jfb-security-passwords [Jcink.com Wiki]

Passwords

The password is the first line of defense keeping your forum from being accessed by other, malicious or mischievous, people. Because of this, it is important to understand how a password gets broken (the process is called cracking, not to be confused with hacking*) and how to prevent it from happening to you.

*Hacking and cracking are two different terms that the media and the public often use interchangeably, though each has its own definition. The short version is this:

  • Cracking - breaking through security programs. (EX- Guessing passwords.)
  • Hacking - bypassing security programs entirely. (EX- using system exploits a.k.a. flaws in security to gain control.)

Methods to acquire passwords

Password cracking is a major issue, given that a user's password is the only thing standing between others and that account. There are several common methods that people use to attempt to gain access; these are:

1- Through the use of brute forcing tools publicly available online. These applications can guess thousands of passwords in a very short time frame, either by trying a pre-set list of words (called a dictionary) or by trying every single combination until it finds the right one (though this is very time consuming and easy to detect for an admin who is paying attention and checking their failed account logins).

2- Manually guessing passwords. The would-be cracker attempts to guess the victim's password. This is fairly slow and a bit harder to detect (if the cracker isn't constantly guessing…).

3- Password stealers. These are scripts that a would-be cracker plants on their own site and then links to the victim's site, hoping that the victim will fall into the trap. The exact nature varies by script and method, but the defence boils down to one thing: be careful clicking links to sites you aren't familiar with, and avoid cloaked or shortened links.

4- Social engineering. This is when a would-be cracker tries to intimidate, befriend or otherwise convince their victim to hand over the password, for example by pretending to help a new user solve some sort of problem on their site or by offering to create a brand new theme/skin. It is easily defeated by never giving out your password for any reason at all. (This holds true for any situation in life, be it your JFH forum or your online bank account.)

By picking a good password and using common sense, you will be immune to activities like this.
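The first method above relies on an admin noticing a burst of failed logins; the "Changing your password" section later on says to change your password if you think you are under attack. The script below is an added example (not part of the original wiki page or of Jcink's software) showing how that detection can be automated: it runs a sliding window over failed-login records and flags any account or source address that accumulates too many failures in a short time. The log format, the usernames, the addresses and the threshold are all constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a login audit log in a hypothetical "date time EVENT key=value"
# format. The format, the users and the addresses are invented for this example.
SAMPLE_LOG = """\
2012-05-22 20:00:01 FAILED_LOGIN user=admin ip=203.0.113.7
2012-05-22 20:00:03 FAILED_LOGIN user=admin ip=203.0.113.7
2012-05-22 20:00:05 FAILED_LOGIN user=admin ip=203.0.113.7
2012-05-22 20:00:08 FAILED_LOGIN user=admin ip=203.0.113.7
2012-05-22 20:00:10 FAILED_LOGIN user=admin ip=203.0.113.7
2012-05-22 20:00:12 FAILED_LOGIN user=admin ip=203.0.113.7
2012-05-22 20:15:00 LOGIN_OK user=bob ip=198.51.100.4
2012-05-22 21:30:44 FAILED_LOGIN user=bob ip=198.51.100.4
2012-05-22 22:01:09 FAILED_LOGIN user=bob ip=198.51.100.4
"""

THRESHOLD = 5                  # failures inside the window that trigger an alert (assumed)
WINDOW = timedelta(minutes=2)  # length of the sliding window (assumed)


def parse_line(line):
    """Split one log line into (timestamp, event, user, ip)."""
    date, clock, event, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(f"{date} {clock}"), event, kv.get("user"), kv.get("ip")


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Flag accounts and source addresses whose failed logins cluster in time.

    Returns {(kind, key): (first_failure, last_failure, count)} where kind is
    "account" or "ip"; the tuple reflects the window state the last time it was
    at or over the threshold. Scattered failures (bob below) never trigger.
    """
    recent = defaultdict(deque)   # (kind, key) -> timestamps still inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, event, user, ip = parse_line(line)
        if event != "FAILED_LOGIN":
            continue
        for kind, key in (("account", user), ("ip", ip)):
            q = recent[(kind, key)]
            q.append(ts)
            while ts - q[0] > window:     # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts[(kind, key)] = (q[0], ts, len(q))
    return alerts


if __name__ == "__main__":
    for (kind, key), (first, last, count) in detect_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{kind} {key}: {count} failed logins between {first.time()} and {last.time()}")
```

Keying on both the account and the source address matters: a single attacker hammering one account shows up under both keys, while two scattered failures by a legitimate user who mistyped their password never reach the threshold. Run on the sample, it reports six failures against "admin" from one address within eleven seconds and nothing for "bob".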

Picking a good password

Your password should be something you can remember, but not too short or easily guessed, such as 'dog' or 'fish'; a simple dictionary attack program can find those types of passwords fairly quickly. A decent starting length for a password is 8 characters. Never use anything less than 8 characters, because it is too short and too easy for brute force programs to break through.

You should also never use your name, or anything that has been publicly associated with you. For example, you may like Pokemon a lot and talk about it all the time, maybe it's even the board's theme, so don't make your password anything to do with Pokemon. Desperate crackers will try passwords based on your known interests.

The other thing you should know is that pure-number passwords or random-letter ones are just as bad. 2349581, for example, is a terrible password. It can be easily guessed using brute force programs that go through number combinations. (It would only take 2,349,581 attempts to get it right if someone were to try every single number in order until they found it. Though this sounds like a large number, it is deceptive because a computer can attempt passwords much quicker than a human, at a rate of roughly multiple hundred a minute.)

The ideal password, then, is at least 8 characters long (the length of the word “username”), with a mixture of uppercase letters, lowercase letters, numbers and a punctuation mark. A password with all of these features will take a brute force program decades to break through (using a single computer with currently existing computing power).

Good Password Examples

Here are several examples of good passwords:

thedogloll33tm@nbob

It has well over 8 characters and consists of numbers, letters and a special character too. Plus it is not in ANY way a dictionary word. This password is good, but it can be improved even more.

ThEdOgLoLl33tM@NbOb

The password now has a good mix of characters, including uppercase, lowercase, numbers and a symbol, which makes it even harder for a would-be cracker to guess or brute force their way through. Though having it be this much of a mix might make it very hard to remember or enter correctly (which is a bad thing, since it defeats the purpose of having a password if it's so strong that you can't even remember or use it). An alternative is to use password phrases, where you take a phrase and make it into a password. For example:

yourethemannowdog

would be a password phrase. These are somewhat easier to remember and can't be easily guessed or brute forced, due to their sheer length. But it's still not the greatest; to improve it further you could throw in some numbers:

y0ur3th3mann0wd0g

This is the same password phrase as above, except it has numbers mixed in too. Using leetspeak (replacing letters with numbers) can help out a bit here.

And if you wanted to improve it further still, using the same principles above:

Y0ur3th3mann0wd0g!

It's the same password, except it is still fairly easy to remember (since it starts with a capital like most English sentences, has some numbers and ends with an exclamation point).
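To make the rules from "Picking a good password" and the comparison of the examples above concrete, here is an added example (not code from the wiki or from Jcink): a checker that applies the page's rules (minimum 8 characters, not a dictionary word, not digits only, nothing tied to your username or known interests, all four character classes present) and a search-space estimate that shows why the longer, mixed examples fare better. The guess rate of 5 per second (300 a minute, matching the page's "multiple hundred a minute"), the tiny word list and the interest list are assumptions constructed for the demo.

```python
import string

# Minimum length the page recommends.
MIN_LENGTH = 8

# Guess rate for the time estimate. The page says "multiple hundred a minute";
# 300 guesses per minute (5 per second) is an assumption chosen for this demo.
GUESSES_PER_SECOND = 5.0

# Character classes an exhaustive search has to cover, keyed by name.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# Constructed stand-in for a cracker's dictionary: a few words the page mentions.
COMMON_WORDS = {"dog", "fish", "password", "pokemon"}


def character_classes(password):
    """Names of the classes (lower/upper/digit/symbol) that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def alphabet_size(password):
    """Size of the alphabet an exhaustive search must cover for this password."""
    return sum(len(CLASSES[name]) for name in character_classes(password))


def brute_force_guesses(password):
    """Worst-case guesses to try every string of the same length over that alphabet."""
    return alphabet_size(password) ** len(password)


def years_to_exhaust(password, guesses_per_second=GUESSES_PER_SECOND):
    """Time to run through the whole search space at the assumed guess rate, in years."""
    return brute_force_guesses(password) / guesses_per_second / (365 * 24 * 3600)


def check_password(password, username="", known_interests=()):
    """Apply the page's rules and return the list of problems (empty means it passes)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_WORDS:
        problems.append("is a dictionary word")
    if password.isdigit():
        problems.append("digits only")
    if username and username.lower() in lowered:
        problems.append("contains your username")
    for word in known_interests:
        if word.lower() in lowered:
            problems.append(f"contains a publicly known interest: {word}")
    missing = set(CLASSES) - character_classes(password)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    # The page's own examples, weakest to strongest, checked for a user called "bob"
    # whose board is about Pokemon (both assumed for the demo).
    for pw in ["dog", "2349581", "yourethemannowdog", "Y0ur3th3mann0wd0g!"]:
        problems = check_password(pw, username="bob", known_interests=["pokemon"])
        print(f"{pw:20} alphabet={alphabet_size(pw):3} "
              f"search space={brute_force_guesses(pw):.3g} "
              f"years={years_to_exhaust(pw):.3g} problems={problems or 'none'}")
```

The estimate is the worst case for an attacker who tries every combination; a dictionary attack on 'dog' finishes far sooner than the 17,576 three-letter strings, which is exactly why the word-list check runs before the arithmetic. Note how 2349581 sits in a search space of only 10^7 while the final example, with all four classes and 18 characters, is out of reach of any single machine at this rate.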

Email Passwords

There is one last thing to mention: a good password on your forum is worthless if there is a bad password on your email account. Be sure to keep your email account's password strong too, because if a cracker knows your email address they may try to target that instead. Thankfully, the same principles listed above to protect your forum account transfer over to protect your email account.

Passwords on other servers/boards

Using the same or a similar password on other boards and login systems online is extremely bad. If a malicious administrator logs your passwords, or steals your password hashes, they can gain access. Make sure that you AND your staff use passwords on your board(s) that are unique TO your boards, for maximum security.

Changing your password

Because no password is ever truly safe forever, it is also a good idea to change your password every once in a while. (Some sites recommend or even require changing passwords every 90 days.) We recommend that you change your password at least once a year.

It is also a good idea to change your password if you think you're under attack. Even if they were getting closer to guessing the password (which the system does not tell them), changing it means they would have to keep guessing, and they would get tired long before they uncovered your password (provided you use a strong one like mentioned above).

It is also a good idea to change your password if you suspect someone else has been in your account/using your computer. (Or if you've been using your account in public spaces and forgot to log out.)

As a member

As a member you can change your password from within the “My Controls” panel (at the very bottom titled: “Change password”).

  • If the admin has elected to use the “Lost Password Recovery” Email option then you will be sent an email (at the address used to register the forum account) with a very specifically generated link to change your account's password.
  • If the admin has opted not to use “Lost Password Recovery” Email, then you will be asked for your current password (to verify you own the account) and the password you'd like to use instead (typed twice to make sure the password is spelled correctly/as you desire).

As an admin

As admin you can change your password either using the member method or from within the ACP itself. (You can also use this method to manually reset a user's password too.)

  1. Click to “Users and Groups” (to expand it, if not already done).
  2. Click “Find/Edit/Suspend User”.
  3. Use the box at the top to search for your username. (Or the member's whose password you're going to reset.)
  4. On the page showing search results, click “Edit Details” beside your username.
  5. Scroll down to the section that says “New Password” and enter the password there. (WARNING - You only have 1 box, so make sure the password you enter is exactly what you want.)
  6. Then click the “Edit this member” button at the bottom of the page.

Giving your password away

This is easy. Don't do it. EVER. Even if someone claims to be staff, never give away your password.

Final Words

These same password rules can be applied almost anywhere, and while it isn't a 100% assurance you won't be cracked, it sure does make it a lot harder.

jfb-security-passwords.txt · Last modified: 2012/05/22 20:01 by viruszero