Best practices for passwords
1. Use a strong password.
What is a strong password?
A strong password is at least 10 characters long and is much stronger at 20 characters or more. The best passwords are made of completely meaningless random lower case, upper case, numeric and punctuation characters and never contain a real, meaningful word in any language.
2. Make your password memorable.
This seems to be in conflict with point 1! How can a password be memorable if it is completely random characters? One trick is to think of a phrase or sentence that is unique to you and then take the first letter of each word.
For example “My first child is called Jane she was born in January it was a short labour”. Taking the first letter of each word gives us “mfcicjswbijiwasl”. We should try and mix upper and lower case so let’s have every other letter upper case: “mFcIcJsWbIjIwAsL”.
We need some numbers in there, so let's put the day of the month either side of the letters. She was born on the 15th of the month, so our password now becomes: “1mFcIcJsWbIjIwAsL5”. All that is left is some special characters, such as !"£$%^&*()_{}:?><. You could also swap certain letters for a special character: instead of having any letter “s” in the word we could swap it for “$”.
Another trick is to surround the password with certain characters such as “{” and “}”. If we do this, our password now becomes:
“{1mFcIcJ$WbIjIwA$L5}” – a 20 character password including upper case, lower case, numerical and special characters. This is a very strong password: it cannot be determined from a dictionary (a popular way of attempting to break passwords), it is difficult to remember unless you know the phrase (which only you do), and all from: “My first child is called Jane she was born in January it was a short labour”!
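As an added example (not part of the original article), the recipe above written as a small Python function, alongside a checker for the rule 1 requirements (length, all four character classes, no real word). The word list is a constructed stand-in for a real dictionary.

```python
import re

# Passphrase and day of the month from the article's worked example.
PHRASE = "My first child is called Jane she was born in January it was a short labour"
DAY = 15

# Constructed mini word list standing in for a real dictionary.
WORDLIST = frozenset({"password", "jane", "january", "labour", "child"})


def derive_password(phrase: str, day: int) -> str:
    """Apply the article's recipe: first letter of each word, every other
    letter upper case, the day's digits either side, 's' swapped for '$',
    and the whole thing wrapped in braces."""
    initials = "".join(word[0] for word in phrase.split()).lower()
    mixed = "".join(ch.upper() if i % 2 else ch for i, ch in enumerate(initials))
    digits = str(day)
    # First digit goes in front, any remaining digits go after.
    with_digits = digits[:1] + mixed + digits[1:]
    substituted = re.sub(r"[sS]", "$", with_digits)
    return "{" + substituted + "}"


def check_strength(password: str, wordlist=WORDLIST) -> dict:
    """Check a password against rule 1: at least 10 characters (20 or more
    is much better), all four character classes, and no real word of four
    or more letters from the word list appearing inside it."""
    classes = {
        "lower": bool(re.search(r"[a-z]", password)),
        "upper": bool(re.search(r"[A-Z]", password)),
        "digit": bool(re.search(r"[0-9]", password)),
        "special": bool(re.search(r"[^A-Za-z0-9]", password)),
    }
    lowered = password.lower()
    words_found = sorted(w for w in wordlist if len(w) >= 4 and w in lowered)
    return {
        "length": len(password),
        "min_length_ok": len(password) >= 10,
        "twenty_or_more": len(password) >= 20,
        "all_classes": all(classes.values()),
        "words_found": words_found,
        "strong": len(password) >= 10 and all(classes.values()) and not words_found,
    }


if __name__ == "__main__":
    pw = derive_password(PHRASE, DAY)
    print(pw, check_strength(pw))
    # A password built directly from the child's name fails the dictionary test.
    print("Jane2024!", check_strength("Jane2024!"))
```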
3. Do not use the same password.
Using the same password on multiple sites, for banking, your website and your email, is potentially asking for trouble. If your password is compromised, hackers will try your password on other systems just to see if you use the same one. They know many people do, so it is worth a shot to them.
4. Do not store passwords.
Although tempting, never store passwords in a software system. Well-known hacks have involved gaining access to the passwords stored in the FTP programs users use to upload their websites. Some web browsers are not known for storing passwords very securely, and if your machine is compromised, or worse, lost or stolen, the next user could have all your details waiting to go with no guessing or hacking required!
5. Keep your user id safe.
This is very similar to your password. Many sites require you to create a user id for using their services. Keep changing your user id from site to site; then it is something else needed to get into your account.
6. Never share your password.
Never ever share your password. Are the person’s intentions honest? Even if you trust the person, has THEIR machine been compromised, allowing hackers to obtain the password to your system? If you can keep to a password that is derived from a phrase known to you, there should be no need to write the password down. Doing so weakens the strength of the password. The number of times I have seen a password written down on a post-it note and fixed to the computer monitor!
7. Never respond with your password to an email or any other request for it, e.g. over the telephone.
Email “phishing” scams use fraudulent messages to entice you to reveal your user name and password. They can also be used in order to steal your identity and more. Reputable companies will never ask you to reveal your password over the phone and will normally have a secure procedure for resetting your password.
8. Do not enter your passwords on computers you cannot trust.
Computers open to the general public have to be considered unsafe. Do you know there is no key logging device attached to the system? Is its virus and internet security up to scratch? Computer terminals in internet cafes, computer labs, conference centres, airport lounges and hotels may be convenient but could compromise your security.
