
Password Security

January 16th, 2013, in Internet Security



With all the sites I’ve worked on and the databases I’ve seen, one of the most troubling trends I’ve found is a lack of understanding about password security. I’ve been startled to find that many sites use two-way encoding algorithms (meaning the algorithm supports decoding the stored encoded value back into the clear-text, human-readable password), and some even store passwords directly as clear text in the database. I’ve seen a clear misunderstanding of what passes for secure password requirements, and I’ve seen passwords that are limited to a fixed number of characters. In light of all the recent cyber attacks that have successfully accessed and retrieved data from even the most seemingly secure databases, I think it’s important to put some fresh information out there about password

I’ll start by stating what should be obvious: under no circumstances should you ever design a system that stores a user’s password anywhere in clear text. By ‘clear text’ I mean without encryption, so that the stored value looks as if someone had just typed it. If someone sets their password to “P@ssword1”, that value should be encrypted before it is written to any form of permanent or semi-permanent storage. There are a number of secure ways to do this. This article is not meant to help you choose which algorithmic approach is best, as that depends largely on your application environment. What is important is that you choose a one-way algorithm. The reason is that a brute force attack on the stored value then has to first identify what kind of algorithm you use, then repeatedly encode guesses of its own and compare each result against your stored value. With two-way encryption, all an attacker needs to do is identify your algorithm and run the decryption routine to recover all your users’ passwords.

Many of the arguments I hear against these stricter and more robust practices focus on customer support, such as “If my user forgets their password, how will I remind them what it is?” The answer is simple: YOU CANNOT! Under no circumstances should anyone, not the user and not even a system administrator, be capable of retrieving the user’s password. If a password is forgotten, reset it, tell the user the new temporary password, and encourage them to change it as soon as they can (assuming your system can’t force them to do so at their next login). I cannot stress this enough: if anyone in your company can recover a user’s password, be it a system admin or a piece of logic in your application’s code, then any hacker who gains access to your database will be able to recover your users’ passwords as well.

Another misconception I’ve seen proliferating around the industry is that passwords are more secure if they contain special characters. While this is true, it isn’t enough to ensure your users create unique and complex passwords. Over the years society, especially in IT communities, has been led down a password generation path that makes passwords harder and harder for people to guess, and easier and easier for computers to guess. Replacing your ‘L’s with ‘1’s and your ‘A’s with ‘@’s will likely keep your little sister from guessing your password, but it only adds a few additional test cases for a computer to try before successfully cracking the code. It’s important to add these additional test cases by allowing special characters in your password requirements, but it’s not enough. Similarly, most encryption algorithms worth their salt will already be case sensitive. This means that a computer has roughly twice as many test cases to check in order to brute force your passwords, and while the mix of uppercase and lowercase characters won’t hinder computers in their brute force attacks (which already have to execute the additional test cases), it does add complexity for humans attempting to guess passwords. These steps will help protect your users from malicious cyber attacks (and improve your credibility as a trustworthy provider), but the most effective way of increasing password security is not only often overlooked, it is frequently prohibited by password “strength” metrics. Too often I have come across systems that require passwords of only 8 characters, or worse still, 6 characters. If you allow uppercase characters, lowercase characters, numbers, and the standard 10 special characters, you have a total of 72 possible characters for each position in the password. With a password 8 characters long, that means there are exactly 722,204,136,308,736 possible password combinations a computer has to test.

Before you go thinking that’s a lot, you should know that there are processors widely available capable of processing 10 billion combinations a second. If you don’t want to do the math, I’ll go ahead and tell you that this means a computer can guess each password in your database in 20 hours or less. If it uses a randomly generated password each time, it’s likely your passwords will be cracked in an average of 10 hours per password. By simply increasing your minimum password length to 10 characters, you increase the computation time to guess all the passwords to 11 years per password. That’s right, 11 years. Over a decade per password. By increasing your minimum to 11 characters, the time it takes the most advanced computers to guess and compute your passwords increases to in excess of 500 years. Three characters. Three additional characters is all it takes to push the time needed to calculate a password well beyond the conceivable life of both your users and the hackers. The payoff is astronomical. By adding a few extra characters to your minimum password length, you protect your users’ passwords well beyond the standard which banks adhere to (8 alphanumeric and special characters, with at least one uppercase, one lowercase, and one special character). The very worst practice I’ve ever seen is a length limit on passwords. If your user wishes to use a password that is 20, 30, or even 50 characters long, your system should make no effort to stop them, as it decreases their confidence in your security and, to be candid, it’s just rude.
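As an added illustration (not the post’s own code), here are the post’s two points in working Python: a one-way, salted password store that can only be checked by re-deriving the value, and the 72-character keyspace arithmetic at the quoted 10 billion guesses per second. PBKDF2-HMAC-SHA256 is my choice of one-way function, since the post names no algorithm; the 72-character alphabet, the guess rate and the sample password “P@ssword1” are the post’s own figures.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not the post's code. Figures below are the post's assumptions:
# 26 upper + 26 lower + 10 digits + 10 specials, tested at 10 billion guesses/s.
ALPHABET_SIZE = 72
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def hours_to_exhaust(length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this length, in hours."""
    return keyspace(length) / rate / 3600

def years_to_exhaust(length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Same worst case, in years."""
    return keyspace(length) / rate / SECONDS_PER_YEAR

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """One-way storage: 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    PBKDF2-HMAC-SHA256 is my choice (the post names no algorithm). It has no
    inverse: the only way to test a guess is to re-run the derivation, which is
    exactly the cost the post wants attackers to pay. A random per-user salt
    means two users with the same password store different values.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    record = hash_password("P@ssword1")  # the post's sample password
    print(record)  # stored value; nothing in it can be decoded back to the password
    print(verify_password("P@ssword1", record), verify_password("P@ssword2", record))
    for n in (8, 10, 11):
        print(f"{n} chars: {keyspace(n):,} candidates, "
              f"{hours_to_exhaust(n):,.1f} h or {years_to_exhaust(n):,.1f} y to exhaust")
```

Running it reproduces the post’s figures (about 20 hours for 8 characters, about 12 years for 10, over 800 years for 11) and shows that a forgotten password can only be reset, never looked up.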

I’ve covered a lot here, but two things should be apparent if you intend to store passwords for your users: never use a bi-directional encryption algorithm, and the more characters you require for passwords, the more secure those passwords will become.




Chrome – Now more popular and powerful than IE

May 21st, 2012, in Internet Security, Web Browsers, Web Development



StatCounter shows that within the past few days Chrome has become the most popular browser on the web.

(Image: StatCounter’s Browser Statistics; the original links to StatCounter’s interactive graph.)

In the past year, Chrome has become more popular than both Firefox and IE. Chrome now ranks just under half a percent higher than Internet Explorer. IE and Chrome tend to compete with each other in the weekend statistics. But usage isn’t everything, so I put recent versions of the five major modern browsers through benchmark testing:

Rank | Browser | Version
---- | ------- | -------
1 | Chrome | 19.0.1084.46 m
2 | Opera | 11.64
3 | Safari | 5.1.4
4 | Internet Explorer | 9.0.8112.16421
5 | Firefox | 12.0

(The original table also carried a benchmark screenshot and a Task Manager resources screenshot for each browser; the images are not reproduced here.)

Benchmark Info:

  • Performed using Rightware’s Browsermark (you can run your own browser benchmark on their site).
  • About three quarters of the way through the run, the jump in CPU usage is caused by 3D rendering (I assume through the Canvas API in JS).
  • Safari and Opera both failed their first time running the benchmark. The Task Manager screenshots are wider because I had to widen the window to keep the graph on-screen during the failed attempts.
  • Benchmarks were run with only the active browser and Task Manager running.
  • Tested on a 3.06 GHz Core 2 Duo with 2 GB DDR3 RAM, running Windows 7 Pro.

A year or two ago, the Firefox rank would have bummed me out. However, as Firefox has proven itself a memory hog time and time again, I’ve transitioned to Chrome. The switch to Chrome came somewhat late for me. My initial complaints about the browser were the lack of an XML tree view for appropriate file types and the lack of an FTP client (or a decent extension to fall back on). Now Chrome has a Notepad++ extension which comes packaged with a built-in FTP client, perfect for on-the-fly editing. As for my old friend Opera (my first alternative to IE), it’s maintaining rather competitive benchmarks even with its low usage ranking from StatCounter. Chrome smoked the competition in the benchmarks, and it is one of only two browsers actively running plugins/extensions on my machine (Firefox is the other, and it didn’t do so hot). You can find an extensive collection of browser benchmarking data for tablets, mobile devices, and PCs on Rightware’s Power Board site.




Mozilla Firefox 10

February 2nd, 2012, in Internet Security, Other, Web Development



Mozilla moved from version 3.6 to version 4 almost a year ago, on March 22, 2011. Not even a year has passed, and just a few days ago Mozilla released its first two-digit browser version. This version is intended to make updates and extension management easier on the end user. Version 3.6 will lose support in April, leaving 10 as the only currently supported version. Some other major highlights in Firefox 10 include:

  • CSS 3D Transforms are now supported.
  • The new HTML5 <bdi> element (bi-directional isolation), which allows isolating parts of text that have a different directionality, has been implemented.
  • Updates to Canvas, DOM3 Events, DOM4, JavaScript, Full Screen API, Page Visibility API, SVG, and WebGL.
  • You may now specify a fragment of “top” for the href attribute to create a link to the top of the page. This used to work, then went away for a while, and now it’s back, for compatibility with the HTML5 specification.
  • The console object has two new methods, console.time() and console.timeEnd(), which can be used to set timers on a page.
  • Handling of the position property on elements inside positioned <table> elements has been fixed.
  • In the past, when element.setAttribute() parsed integers, it would report an error if the integer included any non-numeric characters (for example “42foo”). Now it correctly truncates this as the number 42, in accordance with the specification.
  • Minor interface changes.

*These snippets have been pulled from the Mozilla website*

Here is a timeline of the support status and release dates of Firefox over the past year. Firefox has had several releases as a result of adopting a rapid release development cycle.

Browser name | Gecko version | Version | Support status | Codename | Release date
--- | --- | --- | --- | --- | ---
Firefox 3.6 | 1.9.2 | 3.6 | N | Namoroka | January 21, 2010
Firefox 3.6 | | 3.6.26 | Y | | January 31, 2012
Firefox 4 | 2.0 | 4.0 | N | Tumucumaque | March 22, 2011
Firefox 4 | | 4.0.1 | N | | April 28, 2011
Firefox 5 | 5.0 | 5.0 | | | June 21, 2011
Firefox 5 | | 5.0.1 | N | | July 11, 2011
Firefox 6 | 6.0 | 6.0 | N | | August 16, 2011
Firefox 6 | | 6.0.2 | N | | September 06, 2011
Firefox 7 | 7.0 | 7.0 | N | | September 27, 2011
Firefox 7 | | 7.0.1 | N | | September 29, 2011
Firefox 8 | 8.0 | 8.0 | N | | November 08, 2011
Firefox 8 | | 8.0.1 | | | November 21, 2011
Firefox 9 | 9.0 | 9.0 | N | | December 20, 2011
Firefox 9 | | 9.0.1 | N | | December 21, 2011
Firefox 10 | 10.0 | 10.0 | Y | | January 31, 2012



Email Management with Adobe Acrobat

January 26th, 2012, in Internet Security, Managing Web Content, Web Development



A while back, John Scaramuzzo came around the office asking employees to clear out any e-mails we could afford to lose in Outlook.  When disk space is low, it can be difficult and time consuming to filter through thousands of e-mails determining what to keep and what not to keep.

Using a feature of Adobe Acrobat (I have version 9 installed), I was able to back up all those e-mails into a single indexed PDF. If you keep your Outlook mailbox organized by folder, this turns out even more nifty after converting to a PDF. Right-click on a mail folder and notice there are two options regarding Adobe PDFs: converting will create a new PDF, and appending will add the emails and the folder structure to an existing PDF, which can be saved to the local machine. This does NOT remove the emails from Outlook; they need to be deleted manually.


After a certain size is reached, the PDF document will start to respond slowly. The best solution I’ve come up with is to organize the PDFs by year. Remembering the approximate year of a project or development period isn’t too difficult, and Adobe includes a search feature to find information quickly. A ticket number or a phrase related to the project usually works, removing any need for digging around. Any time my Outlook folders start to look full, I can append all the contents to the current year’s PDF and free up the space in Outlook. Below is a screenshot of what my Sent Items folder looks like in 2011’s PDF.

(Screenshot: Sent Items folder in the 2011 PDF.)

If your mailbox does not already have a folder structure, it might be a good idea to set some up.  Organization never hurts!




The Bitcoin

August 26th, 2011, in Internet Security, Web Development, Web Marketing



Bitcoins came up in a brief discussion during one of my CS courses this past week. Apparently, they have been around since 2009, but I hadn’t heard anything about them until now. Essentially, a bitcoin is a digital currency that can be used across the internet. The Bitcoin client can be run from a Linux box and can “mine” for coins on a network, which are then saved into a digital wallet with electronic signatures. Major perks of the new currency include:

  • Transfers go directly from sender to receiver (no clearing house).
  • Fees are much lower.
  • Usable in every country.
  • Accounts cannot be frozen.
  • Based on open-source software.
  • No prerequisites or limits.

(Embedded video: Getting Started.)

So what determines the value of a Bitcoin? According to “WeUseCoins.com”:

“The value of a commodity is determined by supply and demand. The supply side of Bitcoins is limited by design. The demand comes from people wanting Bitcoins to trade with.”


Exchange Rate

The exchange rate can be monitored online at MTGOX. Here is a diagram of the currency value over the last 24 hours at the time of writing this post:





The Con Artists Don’t Take the Holidays Off

November 26th, 2010, in Internet Security



It’s Holiday Season, Do You Know Where Your Wallet Is?

While it’s worth remembering all year long, it doesn’t hurt to remind ourselves that the holiday season brings out the best and worst in people.

The con artists will be out in full force this year.

Here are some tips that will help you get through the holiday season safer and hopefully with your wallet and credit card intact.

1. When shopping in brick and mortar stores, watch your wallet and purse.  Pickpocketing is still a thriving occupation.

2. When you take your purchases to your car, stow them in the trunk.  If you go back into the store or mall, you’re leaving an invitation for a broken window and missing packages when you return.  I put my things in the trunk, then move the car so anyone who is watching thinks I’m leaving.  OK, I’m paranoid; I also don’t like sitting with my back to a window or door.

3. Watch the people around you when you check out.  It’s easier than ever to use a cell phone to take a picture of your credit card while you’re at the register.

4. If you’re purchasing a gift card, pick one at random from the display.  Con artists will take a card or two, steal the information from it and put the card back onto the display.  Then they wait patiently for the card to become activated so they can use it to shop online.  Also, don’t buy cards online unless you know the seller.  Sometimes, worthless cards are sold online.

5. ’Tis the season for heartache and charity scams.  Be especially careful with your email messages.  Return addresses and organization names are easily forged.  Beware of similar sounding organization names; Make a Wish Foundation is not Leave a Wish Foundation.  You get the idea.  Know your charities.

6. Don’t wire money to Joey in England who can’t get home for Christmas because he lost his wallet.  (Unless you know Joey is your son and you spoke to him on the phone.)

7. Did you get an email from a charity and the request came from a Yahoo, Hotmail or Gmail account?  Any organization worth your donations has its own domain name and email system.  Be suspicious of any charity with a free email address.

8. One last low tech reminder.  Don’t leave your purse or wallet where it’s visible.  Years ago, my mother had her purse stolen from beside her desk when she was away for just one minute.  The thief walked into the office, picked up the purse and was gone before anybody came back to the front.

Have a safe, happy and healthy holiday season.




Beware the Phisher Man

October 20th, 2010, in Internet Security



Phishing is the practice, used by internet criminals, of presenting false information to extract personal or financial information from unsuspecting computer users.

Use the following guidelines to avoid getting hooked by the scammers:

- When you receive an email message that asks for personal or financial information, delete it without clicking on any links in the message. Do not copy/paste a link into your browser; subtle misspellings can send you where you do not want to go. If you want to verify the information, open your browser and type the URL of the company yourself (or find it with your favorite search site). Get the telephone number from the “Contact Us” section, talk to an agent of the company and report the phishing attempt.

- Do not use a telephone number supplied in any email that asks you to update your account or request a refund. Telephone numbers are no longer what they seem. Automatic forwarding systems and VOIP (Voice over Internet Protocol) systems mean you cannot tell where the destination really is. If the phishing message is about your credit card (and it’s really the same financial institution where you have your account), use the telephone number on the card. Use your bank statement to get the telephone number if it’s about your checking or savings account.

- Install anti-virus and anti-spyware software and keep it up to date.

- Review your bank and credit card statements when you receive them. My wife and I check our accounts daily (not that I’m paranoid).

- Beware of attachments you don’t recognize or didn’t expect regardless of whether you recognize the sender. Infected attachments can compromise the security of your computer and harvest and deliver personal information while you’re browsing.

- Never email personal or financial information. Email is not secure.

- Learn how your browser indicates that you are using a secure connection to your bank, credit card company or online store before you enter any personal or financial information.

If you do receive a phishing email, forward it to the company that has been impersonated and also to spam@uce.gov (a part of the Federal Trade Commission).

If you got caught, file a complaint with the FTC at www.ftc.gov/complaint.

Safe surfing.


