How to secure a website's user database?

How often have you read about entire user databases being lifted from vulnerable websites? And how often do people reuse the same password in multiple places? Let me answer both questions: too often.

Let us assume that Ada is running a website for her guild. She has decided to code the thing from scratch, and is about to implement the user management system. She has decided she only needs to store the username, password and user type in the accounts table.

She knows that storing passwords in plain text is unacceptable, and thinks they need to be hashed. Therefore she decides to store the MD5 hashes of the passwords. When someone tries to log in, the code checks whether the MD5 hash of the supplied password equals the hash stored in the database. Her reasoning is that if someone somehow obtained a copy of the users table, they wouldn't be able to recover the real passwords in a sensible amount of time, because the passwords are hashed and the attacker would have to mount a brute-force attack to reverse them.

She's wrong. A direct hash of a password is vulnerable to rainbow table attacks: the attacker hashes a huge list of candidate passwords once, ahead of time, and then simply looks up the leaked hashes. A few conditions apply (the table has to be built for the same hash function, and the password has to be among the candidates it covers), but when they hold, recovering passwords from the user database takes effectively no time. Even though she didn't store the passwords in plain text, they would still be easily exposed. Knowing this, she decides to salt the passwords. This means the password is modified in some way before being hashed, usually by adding some string to the input password, so that the same password no longer produces the same hash everywhere. She knows of two ways to do this.
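To make the difference concrete, here is an added example (not code from the original post) that runs Ada's two schemes side by side over a constructed accounts table. The attacker's precomputed table is a plain hash-to-password dictionary standing in for a rainbow table; the wordlist, the account names and the 16-byte random salt length are all assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist standing in for an attacker's precomputed candidates.
WORDLIST = ["password", "123456", "letmein", "dragon", "qwerty", "guildmaster"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute md5(candidate) -> candidate for every word.

    A real rainbow table compresses this with hash/reduce chains, but the
    attacker's economics are the same: the hashing is done once, up front,
    and the result is reused against every leaked database.
    """
    return {md5_hex(w.encode()): w for w in words}


# Ada's first scheme: a bare MD5 of the password. Identical passwords give
# identical hashes, so a table built once matches every site using it.
def store_unsalted(password: str) -> str:
    return md5_hex(password.encode())


def crack_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(stored_hash)


# Salted scheme: a random per-user salt is prepended to the password before
# hashing and stored in the clear beside the digest. The salt is not a secret;
# its job is to make every user's hash input unique.
def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    if salt is None:
        salt = os.urandom(16)  # assumed salt length for this example
    return salt.hex(), md5_hex(salt + password.encode())


def verify_salted(password: str, salt_hex: str, stored_hash: str) -> bool:
    candidate = md5_hex(bytes.fromhex(salt_hex) + password.encode())
    # Constant-time comparison so a timing side channel can't leak the digest.
    return hmac.compare_digest(candidate, stored_hash)


def crack_salted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    # The attacker's table was keyed on md5(password). Against
    # md5(salt || password) it matches nothing; rebuilding it for each salt
    # turns the instant lookup back into one brute-force run per account.
    return table.get(stored_hash)


def demo() -> Tuple[Dict[str, Optional[str]], Dict[str, Optional[str]]]:
    """Run both schemes over a constructed accounts table."""
    table = build_lookup_table(WORDLIST)
    accounts = {"ada": "guildmaster", "bob": "dragon", "eve": "letmein"}

    unsalted_db = {user: store_unsalted(pw) for user, pw in accounts.items()}
    recovered_unsalted = {user: crack_unsalted(h, table) for user, h in unsalted_db.items()}

    salted_db = {user: store_salted(pw) for user, pw in accounts.items()}
    recovered_salted = {user: crack_salted(h, table) for user, (_salt, h) in salted_db.items()}
    return recovered_unsalted, recovered_salted


if __name__ == "__main__":
    plain, salted = demo()
    print("unsalted MD5, recovered by table lookup:", plain)
    print("salted MD5, recovered by the same table:", salted)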

Towerwars.info didn’t update correctly this weekend

It was brought to my attention that towerwars.info didn't update correctly this weekend. When I looked at the site, I noticed there was nothing new since the 5th of May. That's a day and a half of quiet, and knowing the Anarchy Online community, that only happens when they're physically prevented from waging war. Something was wrong.

Review: Logitech K750

I got hold of a new keyboard: the Logitech K750. This is a wireless keyboard with a battery and two somewhat obvious yet discreet solar panels for charging. I like this keyboard. I really do. It's tiny, neat, doesn't get in the way and usually gets the job done. It being wireless makes it easy to get it out of the way when doing paperwork or cleaning the desk. And with my use thus far, it claims to have enough juice for 3 months. Although the keys are elegant, they're too anonymous. The physical marks on the F, J and numpad 5 keys are too vague and placed too low on the key to really be noticeable. It's faster to take a look at where my hands are than to find these marks. Further, the low profile of the keys makes it impossible to navigate the keyboard at large. As an example, it's hard if not impossible to feel a difference between the Q and 1 or 2 keys, or the 3 key and F2/F3.

The space bar is slightly too wide, taking up area which feels like it should be taken up by the Alt and Alt Gr keys (Norwegian layout). The FN key is too large, making it as prominent as the right Ctrl key (which is also slightly too large), making it virtually impossible to auto-correct hand alignment on the keyboard without looking. When punching numbers on the numpad, all the keys feel the same. Since the keys are so low profile, it's hard to notice when I'm angling my hand too much, ending up pressing * instead of 9 or Num Lock instead of 7.

Furthermore, the whole keyboard is too low profile. It's sleek and looks neat, but after having typed this review, my wrists feel tired/strained from typing; both because of how close to the table the keys are (even with the back-side feet pulled out to tilt the keyboard), and because of how the keys don't bounce back at all. I know, this isn't a mechanical keyboard, but other keyboards such as the G19, G15, or most of the Microsoft keyboards do feel like they bounce back a little bit when you push the keys. I suppose the main problem with the keys on the Logitech K750 is that they are kind of like a switch, either down or up; nothing in between. Which makes it pretty tiresome to type on.

I'd still definitely use this for a media center PC or PS3 though (if it's compatible); it's quite neat for having in the living room, and it sure beats navigating the on-screen keyboards with a console controller.

Movie: The Neverending Story

Amazingly enough, I've never seen this movie before. So it's about time I saw it!

This movie is more of the classic fairy tale caliber, where the story is more important than the special effects. The special effects are not lacking; they're actually quite fulfilling. You don't realize they're special effects because they fit in so nicely with everything, and that leaves a better impression in the end.

I'm not going to go into details on the contents of the movie, but I must say that at the times the acting and arc weren't the best, the music definitely made up for it.

I'd recommend this movie to anyone who likes (or used to like) fairy tales. If you by some crazy fluke of the space-time continuum haven't seen this movie yet, you definitely should. You're in for quite the treat.

PS: Don't watch the trailer. Trailers always give away the good bits, and half the fun is not knowing what's going to happen!

Password Tips

After having read many articles with password tips, I’ve come to the conclusion that painfully few are aware of the painfully obvious.

So here goes!
First order of business: forget about the password and start thinking of the passphrase. Like it or not, a short sentence can easily be more secure than a complex password, and it is far easier to remember.
Example 1: a randomly generated password, “Tda,%Bn&x+in”. That is 12 characters drawn from upper and lower case letters, digits and symbols (about 79 bits of entropy if every character is truly random). It's also pretty much impossible to remember.
Example 2: “I huggled an owl while sitting in a tree!” is 41 characters of upper and lower case letters, spaces and punctuation. An attacker guessing character by character faces a vastly larger space than in Example 1; even an attacker who guesses whole words still has to get nine words, one of them rather unusual, right and in the right order.
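The two examples above can be compared under two attacker models: one that guesses character by character, and one that guesses whole dictionary words. The following is an added example, not code from the original post; the alphabet size of 95 printable ASCII characters, the 10,000-word cracking dictionary and the 10^12 guesses per second rate are assumptions chosen for illustration. The defender should count only the cheaper of the two models as the real strength.

```python
import math
from typing import Optional

# Attacker-model assumptions, constructed for this example.
PRINTABLE_ASCII = 95        # upper/lower case letters, digits and symbols
DICTIONARY_SIZE = 10_000    # words a passphrase cracker tries in each slot
GUESSES_PER_SECOND = 1e12   # generous offline rate against a fast hash


def char_model_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy if every character is chosen uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def word_model_bits(n_words: int, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """Entropy if every word is chosen uniformly from the dictionary.

    A word outside the attacker's dictionary (like "huggled") only makes the
    attacker's job harder, so this is a conservative estimate for the defender.
    """
    return n_words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole space at the assumed rate."""
    return (2.0 ** bits) / rate / (365 * 24 * 3600)


def strength_report(secret: str) -> dict:
    words = secret.split()
    char_bits = char_model_bits(len(secret))
    # Word-level guessing only applies when the secret is made of words.
    word_bits: Optional[float] = word_model_bits(len(words)) if len(words) > 1 else None
    effective = min(b for b in (char_bits, word_bits) if b is not None)
    return {
        "length": len(secret),
        "words": len(words),
        "char_model_bits": char_bits,
        "word_model_bits": word_bits,
        "effective_bits": effective,
        "years_to_exhaust": years_to_exhaust(effective),
    }


if __name__ == "__main__":
    for secret in ("Tda,%Bn&x+in", "I huggled an owl while sitting in a tree!"):
        report = strength_report(secret)
        print(f"{secret!r}: {report['effective_bits']:.1f} bits effective, "
              f"{report['years_to_exhaust']:.3g} years to exhaust")
```

The random 12-character password comes out at roughly 79 bits under either view. The passphrase is about 269 bits if the attacker is forced to work character by character, but only about 120 bits against an attacker who knows it is nine words from a 10,000-word dictionary; that lower figure is still well beyond the random password, which is the point of the post.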
