Archive for 'Security'
How to Take Care of Your Passwords and Security Questions
Posted on April 16, 2008, under Security, Tools and Services.
It's easy to tell which sites store your password and which sites store only a one-way hash. At any web site, click on the "forgot password" link. If the web site gives you the option to reset your password, then chances are they are only storing a one-way hash. If the web site emails you your password, then they are storing your password, and what is worse, they might be storing it in plain text.
I always advise using a different password for each site, even if it's only a slight variation of another. All major browsers offer the option to remember your passwords for you, which helps if you have numerous logins like most people do. You can also use an application like KeePass to generate and store your passwords for you. Multiple passwords are manageable, and they make things harder for anyone other than you.
Your email password should be the strongest and absolutely unique, because your email is far too important to be compromised. Put aside data theft and identity theft, which are very important in their own right: your email is where password reset links are sent, where passwords are sent, and where verification links are sent. If you lose control of your email, you are finished. If you work within a company, everyone else's security is only as strong as the weakest user. With online services becoming more and more popular, shared documents can be compromised very easily if someone still has the default password set on their account.
Your security questions are just as important to protect as your passwords, if not more so. These days social engineering has become very popular: someone who knows enough about you can fill out the form to recover or reset a password just the same as you can. So here are some tips for security questions:
- Never use the same question for more than one service.
- Do not use one-word answers. For example, for the question "Your dog's name?" don't use "Fido" as an answer. Use "Fido my Jack Russell Terrier".
- Change your questions and answers often.
- Add a unique word, something to do with the web site or service to your answer.
Thoughts about PHP after the Facebook Source Code Leak
Posted on August 15, 2007, under Development, How To, Networking, Security, Tools and Services, Web Hosting.
So by now you already know that Facebook's source code was leaked due to a misconfigured server. And if you didn't already know, Facebook is written in PHP, a language that is compiled when it's executed. So there are some questions that come to at least my mind about this situation.
First, what does this mean for Facebook's reputation? It is in a legal dispute over whether or not Mark Zuckerberg, the site's founder, stole source code from fellow university students. Even though the source code of any popular and profitable company is valuable, it is arguably not nearly as valuable as the data that goes along with that source code. This is the case with Facebook, which has millions of users' personal information in its databases. But how can someone get access to the databases just by having the source code, you ask? Well, with PHP it's not so difficult. In most cases there is a configuration file that has all of the database information you need.
So how could Facebook, and others, have prevented this sort of thing from happening? Here are a couple of ideas:
- Put your configuration file where it cannot be requested directly. For example, not anywhere in your "httpdocs" folder. In this situation Facebook's servers were misconfigured so the PHP code was not executing but instead showing itself. This means if the configuration file was under the "httpdocs" folder somewhere, presto! Access to the database. (Obviously firewalls and things like that might stand in the way.)
- Obfuscate your PHP code. Yes, this might slow down the processing of your PHP code by milliseconds, but it really would have helped in any situation like this where the possibility of PHP source being shown is present. Some obfuscation tools will also optimize the code, so that might make up for any processing time lost to obfuscation.
- Sandbox environments, and pulling production boxes out of rotation. I am not sure what Facebook's server setup is, but sandbox environments might have caught this server misconfiguration before it made it to production. Additionally, if you have any sort of mirrored servers (a company like Facebook is bound to have something along these lines), you probably have your servers behind a load balancer. When you push code to production you need to pull these servers out of rotation (meaning not available for outside access). You can then test these servers individually before putting them back into production with the new code. Tedious? Yes, but worth it to avoid a PR nightmare like your source code being leaked. Additionally, there are lots of tactics you can employ to make this process semi-automated and not as tedious.
These are obviously just some of many tips you can deploy to keep this from happening to you. Most large companies like Facebook will have similar processes in place, but the key is to always follow protocol... no shortcuts, no matter what time crunch you are under. One slip and your source code is all over the Internet... it might even be worse.
How to Make a Password Strength Meter Like Google v2.0
Posted on July 16, 2007, under Code Snippets, Development, How To, Security, Web Design.
Previously, in Part 1 of How to Make a Password Strength Meter Like Google, I went over the basics of how to get a password strength meter up and running on your site. I got a lot of feedback on this article, mostly saying it needed a better algorithm to determine whether a password is secure or not. The algorithm I implemented in part 1 was mostly just for show. I did not further build out the algorithm because I wanted to leave it up to the end user to determine what they considered a secure password. Furthermore, I did not want to create a scenario where a flaw in my code would be present in every site out there that implements this.
After further research into secure passwords, I am building out the original code base to better distinguish a secure password from an insecure one. Here are the parameters used for measuring a secure password in version 2.0:
Password Length:
5 Points: Less than 4 characters
10 Points: 5 to 7 characters
25 Points: 8 or more
Letters:
0 Points: No letters
10 Points: Letters are all lower case
20 Points: Letters are upper case and lower case
Numbers:
0 Points: No numbers
10 Points: 1 number
20 Points: 3 or more numbers
Characters:
0 Points: No characters
10 Points: 1 character
25 Points: More than 1 character
Bonus:
2 Points: Letters and numbers
3 Points: Letters, numbers, and characters
5 Points: Mixed case letters, numbers, and characters
Password strength is measured as a percentage of the above:
>= 90: Very Secure
>= 80: Secure
>= 70: Very Strong
>= 60: Strong
>= 50: Average
>= 25: Weak
>= 0: Very Weak
Implementation of the code should be the same as version 1.0. The next version will have the ability to blacklist common dictionary words. Hope this works out better than version 1.0.
Code: Version 2.0
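The v2.0 point table above, implemented as a pure JavaScript scoring function. This is an added example, not the author's downloadable Version 2.0 code; where the table is silent (exactly 4 characters, exactly 2 digits, all-upper-case letters, overlapping bonus tiers, empty input, and what the percentage is taken of) it picks one reading and states it in the comments.

```javascript
// Added example (not the post's downloadable v2.0 code): the v2.0 point table as a
// pure function. Assumptions where the table is silent: exactly 4 characters scores
// like "less than 4", exactly 2 digits like "1 number", all-upper-case letters like
// all-lower-case, only the highest bonus tier applies, and "percent" is the score
// relative to the maximum attainable total (25 + 20 + 20 + 25 + 5 = 95).
var MAX_SCORE = 25 + 20 + 20 + 25 + 5;

function countMatches(str, re) {
  return (str.match(re) || []).length;
}

// Percent thresholds from the post, checked from strongest to weakest
function strengthLabel(percent) {
  if (percent >= 90) return "Very Secure";
  if (percent >= 80) return "Secure";
  if (percent >= 70) return "Very Strong";
  if (percent >= 60) return "Strong";
  if (percent >= 50) return "Average";
  if (percent >= 25) return "Weak";
  return "Very Weak";
}

function scorePasswordV2(pw) {
  var len = pw.length;
  if (len === 0) return { score: 0, percent: 0, label: "Very Weak" }; // assumed: nothing typed scores nothing
  var lower = countMatches(pw, /[a-z]/g);
  var upper = countMatches(pw, /[A-Z]/g);
  var digits = countMatches(pw, /[0-9]/g);
  var symbols = len - lower - upper - digits; // "characters": anything else
  var score = 0;
  // Password length
  score += len >= 8 ? 25 : len >= 5 ? 10 : 5;
  // Letters
  if (lower && upper) score += 20;
  else if (lower || upper) score += 10;
  // Numbers
  if (digits >= 3) score += 20;
  else if (digits >= 1) score += 10;
  // Characters (punctuation and other symbols)
  if (symbols > 1) score += 25;
  else if (symbols === 1) score += 10;
  // Bonus: only the highest matching tier
  if (lower && upper && digits && symbols) score += 5;
  else if ((lower || upper) && digits && symbols) score += 3;
  else if ((lower || upper) && digits) score += 2;
  var percent = Math.round((score / MAX_SCORE) * 100);
  return { score: score, percent: percent, label: strengthLabel(percent) };
}
```

Note that "password" lands on Weak (37%) while "P@ssw0rd!!" reaches 89%, one point short of Very Secure: the table rewards character classes, not resistance to guessing, which is what the promised dictionary blacklist in the next version is meant to address.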
How to Make a Password Strength Meter Like Google
Posted on June 27, 2007, under Code Snippets, Development, How To, Security, Tools and Services, Web Design.
Password strength meters are becoming more and more popular amongst web services. Google uses one when you create a Google account. One can argue how useful these meters really are, but nonetheless they are fairly cool for users. So how does one go about making one of these meters? Well, it's fairly straightforward.
The basic breakdown is this: we add an event handler to your password field that checks the password on every key the user types. This allows the meter to update as the user types the password. When you get into the algorithm that actually checks how secure a password is, there are many routes you can go. When researching for this project, I chose to base my code on the work of the kind folks over at Intelligent Web. Their theory is to calculate how many different combinations there are for the password you enter, then determine how many days it would take to crack your password. The algorithm returns a percentage that we then in turn convert to a nice GUI for the end user to see. So let's take a look at the code:
The JavaScript is fairly straightforward. There are settings at the top to enable or disable the different checks. Here is the JavaScript:
[ftf]
// Password strength meter v1.0
// Matthew R. Miller - 2007
// www.codeandcoffee.com
// Based off of code from http://www.intelligent-web.co.uk
// Settings
// -- Toggle to true or false, if you want to change what is checked in the password
var bCheckNumbers = true;
var bCheckUpperCase = true;
var bCheckLowerCase = true;
var bCheckPunctuation = true;
var nPasswordLifetime = 365;
// Check password
// -- Returns the estimated days to crack as a fraction of nPasswordLifetime
function checkPassword(strPassword)
{
  // Reset combination count (size of the character set the password draws from)
  var nCombinations = 0;
  var strCheck;
  // Check numbers
  if (bCheckNumbers)
  {
    strCheck = "0123456789";
    if (doesContain(strPassword, strCheck) > 0)
    {
      nCombinations += strCheck.length;
    }
  }
  // Check upper case
  if (bCheckUpperCase)
  {
    strCheck = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    if (doesContain(strPassword, strCheck) > 0)
    {
      nCombinations += strCheck.length;
    }
  }
  // Check lower case
  if (bCheckLowerCase)
  {
    strCheck = "abcdefghijklmnopqrstuvwxyz";
    if (doesContain(strPassword, strCheck) > 0)
    {
      nCombinations += strCheck.length;
    }
  }
  // Check punctuation (the backslash is escaped so it stays in the set)
  if (bCheckPunctuation)
  {
    strCheck = ";:-_=+\\|//?^&!.@$£#*()%~<>{}[]";
    if (doesContain(strPassword, strCheck) > 0)
    {
      nCombinations += strCheck.length;
    }
  }
  // Calculate
  // -- 500 tries per second, halved for the average case, then seconds => days
  var nDays = ((Math.pow(nCombinations, strPassword.length) / 500) / 2) / 86400;
  // Number of days out of password lifetime setting
  var nPerc = nDays / nPasswordLifetime;
  return nPerc;
}
// Runs password through check and then updates GUI
function runPassword(strPassword, strFieldID)
{
  // Check password
  var nPerc = checkPassword(strPassword);
  // Get controls
  var ctlBar = document.getElementById(strFieldID + "_bar");
  var ctlText = document.getElementById(strFieldID + "_text");
  if (!ctlBar || !ctlText)
    return;
  // Set new width (short passwords get a minimum of 5% per character)
  var nRound = Math.round(nPerc * 100);
  if (nRound < (strPassword.length * 5))
  {
    nRound += strPassword.length * 5;
  }
  if (nRound > 100)
    nRound = 100;
  ctlBar.style.width = nRound + "%";
  // Color and text
  var strText;
  var strColor;
  if (nRound > 95)
  {
    strText = "Very Secure";
    strColor = "#3bce08";
  }
  else if (nRound > 75)
  {
    strText = "Secure";
    strColor = "orange";
  }
  else if (nRound > 50)
  {
    strText = "Mediocre";
    strColor = "#ffd801";
  }
  else
  {
    strColor = "red";
    strText = "Insecure";
  }
  ctlBar.style.backgroundColor = strColor;
  ctlText.innerHTML = strText;
}
// Checks a string for a list of characters
// -- Returns how many characters of strPassword appear in strCheck
function doesContain(strPassword, strCheck)
{
  var nCount = 0;
  for (var i = 0; i < strPassword.length; i++)
  {
    if (strCheck.indexOf(strPassword.charAt(i)) > -1)
    {
      nCount++;
    }
  }
  return nCount;
}
[/ftf]
On the HTML side, I have set up a simple form to display the interaction the user will receive.
[ftf]
[/ftf]
The magic lies inside the event handler I spoke about above. The "onkeyup" event passes the current password and the ID of this input item. The ID is used to reference the div tags below that show the strength meter and text. The ID allows you to have more than one password meter per form, per page.
[ftf]
[/ftf]
The algorithm can be enhanced if you wish to get more complicated with the strength checking. One can also adjust the colors and text for the various strength levels displayed to the user.
[ftf]
// Color and text
if (nRound > 95)
{
  strText = "Very Secure";
  strColor = "#3bce08";
}
else if (nRound > 75)
{
  strText = "Secure";
  strColor = "orange";
}
else if (nRound > 50)
{
  strText = "Mediocre";
  strColor = "#ffd801";
}
else
{
  strColor = "red";
  strText = "Insecure";
}
[/ftf]
Further features could include displaying when a user has not entered a valid password, for example one that is not long enough.
Here is a demo of the above code, and download links so you can implement this on your sign-up pages. Enjoy!
Firefox Plugin of the Day: Remember Mismatched Domains
Posted on June 6, 2007, under Browsers, How To, Security.
I am all for security, especially in web browsers; this is why I use Firefox in the first place. However, Firefox has a couple of security warnings that you are unable to turn off and that get kind of annoying after a while. The "mismatched domains" warning is one of those. The Remember Mismatched Domains extension will be your best friend if you run into this warning message as often as others do. Instead of blocking the warning dialog altogether, this extension gives you a check box to remember this domain. Still secure, but less annoying.