPM
  • Cache: 64MB
  • Throughput Max: 180MB/s
  • Average Data Rate: 146MB/s
  • Average Latency: 5.16ms
  • Power
    • Typical Idle Operating 5W
    • Average Operating 7.5W
  • Warranty: 2 years

Full Spec Sheet