Friday, October 16, 2020

Complex Unforgettable Passwords

It used to be that you only had to remember a couple of passwords. Those days are long gone. You can't use one password for everything anymore, and you never should have anyway. What happens when (not if) one of the sites you use gets hacked and your password ends up on the dark web? Or when someone tricks you into giving them your password for a specific site? These days just about everything you access requires a password, and most people have to keep track of so many they could fill a small address book.

How do you create a really good, secure password that you can remember? These days sites require very long and complicated passwords. I remember years ago reading an article about a test in which a 2,000-user password file was put up against a password-cracking program. None of the passwords was modified prior to the test, but one was added. The added password contained numbers, letters and a symbol.

Before the end of the first day the program had figured out all the passwords except the one that had been added. The lesson learned? Adding a symbol makes the password much harder to break.

The preceding is good to know, but how is that applied in today's environment? How can anyone be expected to keep track of 50-plus passwords that all need to be complicated? You don't want to write them all down in a book and carry it around with you. What if you lose the book? Or someone you don't trust reads it? There are programs that keep them for you, but they can be inconvenient and insecure.

I literally have hundreds of passwords to keep track of. They are for access to web sites I use and to systems I maintain. I don't access most of these every day; in some cases more than a year can pass between logins. So I needed to come up with a way to recall a password from memory even though I have a lot of passwords to remember.

Below is how you can do it, too. Follow this guide. It's not complicated (promise), and you will be able to create as many passwords as you'll ever need to remember without having to write any of them down.

Here's how it works …

Pick two words with a minimum of 3 letters each.

Word 1: gym
Word 2: fan

Tip to make it more complex: use longer words if you'd like.

Pick a day of the year using leading zeros.

March 25
is 03 25

Tip to make it more complex (for you nerds): convert your numbers to hexadecimal.

Pick a symbol from this list: Plus ( + ), Hyphen ( - ), Caret ( ^ ), Tilde ( ~ )

For this we will use the Hyphen ( - ).

Note: You can use other symbols. I chose these as they are the most widely accepted in passwords.

So for review we will be working with:

gym fan 03 25 -

Pick which letter of each word to capitalize: Outside, Middle or Inside.

Outside looks like this: Gym faN
Middle looks like this: gYm fAn
Inside looks like this: gyM Fan

For this we will use Outside.

In reality you just need to choose one letter in each word to capitalize. The reason for Outside, Middle or Inside is to create a pattern that will be easier for you to remember.

Note: If your words are longer than 3 letters, Middle becomes the letter closest to the middle, leaning toward the Outside or the Inside.

Once you get that part done, you are done creating your pattern. Here are a few examples of how the pieces can be arranged:

Word 1  Symbol  Month  (space)  Day  Symbol  Word 2
Gym     -       03              25   -       faN

The result is: Gym-03 25-faN

Month  Word 1  Symbol  (space)  Symbol  Word 2  Day
03     Gym     -                -       faN     25

The result is: 03Gym- -faN25

Word 1  Month  Symbol  (space)  Symbol  Day  Word 2
Gym     03     -                -       25   faN

The result is: Gym03- -25faN

This last arrangement becomes our password template.

You can see I left a space in the middle. This is how you make the password unique for every site you access: you use the name of the site or system you are accessing to create what goes there. So you only have to remember the pattern you created; what you are accessing provides the final part of your password.

This next (and last) part of the pattern is what makes the password unique. It is based on the first "X" characters of the name of the site or service you are accessing. I recommend you use no fewer than two. In this example we will use the first three. I call these the "unique characters".

So if you were creating a password for Amazon.com:

The unique characters are: ama

Then decide which one of the letters you will always capitalize. For this example we will use the middle one.

That changes unique characters to: aMa

Now take those letters and insert them into your pattern. We will use this arrangement:

Word 1  Symbol  Month  Unique Letters  Day  Symbol  Word 2
Gym     -       03     aMa             25   -       faN

When you insert the unique characters, your password for Amazon.com is:

Gym-03aMa25-faN

That password looks complicated enough, doesn't it? Let's use this for a couple of other sites:

Facebook.com - Gym-03fAc25-faN
Microsoft.com - Gym-03mIc25-faN
Twitter.com - Gym-03tWi25-faN
YouTube.com - Gym-03yOu25-faN
Yahoo.com - Gym-03yAh25-faN

So as you can see, this allows you to create a long, complex password that makes sense to you but is not easily hacked. If a system you have used this password on is compromised, the password cannot be used directly on another system, and the likelihood that someone would recognize the pattern is minimal.

I gave you three different patterns, but you can arrange the pieces in other ways. Use something that makes sense to you. The only hard and fast rule is: never put a symbol first. Many systems don't support a password like that.

You can also do other things to make it even more complex.

Change the Month/Day, words or symbols according to the type of site you're accessing. Let's use the numbers as an example.

Any regular site: March 25 (03 25)
Any financial site: July 4 (07 04)

So ...

Facebook.com - Gym-03fAc25-faN
Statebank.com - Gym-07fSt04-faN

Use two symbols: one for the left and a different one for the right.

Facebook.com - Gym+03fAc25-faN
Statebank.com - Gym+03fSt25-faN

You can also use the tried and true method of exchanging a letter for a number or symbol.

A => @
E => 3
I => 1
O => 0
S => $

My point is that you can make this your own so it's easy for you to remember. You don't have to follow what I did as a strict guide. Use whatever helps make it easy for you to remember. The concept is what's important: it's much easier to remember a pattern.
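The whole procedure above (two words, a date with leading zeros, a symbol, a capitalization style, the unique characters from the site name) and the two-symbol variation, written out as a function so the post's own results can be reproduced. This is an added example, not the post's code; the token names W1/S1/MM/U/DD/S2/W2 and the tie-break for the Middle letter of even-length words are this example's assumptions.

```javascript
// Added example, not the post's own code: the pattern scheme as a function.
// Token names (W1, S1, MM, U, DD, S2, W2) are this example's own, not the post's.
const PATTERN = ["W1", "S1", "MM", "U", "DD", "S2", "W2"]; // Word 1 Symbol Month Unique Day Symbol Word 2

function capitalizeAt(word, i) {
  return word.slice(0, i) + word[i].toUpperCase() + word.slice(i + 1);
}

// Outside: first letter of word 1, last of word 2. Inside: the reverse.
// Middle: the centre letter of each; for even-length words the letter just left of
// centre is used (an assumption; the post leaves that choice to the reader).
function applyCase(word1, word2, style) {
  const mid = (w) => Math.floor((w.length - 1) / 2);
  switch (style) {
    case "outside": return [capitalizeAt(word1, 0), capitalizeAt(word2, word2.length - 1)];
    case "middle":  return [capitalizeAt(word1, mid(word1)), capitalizeAt(word2, mid(word2))];
    case "inside":  return [capitalizeAt(word1, word1.length - 1), capitalizeAt(word2, 0)];
    default: throw new Error(`unknown capitalization style: ${style}`);
  }
}

// The "unique characters": the first n letters of the site name (host label before
// the first dot, a leading "www." dropped), with the letter at capIndex capitalized.
function uniqueChars(site, n = 3, capIndex = 1) {
  const label = site.toLowerCase().replace(/^www\./, "").split(".")[0];
  if (label.length < n) throw new Error(`"${site}" is shorter than ${n} characters`);
  return capitalizeAt(label.slice(0, n), capIndex);
}

// Assemble one password. symbolRight defaults to symbolLeft; pass a different one
// for the "two symbols" variation. Month and day get leading zeros as in the post.
function buildPassword({ word1, word2, style = "outside", month, day, symbolLeft, symbolRight = symbolLeft, site }) {
  if (word1.length < 3 || word2.length < 3) throw new Error("words need at least 3 letters");
  const [w1, w2] = applyCase(word1.toLowerCase(), word2.toLowerCase(), style);
  const parts = {
    W1: w1, W2: w2, S1: symbolLeft, S2: symbolRight, U: uniqueChars(site),
    MM: String(month).padStart(2, "0"), DD: String(day).padStart(2, "0"),
  };
  const password = PATTERN.map((t) => parts[t]).join("");
  if (/^[^A-Za-z0-9]/.test(password)) throw new Error("never use a symbol first"); // the post's one hard rule
  return password;
}

// The post's template: gym / fan, Outside, March 25, hyphen.
const TEMPLATE = { word1: "gym", word2: "fan", style: "outside", month: 3, day: 25, symbolLeft: "-" };
const forAmazon = buildPassword({ ...TEMPLATE, site: "Amazon.com" }); // Gym-03aMa25-faN
```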

Thursday, February 6, 2020

Drupal : How To Get Table Sizes

Recently I was doing a deploy on a newly launched Drupal 8 site. As a rule, while a site is in development I create a script to archive the site before each deploy.

On a Drupal site the script backs up the site into separate files:
  • Configs
  • Site (core, theme and custom) files
  • Content (user) files
  • Database
  • Repo
A typical set looks like this:

2020-02-06-1326.sitename.stage.db.sql
2020-02-06-1326.sitename.stage.configs.tar.gz
2020-02-06-1326.sitename.stage.files.tar.gz
2020-02-06-1326.sitename.stage.repo.tar.gz
2020-02-06-1326.sitename.stage.site.tar.gz

During the script run I noticed it was taking an unusual amount of time to do the DB dump, and a quick check showed the available disk space decreasing at an alarming rate.

I knew that meant something was growing at an unreasonable rate, and I needed to find out where the issue was.

A quick and easy way to do this is a simple Drush command:


drush sql-query "SELECT table_name AS 'Table', ROUND(((data_length + index_length) / 1024 / 1024), 2) AS 'Size (MB)' FROM information_schema.TABLES WHERE table_schema = 'database name' ORDER BY (data_length + index_length) DESC;"

The above command lists the tables in order of size, largest to smallest.

In my case it was the watchdog table. It had grown to 11GB in one day. A fellow developer had a piece of code that was generating a warning at a rate of 10,000 an hour. A quick fix of the code and a flush of the watchdog table cleared the issue up.


Sunday, July 17, 2016

Protecting Your Contact Page

In my last post I explained how to use JavaScript to hide your email address on a web page while still displaying it to the public. While some may not mind making their email address public, it may be more information than others would like to disclose. A business needs to route messages from its website to the proper person but still wants to have just one point of contact.

The answer for both is a contact page. It allows site visitors to send a message directly from the site.

Since this method does not disclose the recipient's email address, you would think it would reduce SPAM, and it does, for the most part. But the good people at SPAM Inc. have figured out a way to get their message to you through your contact page. When the SPAM bots scan your page and discover it is a contact page, instead of looking for your email address they just fill in the form and press the submit button. They get what they want; you get what you don't want.

So how do you protect your inbox when using a contact page? Authentication, and there are a variety of ways to do it. Most of them involve the user having to enter some sort of extra information, which means your potential client has to take an additional step, and that can be annoying.

Here's a way to check that the submit button on your contact page was clicked by a human. It involves a little CSS that tricks the bots, so humans will not be bothered.

How does it work?

The average contact page contains input fields for name, email address, subject and message. Yours may have more, or fewer, but those are the fields a SPAM bot is going to be looking for. So when a bot scans your page and finds these fields, it fills them in with its message, clicks submit and moves on.

You can use this to your advantage. Let's say this is the HTML for your contact form:

<form id="contact_form" action="#" method="POST" enctype="multipart/form-data">
    <div class="row">
        <label for="name">Your name:</label><br />
        <input id="name" class="input" name="name" type="text" value="" size="30" /><br />
    </div>
    <div class="row">
        <label for="email">Your email:</label><br />
        <input id="email" class="input" name="email" type="text" value="" size="30" /><br />
    </div>
    <div class="row">
        <label for="message">Your message:</label><br />
        <textarea id="message" class="input" name="message" rows="7" cols="30"></textarea><br />
    </div>
    <input id="submit_button" type="submit" value="Send email" />
</form>


Below is the same form modified. The changes are the renamed visible email field ("email1") and the added "confirm" block:

<form id="contact_form" action="#" method="POST" enctype="multipart/form-data">
    <div class="row">
        <label for="name">Your name:</label><br />
        <input id="name" class="input" name="name" type="text" value="" size="30" /><br />
    </div>
    <div class="row">
        <label for="email1">Your email:</label><br />
        <input id="email1" class="input" name="email1" type="text" value="" size="30" /><br />
    </div>
    <div class="row" id="confirm">
        <label for="email">Confirm Your email:</label><br />
        <input id="email" class="input" name="email" type="text" value="" size="30" /><br />
    </div>
    <div class="row">
        <label for="message">Your message:</label><br />
        <textarea id="message" class="input" name="message" rows="7" cols="30"></textarea><br />
    </div>
    <input id="submit_button" type="submit" value="Send email" />
</form>


Then add the following line in your CSS file:

#confirm {display: none;}

When a human uses the contact form they will see and fill in the field with the id "email1". The bots will go straight for the field with the id "email". It then becomes a simple matter of testing whether any data was entered in the field with the name "email".

If there is data present in that field, you can assume the form was filled in by a bot and it can be discarded. If it's blank, you can assume it came from a human and process the message.

Something to consider when using this method: you don't have to use the field named "email". You can use any field you like.

In this example, it would have been just as easy to use the message field. The only important thing is to hide the field you plan to test from anyone who views the page. This matters because a bot is not viewing the page; it is reading the code of the page. All it knows is that it sees a field and that field should be filled in.

I use the field names "email" and "email1" in the hope that whoever wrote the bot was a decent programmer. If so, their bot would recognize the two fields and deduce that one is a confirmation of the other, which would guarantee both get filled in. It may not be necessary, but I can tell you that I don't get any SPAM from the contact pages that are directed to my email address.

Use whatever you are comfortable with (PHP, JavaScript or jQuery) to test the form. A quick test will allow you to verify whether or not the input came from a human.
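The test described above, as an added server-side example in Node.js (not the post's own code). It assumes the modified form above (visible field "email1", hidden field "email") and that the multipart POST body has already been parsed into a plain object of field name to string by whatever framework receives it; the sample submissions are constructed.

```javascript
// Added example, not the post's own code: the honeypot test as a server-side function.
// Assumes the form has already been parsed into { name, email1, email, message } strings.
const VISIBLE_EMAIL = "email1";

// Decide whether one submission came from a human.
//   fields    parsed POST body, e.g. { name: "...", email1: "...", email: "", message: "..." }
//   honeypot  name of the hidden field to test (the post uses "email"; any hidden field works)
// Returns { accept, reason, message? }; only accepted submissions are worth mailing on.
function classifySubmission(fields, honeypot = "email") {
  // A browser submits every input in the form, hidden or not, so the honeypot arrives as an
  // empty string. If the key is missing entirely the request did not come from the rendered
  // form (a scripted POST), which is treated the same as a filled-in honeypot.
  if (!Object.prototype.hasOwnProperty.call(fields, honeypot)) {
    return { accept: false, reason: `honeypot field "${honeypot}" missing: not sent from the form` };
  }
  if (String(fields[honeypot]).trim() !== "") {
    return { accept: false, reason: `honeypot field "${honeypot}" filled in: likely a bot` };
  }
  // Human path: the visible email field must hold something that looks like an address.
  const email = String(fields[VISIBLE_EMAIL] ?? "").trim();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { accept: false, reason: "no usable reply address in the visible email field" };
  }
  return {
    accept: true,
    reason: "ok",
    message: {
      name: String(fields.name ?? "").trim(),
      email,
      message: String(fields.message ?? "").trim(),
    },
  };
}

// Constructed sample submissions (not real traffic).
const humanPost = { name: "Pat", email1: "pat@example.com", email: "", message: "Hello" };
const botPost = { name: "x", email1: "bot@example.net", email: "bot@example.net", message: "buy now" };
const scriptedPost = { name: "x", email1: "bot@example.net", message: "posted without the hidden field" };
```

Browser autofill can occasionally populate a hidden input named "email", so logging rejected submissions rather than silently discarding them lets you spot a genuine sender caught by the test.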