Thursday, May 4, 2017

Terra Mystica - 6-7 Player Variant

Number of Rounds

With 6 players, reduce the number of rounds from 6 to 5.
(With 7 players, you may want to reduce it even to 4 rounds.)

Reason: Having 6 or 7 players will make the game take too long for most people's comfort.
Note: If you do choose to play 6 rounds, you may want to also remove the variation rules for Structures.


Remove some structures in the setup. The structures you remove go in the box and cannot be built in the game, but leave empty spaces on the Player Boards, so they will generate income each round.
  • With 6 players every player remove 3 Dwellings, 1 Trading Post, and 1 Temple.
  • With 7 players every player remove 4 Dwellings, 2 Trading Posts, and 1 Temple.
  • Since you remove a Temple during Setup, take a Favor Tile when you place your first structure. So the first player select the first Favor Tile, proceeding in turn order. Chaos Magicians do take 2 Favor Tiles, but since they always place structures last, they will choose their Favor Tiles last as well.
  • In the Income Phase of each round, players receive extra income due to the buildings removed and from Favor Tile(s) selected.
  • Structures removed do not give Victory Points for building, nor count as "ownership" of these structures.

Reason: More players will leave less open spaces on the map for building structures, so less structures are needed for each player.. Additionally, reducing the number of rounds from 6 to 5 reduces the overall resources acquired during the game; so increasing resources gained by removing these structures from your board offsets this.
Note: An optional rule even in the base game, with 5 players every player may remove 1 Dwelling and 1 Trading Post.

Cultist Board

If the Cultist Board has all four positions of an element occupied, you may still move your cultist to that element on the Cult Board by paying to remove one of those currently occupying a space.
  • Pay a number of coins equal to the value of the space (2 or 3) to the opponent whose Priest you are removing.
  • You may only remove a Priest from an element track when your Action is to move one of your Priests to the same track, and when that track already has all four positions occupied.
  • You may not remove a Priest from an element that you currently have a Priest on.
  • The opponent's priest is removed from the game (move it to the game box, not back to the player's Priest pool).
  • Once you have paid to remove the opponent's Priest, place your Priest and advance your marker on the Cult Track as normal. The opponent's marker does not move down when their Priest is removed.
  • As normal, you may still move 1 Priest to your pool to advance 1 space on the Cult Track.
Reason: To allow all players to be able to send a Priest to a Cult track.

Power Actions

Every Power Action can be used any number of times. The cost is 1 extra Power for each time the Power Action has already been used that round. Keep track of this by adding extra X tokens next to the action.

Reason: To allow more players to be able to use Power Actions.


There is no limit to the number of Towns that can be founded. If you found a Town and there are no Town Tiles left, you receive 5 Victory Points instead, as well as any other Faction bonus (Swarmlings receive 2 Workers, Witches 5 extra Victory Points). You do not receive a Town Tile, nor a Key.

Reason: The town limit is not reached in a normal game. Without these adjustments, it is very likely to reach the limit early on with 6 or 7 players, which does not make sense in the setting. It might also unbalance some factions to not be able to set up towns, especially the Chaos Magicians who are handicapped in the first round.
Comment: Normally there is a limit to 10 Towns, or 14 if you have the 4 extra Essen Town Tiles.

You may found a Town with only 3 connected structures if one of them is a Fortress, exactly like if one is a Sanctuary, but only if you have already built your Sanctuary. If you build a Sanctuary and already have a Fortress with 3 connected structures of sufficient value for a Town, you immediately found the Town under that Fortress.

Reason: Both the reduced number of Structures and the increased number of opponents makes it more difficult to gain 4 connected structures.

Scoring Tiles

With 6 players, in the Setup remove 3 Scoring Tiles of 3 different Cults.
With 7 players, in the Setup remove 4 Scoring Tiles of 4 different Cults.
ed: I need to read the rules again to see if this is worded correctly, because I'm not sure what this means as written.

Bonus Tiles

With 6 players use all the Bonus Tiles.
With 7 players use all the Bonus Tiles, and at the end of each Round place 2 Coins (instead of 1 Coin) on every Bonus Tile that was not chosen. (Or, if you have it, add the Spielbox Promo Bonus Tile instead).
Favor Tiles

With 6 players, the four 3-advance-Tiles can be taken twice. The first player that takes one of these tiles also gains 3 extra Power.
With 7 players, the four 3-advance-Tiles can be taken three times. The first player that takes one of these tiles gains 5 extra Power, the second gains 3 extra Power.
You cannot take a 3-advance-Tiles you currently own a second time (so if another player takes it from you, you can take it back).
To keep memory of the number of times that these Tiles were taken, put 1 Coin (or 1 Worker) on it each time it is taken.

Power Tokens

With 6 players, each player starts with 2 less Power tokens in Bowl I (5 tokens leftover).
With 7 players, each player starts with 3 less Power tokens in Bowl I (2 tokens leftover).
ed: I need to read the rules again to see if this is worded correctly, because I'm not sure what this means as written.

Improvise Other Limited Game Pieces

Some less important components may run out; just use improvised tokens/pieces, or adapt to not need them.
  • If more than 5 players exceed 100 Victory Points, write "100 Victory Points" on cards, or just write down players with over 100 VP on a piece of paper.
  • There are only 5 Rule Summary tiles, so either share 1 or 2 between two adjacent players, or copy them onto index cards.
  • Treat worker cubes and coins as if they are unlimited. If they run out, use some other tokens to represent them (Monopoly money, toothpicks, whatever).
  • If Terrain Tiles runs out, use something else to represent them.
    • Alternately, remove Terrain Tiles that are under an established Structure. The current terrain only serves to restrict what structures may be built, and to determine what the cost is to terraform a tile to another type of terrain. Therefore, once a structure is placed, the only purpose of leaving a terraforming Terrain Tile under it is to reassure the other players that the cost of terraforming has already been paid.
  • There are already enough Faction Boards, Structure pieces, and Action Markers for up to 7 players.

Originally from a post at, by Davide Malvestuto aka Principe Konrad on Jan 13th, 2013.
Translated by him into English on a post at
Modified for this blog post at

Monday, March 27, 2017

Universal Password Blacklist

One password-rule to rule them all: Universal Password Blacklist

When someone uses a password, it proves that it is not very "unique"; just being used once either proves it was already low-entropy, or makes it lower-entropy (because the user could have it written down, the system that accepted it might store it in the clear, etc). So no one, anywhere, ever, should be allowed to create an account with that password again.
How to you prevent a password from every being used again? Simple, create a public, universal blacklist for passwords. This one stroke, by itself, forces users to invent ever-more-entropy-laden passwords as time passes.
Of course, you need to do it securely. Which is the rest of this blog post.

Part 1:
My first thought (from a few years ago) is that when passwords are replaced (invalidated) in anyone's system, those passwords should be published, totally publicly.

When you change your password, you always have to enter your old password, and the new password. Also, when you delete an account, you usually have to enter your old password to do it. Either way, this transaction includes a "delete this password" component.
Some systems would automatically store this as a local blacklist of some kind, maybe just in the hashed form; but as far as I know, no one has tried to share these blacklists with other companies, and certainly no one publishes them to the world, which is basically what I am proposing.

If you're on board with black-listing these passwords from your system forever, why not publish them? They're no good anymore, so you could even store these now-obsolete password in the clear! (there are actually potential down-sides to storing in the clear, but since I remove this below, I won't go into them)

So send the now-blacklisted password to a giant repository in-the-sky (cloud). Get a bunch of companies to adopt this common system, and you are on your way to creating a Universal Password Blacklist. You could have a bunch of separate services implement this independently, and source extra black-listed values from each other, in any way that each one finds acceptable.

You end up with a distributed database, kindof block-chain style, but where it may be perfectly acceptable that some databases never end up agreeing with each other.

Part 2:
The "blacklist" part would necessitate checking if a new password is pre-existing. And this would always require a server-side check -- because no client-side system is going to download a terabyte of passwords just to create a new account, that'd be ka-razy. So you need a secure way to check if your new password exists in this Universal Password Blacklist. Luckily, we know how to do that.
1) Adopt a "cryptographic hash" that everyone is happy with
2) Run you tentative new password through this hash
3) Call new-service, to check if this hashed-value exists in their database of passwords
If it exists, it's a no-go, you need to input a better password. If it doesn't exist, go ahead and create the account.

Bonus: No Part 1 Necessary!
Alert security-wonks may have realized that this "read" can also function as a "write", So in Part 2, the "read" to check if that hashed value exists, can be implemented as a "write", like a SQL "insert". If the value already exists, you get a "duplicate key error", and you return to the caller that they should not allow the password that translated into this hashed value. If it did not exist, you successfully write it to the Universal Password Blacklist, and return to the client that this password has never been used before.

Side Note:
This hash should be used only for this system. That is, if someone else used exactly the same process for their internal password-storage, then everyone could "brute-force" attack the hashed values, and reverse it to find original passwords. Ideally this is still very difficult, but there is no reason to not add your own salt-and-pepper-hash to your system, that is distinct from the one adopted for the Universal Password Blacklist, and then this problem is non-existent.

Extra Risk & Mitigation
Risk:  The only real reason I can think of to not accept random inputs from all-comers is if you're worried about DOS-style flooding. Imagine someone hates security, so they just flood you with random "passwords", and you have to just soak up all this data and store it permanently, which is a burden that gives no benefit.

Migitation: I think you could force a client to solve a "hard" problem (burn a number of CPU cycles) per use. This should give a sufficient disincentive to fill your system with noise.

I've run this by a few security-conscious friends of mine, and have found nothing to dissuade me that this is a great idea. I would love it if someone could find a problem with it. Or if someone, somewhere, would implement it. Either one would be great. I claim no patent, or any other ridiculous IP-right, on this idea, so please take it and use it!

Wednesday, January 11, 2017

In Defense of Passphrases

Ever since the XKCD comic on Password Strength became popular, I've heard more and more disparaging remarks about how passphrases are worse than more "random" passwords. I don't understand all the hating on passphrases; the basic idea of them, as I see it, is that words are easier for humans to memorize, and create associations between, than random gibberish characters.

Now it's a given that both "gibberish" passwords and long passphrases can both be done poorly -- "correct horse battery staple" is now a terrible password, because it was featured in the comic. But so is "2143658701badcfe" (even if you somehow think that string was random, the fact that it now appears in this blog post makes it a bad choice). But I think these naysayers do not understand the value that passphrases adds -- it is easier (for most people) to remember words than random characters, of the same entropy (if you aren't familiar with "entropy", think "randomness"). But let's try to prove it with some simple examples.

First, how much entropy is enough? That's a complex question, but for our purposes let's just say 80 bits; this is based on this Q&A entry. Whether 80 bits is enough or not doesn't really matter -- if you want 160 bits, just double the lengths of all the values below.

What does 80 bits of entropy look like in English? The English language allegedly has around 1,000,000 words. Now we can't use them all; for one thing, very rare words are hard to remember. So let's pick from the most common 10,000 words. I'm using the 10,000 words at the top of this github page. I made that list by taking another list, and spending just a few minutes cleaning it. But I don't think anyone would object to 10,000 being a reasonable number of words for someone to know, however you come up with the list.

Now each word has a 1 in 10,000 chance of being selected. This doesn't go quite evenly into 80 bits, but 6 words works out to be 82% of the 80 bits. (7 words would be 820000% of 80 bits, so let's stick with 6 words)

I grabbed 6 random numbers from 1 to 10,000, and got:
  • 6225, 1738, 4836, 6378, 7361, 8406.
Looking up those words on my list 10,000 word list gives:
  • objections, shoulders, breathe, comrade, angrily, vs
That's what 80 bits of entropy looks like in English. So how does that compare to more "conventional" randomly generated passwords?
  • Hex: 63485AE5638C1EDCC61E
    • 20 hex digits is exactly 80 bits of entropy.
  • Decimal: 236663118018716201382515
    • 24 digits is ~80% of the entropy of 80 bits; close enough
  • Base64: kiydPJHQh4jL7
    • A lot of systems try to use all the number, upper and lower case letters, and sometimes other characters thrown in. This is pretty awful for humans, both because it takes longer to type in, and it's often hard to tell a 1 from I from l, 0 from O, etc. But including here for comparison. The math works out that 13 characters in base64 is 2^78; that is only 25% of 2^80, it's close enough.
  • Passphrase: objections shoulders breathe comrade angrily vs
So now, you be the judge. You have to memorize one of these 5 choices; if you succeed, you will live a long and safe life, if you fail, your identity will be stolen and you will be miserable. Which one do you choose?

Or maybe you're trying to be "practical"; which one is easier to type in? Well I just timed myself typing in each one, on my normal keyboard, and my times were: 10 seconds, 8 seconds, 5 seconds, 7 seconds. So the terrible base64 was the fastest, presumably only due to the very low character count; but typing the long passphrase was second in speed. But I certainly wouldn't choose the base64 option, especially if you consider what it's like to type that into a phone/tablet; all the numbers and capital letters require multiple taps, it's terrible. Whereas the whole words could be swiped-in, since they are all recognizable, common words. I'm too lazy to try timing myself on a phone right now, but I would speculate that I can swipe-typing 6 words much faster than I can enter any of the other three random sets of characters above.

Now a real scientific test would be to formalize this a bit more, and run real memory tests on humans. But I think I have proved my point.

Just for fun/reference, here's the javascript code I used to help with the above:

var base64 = function(n){return '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/'[n];}
var rnd = function(max){return Math.floor(Math.random() * max)};
var rndDigits = function(base, digits){var s = '';
 for (var i = 0; i < digits; i++)
  s += base64(rnd(base));
 return s;}
console.log('Binary: ' + rndDigits(2, 80));
console.log('Decimal: ' + rndDigits(10, 24));
console.log('Hex: ' + rndDigits(16, 20));
console.log('Base64: ' + rndDigits(64, 13));
console.log(rnd(10000) + ', ' + rnd(10000) + ', ' + rnd(10000) + ', ' + rnd(10000) + ', ' + rnd(10000) + ', ' + rnd(10000));
// for marking times, I just pressed enter before and after each combination
document.addEventListener('keydown', function (e) { if (13 == e.keyCode) { console.log(new Date()); } }, false);