Accounts Security Part IV
A Password Security Related Article by Calvin Limuel a.k.a. r3ck0rd
Howdy ho! Has it been a while since my previous post about Accounts Security? Did you enjoy my previous posts about your accounts’ security? Have you applied those tips? You haven’t? OK, I haven’t done all of them either (some, but I didn’t make the same mistakes, hehe). Well then, finally the fourth part, eh? I hope you enjoy this post. The tips may not all be fresh, since some have been discussed elsewhere or are taken from an earlier article on my blog, but they are helpful tips for you to work through. Happy securing!
1. Non-ASCII Password
Password brute-forcers usually try only ASCII characters. If the site allows it, you can use a password with Cyrillic, Greek or any other non-Latin script. This should be harder to crack (I suppose) and easier to remember.
2. Multi-byte Password
Even better! In a previous post on Th0R’s blog, he showed an account secured by nature: its password was in the owner’s own language, written in Chinese characters. I can read Chinese, but I know some of you can’t. That should be even harder to crack, because Kanji/Hanzi/Hangul and Hanja characters are numerous (Chinese Hanzi: more than 80k; Kanji: more than 6000)! I don’t know exactly how many characters today’s encodings support. What I do know is that the national encoding CNS (Chinese Standard Interchange Code) contains more than 13,000 Chinese characters. I don’t know the figure for the UTF encodings.
3. Copy and Paste
Wait! This does not mean I recommend storing your passwords in a plain text file that you copy and paste from! This trick is for when you strongly distrust the computer you are using: open Notepad, type every character on your keyboard, perhaps including those non-ASCII or multi-byte characters, and whenever you need to enter a password, copy and paste the characters one by one, using your mouse.
4. Maximize robots.txt and .htaccess
These keep crawlers out of your restricted directories, and with .htaccess you can password-protect a directory too. Keep in mind that robots.txt is only a request that well-behaved crawlers honour; the .htaccess password is what actually restricts access. There are many tutorials about this on the internet. Do google them (once again, google is a verb).
5. Sandboxes to protect you
Yes, sandboxes protect you from crackers. Why do I include this general security tip in a password security article? Two answers: it is related, of course, since crackers usually break into your computer to steal important things or credentials for their profit; and second, I’m running out of ideas? *laughs* OK. If you don’t know what sandboxes are, see http://en.wikipedia.org/wiki/Sandbox_(computer_security).
Some may recommend virtual machines like the famous VMware. For me they are useful too when I want to test another OS or do a hacking demo. But if it’s just for security, look for a good sandbox program such as Sandboxie (as recommended by y3dips); you can google it. You can of course use other software if you think it’s better.
6. Updates and patches are important!
If a piece of software has an automatic update feature, like Windows or a browser such as Firefox or Opera, I recommend turning it on, especially for security patches. If there is none, be a little diligent and check the news from the vendor or from security sites that provide advisories, like Secunia, milw0rm and SecurityFocus, so you are aware of new vulnerabilities found in your software.
7. Use salt!
Not that salty salt, but the cryptographic salt. It helps avoid rainbow table attacks, among other reasons. This is an example of usage:
// PHP's md5() hashes a single string, so the salt is concatenated with the password:
$pass = "ligx"; $salt = 3147; $hash = md5($salt . $pass);
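To show what the salt actually buys, here is an added Python example (not from the original post) that mirrors the md5($salt . $pass) idea above: it builds a small precomputed table from a constructed candidate list, reverses an unsalted hash with it, and then shows the same lookup fail against a salted hash. The candidate list, the salt size, and the register/verify helper names are my own assumptions.

```python
import hashlib
import hmac
import os

# Constructed candidate list: the kind of wordlist a precomputed (rainbow)
# table is built from. Real tables hold millions of entries.
CANDIDATES = ["123456", "password", "ligx", "qwerty", "letmein"]


def unsalted_md5(password):
    """Hash the password alone, as a site without salt would store it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_md5(password, salt):
    """Hash salt||password, mirroring md5($salt . $pass) in the PHP line above."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; afterwards reversing a hash is a dict lookup."""
    return {unsalted_md5(p): p for p in candidates}


def lookup(table, stored_hash):
    """Reverse a stored hash with the table, or return None when it is not there."""
    return table.get(stored_hash)


def register(password):
    """Return (salt, hash) for a new account; each account gets its own random salt."""
    salt = os.urandom(8).hex()  # 16 hex characters; assumed salt size for this example
    return salt, salted_md5(password, salt)


def verify(password, salt, stored_hash):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_md5(password, salt), stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    print("unsalted:", lookup(table, unsalted_md5("ligx")))  # ligx (table hit)
    salt, stored = register("ligx")
    print("salted:  ", lookup(table, stored))                # None (table useless)
    print("verify:  ", verify("ligx", salt, stored))         # True
```

Because every account gets its own random salt, a precomputed table would have to be rebuilt per salt, which is what defeats rainbow tables. A salted MD5 is still fast to brute-force one account at a time; a deployment today would use a slow key-derivation function such as hashlib.pbkdf2_hmac, but the example keeps MD5 to match the post.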
8. WordPress Secret Keys!
You should know about these, as they hold the salt used for cookie hashing. These are the lines to put in your wp-config.php:
// replace the sample values with long random strings of your own
define('SECRET_KEY', 'whateverbebasfree');
// the ones below are available from WP 2.6
define('AUTH_KEY', 'totally');
define('SECURE_AUTH_KEY', 'uptoyou');
define('LOGGED_IN_KEY', 'idontknow');
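As an added example (not from the post and not WordPress code), here is a Python checker and generator for these four defines: it parses the define('NAME', 'value'); lines from a wp-config.php fragment, flags keys that are missing, short, or letters-only, and can emit fresh random values. The WEAK_CONFIG fragment, the 32-character minimum, and the function names are constructed assumptions for the example, not WordPress rules.

```python
import re
import secrets
import string

# The key names the post lists; WordPress reads them from wp-config.php.
KEY_NAMES = ("SECRET_KEY", "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY")

# Matches single-quoted defines of the form: define('AUTH_KEY', 'value');
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)\s*;")

# Constructed wp-config.php fragment using the short sample values from the post.
WEAK_CONFIG = """
define('SECRET_KEY', 'whateverbebasfree');
define('AUTH_KEY', 'totally');
define('SECURE_AUTH_KEY', 'uptoyou');
define('LOGGED_IN_KEY', 'idontknow');
"""

MIN_LENGTH = 32  # assumed threshold for this checker, not a WordPress requirement
# Leave out the quote and backslash so the value cannot break the PHP string literal.
ALPHABET = (string.ascii_letters + string.digits + string.punctuation).replace("'", "").replace("\\", "")


def parse_defines(config_text):
    """Return {name: value} for every define('NAME', 'value'); in the fragment."""
    return dict(DEFINE_RE.findall(config_text))


def weak_keys(config_text):
    """Map each problematic key name to the reason: missing, too short, or letters only."""
    found = parse_defines(config_text)
    problems = {}
    for name in KEY_NAMES:
        value = found.get(name)
        if value is None:
            problems[name] = "missing"
        elif len(value) < MIN_LENGTH:
            problems[name] = "too short"
        elif value.isalpha():
            problems[name] = "letters only"
    return problems


def generate_key(length=64):
    """Random key drawn with the secrets module (CSPRNG), safe to paste into a PHP single-quoted string."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_config():
    """Emit define() lines with a fresh random value for each of the four key names."""
    return "\n".join(f"define('{name}', '{generate_key()}');" for name in KEY_NAMES)


if __name__ == "__main__":
    print("problems in sample config:", weak_keys(WEAK_CONFIG))
    print(generate_config())
```

Run it against your own wp-config.php by passing the file contents to weak_keys; an empty result means all four keys are present, at least 32 characters, and mixed. Each run of generate_config produces different values, so generate once, paste, and do not regenerate casually: changing these keys invalidates every logged-in cookie.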
9. Delete credentials recorded in Google’s cache
You may have made a small mistake in the past that left a page containing your passwords in Googlebot’s cache, where someone else, or even you, can find it. You can fix this by following the URL removal how-tos here.
10. Friendster Security and Privacy
Friendster is known for a lot of user abuse, and that must be one of the reasons Th0R wrote “Friendster Hacking”. You already know this, and about this article, and that Friendster’s filter is off, so attackers can sneak malicious code in again. Yes, this may be how the Friendster team wants to find out how big the threat is and where it comes from. So secure yourself by disabling auto-approve for comments in your settings page. While you are there, if you want to, disable all the automatics and do everything manually. For “add as a friend”, choose to require last name or e-mail address. Let only friends leave comments. Then, if you still feel unsafe with NoScript alone, turn the safe mode option on.
As for privacy: yes, Friendster is a social networking site where you provide data about yourself, and you may not want people who don’t know you to see it. All you have to do is restrict profile views to your friends only, or, if you want to be more tolerant, to 2nd degree contacts.
That’s all for this edition. The 5th part is coming up and I’ll continue writing soon. I know this edition may look disappointing to you, but I hope you’re happy to see all the tips in one article. Enjoy your day!
Thu.10.9.2008
r3ck0rd
©2008 Calvin Limuel a.k.a. r3ck0rd. All rights reserved.
Original Link: http://reckord.info/password-security/105.account-security-part-4.html or http://reckord.info/?p=105