"Evil will always triumph because good is dumb."

There’s too many passwords to manage and most people resort to is using the Spaceballs luggage combination.  You need one for your web site control panel, one for your free Email provider, one for your bank, another for your E-mail address, another for your bank ATM PIN, etc..  While making the password the same makes your life easier, it also makes it easier for the hacker.  Once they gain access to one account, they can then pick off other accounts you may have.  In addition, many individuals use simple passwords; a common dictionary word, their dogs name, their spouse’s name, or their first born child’s name.  There has to be a better way and there is.  Here are some tips in keeping your accounts secure.

Password Strength

By monitoring our hosting customers, we’ve seen many FTP, SSH and E-mail accounts broken into via brute force alone.  While we do have measures to block these types of attacks and monitor for any unusual activity, we recommend using strong passwords.  Strong passwords are completely random (at least 8 preferably 12 characters in length and includes numbers and different case) and then use a different password for each account.

Password Managers

OK you’ve followed our recommendation and use a different password per site.  How do you manage them all? Put Post-It notes on your computer monitor?  That’s a surefire method to announce your passwords to the world.  Your best method is using a password manager.  Password managers are an excellent way to store, create and manage your online and offline accounts.  Even better, many offer synchronization to a smart phone so you can take your passwords anywhere with you.  Depending upon your operating system and needs, you have many options.  Here are a few of the more popular applications and we’ve used all of them at one point in time:

• 1Password (OS X, iPhone, iPod Touch, and Palm support)
• MiniSafe (Windows with Blackberry support)
• SplashID (Windows and OS X, with support to many smart phones)

Out of the above mentioned, personally I like 1Password the best.  It works great on OS X and now has a web browser app that works on MS Windows and even Linux!  So you are able to get your passwords from any platform.

Secure Communication

By default web surfing, E-mail, and FTP are sending your password unencrypted.  This also means any content (E-mails, HTML, personal data, etc.) is also insecure.  If communication from desktop to server is not encrypted, it’s possible someone along the way can intercept it.  To encrypt this communication you are best in enabling SSL.  With the multitude of applications available, I cannot go into details but will summarize what’s needed:

• E-mail client – Enable SSL for IMAP or POP3 and SMTP  communication
• FTP – Use FTP/SSL or SFTP  instead
• Web browser – Make sure the web site certificate is valid and communication is secure via SSL (otherwise known as https:// in your browser URL)

If unsure and using Empowering Media for these services, check with us.  We’ll be more than happy to discuss how to encrypt your communications.

Two Factor Authentication

You are now using random passwords, and you want more security, so what’s the next step?  Two factor authentication is the answer.  It’s military grade security.   In simple terms, it means you need two forms of identification before granting access.   It’s something you know (your password) with something on your person (typically a fingerprint, retina scan, or key fob).  How can this be done via web sites? The answer is OpenID. It’s a relatively new method for web site authentication, and allows for a unified method to login to multiple web sites.   Unfortunately Empowering Media does not yet support OpenID.

We recommend creating an OpenID account with Verisign’s FREE Personal Identity Portal (PIP).  It has a great OpenID implementation and it supports two factor authentication.  Any sites that do offer OpenID you can use the same OpenID for login.  Verisign offers a key fob option with either software you install on your smartphone or by purchasing a RSA based key fob.

For SSH logins you can create poor man’s two factor authentication. First create an SSH based key to login to your account, details can be found here.  Once created move your private key on a USB flash drive.  Your private SSH key is only available when the drive is plugged into your computer.

For an additional layer of security, we can disable SSH login via password and allow for SSH key only.  SSH Keys are a much more secure method than using passwords.  This option is available with our dedicated VPS and server customers.

Securing Your Computer

If you get infected by a virus you might be in trouble.  Many viruses today capture keystrokes from your computer.  Unfortunately most individuals don’t even know they have been infected.  If you’ve been infected, assume any password typed in on the computer has been compromised.  The goal should be to prevent this from occurring to begin with.  First and foremost  keep your anti-virus, anti-spyware and operating system software updated.  Just by keeping your software updated thwarts most attacks.  Both Microsoft’s Windows and Apple’s OS X have a automated updates.  I recommend setting this option to check daily for updates.

Anti-virus software is a must.  For Windows systems we recommend: ESET’s NOD32 Antivirus, and on the Apple Macintosh platform we recommend Symantec’s Notron Anti-Virus.  While on the Macintosh it is not attacked as much as Windows machines, expect this to increase with Apple’s increase in market share.

Feedback Loop

For the truly paranoid how can you make sure no other unauthorized people use your account?  You do this by creating a feedback loop.

Let’s discuss a personal example.  At Empowering Media, we have a corporate credit card that someone stole (more than likely via some insecure web site I ordered merchandise from).  The person then proceeded to call the credit card company, pretend to be me, to change my business address to their location and then modify the web site password.  How did we find out of this change? Via an E-mail from the credit card’s web site.  Most financial web sites have methods to contact you if any unusual activity or changes occur.  For at least financial web sites, I recommend you setup all available notifications.

In Summary Use

• Random generated passwords at least 8 characters in length (over 12 characters preferred). Common passwords should not be used
• A different password for each account
• Encryption (SSL) when communicating to web sites asking for your password or other sensitive information
• A password manager that offers syncing a smart phone
• If available, two factor authentication
• Use OpenID
• Feedback loops to notify you of unauthorized usage

By doing all suggested best practices, for the most part, will ensure your online and offline accounts are kept secure.

Using 777 permissions on a folder means ANYONE on that server can write to it. Hackers LOVE this type of setup. In addition, with mod_php you must have at least 644 perms on PHP files, which ALSO means your files can be read by anyone. This means your MySQL password, key to your merchant account, etc., can be read by any customer on that shared server! If you ask me, not a secure solution.

We use suPHP instead of the default apache/mod_php for shared hosting.

SuPHP
Pros:

• PHP runs as your user/group
• PHP files can have perms of 640 (hiding things like passwords from other accounts)
• Files/folders written by PHP are written as user/group (no apache or other global user)
• Custom php.ini file per site (can add/remove security options)
• Can run php4 and php5 at the same time (on even the same site!)

Cons:

• Slower
• many PHP .htaccess options do not work (since you can have your own php.ini file this make this point moot)

apache/mod_php
Pros:

• Faster (about 25-30%)

Cons

• PHP safe mode isn’t safe
• files written by PHP are saved as the apache process (usually apache/apache user/group)

For our small business web hosting customers it’s a no brainer to use suPHP instead of mod_php, even if we take a performance hit. PHP is the #1 method hackers gain access to customer accounts. So once an account is hacked on a shared server, they can do much more damage with a mod_php setup. SuPHP accounts are much more sandboxed. We’ve had many hacked accounts via suPHP, and none of them have affected our other customers. In the future are going to replace suPHP and use LiteSpeed’s web server instead. It offers the same performance as mod_php and yet the same security as suPHP.

Our Managed VPS web hosting we give the customer the option to select which PHP setup they want.