Tag Archives: Password strength

How to improve your ecommerce server security & love yourself – Part 3


This series is focused on developing the best possible security for an ecommerce server. We seek to go beyond industry standards such as PCI compliance. Perhaps needless to say, PCI-DSS parameters are extremely stringent and thorough because the credit card companies (Visa, MasterCard, etc.) have developed them. However, the density of these rules disallows a simple, step-by-step action plan. We are looking at basic steps we can take to strengthen security.

Servers must be secure, sure: we all know that. Another form of security must be remembered at all times though: security of the self. When we feel that the centers of our souls are disintegrating into tiny little wisps of nothingness, when we fear that the integrity of our entire lives and structural makeups is separating from us and forming new relationships with outside entities (gradually removing us from Earth), we must take action. Below, we will finalize our comments on that subject as well.

Up to this point we have discussed the following subjects: choice of hosting service, development of a security plan, SSL certificates, website backups, vulnerability scan software, monitoring and updates, selection of payment gateway, and the general issue of balance. Today, we will focus specifically on passwords.

Password ideas for your webhosting Control Panel

A common topic that I see in current news trends relates to the security breaches of various platforms, whether it’s a popular web host that’s being targeted or, as we’ve seen recently in the tech-oriented news, WordPress hacks and email account breaches. One of the most obvious and yet most overlooked points for protecting ourselves begins with the password.

In this article I won’t go over good password practices; instead I’m going to show you how easy it is for computers to crack passwords algorithmically. I hope this in turn changes your approach to protecting your web hosting security.

5 Myths of Password Security

From www.stormpath.com – May 7, 11:55 PM

The reason has everything to do with password entropy: a representation of how much uncertainty there is in a password. This translates to how computationally difficult a password is to crack. Simply put, adding length increases entropy more efficiently than replacing letters with symbols.

Juliana Payson‘s insight:

Using people’s names, repeating characters, sequential numbers or well-known keyboard entries like `qwerty` are expected – the opposite of random. In a similar way, when MySQL databases are created with auto-script installers on your web hosting control panel, the sequence of the database name and usernames is more predictable, meaning one less obstacle to crack: the password.
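The entropy claim above (length beats symbol substitution) and the list of predictable patterns are easy to make concrete. The following is an added example, not code from Stormpath or from this blog: it computes the ideal brute-force entropy of a password (length × log2 of the alphabet size) and flags the non-random patterns named in the text. The keyboard-walk and common-name lists are small constructed samples, not a real meter's data.

```python
import math
import re
import string

# Character classes a meter counts; once any member of a class appears,
# the whole class is added to the alphabet an attacker must search.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}

# Constructed sample lists; a real meter would load far larger ones.
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "qazwsx", "1qaz2wsx")
COMMON_NAMES = ("john", "mary", "michael", "jennifer", "david")


def charset_size(password: str) -> int:
    """Alphabet size an attacker must assume: the union of every class present."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """Ideal brute-force entropy: length * log2(alphabet size).

    This assumes every position was chosen uniformly at random, so it is an
    upper bound: a dictionary word scores the same as random letters here,
    which is why meters pair this number with the pattern checks below."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def predictability_flags(password: str) -> list[str]:
    """Return the non-random patterns the text lists, in a fixed order."""
    flags = []
    low = password.lower()
    if re.search(r"(.)\1{2,}", password):          # e.g. "aaa", "1111"
        flags.append("repeated character run")
    for run in re.findall(r"\d{3,}", password):     # e.g. "123", "987"
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps in ({1}, {-1}):
            flags.append("sequential digits")
            break
    if any(walk in low for walk in KEYBOARD_WALKS):
        flags.append("keyboard walk")
    if any(name in low for name in COMMON_NAMES):
        flags.append("contains a common name")
    return flags


def compare(candidates: list[str]) -> list[tuple[str, float, list[str]]]:
    """Side-by-side report: (password, entropy in bits, pattern flags)."""
    return [(p, round(entropy_bits(p), 1), predictability_flags(p))
            for p in candidates]


if __name__ == "__main__":
    # "p@ssw0rd" gains about 11 bits over "password" by widening the alphabet;
    # doubling the length to 16 lowercase letters gains about 38 bits.
    for pw, bits, flags in compare(["password", "p@ssw0rd", "passwordpassword",
                                    "qwerty123", "john1111"]):
        print(f"{pw:20} {bits:6.1f} bits  {flags}")
```

Run as a script it prints the comparison table; the point is that the 16-letter lowercase password scores well above the 8-character mixed one, while the pattern flags catch what the entropy figure alone cannot (a keyboard walk or a name is still "random letters" to the formula).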

The Effect of Password Strength Meters | Privacy PC

From privacy-pc.com – May 7, 11:58 PM

Carnegie Mellon’s computer security and privacy expert Blase Ur presents an in-depth research of password strength meters at USENIX Security conference.

Juliana Payson‘s insight:

A dictionary check is performed against OpenWall’s mangled wordlist, which is a cracking dictionary; if it’s in this cracking dictionary, you are told: “your password is in our dictionary of common passwords.” Getting feedback from a computer algorithm on the predictability of your password is interesting, but as Stormpath from the previous article suggests, password checkers are only as intelligent as the algorithm, so it’s useful to know what these things are based on.
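To see what "mangled wordlist" means and why a meter is only as good as its rules, here is an added example (not code from Privacy PC, Carnegie Mellon or this blog). It expands a tiny constructed base wordlist with the kind of rules a cracking dictionary applies (single and full leet substitutions, capitalisation, common suffixes), then rates a password by checking that dictionary first and falling back to a crude length rule. The base words, substitution table and suffix list are all constructed for the example.

```python
# Constructed miniature base wordlist. A real checker loads a file such as
# the OpenWall list the text refers to; the mangling rules are the point.
BASE_WORDS = ["password", "letmein", "dragon", "monkey", "welcome"]

# "Leet" substitutions a mangling rule set applies, one position at a time
# and all at once, plus the suffixes people commonly append.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "l": "1"}
SUFFIXES = ["", "1", "123", "!", "2024"]

DICTIONARY_MESSAGE = "your password is in our dictionary of common passwords"


def mangle(word: str) -> set[str]:
    """Expand one base word into the variants a mangled wordlist would contain."""
    variants = {word}
    for i, ch in enumerate(word):                       # one substitution per position
        for sub in LEET.get(ch, ""):
            variants.add(word[:i] + sub + word[i + 1:])
    variants.add("".join(LEET[c][0] if c in LEET else c for c in word))  # all at once
    cased = set()
    for v in variants:
        cased.update({v, v.capitalize(), v.upper()})
    return {v + suffix for v in cased for suffix in SUFFIXES}


def build_dictionary(words) -> frozenset[str]:
    """Union of the mangled forms of every base word."""
    out: set[str] = set()
    for w in words:
        out |= mangle(w)
    return frozenset(out)


CRACKING_DICT = build_dictionary(BASE_WORDS)


def meter(password: str, dictionary: frozenset[str] = CRACKING_DICT) -> tuple[str, str]:
    """Dictionary check first, then a crude length rule; returns (rating, reason)."""
    if password in dictionary:
        return "weak", DICTIONARY_MESSAGE
    if len(password) < 8:
        return "weak", "shorter than 8 characters"
    if len(password) < 12:
        return "medium", "not in the dictionary; 8-11 characters"
    return "strong", "not in the dictionary; 12 or more characters"


if __name__ == "__main__":
    print(f"{len(CRACKING_DICT)} entries from {len(BASE_WORDS)} base words")
    for pw in ["dragon", "drag0n!", "Monkey123", "P@ssw0rd", "dragons", "dragonfly2023"]:
        print(f"{pw:15} -> {meter(pw)}")
```

Note what the meter misses: "P@ssw0rd" needs two substitutions at once, which this rule set never generates, so it escapes the dictionary and is rated "medium" on length alone; "dragonfly2023" is rated "strong" simply because the constructed list has no entry for it. A different wordlist or rule set changes both verdicts, which is exactly the caveat in the insight above.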

Next we follow Tech Go Simple’s blog on simple methods to fool the password generators that you can actually remember yourself.

Best ways to make memorable and secure passwords

From techgosimple.blogspot.com – Today, 12:00 AM

Follow @techgosimple on Twitter: What would happen if my password manager stopped working? Then there would be no way out such that I could get them back, and all my accounts would be lost.

Juliana Payson‘s insight:

Here are some cool tips. Motor patterns are not about remembering actual passwords. Rather, you remember the pattern your fingers take when typing that password on your keyboard. Although, I have tried this before and still failed at remembering my starting point…

by – Juliana

Plesk / cPanel Passwords & Using a Random Password Generator

HostGator cPanel login screen

Both Plesk and cPanel have assistance tools for password generation. cPanel has its own random password generator. Plesk allows you to set password strength parameters that gauge new passwords and only allow new ones if they fit certain specifications you establish as the admin.

Beyond what’s available within these two control panels, anyone has access to random password generator tools – I’ll look at one of the best ones out there. This app is great for simple generation of passwords for anything that’s outside your hosting environment and/or when you want to get access to passwords fast. Note that since Plesk does not have its own password generator, you need an alternative anyway. I’ll also discuss how to create a system for passwords so you can keep track of everything.

For this article, I’ll first look at Plesk/cPanel and then the specialized software that’s available. My main sources are cPanel, Parallels, and a piece by Stefan Neagu for MakeUseOf.

** I’ll also go over some of the best passwords out there – sort of an awards ceremony for password users throughout the world. To start out, I’d like to congratulate Becky Stephens from Minneapolis, Minnesota for her excellent PayPal password, I83&hh^^*ksj37dfiFGjer84438$$%ksajFhsaBdh483894#%$.

Plesk Password Generator? Heck No.

There ain’t no Plesk password generator folks. However, you’ve got other ways to get passwords, so, not a big deal. You can control passwords, though, to make sure all your passwords meet minimum strength requirements. Parallels recommends using higher security for passwords – so their perspective is to max out the security and forget the UX as far as this setting goes.

Keep in mind – you may want to achieve a balance between the ease of memorizing and strength of password security. You may get more support requests re: lost passwords. That’s just something to consider prior to making the passwords more difficult – surely folks will forget more. ** I want to commend Pete Blair of Oklahoma City for this incredible password for his Chase bank account, 298398sdSYfj$#%^#$%@hfjDh4t6R04C986$#^%#$%fuhsdf, which is difficult to guess but also very easy to remember.

Just to be clear what we mean by strength, that’s in opposition to vulnerability. If your password is “strong,” it is considered to be hacker-resistant. Really, though, hacker-resistance is a spectrum. The level of hacker-resistance will be established by these settings, allowing you to make it less likely that an attack against your system or a specific account will be successful.

In a nutshell, what strengthening your password means is making it longer and more complex – so, you’re going to need to stretch out the passwords and use more sophisticated approaches with numbers, symbols, and upper/lower case. The password, essentially, is going to look incredibly annoying and incomprehensible.

To adjust your password strength settings with Plesk Panel 11, go to Tools & Settings > Password Security > Password Strength. You can choose between the following five levels of strength: Very strong, Strong, Medium, Weak, or Very weak. (“Very weak” is what I always choose for my home security systems.)

Changing a setting within this window will universally modify your parameters so that not all passwords are accepted. The system will keep spitting back a message to the user to strengthen the password, with instructions on how to do so, until one is submitted that is strong enough to meet the requirements.

Once you have adjusted the settings for password strength, no one using the system – whether that is a customer or reseller, the admin or an auxiliary user – will be able to create a password that exists outside of your minimum guidelines. This also applies to all scenarios – email, FTP, whatever – as well as at the inception of the account / original password generation and changes to it at any point. Adjusting the password strength will affect new passwords that are established, but not the ones that are already active.

** Rebecca Townsend of Toronto, Ontario, also has an incredible password for her Apple account: Efoh43098D53G048jkfs&^%^%$$#^^#sdfjDhosSdfkjh576&^%. Rebecca’s password, rather than being generated with a software program like many of the others I’m praising in this piece, came to her in a dream. The dream was mostly about ice cream, but the sprinkles in the ice cream spoke the password one character at a time.

cPanel Password Generator? Well, Sure.

There is a random password generator tool in cPanel – it’s called, nonsensically, Password Generator. The button is not always present – it sometimes likes to be unavailable. Sometimes it’s shy. But don’t let the tool’s occasional shyness convince you that it is not the sexiest functionality in the entire cPanel system.

To use the Password Generator, just click it. You’ll see a password immediately pop up within the tool. You don’t have to take that particular one. You can keep clicking Generate Password until you see one you like. If you click it several billion times, you will eventually see your mother’s maiden name.

You can change the parameters for the password too. In Advanced Options, you can select and check boxes for inclusion or exclusion of the different types of characters and cases. Length of the password can be determined as well.

Once you’ve determined what the password is, check the box to indicate that you’ve written it down in a safe physical location or that you have saved it in a secure database. Here are Mac and Windows systems for password storage:

Once you’ve got the password you want, you can use it on the page in cPanel if you want by clicking Use Password – which also closes the tool. You can also close the window without using it – allowing you to use the app for generation of passwords for external accounts if you like.

** Patty Iverson of Albuquerque, New Mexico, has a fantastic password for her Facebook account. It’s bhFgh9E008342%$%D$%$sddfkSjhsdEgo867$%fjheiu%$&4. Great job, Patty. Patty has her passwords written down on a paper coffee cup that she keeps behind the Tupperware in her kitchen cabinet (the one at eye level just to the left of her sink). Weird right? Great idea. The key to her apartment, if you need it, is under the cactus to the right of her front door. Take a look at those passwords.

Considerations for Use of Random Password Generators

OK so we are going to look at a random password generator. Prior to exploring it, though, let’s think about what we need from one of these tools. The following considerations were mentioned by Stefan in his MakeUseOf piece.

  1. How long is it? As discussed above, you want to know the tool you’re using gives you a long password. That’s just a basic way to keep it from being guessed.
  2. How entropic is it? Per the Free Online Dictionary, entropy indicates the amount of “disorder or randomness in a closed system.” It seems strange at first to be going for randomness and disorder with your security, but that complexity will make it easier to evade intrusive maneuvers by criminal parties.
  3. Do you trust the provider? You need to have knowledge or faith that the organization behind the tool you are using does not store your information or have a backdoor. It’s not much use to utilize a system that can itself get invaded. Is the transmission secured? You want an online password generator, for instance, to have SSL encryption (HTTPS protocol).
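All three considerations, plus the length and character-class check boxes described for cPanel's Advanced Options above, can be satisfied without trusting any provider at all by generating locally. The following is an added example written for this page; it is not cPanel's, Plesk's or Perfect Passwords' code. It draws from the operating system's cryptographic random source via Python's `secrets` module, lets you include or exclude classes and individual characters, requires every selected class to appear, and reports the entropy of the result. The 20-character default is an assumption of the example.

```python
import math
import secrets
import string

# Character classes matching the include/exclude check boxes the text describes.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def _selected(lower: bool, upper: bool, digits: bool, symbols: bool) -> list[str]:
    flags = (("lower", lower), ("upper", upper), ("digits", digits), ("symbols", symbols))
    return [name for name, on in flags if on]


def build_alphabet(lower=True, upper=True, digits=True, symbols=True, exclude="") -> str:
    """Union of the selected classes minus any characters the user excludes."""
    alphabet = "".join(CLASSES[name] for name in _selected(lower, upper, digits, symbols))
    return "".join(c for c in alphabet if c not in exclude)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` uniform draws from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate(length: int = 20, lower=True, upper=True, digits=True, symbols=True,
             exclude: str = "") -> str:
    """Generate locally with the OS CSPRNG, so no third party ever sees the result.

    Every selected class must appear at least once. Rejection sampling keeps the
    draw uniform over the qualifying passwords; the entropy cost is a fraction of
    a bit at these lengths."""
    alphabet = build_alphabet(lower, upper, digits, symbols, exclude)
    required = [set(CLASSES[name]) - set(exclude)
                for name in _selected(lower, upper, digits, symbols)]
    if not alphabet or any(not r for r in required):
        raise ValueError("no characters left to draw from")
    if length < len(required):
        raise ValueError("length is too short to include every selected class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in r for c in candidate) for r in required):
            return candidate


def classes_present(password: str) -> set[str]:
    """Which classes a password actually contains (used to verify a result)."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


if __name__ == "__main__":
    pw = generate()
    alphabet = build_alphabet()
    print(pw, f"{entropy_bits(len(pw), len(alphabet)):.1f} bits", classes_present(pw))
    # Ambiguous glyphs excluded, no symbols: handy where a password is read aloud.
    pw2 = generate(16, symbols=False, exclude="0O1lI")
    print(pw2, f"{entropy_bits(16, len(build_alphabet(symbols=False, exclude='0O1lI'))):.1f} bits")
```

A 20-character password over the full 94-symbol alphabet carries about 131 bits, comfortably beyond brute force; the excluded-glyph variant drops to 57 symbols and about 93 bits at 16 characters, which is still far more than a memorable phrase gives. Because nothing leaves the machine, the "do you trust the provider" and "is the transmission secured" questions do not arise.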

Bradley Thomas of Newark, New Jersey, is using an incredible password for Windows: sdSlk4509w8D90ekdsg&#$ED%3jsakhXUfdjlk6$##$klEaslCkjddlkj32W$#%S790sfXkUl35#$%#45skike56. If you are ever away from this piece and want to remember it, it’s written down on a piece of paper in his wallet. If you’re able to get the wallet, you can go ahead and throw away the pictures of his children and buy some gifts for your own children with his credit cards. If you use the Delta card, it will increase his frequent flyer miles, which is really the least you can do.

Password Generation & Storage: Perfect Passwords & IronKey

Per Stefan, Perfect Passwords is the best solution out there for standalone pass-gen software. This software was created by Steve Gibson, who has an incredible reputation in the programming world and a career of accomplishments to back up his ability to create an application you can trust.

An SSL certificate secures the connection as the passwords are being created. The software runs three strings simultaneously, each of which has 63 or 64 possible components. You can choose how to mix and match the strings. This system is complex, which in turn creates passwords that are highly randomized.

Get an IronKey thumb drive. An IronKey device is itself password protected – and all files and data on it are encrypted as well. The drive will wipe itself clean if anyone attempts to take it apart by hand or after ten incorrect passwords are tried.

The IronKey drive comes with a GUI password administrative app and a secure browser. Passwords are only on the screen: they don’t ever get typed in or go through unsecured third-party software.

Aside from the IronKey, Stefan stores some passwords in an Excel file – one column containing the account to which they correspond, the other containing the password. He keeps the file in his Google Drive.

Stefan’s Google password, by the way, is 32AH0984sfkjkj45R609#$%#$34sEdflkjUsdfl0$SO%^$SSfja#@S$fd.

Summary & Conclusion

If you are using Plesk Panel, be sure to strengthen the parameters so that when new passwords are created or when they are changed, strength – both length and entropy – is mandatory. If you are using cPanel, you can use its random password generator to create passwords – or you can try out Perfect Passwords.

Regardless what system you are using to create passwords, IronKey is an option if you want to store your passwords securely and have them on a device you can use anywhere. You can also keep your most important passwords in the comments below this piece – though that is probably not a good idea. So, if you are a precocious seven-year-old and don’t quite understand what I’m talking about, don’t place all your passwords in the comments. I could probably get sued, especially if I use them to gather information about your family and break into another suburban home. It’s time for a change.

by Kent Roberts and Richard Norwood