Best Practices for Password Security

In today’s internet-connect age, strong passwords are your first line of defense against unauthorized access to your personal and professional accounts. Following best practices for password security is crucial to protect your sensitive information from cyber threats. Here are some essential guidelines to help you create and manage secure passwords.

1. Use Long and Complex Passwords

  • Aim for passwords that are at least 12 characters long.
  • Include a mix of uppercase and lowercase letters, numbers, and special characters.
  • Avoid using common words, phrases, or easily guessable information like birthdates.
  • Check this list of the top 100,000 passwords taken from list of 10,000,000 passwords compiled from default, breached, pentesting lists, listed in order of usage count. To use this list, you can search within your browser (control-f or command-f) to search whether your password comes up, without transmitting your information over the Internet.

2. Use Unique Passwords for Each Account

  • Never reuse passwords across multiple accounts.
  • If one account is compromised, others remain secure.

3. Use a Password Manager

  • Password managers generate and store complex, unique passwords for all your accounts.
  • You only need to remember one master password to access your password vault.
  • Here are several that offer free options/versions:

4. Be Wary of Phishing Attempts

  • Never enter your password on a site you accessed through an email link.
  • Always verify the authenticity of websites before entering login credentials.

5. Implement Multi-Factor Authentication (MFA)

  • Enable MFA whenever possible for an extra layer of security.
  • This typically involves something you know (password) and something you have (e.g., a mobile device for receiving codes, USB security key).
  • Many sites are requiring this in addition to passwords.

By following these best practices, you can significantly enhance your password security and protect your digital identity from potential threats. Remember, the strength of your passwords is often the key to safeguarding your personal information in the digital world.

MySQL JASON_VALUE fails with a key starting with a number

SELECT JSON_VALUE('{"dateTime": "2024-07-21 08:11:07 -0600", "60SecInches": 0.00, "DailyInches": 0.01, "TotalInches": 10.61}', "$.60SecInches");

MySQL said: #3143 – Invalid JSON path expression. The error is around character position 13.  That seems to point to the end of this string.

"$.60SecInches"

If I remove the “60” from the key, the above SELECT works. But the following works as well.

SELECT JSON_KEYS('{"dateTime": "2024-07-21 08:11:07 -0600", "60SecInches": 0.00, "DailyInches": 0.01, "TotalInches": 10.61}');

["dateTime", "60SecInches", "DailyInches", "TotalInches"]

According to JSON.org, a string is a sequence of zero or more Unicode characters, wrapped in double quotes, using backslash escapes. Any valid string can be used as a JSON key.

I tried backslashes in various places, but that did not work.

The solution is the key name must be separately enclosed in double-quotes and the whole path must be enclosed with single-quotes as

'$."60SecInches"'

This can be used for other “special characters” as well. For example “*” or “#” or number only keys.  I am not sure why a number is a special character, but it seems to be in this case.

Upgrading Drupal and blocked by MySQL library version

Recently I was upgrading a Drupal installation to version 9.5.11 and when in maintenance mode, received the error:

10.5.20-MariaDB-cll-lve-log
The libmysqlclient driver version 3.1.21 is less than the minimum required version. Upgrade to libmysqlclient version 5.5.3 or up, or alternatively switch mysql drivers to MySQLnd version 5.0.9 or up.

Since this installation was on a shared hosting account, I have limited control over the software version.  I could switch to the MySQLnd driver. The MySQL native driver for PHP (mysqlnd) is a drop-in replacement for the MySQL Client Library (libmysql) for the PHP script language.

To make the change in cPanel, find the “Select PHP Version” in the Software section and click to select.  In the “PHP Extension” tab make the following changes.

PHP Extensions image

After doing this you should be able to continue your Drupal upgrade with no error.

Change ownership of a domain in Google Domains

I used the following steps to transfer a domain name from one Google account to another Google account.  It seems that this procedure has changed recently and existing solutions found on the Internet are out of date.  Surprisingly, Google did not provide the solution either.  I  found the current solution by trial and error.   This is very different from the normal transfer procedures used to transfer a domain name documented by Google and others Domain Name System (DNS) registrars.

  1. Go to Google Domains and login to the Google account that currently owns the domain name (example.org).
  2. Select the domain name that you want to transfer.
  3. Add the receiving Google account as a shared user for full access.
  4. Login to the receiving Google account and verify access to the target domain name.
  5. Edit the contacts to reflect changes for the domain name.
  6. Make sure a funding source is set, if using auto-renew option.
  7. Delete the previous Google account from the Users list.
  8. Optionally, login to the Google account that previously owned the domain name to verify it does not have access to the domain name.

Hopefully Google will index this post so their customers do not have to get frustrated trying to find the solution as I did.

 

MySQL/MariaDB needs upgrading after upgrading

Recently I was reviewing log files for one of my servers and came across the following error message:

mysqldump: Couldn't execute 'SHOW FUNCTION STATUS WHERE Db = 'mysql'': Cannot load from mysql.proc. The table is probably corrupted (1728)
mysqldump: Couldn't execute 'SHOW FUNCTION STATUS WHERE Db = 'mydatabase'': Cannot load from mysql.proc. The table is probably corrupted (1728)

Worried that I was having some kind of corruption in all my databases, I immediately search the web for those error messages.  What I found was after I had upgraded my server’s software I needed to run a MySQL/MariaDB specific upgrade command to upgrade the file organization for the new version.

Why the software cannot recognize the older format and suggest the following I do not know.  But here is what you need to do after upgrading the system’s software:

sudo mysql_upgrade -u root -p

The user specified does not need to be root, but it does need full access to all the databases on your system. The sudo is need to avoid the following error.

Could not create the upgrade info file '/var/lib/mysql/mysql_upgrade_info' in the MariaDB Servers datadir, errno: 13

This error showed up on a Debian 11 (bullseye) system. On my Ubuntu systems I have not seen this error, so the package management upgrade may handle the package specific upgrade.

Why does Firefox need it’s own print dialog?

Recently Firefox started loading it’s own dialog when trying to print a web page, about version 85.  I have never had any real problems with the Ubuntu’s print dialog, so I was surprised when the Firefox version showed up.  I really like the Simplify Page feature which cleaned up a lot of poorly formatted web pages in print.  Were they trying to compete with Chrome’s print functionality?  I hate the way Chrome defaults to printing in the cloud!  Am I being paranoid or is this a new way for Google to get more of my data.

Back to the real issue, how to get the system dialog back in Firefox.  Unfortunately the designers left that out of the Preferences dialogs.  Luckily there is another way.

  1. In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
  2. In the search box in the page, type or paste tab_mo and pause while the list is filtered
  3. Double-click the print.tab_modal.enabled preference to switch the value between true (new experience) and false (classic)
  4. If there is another preference named app.normandy.startupRolloutPrefs.print.tab_modal.enabled and it’s set to true, you can double-click that one to switch it to false as well. If you do not have that one, no need to create it.

 

Imagine a Football Game with No Rules

Today the FCC is voting to remove rules for Internet Neutrality that were adopted February 26, 2015.  Removing these rules would allow the few Internet Service Providers (ISP) to manipulate your Internet traffic as they see fit.  Comcast was found to be throttling BitTorrent traffic in 2011 and did not stop until the current rules were adopted.  I applauded these new rules in this blog in 2015.  Now the FCC wants to remove these rules and allow ISPs to treat us however they want with few alternatives for consumers.

Imagine if the government removed all the NFL rules and football games were played with no rules.  How would you know the score?  There would be no penalties and fans could jump on the the field (what’s a field) and run away with the ball (we don’t need a ball).  Crazy, right!  To let ISP make the rules and not tell anyone (both Comcast and CenturyLink did this with data download limits) will make consumers confused, frustrated and angry with no where to turn for help.

The FCC is suppose to help U.S. citizens, not delivery us to corporations for their profit.  Comcast and CenturyLink did not invent the Internet, the U.S. government did with citizen funding, so we invented it, we want rules to protect the Internet’s democratization and our use of it.  If the current administration cannot work for us, we need to find a way to do it ourselves.

It maybe to late to comment on the action, but give it a try at the FCC web site.

Privacy for All

The Founding Fathers created the Bill of Rights to protect citizens’ rights including the Fourth Amendment (Amendment IV) to the United States Constitution that states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Today the Trump Administration has given your personal information to the cable and telephone industry so they can sell your data and increase their already high profits.  Now they can join the new growth industry in the United States of selling citizens data for profit.  And I bet these business will not share it with you.

The U.S. government has demanding that Apple create a way for the FBI to break the encryption of an iPhone while at the same time persecuting U.S. citizens for invading the government’s secret information.

We all have secrets. Many people profess to being an open book, until their wife or husband finds out they are on Ashley Madison. The U.S. government stated many times the Patriot Act was not being used to spy on American citizens.

Privacy is good for all of us. It is also good for a limited time for our government in order to prevent tipping off criminals and enemies of the state.  But intentionally weakening encryption schemes and eliminating privacy protections will provide limited benefit with widespread and long lasting harm.

Web Security for All

Accessing a web site sends information back and forth as you access pages and click on links.  This data travels through numerous computers on its way to the web site’s server and to your computer.  This varies depending on your Internet provider and the provider of the web site.  Recently, I traced my access to this site and counted 13 computers passing my data, to and fro.  And I only control one of them.  Many more people have access to these 13 computers and their connections.

The Hypertext Transfer Protocol (HTTP) is the foundation of data communication for the World Wide Web.  HTTP Secure (HTTPS) provides authentication of the website and associated web server and provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with or forging the contents of the communication. In practice, this provides a reasonable guarantee that one is communicating with the website and ensuring that the contents of communications between the user and site cannot be read or forged by any third party.

HTTPS is especially important over insecure networks (such as public WiFi access points), as anyone on the same local network can packet sniff and discover sensitive information (user name, password, etc.) not protected by HTTPS.

The security of HTTPS is that of the added Transport Layer Security (TLS) protocol, which uses public key encryption to generate a session key which is then used to encrypt the data flow between client and server. To validate public keys, certificate authorities (CA) and public key certificates are necessary to verify the relation between the certificate and its owner, as well as to generate, sign, and administer the validity of certificates. Certificate authorities are trusted by web browser creators to provide valid certificates.  The top three certificate authorities, in 2016, issued over 75% of all certificates in use.

  1. Comodo CA – certificates for $63.95 to $809.10/year.
  2. Symantec Corp. – $399.00/year.
  3. GoDaddy – $69.99 to $249.99/year.

As of April 5, 2016, 41.7% of the Internet’s 141,160 most popular websites have a secure implementation of HTTPS.  That adds up to a lot of revenue for CAs using standard protocols and freely available software. The certificate costs are only a few cents to generate a certificate and a few dollars to administer.  That makes selling TLS certificates one of the biggest cash cows in the world.  All the certificates are exactly the same!  Otherwise they would not work in our browsers.  The only difference in certificates is marketing hype.  Even Comodo CA sells cheaper certificates for $12.00/year through their PositiveSSL brand.

Now there are free certificates available issued by Let’s Encrypt certificate authority sponsored by Cisco, Hewlett Packard Enterprise, mozilla, and facebook among others.  These certificates work the same as the certificates costing much more.  You can verify this using Qualys SSL Labs’ SSL Server Test for this site which uses a Let’s Encrypt certificate.

Password Shenanigans

There seems to be a trend in web security that requires that you type your password, no pasting allowed!

This combined with other password “requirements” are creating problems for people like me that use very secure long passwords.  That means I use a password safe that generates long random strings of letters and numbers like:

kUTaVYPuw6KdCLsqhfJ35qHdZcgCqR

BTW, this password is random and not used by me, anywhere!

So when I sign up for a site that does not allow pasting my really secure password, but requires that I type it manually, I end up with passwords like:

Secure4Stupid!

Making my password much less secure. Also most sites use the “onpaste=return false;” trick.  This only stops the stupid people, as 5-15 minutes with a Greasemonkey script will defeat that “security” feature.  So let’s not think that every idea about password security is a good idea.

Even the following idea is probably not that secure given that password crackers use dictionaries that contain the words: correct, horse, battery, and staple.

xkcd comicAnother annoyance is sites that do not tell me what the maximum length is for a password on their site.  Almost no one tells you this even though they tell you, you must enter at least 8 characters, using letter and numbers….  Since I have had several sites truncate my password, without error or warning, I now have to look at the HTML source code to see if a hint is there.

So here is some password advice for web-site developers and their customers.

  • Do tell us the minimum and maximum lengths, characters allowed (numbers, letters, symbols, etc.).  Make the maximum something like 255, to allow secure passwords and phrases.
  • Do use a hashing algorithm to store passwords for you password protected applications.  This also allows for very long passwords, but fixes the hash value length that you need to store to authenticate your users.  A really useful function is the Unix crypt() library function that is implemented in numerous languages including C, Perl, PHP, Python, and Ruby.
  • Do use standard HTML for accepting passwords for compatibility with more devices.
  • Do not disable pasting which causes users to create weaker passwords.
  • Do not store passwords in plain text on any system.  For clients, use a password safe program to generate and store passwords. For applications and servers, use a strong hashing algorithm to store and compare passwords.
  • Do not use JavaScript for security as it is easily circumvented.
  • Do not reuse passwords for multiple sites.

For more advice on password security: