How to choose secure passwords

Why use secure passwords?

  • If your server is exposed to the internet (which is the case if you have remote access), you can assume that there will be hundreds of hacking attempts on your server every day. These attacks usually come not from humans but from software, which works through massive dictionaries of human names and candidate passwords, trying millions of combinations until something works. Once the software has access to an account it notifies the human hackers, whose job it is to break into your server and reach the information stored on it.
  • Don’t assume that you are unimportant, or that because your information is of no value to anyone but yourself you will not be a target. Ransomware could encrypt the entire system and demand money in exchange for a decryption service. Hackers could also utilise your system to send spam, an activity that would get your server blacklisted and stop your real emails from reaching their intended recipients.

    Unexpected consequences of being hacked

  • How would you like all your contacts to be emailed (ostensibly from you) with adverts for Viagra, or with infected attachments that destroy or damage the data on their computers? They may open the attachments because they trust you.
  • There’s money in this game, big money. A valid email address can be sold to spammers for up to a pound each. If you have any emails on your systems, they are valuable.
  • Data protection liabilities. We all keep names and addresses of our clients, and under the Data Protection Act we are sometimes legally obliged to take care of this information.
  • Infections and spam: as well as virus infections, slow computers and disrupted networks, you could end up inadvertently hosting objectionable material such as hardcore pornography, viruses or worse.
  • Being cut off by your ISP: have you heard of “botnets” and “zombies”? A breach of your server like this can end with your ISP shutting you down for participating in DDoS attacks.

    How do I change my password?

  • On macOS/Linux, do it through the user manager, or open a terminal, type “passwd” and press ENTER. Type blind (nothing is echoed): the old password first, then the new password twice, and you’re done.
  • In Windows you can press CTRL-ALT-DEL, and click the button “Change Password”

Password good practice

A perfect password is impossible: with quantum computing, any password can be cracked eventually. However, we are human, and we can only do our best.

Bear in mind that using an identical password for different services is highly inadvisable: if one of your services is compromised, the others will be too.

Good passwords can be a pain to remember, so design a system for yourself, use it, and keep it to yourself. A good system lets you remember each password easily, and if you ever have to reveal one password to anyone (for instance a friend needing access in an emergency, or a technician you have asked to recover your computer), your other passwords will not be compromised.

Something simple that works well for many people is a PREFIX, a BASENAME WITH SPECIAL CHARACTERS and a SUFFIX. For example, if I need to make a password for my Gmail account, I might use:

2017%BaNaNa*1328PATIEgoogligoogli

  1. The PREFIX (2017) is the year I established this account.
  2. The BASENAME is common to all my passwords; I NEVER write it anywhere except at a password prompt. It is made up of a few things that are easy for me to remember and quick to type. Choose numbers and letters that have nothing to do with you personally or legally, as that could let someone who already knows a little about you guess it. For this reason, NEVER use relatives’ birthdays as part of your basename; they are very easy for attackers to discover.
  3. The SUFFIX is something unique to my Gmail password only; I always think of it when I see Google.
  • Some examples of reasonable (and memorable) passwords:
    7sing*to*me7
    99harryup1-oSCaR
    1Song^^And^^Dance
  • This is what a rubbish password looks like:
    password
    password1
    tuesday
    123
    harry
    10/12/81
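The rules above can be turned into a quick check you run on a candidate before you set it. The following shell function is an added example, not part of the original page: the minimum length of 12 and the list of rejected common passwords are assumptions of this example (the page gives no number; the list is constructed from the page's "rubbish" examples plus a few obvious neighbours). It is for sanity-checking your own candidates and never stores or transmits anything.

```shell
#!/bin/sh
# Added example (not from the original page): a password-quality check that
# encodes the rules above. Run it on a candidate BEFORE you set it; it never
# stores or sends the password anywhere. The reject list is constructed from
# the page's "rubbish" examples plus a few obvious neighbours (an assumption).

# check_password PASSWORD
#   prints "ok" and returns 0 when the candidate passes every rule,
#   otherwise prints the rule that failed and returns 1.
check_password() {
    pw="$1"

    # Rule 1: known-bad passwords are rejected outright, whatever else is true.
    for bad in password password1 password123 tuesday 123 123456 harry qwerty letmein; do
        if [ "$pw" = "$bad" ]; then
            echo "rejected: common password"; return 1
        fi
    done

    # Rule 2: anything containing a dd/mm/yy date is guessable from public
    # records, which is the page's point about relatives' birthdays.
    case "$pw" in
        *[0-9][0-9]/[0-9][0-9]/[0-9][0-9]*) echo "rejected: contains a date"; return 1 ;;
    esac

    # Rule 3: length. PREFIX + BASENAME + SUFFIX lands well past 12 characters,
    # which is the minimum used here (an assumption; the page gives no number).
    if [ "${#pw}" -lt 12 ]; then
        echo "rejected: ${#pw} characters, need at least 12"; return 1
    fi

    # Rule 4: at least three of the four character classes (digits, lowercase,
    # uppercase, special), as in the page's good examples. "7sing*to*me7" has
    # no uppercase letter and still passes, so the bar is 3 of 4, not all 4.
    classes=0
    case "$pw" in *[0-9]*)        classes=$((classes + 1)) ;; esac
    case "$pw" in *[a-z]*)        classes=$((classes + 1)) ;; esac
    case "$pw" in *[A-Z]*)        classes=$((classes + 1)) ;; esac
    case "$pw" in *[!A-Za-z0-9]*) classes=$((classes + 1)) ;; esac
    if [ "$classes" -lt 3 ]; then
        echo "rejected: only $classes of 4 character classes, need 3"; return 1
    fi

    echo "ok"
    return 0
}

# Demo on the page's own examples (constructed inputs, not anyone's real passwords).
for candidate in '2017%BaNaNa*1328PATIEgoogligoogli' '7sing*to*me7' '99harryup1-oSCaR' \
                 '1Song^^And^^Dance' password password1 tuesday 123 harry 10/12/81; do
    printf '%-36s %s\n' "$candidate" "$(check_password "$candidate")"
done
```

Each of the page's "reasonable" passwords prints ok and each "rubbish" one prints the rule it fails. The date rule runs before the length rule on purpose, so a long password built around a birthday is still reported as a date problem rather than passing on length.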

Using a VPN on Mac OS 10.12.5 (Sierra)

1. Download and install https://tunnelblick.net/cInstall.html
(Select the option to display the icon in the top menu bar)
2. Download the certificates from the server
3. Right-click on the .ovpn file and choose Open With Tunnelblick.app
4. Enter the user password you are logged in with. If this is a surprise, read http://www.macworld.co.uk/how-to/mac/what-do-if-forgotten-mac-password-3594395/
5. Click on the Tunnelblick icon at the top right
6. A Connect window will be displayed; click Connect
7. In the menu bar at the top of the screen, click Go > Connect to Server
8. In the Server Address field, type the name of the server
9. Enter the username and password for your account on the server
10. The directories will be accessible from the window that opens

Master ssh keys

Use ssh to run scripts on remote servers without entering a password.

Create your ssh key


ssh-keygen -b 4096 -t rsa -f ~/.ssh/keyname.rsa


will produce a key pair. The .rsa file is the private key, and the .rsa.pub file is the public key that goes into authorized_keys on the remote server. If you don’t enter a passphrase, the key can be used with no user interaction; do this when you need scripted operations on a remote server.
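A key with no passphrase is a credential that works for anyone who copies the file, so the usual defence is to restrict what it can do on the server side. The script below is an added example, not part of the original page: it builds an authorized_keys entry that only accepts the key from one source address and only runs one command, and installs it with the directory and file modes sshd expects. The option names (restrict, from=, command=) are standard sshd authorized_keys options (restrict needs OpenSSH 7.2 or later); the public key, the 192.0.2.10 address and the /usr/local/bin/nightly-backup.sh command are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): lock a passphrase-less key, such
# as the one produced by the ssh-keygen command above, down to a single command
# from a single source address before it goes into authorized_keys on the
# server. The options used (restrict, from=, command=) are standard sshd
# authorized_keys options; "restrict" needs OpenSSH 7.2 or later. The key,
# address and command in the demo are constructed placeholders.

# restricted_authorized_key PUBKEY_LINE FROM COMMAND
#   PUBKEY_LINE: contents of keyname.rsa.pub ("<type> <base64 blob> [comment]")
#   FROM:        host or CIDR the key may connect from
#   COMMAND:     the only command sshd will run for logins with this key
# "restrict" switches off port, agent and X11 forwarding and PTY allocation,
# so a copied key cannot be turned into a general-purpose login.
restricted_authorized_key() {
    pubkey="$1"; src="$2"; cmd="$3"
    set -- $pubkey                     # split the key line into its fields
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not a public key line: $pubkey" >&2; return 1 ;;
    esac
    printf 'restrict,from="%s",command="%s" %s\n' "$src" "$cmd" "$pubkey"
}

# install_authorized_key FILE ENTRY
#   Appends ENTRY to FILE, creating the directory and file with the modes sshd
#   insists on (0700 and 0600), and skips the append when the same key blob is
#   already present so a provisioning script can be re-run safely.
install_authorized_key() {
    keyfile="$1"; line="$2"
    dir=$(dirname "$keyfile")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$keyfile" && chmod 600 "$keyfile" || return 1
    # Every SSH key blob is base64 starting with "AAAA"; use it as the identity.
    blob=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit } }')
    [ -n "$blob" ] || return 1
    grep -qF "$blob" "$keyfile" && return 0
    printf '%s\n' "$line" >> "$keyfile"
}

# Demo in a temporary directory with a constructed (not real) public key.
demo=$(mktemp -d)
entry=$(restricted_authorized_key \
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACONSTRUCTEDKEY backup@laptop" \
    "192.0.2.10" "/usr/local/bin/nightly-backup.sh")
install_authorized_key "$demo/.ssh/authorized_keys" "$entry"
install_authorized_key "$demo/.ssh/authorized_keys" "$entry"   # second run: no duplicate
cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

On a real server you would pass the actual contents of keyname.rsa.pub and the path ~/.ssh/authorized_keys of the account the script logs into. If the script later needs a second command, add a second entry for a second key rather than widening the first one.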

Load a key


ssh-add ~/.ssh/keyname.rsa


Upload your ssh key to a server


ssh-copy-id -i ~/.ssh/keyname.rsa.pub username@remotehost


Carry your key with your ssh session

Use agent forwarding (-A) if you need to carry your key with you, for instance when you will be chaining through to a host WITHIN the network of your remote host and there is no ssh port forwarded directly to that host.


ssh -A -v username@remotehost


Using -v (verbose) can help diagnose connectivity issues.

Display the ssh keys you have loaded


ssh-add -l


If you forgot to carry a key, or you need to add a local key and no agent is running in your session, you will get the error:


ssh-add -l
Could not open a connection to your authentication agent.


In this case, start an agent and load the key:


ssh-agent bash
ssh-add ~/.ssh/keyname.rsa


Using alternative ports

Sometimes your remote host runs ssh on another port because port 22 on that IP is already in use. To reduce brute-force attacks on the standard ssh port, you can also choose an alternative port by setting the Port directive in sshd_config on the server.

Use the -p flag to specify:


ssh -p 41843 user@remotehost


Use the -i flag to specify which key to use (always needed in bash scripts that use password-less ssh):


ssh -p 41843 -i ~/.ssh/keyfile.rsa user@remotehost


If you manage many servers you may want to use ~/.ssh/config to alias the connections.


vim ~/.ssh/config
Host remotehost
    IdentityFile ~/.ssh/keyname.rsa
    Port 41843
    ServerAliveInterval 240


With the config above you can simply run ssh user@remotehost to get in using keyname.rsa on port 41843.
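Once ~/.ssh holds several keys and a config file, it is worth checking it periodically for the mistakes that quietly undermine key-based logins: a directory or private key readable by others, and ForwardAgent yes left in the config (the -A flag from the section above made permanent, which lets root on that remote host use every key in your agent for as long as you are connected; a ProxyJump hop is the usual alternative). The script below is an added example, not part of the original page; the directory it audits in the demo is constructed on the fly and the key in it is not a real key.

```shell
#!/bin/sh
# Added example (not from the original page): audit an ~/.ssh directory for the
# mistakes that undermine key-based logins. Pass the directory as $1 (defaults
# to ~/.ssh). One line is printed per finding and the return value is the
# number of findings, so 0 means clean. The demo directory at the bottom is
# constructed on the fly; the key in it is not a real key.

# Portable permission string, e.g. "drwx------" (same on GNU and BSD ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

audit_ssh_dir() {
    dir="${1:-$HOME/.ssh}"
    findings=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }

    # 1. Keep the directory owner-only (0700). sshd's default StrictModes
    #    already rejects a group- or world-writable ~/.ssh; 0700 also stops
    #    other local users listing which keys you have.
    case "$(mode_of "$dir")" in
        drwx------) ;;
        *) echo "$dir: mode is $(mode_of "$dir"), expected drwx------"
           findings=$((findings + 1)) ;;
    esac

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub|*/known_hosts*) continue ;;   # public data, mode is not an issue
        esac

        # 2. Private keys must be 0600: ssh refuses to load a key readable by
        #    group or others ("UNPROTECTED PRIVATE KEY FILE!").
        if head -n 1 "$f" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'; then
            case "$(mode_of "$f")" in
                -rw-------) ;;
                *) echo "$f: private key mode is $(mode_of "$f"), expected -rw-------"
                   findings=$((findings + 1)) ;;
            esac
        fi

        # 3. ForwardAgent yes (the -A flag made permanent) lets root on that
        #    host use every key in your agent while you are connected. Flag it
        #    so you can decide whether a ProxyJump hop would do instead.
        if [ "$(basename "$f")" = "config" ]; then
            n=$(grep -ci '^[[:space:]]*ForwardAgent[[:space:]][[:space:]]*yes' "$f" || true)
            if [ "$n" -gt 0 ]; then
                echo "$f: ForwardAgent yes set $n time(s); consider ProxyJump instead"
                findings=$((findings + 1))
            fi
        fi
    done
    return "$findings"
}

# Demo on a constructed directory with all three problems present; run
# `audit_ssh_dir ~/.ssh` (or just `audit_ssh_dir`) to check your real one.
demo_dir=$(mktemp -d)
mkdir -m 755 "$demo_dir/ssh"                                   # wrong: should be 700
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed, not a key' \
              '-----END OPENSSH PRIVATE KEY-----' > "$demo_dir/ssh/keyname.rsa"
chmod 644 "$demo_dir/ssh/keyname.rsa"                          # wrong: should be 600
printf 'Host remotehost\n    ForwardAgent yes\n' > "$demo_dir/ssh/config"
audit_ssh_dir "$demo_dir/ssh" || echo "findings: $?"
rm -rf "$demo_dir"
```

The demo prints three findings. Running the function against your real ~/.ssh after setting up the config from the section above should print nothing and return 0; if it reports ForwardAgent, consider a ProxyJump entry for the inner host in place of -A.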