
your own domain passwords

Discussion in 'General Domain Discussion' started by findtim, Feb 9, 2017.

  1. findtim

    findtim Membership: VIP

    Joined:
    Dec 13, 2011
    Messages:
    7,808
    Likes Received:
    1,932
    auDA Member:
    Yes
    This is not about the domain Key.

    Password security has been something I've been working on for over a year now, trying to get a system where I KNOW the passwords just by knowing the domain name.
    cPanel password, FTP, wp-admin, emails.
    As well as being able to satisfy most places I go, like Optus, my WHM, a forum, a site membership etc.
    For me there has been something missing, something simple.
    What I had was, once discovered, easy for anyone to alter to get every password I have.
    So here's my answer:
    Start with a character like #, %, $, whatever; this satisfies complexity for many password criteria.
    Then a single lower case letter, could be a, b, c or x, y, z, representing the area you are logging into, e.g. m for email.

    Next something in capitals representing the domain, could be the first 2-4 letters, the last letters, or the vertical, e.g. MEC for a mechanic even though the domain is dubbomotors.
    Next a memorable (for you) set of numbers you don't use anywhere else, e.g. 2478, the postcode of where you grew up?
    Add another character like (, *, ^.

    Up till now it's pretty easy to crack, but I doubt people would expect a "check digit"; work out how to gather one, but never the same one for all of course.
    E.g. if your password is now %mMEC2478*13, 13 being that m is the 13th letter in the alphabet.
    https://mrsngai.edublogs.org/files/2016/03/code-1mwham1.jpg

    After the 13 you could add a #, # being the character above the 3.
    This is just a base idea to alter, but modified to you it will be easy to never have to write down another password, and it will give you a password with 12+ characters which will satisfy most criteria.
    I think it would be impossible to crack if you had no knowledge of the FIVE+ different criteria being used.
    tim
     
    robert likes this.
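As an added illustration (not from the original post), the Python below models the template just described and counts how much guessing uncertainty each field actually contributes: the check digit is computed from the area letter, and the symbols and number repeat across every site, so once a single password is exposed only the per-site fields are left. The slot sizes (about ten symbols per slot, a 3-letter site tag) are constructed assumptions, not the poster's figures.

```python
import math
import secrets
import string

# Constructed model of the template described in the post:
#   symbol + area letter + site tag (capitals) + fixed number + symbol + check digit
# EXAMPLE is the post's own sample; the slot sizes below are assumptions.
EXAMPLE = "%mMEC2478*13"

SYMBOL_CHOICES = 10          # assumed: roughly ten shifted characters people pick from
AREA_CHOICES = 26            # one lowercase letter
SITE_TAG_CHOICES = 26 ** 3   # assumed: a 3-letter tag such as MEC
NUMBER_CHOICES = 10 ** 4     # a 4-digit number such as a postcode

def check_digit(area_letter):
    """The 'check digit' is the alphabet position of the area letter (m -> 13).
    It is fully determined by another field, so it adds no uncertainty."""
    return str(string.ascii_lowercase.index(area_letter) + 1)

def build(symbol1, area_letter, site_tag, number, symbol2):
    """Assemble a password the way the post describes."""
    return f"{symbol1}{area_letter}{site_tag}{number}{symbol2}{check_digit(area_letter)}"

def template_bits(one_password_leaked=False):
    """Bits of guessing work left for someone who knows the scheme.
    After one password leaks, the symbols and number (constant across sites)
    are known; only the area letter and site tag remain to be guessed, and the
    site tag is usually guessable from the target domain anyway."""
    per_site = math.log2(AREA_CHOICES) + math.log2(SITE_TAG_CHOICES)
    if one_password_leaked:
        return per_site
    shared = 2 * math.log2(SYMBOL_CHOICES) + math.log2(NUMBER_CHOICES)
    return per_site + shared

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters

def random_bits(length=12):
    """Entropy of a uniformly generated password of the same length."""
    return length * math.log2(len(ALPHABET))

def generate(length=12):
    """What a password manager's generator does: uniform choice, no shared fields."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    print(build("%", "m", "MEC", "2478", "*"))                    # %mMEC2478*13
    print(f"template, scheme known:        {template_bits():.1f} bits")
    print(f"template, one password leaked: {template_bits(True):.1f} bits")
    print(f"random 12-char:                {random_bits():.1f} bits")
    print(generate())
```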
  2. Scott.L

    Scott.L Membership: Trader

    Joined:
    Nov 16, 2010
    Messages:
    1,094
    Likes Received:
    702
    auDA Member:
    Yes
    Oh great Tim, now everyone knows.
     
    Data Glasses likes this.
  3. Data Glasses

    Data Glasses Membership: VIP

    Joined:
    Jun 26, 2008
    Messages:
    6,671
    Likes Received:
    1,075
    Oh I've been using Find-Tim up until now.
     
    Scott7 likes this.
  4. Andrew Wright

    Andrew Wright Membership: VIP

    Joined:
    Feb 24, 2012
    Messages:
    406
    Likes Received:
    382
    auDA Member:
    Yes
    Roboform...
     
  5. Scott7

    Scott7 Membership: Trader

    Joined:
    Jan 21, 2013
    Messages:
    983
    Likes Received:
    771
    and Find-Tim-net-au for extra security. It's the one time you want a less memorable extension.
     
    Data Glasses likes this.
  6. Christopher

    Christopher Membership: Community

    Joined:
    Jun 13, 2014
    Messages:
    492
    Likes Received:
    191
    Yep, I would use a strong password generator, and a good password manager. And change the passwords periodically. Have you ever heard of rainbow tables @findtim? If you haven't, they are a list of hashed passwords that have been decrypted.

    Why is this important to know? Well, firstly, when you make a backup of your site, let's say it's WordPress, the db tables are dumped into a file and added to the zip file. Depending on the backup program it may sit in an unsecure part of your website that the public may be able to download. If this is the case, they can simply dig through the database to find your user name, and then the hashed password, which they can run through a rainbow checker. Once they find this, they can simply log in. So it's very important to know about this, because it will help you protect your sites better. By having something that seems like a user generated system, say the hacker discovers your favourite backup plugin uses an insecure location like the root or some uploads folder not protected by your htaccess file. From here they figure if you have this on one site, they might try to discover other sites of yours. From here, downloading each of the backups, they discover by de-hashing your passwords something similar with each site, a pattern.... This will be the undoing of your system. Generating a password takes the human error component away. I would recommend LastPass or Roboform Enterprise, so that you can do audits on your passwords: when they were last changed, how weak they are, and if there are duplicates.
     
    Scott7 likes this.
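A defender's check for the exposure described in the post above, added here as an example (not from the post or any backup plugin): walk a web root for backup-looking files and report any that sit in a directory without a denying .htaccess between them and the root. The sample tree and its file names are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# File name endings that commonly hold database dumps or whole-site archives.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar.gz", ".tgz", ".wpress")

def htaccess_denies(directory):
    """True if this directory's .htaccess blocks direct web access
    (Apache 2.2 'Deny from all' or Apache 2.4 'Require all denied')."""
    ht = directory / ".htaccess"
    if not ht.is_file():
        return False
    text = ht.read_text(errors="replace").lower()
    return "deny from all" in text or "require all denied" in text

def ancestors_within(path, webroot):
    """Yield the file's parent directories from nearest up to the web root."""
    d = path.parent
    while True:
        yield d
        if d == webroot:
            break
        d = d.parent

def exposed_backups(webroot):
    """Return web-root-relative paths of backup-like files that no .htaccess
    on the way up to the web root protects from direct download."""
    webroot = Path(webroot)
    found = []
    for path in webroot.rglob("*"):
        if not path.is_file() or not path.name.lower().endswith(BACKUP_SUFFIXES):
            continue
        if not any(htaccess_denies(d) for d in ancestors_within(path, webroot)):
            found.append(path.relative_to(webroot).as_posix())
    return sorted(found)

def demo_tree():
    """Constructed sample web root: one exposed dump under uploads, one
    archive in a folder whose .htaccess denies access."""
    root = Path(tempfile.mkdtemp())
    exposed = root / "wp-content" / "uploads" / "backups"
    exposed.mkdir(parents=True)
    (exposed / "site-2017-02-09.sql.gz").write_bytes(b"")
    private = root / "wp-content" / "backups-private"
    private.mkdir()
    (private / ".htaccess").write_text("Require all denied\n")
    (private / "site.zip").write_bytes(b"")
    (root / "index.php").write_text("<?php\n")
    return root

if __name__ == "__main__":
    for rel in exposed_backups(demo_tree()):
        print("exposed backup:", rel)   # wp-content/uploads/backups/site-2017-02-09.sql.gz
```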
  7. findtim

    findtim Membership: VIP

    Joined:
    Dec 13, 2011
    Messages:
    7,808
    Likes Received:
    1,932
    auDA Member:
    Yes
    I tried LastPass but I remember it annoying me, should look at it again.
    Good info about the backups kept hosted, I generally download them.
    Decrypting, yes, and the "pattern" as I said was a problem, thus the check digit, and the vertical. I struggle to think anyone would spend time working out that dubbomotors is represented by MEC, or dubbodoctor is MED for medical, davesphotography is WED for weddings?

    But good reply.
    tim
     
    Christopher likes this.
  8. Christopher

    Christopher Membership: Community

    Joined:
    Jun 13, 2014
    Messages:
    492
    Likes Received:
    191
    I would also add IP blocking so that you can prevent people that you don't know from accessing the admin area, if possible. And get some two factor authentication on your site. I wrote a small post on 2FA for a meetup. I'm loving Duo in my sites. https://chrislanauze.com/security/two-factor-authentication-meetup-november-2016-606/
     
  9. johno69

    johno69 Membership: VIP

    Joined:
    Nov 29, 2008
    Messages:
    2,692
    Likes Received:
    441
    LastPass for the win.
    I use the premium version (have for about 5 years) and have it set up with 2 factor auth and it's a dream.
    I actually use it at times like a bookmark directory, especially on mobile where I don't have a great bookmarking system.
     
    Christopher likes this.
  10. Christopher

    Christopher Membership: Community

    Joined:
    Jun 13, 2014
    Messages:
    492
    Likes Received:
    191
    Yep, I would say that too. I use my password manager as a secure bookmarking feature, and for saving notes you want to keep entirely private. I use the business version of Roboform, and also use LastPass for some of my contracting work. Comparing the two, cross platform, LastPass has more winners than losers, although the two have differences. I tried some others that offered advanced SSO (single sign on), but when they didn't have the platform you are working on (in my case open-source software) I had to submit it to the dev team; they then took 2 weeks to implement it, and by then my trial had expired, so I wasn't happy continuing. You can do SSO from Roboform Online, but not from their app, it's more a push and fill request. LastPass have SSO. So does WordPress.com through Jetpack, if you want a free version for WordPress.
     
  11. johno69

    johno69 Membership: VIP

    Joined:
    Nov 29, 2008
    Messages:
    2,692
    Likes Received:
    441
    InfiniteWP is a good SSO option for WP.
     
  12. johno69

    johno69 Membership: VIP

    Joined:
    Nov 29, 2008
    Messages:
    2,692
    Likes Received:
    441
    I have SpeedDial > LastPass with Google 2 Factor Auth > InfiniteWP with Duo 2 Factor Auth.

    Fair bit of security, but I'm in everywhere pretty easily. And I don't have a clue what any password is. They are all stupid hard like Jhgbfe&^5^784h_03
     
  13. Christopher

    Christopher Membership: Community

    Joined:
    Jun 13, 2014
    Messages:
    492
    Likes Received:
    191
    This article might help all understand stronger passwords. I would also recommend using a password generator for usernames. ;) http://crambler.com/password-security-why-secure-passwords-need-length-over-complexity/
     
  14. johno69

    johno69 Membership: VIP

    Joined:
    Nov 29, 2008
    Messages:
    2,692
    Likes Received:
    441
    LastPass has a built in generator. I usually add to that too.
     
    Christopher likes this.