Use UUIDGEN For Passwords

An impenetrable system is only as good as its weakest password. Computer systems are often attacked by brute force. Most users tend to use really simple, easy-to-guess passwords; complex passwords, on the other hand, are almost impossible for them to remember. That’s why passwords typically fall in the 6-8 character range.

Systems and applications that don’t need human intervention when communicating with databases and other systems can be assigned a much more complex password. These passwords typically never need to be typed into a form, so they can be long, difficult and outrageous. There’s a Linux utility called uuidgen that generates universally unique identifiers (UUIDs).

A typical output would be:

150152b0-cd0e-11e1-9b23-0800200c9a66

These keys are perfect for systems and applications. For example, WordPress requires a username and password to talk to the MySQL database; the database credentials are typically stored in the wp-config.php file. A key generated by uuidgen can be used in this scenario. This is just one example where long and difficult passwords can be deployed; they can be used for other purposes as well.

So, if you have access to a Linux system, all you have to do to generate a unique key is type the command “uuidgen” in the Terminal.
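A shell example added here (not from the original post) that reads the version nibble of a UUID and mints a random one: the sample UUID above has version nibble 1, meaning it was derived from a timestamp and the machine’s MAC address rather than from random bits, so for a secret you want “uuidgen -r” (a version 4 UUID), with a /dev/urandom fallback here for systems without uuidgen.

```shell
#!/bin/sh
# Added example, not from the original post.
# The version of a UUID is the first hex digit of its third group (character 15):
# 1 = time-based (clock + MAC address), 4 = random.
uuid_version() {
  printf '%s\n' "$1" | cut -c15
}

# Mint a random (version 4) UUID suitable as an application password.
# Prefers "uuidgen -r"; falls back to /dev/urandom when uuidgen is not installed.
gen_random_uuid() {
  if u=$(uuidgen -r 2>/dev/null) && [ "${#u}" -eq 36 ]; then
    printf '%s\n' "$u"
    return 0
  fi
  hex=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')   # 32 hex characters
  # Force the version nibble to 4 and the variant nibble to 8, 9, a or b (RFC 4122).
  v=$(printf '%s' "$hex" | cut -c17)
  variant=$(printf '%x' $(( (0x$v & 3) | 8 )))
  printf '%s-%s-4%s-%s%s-%s\n' \
    "$(printf '%s' "$hex" | cut -c1-8)" \
    "$(printf '%s' "$hex" | cut -c9-12)" \
    "$(printf '%s' "$hex" | cut -c14-16)" \
    "$variant" \
    "$(printf '%s' "$hex" | cut -c18-20)" \
    "$(printf '%s' "$hex" | cut -c21-32)"
}

# Accept a UUID as a secret only when it is version 4 (random).
is_random_uuid() {
  [ "$(uuid_version "$1")" = 4 ]
}
```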

Keeping Track of Your Online Accounts

I imagine most people own at least a dozen accounts online, from email and chat accounts to online banking, online shopping websites such as Amazon, eBay and PayPal, to forums, user groups, social media websites, etc. Some users have over 100 accounts. So, how do you keep track of all your usernames, passwords and related info? I found an easy way of organizing all my online accounts, and I would like to share it here.

Use one email account

I use one email account for all my online activities. Most websites require that you register a valid email address. Using one single email address for all your online activity will make things easier. If you ever have to hunt for a forgotten username or password, you know where to go. To start your recovery, see my next point.

Keep all emails after registration

Most websites that require registration require a valid email address. Websites will usually send out a message or a notice that you have registered an account. Some websites require that you activate the account via an email link. It’s important that you keep these registration messages and not delete them. They sometimes contain usernames and passwords.

Create an “Accounts” folder

The next thing to do is to file all your registration email messages under one folder called “Accounts.” If you have forgotten your username or password in the future, you can always go back to this folder and search for the registration message you received when you first signed up for an account. Sometimes the registration messages will reveal important information such as a username, a password or a hint question to get you logged into an account.

Use one username

To simplify your online experience, you might want to consider using the same username when signing up for accounts. If your name is common, you might want to create something unique. Fortunately, both my first name and last name are not very common, so I use the same username for most of my accounts. I say most, because a couple of times the account name was already taken. Having the same username may sound like a bad practice for security folks, but it does simplify things. Hence the importance of my next point.

Don’t use the same password for all accounts

Don’t use the same password for all your online accounts. This is bad security practice. If you have over 50 accounts, the practice of one password per account could get out of hand. So, I recommend that you use one password for your email accounts. Use a different password for finance/banking. Use another password for chat accounts, social sites, blogs, etc. You may end up with 5-6 passwords altogether, but it’s not going to be as daunting as having to remember all 50 passwords.

This is how I keep track of all my online accounts. What do you think?

Recover Your WordPress Password

I own several WordPress blogs. I tend to use the same username and password for all my WordPress installs. For security reasons, I should really use different passwords as well as usernames. Have you ever forgotten your WordPress password? It happened to me the other day, while trying to access a WordPress development install that I hadn’t accessed in a very long time.

There are several ways to recover your WordPress password. One way is to use phpMyAdmin, a database administration tool. I will walk you through how to recover your password using phpMyAdmin. Assuming you have access to phpMyAdmin (most hosting providers offer it), you will need to open your WordPress database and the ‘wp_users’ table in particular. From there you can edit a user, probably the one with admin rights.

You will notice that the password field is hashed. You will not be able to read or recover the password from it, unless you know how to compute MD5 in your head. I doubt that you do. Maybe you do. What this means is that you will need to set a new password for the user. The problem is how. How do you enter a hashed password? It’s easy: when you edit the user, select the MD5 function for the password field.

WordPress uses the MD5 hash, not SHA1. It’s important that you select MD5. WordPress accepts a plain MD5 hash in this field and replaces it with its own stronger hash the next time that user logs in.

Example

The password field is called ‘user_pass’, and the function selected in this example is MD5. You can now enter a clear text password in the form. Once the password is submitted, phpMyAdmin applies the MD5 function and stores the resulting hash.

You can now login to WordPress via the Admin Dashboard.

Picking a Sane Password Policy

Paul Rubens writes in enterprisenetworkingplanet.com.

If you choose a password made up of 60 random characters, it would take a hacker billions of years to crack it by brute-force. Pretty good security, all in all. But since a password like that would be impossible to remember, it’s not really practical for most end user applications. So how long should your corporate password policy specify that a password should be?

Read the article.

Password Protect Using Htaccess

The easiest way to protect a web directory is to use a .htaccess file. A .htaccess file is a directory-level configuration file used by several web servers, including the highly popular Apache. The .htaccess file is placed in a web directory, and the directives in the file control the behavior of that directory.

A .htaccess file is used mainly for 3 purposes: authentication, the re-writing of URLs and cache control. Today, I’ll show you how to password protect a web directory using the .htaccess file.

Step 1
First, create a .htpasswd file. For security purposes, place the .htpasswd file outside of your web directory. You can place it anywhere in your file system, but your home directory is probably the best place for it. To create the .htpasswd file, issue this command in your Terminal:

# sudo htpasswd -bc /home/ulysses/.htpasswd username password

The htpasswd command will create a file called .htpasswd in your home directory. The period at the beginning of the file name denotes that it is a hidden file. You can view it by issuing an “ls -a” command from your Terminal. Don’t forget to supply your own username and password. Two flags deserve attention: -c creates the file and overwrites it if it already exists, so omit -c when adding further users; -b takes the password from the command line, where it ends up in your shell history, so omit -b to be prompted for the password instead.

Step 2
Next, make a .htaccess file in the web directory that you want protected. In this example, we will password protect a web directory located in /var/www/widget.

# cd /var/www/widget
# vi .htaccess

Type in the following code in the .htaccess file.

AuthUserFile /home/ulysses/.htpasswd
AuthName EnterPassword
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>

Save the file and open your browser and check if the web directory is password protected. You should see something similar to this from your browser.
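The <Limit GET POST> wrapper in the .htaccess above applies the “require” line only to GET and POST, so requests using any other HTTP method reach the directory without authentication; the Apache documentation for <Limit> itself warns against placing access-control directives inside it. This added shell example (not part of the original post) lints a .htaccess for that pitfall, using the post’s own configuration as constructed input, and prints the hardened form with Require outside any <Limit> block.

```shell
#!/bin/sh
# Added example, not from the original post: detect "require" lines that are
# trapped inside a <Limit> block and therefore cover only the listed methods.

# The .htaccess from the post, constructed inline so the check runs offline.
POST_HTACCESS='AuthUserFile /home/ulysses/.htpasswd
AuthName EnterPassword
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>'

# Returns 0 when at least one "require" line sits outside every <Limit> block
# and none sits inside one; returns 1 otherwise.
htaccess_require_is_global() {
  printf '%s\n' "$1" | awk '
    BEGIN { in_limit = 0; seen = 0; bad = 0 }
    tolower($0) ~ /^[ \t]*<limit[ \t>]/ { in_limit = 1; next }
    tolower($0) ~ /^[ \t]*<\/limit>/    { in_limit = 0; next }
    tolower($1) == "require" { if (in_limit) bad = 1; else seen = 1 }
    END { exit ((seen && !bad) ? 0 : 1) }'
}

# The same protection with Require applied to every HTTP method (Apache 2.4 syntax).
hardened_htaccess() {
  cat <<'EOF'
AuthUserFile /home/ulysses/.htpasswd
AuthName "Enter Password"
AuthType Basic
Require valid-user
EOF
}
```

Run htaccess_require_is_global against any .htaccess you deploy (cat the file into it) before trusting the protection.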