Creating a secure password

People always wonder about creating a secure password. Everyone knows that you should avoid common passwords like “password1” or “123456”, but most people don’t really know why. This post will examine how hackers can “crack” a password and what they do with them, as well as giving you tips on how to create a secure one. Some people believe that the only way to create a secure password is to make it random numbers and letters that are hard to remember. I will show that, in fact, it’s possible to make a secure password using only normal lowercase dictionary words.


How hackers do it

Many of my clients have security concerns, so it’s only logical that a good web developer be well versed in offensive security. As they say, the best defense is a good offense.

So how would a hacker start? The first thing they would do is gain access to a database, which is where all the passwords are stored. There are many ways to do this and I won’t be covering them in this post; however, if you would like to know more, send me an email or leave a comment and I’ll do my best to answer. After they get access to the database they don’t immediately have a list of passwords. Instead they have a list of usernames and passwords that have been “hashed”.

So what’s a hash? A hash is a technique in which a piece of text (called a string) is put through a process that transforms it into another string. Part of the information in the original is lost, and the result is a unique string (not necessarily unique, but the chances of a repeat are well under one thousandth of a percent) which cannot be converted back to the original. For example, if you type in the word “Zenzora”, a hash function might delete every other letter, then replace all Z’s with q’s and shift every remaining letter up one, resulting in the string “QOPB”. Even knowing the process, there is no way to turn “QOPB” back into “zenzora” because there is no way of knowing which letters were deleted. This way, when you log onto a site and type “zenzora”, the server runs it through a hash and gets “QOPB”, then checks it against the database to see if it matches. Commonly used hash functions are actually much more complex than the one I described, but you get the idea.

So if these “hashes” are impossible to reverse, how do hackers crack them? The solution relies on something called “rainbow tables”, which are massive lists that can take up many gigabytes of space (just to give you an idea, a rainbow table for just numbers and letters for passwords under 8 characters would have about 150 quadrillion entries). These tables contain a list of unhashed and hashed phrases. If a hacker wanted to crack every password in a database, by the time he finished you would both be long dead.

How do hackers solve this problem? Well, the short answer is that they use smaller rainbow tables: ones that only include dictionary words (there are only about 200,000) and their variations, as well as common passwords. Sure, they don’t get as many passwords, but at least they don’t have to wait till the sun explodes.
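As an added illustration (my code, not the post’s), here is the hash-and-compare login check described above beside the precomputed dictionary table that defeats a bare hash, using a constructed five-word dictionary in place of the 200,000-word one. The salted, iterated storage (PBKDF2 with a random per-user salt, an assumption of mine that the post does not cover) shows why a table built in advance stops working.

```python
import hashlib
import hmac
import os

# Constructed five-word stand-in for the ~200,000-word dictionary the post mentions.
DICTIONARY = ["fish", "life", "good", "watch", "movie"]
ITERATIONS = 100_000  # assumed work factor for the salted storage below


def plain_hash(password: str) -> str:
    """Bare, unsalted hash: the kind a precomputed lookup table is built against."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> word once; afterwards each crack is a single lookup."""
    return {plain_hash(w): w for w in words}


def crack_with_table(stored_hash: str, table):
    """Returns the password if its bare hash is in the table, else None."""
    return table.get(stored_hash)


def store_password(password: str):
    """Server-side storage with a random per-user salt and an iterated hash (PBKDF2).
    The salt makes every user's stored value different, so no table built in
    advance can match it, and the iterations make each guess slow."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """The login check the post describes: hash what was typed and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def demo():
    table = build_lookup_table(DICTIONARY)
    # A single dictionary word behind a bare hash falls to one lookup.
    one_word = crack_with_table(plain_hash("fish"), table)
    # Two words are not in a table of single words (the space is 200,000 squared).
    two_words = crack_with_table(plain_hash("go fish"), table)
    # Salted storage: even "fish" is absent from the table built in advance.
    salt, digest = store_password("fish")
    salted = crack_with_table(digest.hex(), table)
    return (one_word, two_words, salted,
            verify_password("fish", salt, digest), verify_password("Fish", salt, digest))
```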

So now let’s take a look at creating a secure password that hackers won’t be able to crack. A common misconception is that you need random numbers and letters and weird punctuation to do it. There are many ways to judge password strength (for instance, your birthday might be impossible to crack but easy to guess if someone knows you); for now let’s just focus on how many guesses it would take to crack it. Let’s make some comparisons.

Fish – 3 bits

This is remarkably easy to crack; a hacker using a dictionary table could crack this in microseconds.

Fi$h – 24 bits

Still pretty easy, but much better.

Ov#DYm – 39 bits

Better, but hard to remember.

Go fish – 45 bits

What’s going on here? It’s just two words, so why is it so much better than the last one? That’s because while one word is one in 200,000, two words are 200,000 squared (about 40 billion). Let’s see what happens when you try 3 or more words.

life is good – 59 bits

life is g00d – 62 bits (not much better)

Or how about one for Netflix:

lets watch a movie – 91 bits
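Added example (my code, not the post’s): a small estimator of the guess count the comparisons above reason about. It assumes two attacker models: brute force over the character classes present, and a dictionary model of 200,000 words (the post’s figure) where the common letter-for-symbol substitutions crackers try as “variations” cost about one extra bit each (an assumed cost), and it takes the cheaper of the two. The word list here is a constructed stand-in for membership checks only. The post’s bit figures come from a tool whose model is not stated, so the numbers differ; what this reproduces is the effect described above: each added dictionary word multiplies the search space by 200,000, while swapping in “00” for “oo” barely helps.

```python
import math
import string

DICTIONARY_SIZE = 200_000  # the post's figure for the number of dictionary words
# Constructed stand-in word list for membership checks (a real list would be huge);
# the search-space arithmetic still uses DICTIONARY_SIZE.
KNOWN_WORDS = {"fish", "go", "life", "is", "good", "lets", "watch", "a", "movie"}
# Common substitutions that dictionary crackers try as "variations" of a word.
LEET = str.maketrans("0134$@", "oleasa")


def character_pool(password: str) -> int:
    """Alphabet size a brute-force guesser must cover (95 printable ASCII at most)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c == " " or c in string.punctuation for c in password):
        pool += 33  # 32 punctuation marks plus the space
    return pool


def brute_force_bits(password: str) -> float:
    """Bits of work to enumerate every string of this length over its alphabet."""
    pool = character_pool(password)
    return len(password) * math.log2(pool) if pool else 0.0


def word_bits(password: str):
    """Bits under the dictionary model, or None if some token is not a known word.
    Assumption: each substituted character costs the cracker about one extra bit."""
    words = password.translate(LEET).lower().split()
    if not words or not all(w in KNOWN_WORDS for w in words):
        return None
    substitutions = sum(c in "0134$@" for c in password)
    return len(words) * math.log2(DICTIONARY_SIZE) + substitutions


def estimate_bits(password: str) -> float:
    """A cracker uses the cheapest model that applies, so take the minimum."""
    candidates = [brute_force_bits(password)]
    wb = word_bits(password)
    if wb is not None:
        candidates.append(wb)
    return round(min(candidates), 1)


def guesses(password: str) -> float:
    """The guess count the post talks about: 2 to the estimated bits."""
    return 2 ** estimate_bits(password)
```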


So now you know how to create a secure password. It doesn’t have to be something you can’t remember; just a few words put together will work fine. So now you’re safe, right? Well, maybe. Even with a secure password it’s possible that it might be compromised. For example, a hacker might be able to get your info with some code that catches it before you log on. Or maybe the database doesn’t even use a hash. Potentially they might have a key-logger on your computer. Or they might even have tricked you into giving it out through a technique called social engineering. Sometimes an employee of the site you sign up for may be discreetly stealing info.

So now what? You’ve created a secure password and it’s been stolen anyway. The first thing that I recommend is changing your password every few months, as well as installing good anti-virus to protect against key-loggers. Be wary of who you give your password to and try to favor sites with https in the URL (the s stands for secure). Also make sure the site you are at is really the site you intended to be at (look in the URL bar).

Most importantly, don’t use the same password for different sites. If a hacker has the username victim and the email address victim@yahoo.com, the next step is to check Yahoo to see if the passwords happen to be the same. If they are, then you’re out of luck: the hacker can now check other sites (like your bank account) and, even if you used different passwords, can simply click the forgot password button and reset it. Bank accounts, email accounts, and anything like that need to have distinct passwords.

A tool that I use to keep track of all my passwords is called KeePass (http://keepass.info/). It’s free, open source and fairly popular; as a result, the downloads have been checked to see if they match the code provided (and they do), so you can rest easy knowing it’s safe. All you need to do is set one secure password and it encrypts everything into a database (encryption is different from hashing), and you can copy and paste into web forms. The clipboard even clears after ten seconds. This way you don’t even have to worry about keyloggers. It comes with a password generator to make sure you have secure passwords as well.

In conclusion:

3-word passwords are extremely secure, so don’t hesitate to use them

Don’t reuse passwords

And finally, programs like KeePass are a great way to manage your passwords without worry


Hopefully this was helpful. Thanks for reading!

Resources

OK, I found this site made by the government that helps people to create a website. It’s not flashy or anything, but it has tips and templates and tools for helping to create a “usable website”.

http://www.usability.gov


Finding a Webhost

When choosing a web host there are a few questions you want to ask yourself:

1) Am I making my own site or is someone else going to do it for me?

If you’re making your own site and you’ve never done it before, then you’re going to want to choose a hosting company that gives you the tools to create your own site with little to no coding on your end. The first thing to look for is a server-based WYSIWYG editor. That means What You See Is What You Get. Most hosting companies provide this in some way or another. (I even coded one of these myself back in high school.) All in all I wouldn’t recommend Go-Daddy, as many of my clients were unsatisfied, and I definitely would NOT recommend YellowPages.com; the reason is that Yellow Pages provides you with little customization on your end, forces you to advertise other companies, and drops your listing before you renew. For someone with little to no experience, Weebly is a good tool to have installed on your server.


If you know what you’re doing and are using tools such as Dreamweaver or Contribute, then you already know about FTP and all that, and the above doesn’t apply to you.


2) Will I be conducting online transactions?

If yes, think about what you need for that. If you are storing credit card information directly on your server you need to make sure you have a valid SSL certificate, and it doesn’t hurt to get a VeriSign box for your customers’ peace of mind either. There are many tools for creating an online store, from WordPress to TomatoCart. I’ll write later about how to choose a good shopping cart.

3) Will my site be static or dynamic?

If your entire site is a few pages about your business and is comprised mainly of images and information, then you don’t need to worry about this, though you might want to read on anyway. Basically there are a few features that should be included in your hosting at no additional cost. That is:

  • PHP, Perl, and ASP support (make sure you check that other server-side languages are included if you use them)
  • The ability to edit your .htaccess file
  • The option to set folder permissions
  • Databases (MySQL is open source and should be included); some companies charge per database above a certain limit.
  • phpMyAdmin or an equivalent visual database manager
You also want to take into account processing speed and how much RAM you’ll have access to. If you’re running a lot of queries for a lot of people, obviously you’re going to need more power. If you’re showing a picture of your cat and a few lines about him, then you don’t need to worry.

4) How many people are viewing what?

This is the question of space and bandwidth. If you’re a small business with an informational site you don’t need that much: 5 GB of space and 100 GB of bandwidth should be plenty. This does not mean that if you use up 5 GB of space then your site can only be viewed 20 times. Bandwidth is only what is sent from the server to the user (that means if a user views 4 pictures at 3 MB each, then it’s only 12 MB of bandwidth). If you have higher volume or are using a lot of bandwidth (perhaps you are hosting streaming videos or a live camera feed), then you want to take this into consideration; a lot of sites will give you virtually unlimited bandwidth. However, be careful when you hear unlimited, because more often than not there is a limit, though it’s usually pretty high.

Other Things to look for:

Control Panel:

The control panel is how you change settings on your server. Two popular ones are vDeck and cPanel; either one of these is fine (just make sure they are using an up-to-date version).

Simple Scripts or equivalent

Though not completely necessary, tools like Simple Scripts install popular software to your server automatically and save a lot of time and headache. Even if you don’t have it already installed, it is free and you can find it here.

Uptime

99% guaranteed minimum, and make sure you have recourse if they fail to meet this number.

Tech Support

This is very important. This is also why I go with a smaller company. When things go wrong, as they inevitably will, it pays to have a company that will take your call fast and fix your problem. If the company wants to charge you for basic tech support, drop them. I’m not saying they need to make your site for you, but there is a good amount they should include with the account, especially if there is a problem that needs to be fixed. Make sure they have a phone number and are open 24/7. Also, it might be good to give them a call beforehand and see how they handle giving you information; if you’re having problems with them right off the bat, it probably doesn’t pay. Backups are also important: make sure their servers back up regularly (that being said, you still want your own backups as well). With any company there is always the possibility of them going out of business, so make sure that if it does happen they would be able to send you your data.

Cost

I saved this for last. The costs for web hosting vary from company to company. Just remember that you get what you pay for. If you’re only paying $3 per month you have to wonder what they cut to make the price so low. On the other end, just because you pay more does not necessarily mean you are getting a better product. For instance, with GoDaddy you are paying not only for the service but for the cost of their Super Bowl commercials. Something that may seem inexpensive may turn out to cost more in the long run (after you add the features you need). Some companies may charge you a low fee for the first year but hike the prices the second (this was the case with Doteasy, who would charge you $3 for a domain name but then hike the price to $25 the second year). At least 1 domain name should be included. For additional domain names around $10 is fair; I personally pay $13 for additional ones, but that’s because I like to go through the same company I get my hosting from and they let me host as many as I want.

Zenzora’s got a blog

Welcome to Zenzora’s new blog. I’ve created blogs for clients but never for myself, the reason being I didn’t know what to write about. As much as we love what we do, I never thought it interesting when other companies post all about themselves on their blog. So… what will this blog cover then? I’ve made a list:

  • Interesting links to cool stuff I’ve found
  • Tricks on how to create and manage your site
  • Posts for specific problems that I don’t think anyone else has written about yet
  • Ramblings on the state of the internet
  • Tips about SEO, social media, and other buzz words that are a lot simpler than the other guys would have you believe
  • Ok, maybe a few things about Zenzora

Stay tuned for cool stuff!