Password Security

Hi everyone, I hope those of you who had the long weekend enjoyed it!

I just thought I’d write a quick post about general password security. We all know it’s important, but not everyone can be bothered to ensure that their various accounts across the Internet (and not just here at Ennoverse) have long, complicated passwords that are unique to each site. This is off-putting for those of us who just want to log in hassle free. It would be easier if we didn’t need long passwords, but the world, and especially the Internet, is too dangerous for such simplicity.

In a lot of cases a username and a password are the only barrier to entry for an account. Making sure that this barrier is very difficult to penetrate can be a pain. Security experts now commonly recommend that passwords be at least 14 characters long and contain multiple upper and lower case characters as well as numbers and symbols. But how on earth do you go about remembering these?

The ‘Phraseword’

[Image: 4 digit code padlock] Simple passwords are easy to guess.

One solution is to create a phrase (longer than 14 characters) that you can remember and replace certain characters with upper case characters, digits or symbols. Look up ‘leet speak’ for some inspiration. For example, the phrase ‘The sea is very wet’ could become tH35eA1SV3RywEt!

But you then run into another problem that security experts advise against. You may be tempted to use that same password on every site where you have a username and password. The problem here is that if one of those websites is somehow compromised and an attacker steals the user database, they then have your password and a means to access every other account on which you used it.

So what can you do to have a complex password that you can remember without duplicating it across web sites?

LastPass

Well, there are a few answers out there. One I personally use is LastPass. This is a great system that lets you use one master password (preferably a complex one as described above) and acts as a secure directory of all of your usernames and passwords. It includes a password generation tool that automatically creates random, long, complex passwords for each site that you register with, so every site gets a different password.

The great thing about LastPass is that it is free and very secure. The passwords are encrypted and stored locally as well as on the LastPass servers. They have plug-ins for most web browsers allowing for auto-login and auto-fill features. If you want even more security they also allow multi-factor authentication. As well as asking for your username and password (something you know), it asks you for something you have, such as a key fob or a number grid. As only you have these items, the authentication is much stronger and safer, since just knowing the password won’t help.

SuperGenPass

Another thing I have used before is a bookmarklet called SuperGenPass. This tool sits in your bookmarks toolbar and lets you generate a long, complex password that is different for each site that you visit. Cleverly, it combines a master password with the website’s domain name to generate a unique password that only you can regenerate by entering the correct master password. It is by far the simplest system. It doesn’t rely on storing your passwords anywhere, although you can opt to store the master password (I wouldn’t recommend this). You can download it at any time or use the web-based version, which is handy on a mobile browser or on locked-down computer systems.
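To show the idea of a stateless, domain-keyed generator concretely, here is an added example written for this post; it is not SuperGenPass’s own code, and it uses PBKDF2-HMAC-SHA256 as a stand-in key derivation function rather than SuperGenPass’s real algorithm. The `sgp-example/` salt label and the demonstration values are constructed, and `hash_pbkdf2()` needs PHP 5.5 or later.

```php
<?php
// Added example, not SuperGenPass's own code: a stateless generator in the
// style the post describes. The master password plus the site's domain is run
// through PBKDF2-HMAC-SHA256 (a stand-in KDF; SuperGenPass's real algorithm
// is not reproduced here) and the output becomes a fixed-length password.
// Nothing is stored; the same inputs always regenerate the same password.

function registrable_domain($url) {
    // Reduce "https://www.login.example.com:8443/x" to "example.com" so the
    // password survives subdomain changes. Simplification: keeps the last
    // two labels; a real tool would consult the Public Suffix List.
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === null || $host === false) {
        $host = $url; // a bare hostname was passed in
    }
    $labels = explode('.', strtolower($host));
    return implode('.', array_slice($labels, -2));
}

function site_password($master, $url, $length = 16) {
    $domain = registrable_domain($url);
    // Loop until the result starts with a lowercase letter and contains at
    // least one uppercase letter and one digit, so common site password
    // policies accept it. The round counter goes into the salt, so every
    // retry is a fresh but still deterministic derivation.
    for ($round = 0; $round < 64; $round++) {
        $salt = 'sgp-example/' . $domain . '/' . $round; // constructed label
        $raw  = hash_pbkdf2('sha256', $master, $salt, 100000, 0, true);
        $pw   = substr(strtr(base64_encode($raw), '+/', '!#'), 0, $length);
        if (preg_match('/^[a-z]/', $pw) && preg_match('/[A-Z]/', $pw)
            && preg_match('/[0-9]/', $pw)) {
            return $pw;
        }
    }
    throw new RuntimeException('no acceptable password found');
}

// Constructed demonstration values.
$master = 'correct horse battery staple';
echo site_password($master, 'https://www.example.com/login'), "\n";
echo site_password($master, 'https://mail.example.com'), "\n"; // same as above
echo site_password($master, 'https://example.net'), "\n";      // different
```

Because every site password is derived from the master, a leaked site password lets an attacker test master-password guesses offline, so the master must be long and the iteration count is deliberately high to slow that down.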

KeePass

The last one I will write about is a program called KeePass. This is a little different from the above two solutions, as it is a fully-fledged program that runs on the desktop, separate from any web browser. It works by storing passwords in an encrypted database file on your hard disk or on any online or shared storage medium (if you wanted to share certain passwords, perhaps). Access is granted via a password, so make sure it’s a secure one! This is definitely aimed at people who have a large number of sites, and even offline systems, that they access and want to keep organised. While you can quite easily share a password database with people by giving them the encrypted database file, you’d end up sharing all of the passwords within it.

As this is not the intended use, all I can say is that it makes quite a handy password utility. It has a nice feature: when you copy a password to paste into a form field, the program starts a timer (12 seconds, for example) which, on expiry, clears the clipboard contents to prevent accidental pasting of sensitive information. There are a lot of other cool things it can do too, such as command-line execution, but I won’t go into too much depth there.

This is a Windows application, but the developers say it can be run on various Linux flavours and on Mac OS X using Mono.

Final Thoughts

So, as we can see, there are a lot of solutions out there for keeping your passwords secure and having systems remember them for you while not repeating passwords across sites. Brute force attacks are common, and processors are getting more powerful at crunching through passwords. If you have a dictionary-based password you should think about using something more secure, maybe one of the above solutions.

For our customers’ web hosting accounts we do prevent brute force attempts quite successfully, but you really can reduce password cracking success rates by securing your passwords on every site that you use.

If you know of other handy password management tools, we’d be interested to hear. Please post them in the comments! Thanks for reading.



PHP Upgrade to 5.3 Announcement

Many of our customers use PHP, and as you know we have been running versions from the 5.2.x release tree. Today we are announcing our plans to upgrade our cPanel shared web hosting customers to the PHP 5.3.x release tree. This is to ensure that we stay current with new developments and, more importantly, with security updates.

We are giving plenty of notice for this change, as our customers will have to check their existing web applications for any incompatible PHP code. Below are answers to some specific questions. We also recommend that you read the Migrating from PHP 5.2.x to PHP 5.3.x guide on the PHP website.

When will this happen?

The update is scheduled to take place on JULY 17th 2011 at 3am BST / 10pm EST. There may be brief interruptions of web service during this time, which we estimate to last about an hour.

Who does this affect?

This update will only affect those who use PHP-based applications on our shared web services. This includes anyone who has installed packages from Fantastico. The interruptions during the above maintenance window will affect all of our shared hosting customers.

What problems might I encounter due to this update?

PHP 5.3 contains several backward-incompatible changes. We encourage you (or your web developer) to read the information on PHP’s web site: Backward Incompatible Changes. As a result of these changes you may see PHP error and warning messages throughout websites that use the incompatible features.

Additionally, there are a number of newly deprecated features in this version of PHP; see Deprecated features in PHP 5.3.x. These functions and features will still work in this release, but will now generate the newly added E_DEPRECATED warning message on the affected pages.

What can I do to prevent these problems?

In the case of the backward-incompatible changes mentioned above, the only thing you can do is replace the affected code with PHP that is up to date for 5.3. You should also replace deprecated code with the recommended alternatives (listed on PHP’s web site) where practical.

If you need a quick fix (we don’t recommend this!) you can disable the E_DEPRECATED warnings by adding this near the top of your PHP files, before any deprecated code runs:

error_reporting(E_ALL & ~E_DEPRECATED);

This disables only the E_DEPRECATED warnings, leaving you time to identify and fix the problems. It is in your interest to use the suggested replacements, however, as these features may be removed completely in future versions of PHP.
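Instead of hiding the deprecation notices, a practical alternative is to capture them in a log so you can find the exact files and lines to fix. The following is an added example written for this post, not code from the original announcement; the log path is a placeholder, and the `trigger_error()` call at the end is a constructed demonstration.

```php
<?php
// Added example, not from the original post: rather than silencing
// E_DEPRECATED, route deprecation notices to a log so the affected files and
// lines can be found and fixed. Assumes a log path writable by the web server;
// '/path/to/php-deprecations.log' is a placeholder to replace.

define('DEPRECATION_LOG', '/path/to/php-deprecations.log');

function log_deprecation($errno, $errstr, $errfile, $errline) {
    // Handle only the two deprecation levels; hand everything else back to PHP.
    if ($errno !== E_DEPRECATED && $errno !== E_USER_DEPRECATED) {
        return false;
    }
    $entry = sprintf("[%s] %s in %s on line %d\n",
                     date('c'), $errstr, $errfile, $errline);
    error_log($entry, 3, DEPRECATION_LOG);
    // Returning true stops PHP printing the notice into the page, where it
    // would reveal file paths to visitors; the log keeps the evidence instead.
    return true;
}

// Keep reporting E_DEPRECATED (do not mask it with error_reporting), but never
// display errors to visitors on a live site.
error_reporting(E_ALL);
ini_set('display_errors', '0');
set_error_handler('log_deprecation', E_DEPRECATED | E_USER_DEPRECATED);

// Constructed demonstration: a user-level deprecation, logged exactly like the
// engine-level E_DEPRECATED that a function deprecated in 5.3 would raise.
trigger_error('legacy_helper() is deprecated, use new_helper()', E_USER_DEPRECATED);
```

Review the log after a few days of normal traffic; each entry names the file and line that still uses a deprecated feature.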

I am using a third-party web application, such as a WordPress blog, what should I do?

In this case you should first check whether you have the most current version of the application installed. Applications such as WordPress include an automatic update feature, but to be sure you should check the current version on the developer’s web site.

Once you have found the most current version, check the release notes to see whether they mention compatibility issues with PHP 5.3. If they state it is not compatible, or something doesn’t work as expected after the update, you will need to contact the developer and push for them to release an updated version that works with a modern PHP installation.

Can you delay this release? I need more time!

No. We are giving a long notice period for this update, but we must switch to an updated PHP version sooner rather than later for security reasons. We have to ensure that all of our servers run the most current updates possible to protect our users from potential security threats. Customer security is our top priority.

I hope this post has been informative. If you have any questions or need help with getting ready for this update, please contact support through your client area login.



Exciting changes to our products

This week we are announcing some changes to our shared web hosting packages. As of today we are increasing the disk space and bandwidth allowances for our web hosting packages, and we’ll include most current account holders in the upgrade. This is great news in these hard times: even more value for money.

Unfortunately there is one exception: customers with the E100 legacy package will not be included in the upgrade. However, if you want to upgrade to the current E100 or E200, please contact us.

These changes have already taken place and there is nothing that you need to do. If you are eligible you will see your new allowances in cPanel. For details of what we offer please see the web hosting comparison page.

There is exciting news for new accounts as well: we are extending our free domain name offer. We will offer a free domain with our E300 and E400 packages while continuing to offer it with the E500 and E600. Some domains are excluded from the offer; this is noted in the order process.

And there’s more: we have launched a special bundle that combines our E400 package with a free domain name, SSL certificate and dedicated IP address. This is a really great offer; check out the details here. Get it while you can, as we have allocated a limited set of IP addresses for this deal.


Ennoverse Blog

A place for news and discussion about the company, our products and services as well as the wider IT sector.