
I will use this password only once

Source Flickr: Lou_Lou Chan
It's sad to see that people still use a single password for all their online accounts. Every day we read about accounts being compromised, major web sites being hacked and personal details being stolen.

There is no 100% secure way of securing web sites; there will always be flaws in the system that are beyond your control (like the latest Target credit card heist). But as a user there is a lot you can do to ensure that whenever a site gets compromised, you don't have to worry about your other accounts being in danger.

Single email address per account

First of all, if you have a Google account there's a nice trick that lets you give each online service its own email address. A regular Google mail address looks something like <username>@gmail.com, but when you register with an online service you can enter <username>+<servicename>@gmail.com instead. Whenever that service gets compromised, you can watch for suspicious emails arriving at <username>+<servicename>@gmail.com and filter them out.

If you use another mail service (or run a mail service of your own) you might want to use a wildcard (catch-all) address to accept emails, so whenever you sign up for an account you can just use <servicename>@yourmail.tld.
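As an added example (not code from the original post), here is how a mail filter could turn the plus-addressing trick above into something actionable: given the address an incoming message was delivered to, it extracts the service tag, so mail tagged for a service you know was breached can be routed or flagged. The mailbox name "alice" and the sample addresses are constructed for the example.

```php
<?php
// Added example, not from the original post. Extracts the <servicename> part
// from a <mailbox>+<servicename>@<domain> recipient address, or returns null
// when the address carries no tag (i.e. someone used the plain address).
function serviceFromPlusAddress($recipient, $mailbox, $domain)
{
    // Build the pattern from the configured mailbox and domain; preg_quote()
    // keeps dots and other metacharacters literal. Domains are matched
    // case-insensitively, as mail servers treat them.
    $pattern = '/^' . preg_quote($mailbox, '/') . '\+([^@]+)@' . preg_quote($domain, '/') . '$/i';
    if (preg_match($pattern, trim($recipient), $m) === 1) {
        return strtolower($m[1]);
    }
    return null;
}

// Constructed sample "To:" addresses, as a filter would see them.
$samples = array(
    'alice+shopsite@gmail.com',   // signed up at "shopsite"
    'alice+forum@gmail.com',      // signed up at "forum"
    'alice@gmail.com',            // plain address, no tag
    'alice+shopsite@GMAIL.COM',   // same tag, domain in a different case
);

// Services you have learned were breached (constructed list): mail tagged for
// them is exactly what the post suggests watching and filtering out.
$breached = array('shopsite' => true);

foreach ($samples as $to) {
    $tag = serviceFromPlusAddress($to, 'alice', 'gmail.com');
    $note = ($tag !== null && isset($breached[$tag])) ? 'FILTER: tagged for a breached service' : 'ok';
    printf("%-28s -> %-18s %s\n", $to, $tag === null ? '(no service tag)' : $tag, $note);
}
```

Run it with `php plus-address.php`. The first and last sample addresses resolve to the `shopsite` tag and are marked for filtering; the plain address yields no tag, which is itself useful information, since mail to the untagged address after you have stopped handing it out is suspicious too.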

Use one password per account

Secondly, I can only urge you to use a password tool like 1Password, LastPass or KeePass. You only need to remember a single password, the password for the tool itself, and from that point on you can have a different password for each account you create.

I use 1Password myself and I'm pretty happy with it. I now have a different password for each account, and I use it even for generating (and remembering) database passwords, keeping track of my loyalty programs and even storing hash keys I use to connect to other servers using SSH or SSL.

1Password interface: clean, very convenient and secure
The nice thing about 1Password is that it integrates with your OS and directly with your browsers. So whenever you open a website that requires authentication, you just click the plugin in your browser, enter your password and have it fill out the form. Just that easy.

You can also use it for your databases, credit cards, loyalty programs and whatever else you need to remember securely, all of it saved on your computer under your "master" password. Just make sure this single password is the most difficult one of all. Using a quote from a book or a movie is always a great way to build a passphrase, especially when you combine two quotes in different languages. This ensures no one has direct access to those passwords when your computer gets stolen. I'm saying "direct access" rather than "no access", as people can still try to break in once they have direct access to your computer.

Limitations on the web

Even though I use a password tool to generate passwords automatically, I sometimes stumble upon web sites that have strict rules on how passwords must be made. You might want to think twice about using a service like that, because a password should be able to contain any character at your disposal and be as long as you want it to be.

For instance, Microsoft limits passwords on their services to 16 characters.
16 Character limit on passwords by Microsoft
Other websites even restrict which characters you can use, which might indicate they are not hashing passwords at all. That is another reason to use a password there that isn't used anywhere else.

Your web applications

When you build a web application with authentication, be sure to allow people to use whatever password they want, even if they want to paste in the whole of Macbeth.

On the backend you might want to use PHP's password_hash, which is provided as of PHP 5.5. If you haven't upgraded to PHP 5.5 yet, check out Anthony Ferrara's talk on password hashing; he has even made a video of it.
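As an added example (not code from the original post, nor from Anthony Ferrara's talk), here is the register/login pattern the post recommends, built on PHP 5.5's password_hash() and password_verify(), written without newer type hints so it runs on 5.5. The function names storePassword() and checkPassword() and the sample passphrase are my own. It also shows one caveat a practitioner should know before promising "paste in the whole book": bcrypt, the PASSWORD_DEFAULT algorithm, only uses the first 72 bytes of the password, so everything past that point is silently ignored.

```php
<?php
// Added example, not from the original post. Registration and login using
// PHP 5.5's password_hash() / password_verify(). Helper names are my own.

// Registration: hash the password and store only the hash, never the password.
function storePassword($password)
{
    // PASSWORD_DEFAULT is bcrypt at the time of writing. The cost can be raised
    // later; password_needs_rehash() below then upgrades old hashes on login.
    $hash = password_hash($password, PASSWORD_DEFAULT, array('cost' => 12));
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Login: verify against the stored hash (password_verify() is timing-safe) and
// transparently upgrade the hash if the algorithm or cost policy has changed.
function checkPassword($password, &$storedHash)
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, array('cost' => 12))) {
        $storedHash = storePassword($password);
    }
    return true;
}

// Constructed sample: a passphrase of arbitrary length and characters, the
// kind of input the post says your application should accept.
$passphrase = "Double, double toil and trouble; Fire burn and cauldron bubble! ¿Qué más?";
$stored = storePassword($passphrase);   // a 60-character "$2y$12$..." string

var_dump(checkPassword($passphrase, $stored)); // the correct passphrase
var_dump(checkPassword('Macbeth', $stored));   // a wrong one

// Caveat: bcrypt ignores everything after the first 72 bytes, so these two
// passwords, which differ only beyond that point, verify against the same hash.
$actOne  = str_repeat('x', 72) . 'act one';
$actFive = str_repeat('x', 72) . 'act five';
$hashActOne = storePassword($actOne);
var_dump(password_verify($actFive, $hashActOne));
```

Run it with `php password-hash.php`. The first var_dump prints `bool(true)` and the second `bool(false)`, as expected; the third also prints `bool(true)`, which is the 72-byte truncation at work. Accepting unlimited input is still the right policy (the user's passphrase is never rejected and never stored in the clear), but the effective strength of a bcrypt-hashed password comes from its first 72 bytes, so documenting that, or pre-hashing very long input with a method your library supports, is worth considering.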

Conclusion

Keep your passwords safe and secure, and use each one only once! On the backend you need to ensure that you store those passwords securely and make them difficult to break. And allow all input!
