Stop Sniffing Me

So I am constantly learning. 40% of the internet is using the WordPress platform. I am no different. I started building my own websites with pure HTML/CSS/JS and loved it. It was a lot of work. WordPress started on 5/27/03 and my first website spun up in December 2004. I didn’t know about WordPress (WP) until a year later. I kept my own website but then started dabbling with it and other CMS platforms.

Because it is so widely used, it grabs the attention of the hackers of the world. Just like Windows and Chrome. If you have the market majority, then you are the platform that people go after.

Over the years my sites have routinely been compromised, or someone has attempted to compromise them. I have had to recover much data from backups.

Recently I learned about a username sniffing technique that is used on WordPress to discover usernames so that a brute force attack can be used to gain access to the site backend. I created a lovely redirect to this page from those pesky username sniffs just for fun.

CAPTION: I wonder if Jedi mind tricks work on hackers?

If you type in https://jasrasr.com/?author=1 then you get redirected to https://jasrasr.com/stop-sniffing-me

You could enter any number after the ‘=’ sign. https://jasrasr.com/?author=123 would also redirect to the same: https://jasrasr.com/stop-sniffing-me

That page then links to this page, which explains why I did what I did, and now I am laughing at the whole thing. I could’ve installed a plugin to block the username sniffs but I like this approach better.

I just tested this by creating a new test user, which technically makes author=2 valid. If that author ID exists, then you can see the archives and the blog posts/pages that were authored by that user. More importantly, you can see the username in the URL and on the page.

In this example from icwnow.net you can see the username ‘kbjjsywyvf’ and the ‘test’ post that was created. A hacker can take this info and attempt commonly used passwords to gain access to the site.
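As an added example that is not part of the original post, here is a small Python script that spots this kind of author-ID sniffing in a web server's access log. It parses Apache combined-format lines, pulls the numeric `author` query parameter out of each request, and reports any client that walked through more than one author ID. The log lines, IP addresses and status codes are constructed for the demonstration; `/stop-sniffing-me` is the redirect target described above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" log format. The addresses are
# documentation ranges and the status codes are assumptions, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Sep/2022:02:14:01 +0000] "GET /?author=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Sep/2022:02:14:01 +0000] "GET /?author=2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Sep/2022:02:14:02 +0000] "GET /?author=3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Sep/2022:02:14:02 +0000] "GET /stop-sniffing-me HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Sep/2022:02:20:45 +0000] "GET /diy-dining-room-table/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Sep/2022:02:21:10 +0000] "GET /?author=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Only the fields this check needs: client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def author_id(target):
    """Return the numeric ?author= value from a request target, or None.

    A non-numeric value (author=abc) is ignored: WordPress treats the parameter
    as a user ID, so only integers are enumeration attempts.
    """
    values = parse_qs(urlsplit(target).query).get("author")
    if not values:
        return None
    value = values[0]
    return int(value) if value.isdigit() else None


def enumeration_report(log_text, threshold=2):
    """Map client IP -> sorted list of author IDs it probed.

    Only clients that tried at least `threshold` distinct IDs are kept; a single
    ?author=1 hit can be a stray link, a sequence 1, 2, 3 is a sweep.
    """
    probes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        aid = author_id(rec["target"])
        if aid is not None:
            probes[rec["ip"]].add(aid)
    return {ip: sorted(ids) for ip, ids in probes.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in enumeration_report(SAMPLE_LOG).items():
        print(f"{ip} swept author IDs {ids}")
```

Run against a real log with `enumeration_report(open("access.log").read())`; the threshold is a knob, and the redirect the post describes means every one of these requests lands on the same page regardless of which ID was asked for.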

This page will be updated. I am not done, but it is bed time…

Security vs Complexity – How to set a secure password.

It’s not as hard as you may think.

-She

Security vs Complexity

There is a major difference between an easy-to-remember password and one that is secure…or is there? Can’t you have both? Shouldn’t you have both?

There is a thought that adding spaces to your password to make a pass phrase is more secure, because it lets you have longer passwords that are easier to remember. The true test of security is length and the amount of randomness. Since we can’t truly be random, we need to include all the types of characters allowed for a password. I am going to use “password” to cover pass phrases as well, because whether or not a password has spaces doesn’t change what it is. A space in a password is still just a symbol character, so a pass phrase is just a password with spaces. I would argue you should have other symbol(s) besides spaces.

I wrote a previous post about passwords and security here, titled Secure Password is Not Secure. In that post I highly suggested you use a password manager like LastPass and a password generator (LastPass offers this for free). The password generator is easy to get to if you are in Chrome, or any browser with the LastPass extension installed, by hitting ALT + G on your keyboard. You can also check your keyboard shortcut settings in the extension manager: chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/tabDialog.html?dialog=preferences&cmd=open. This link might not work, and you may have to right click your LastPass extension and click on Options.

Right click the LastPass extension, then left click Options.
In the left menu choose Hotkeys; Generate Secure Password is at the top, showing the default keyboard shortcut.

So if you don’t like LastPass or think they are evil, then Bitwarden is another company that offers all the same features.

Whatever you do, DO NOT use the same password on two different websites. I can’t stress this enough. Once a password is compromised on one site, it is VERY likely the hacker will very quickly use automated tools to attempt that same password on many other sites.

You may not have anything to hide or want to keep super secure, but I bet you don’t want to be locked out of your email, Facebook, Instagram, etc. accounts.

So how do I create a secure and complex password?

A very simple way to come up with a more secure and more complex password would be a “pass phrase” as discussed above. You can make it as random as you like.

EXAMPLE 1: The 3 brown dogs ran FAST!
EXAMPLE 2: 1Jason is a really big NERD!

The above examples both have 163 bits of entropy, which is the amount of randomness given all the characters used (5 uppercase, 14-16 lowercase, 1 number, 6 symbols).

https://www.omnicalculator.com/other/password-entropy

If you go to howsecureismypassword.net, then you see this: 2 decillion years to crack this password.

https://www.security.org/how-secure-is-my-password/ (FKA howsecureismypassword.net)

If you want to know how many possibilities there are for a password, then you take the total number of possible characters to the power of the total number of digits (positions) in the password.
total password possibilities = possible characters ^ number of digits
Example: A bank card PIN has 10k possibilities because 0,1,2,3,4,5,6,7,8,9 is 10 possible characters, raised to the power of 4 digits (generally), so 10^4 = 10,000.

This password The 3 brown dogs ran FAST! has:

1,515,502,518,418,473,418,851,336,545,154,803,393,228,349,015,457,449

possibilities if you use all possible characters on my keyboard.

~!@#$%^&*()_+`1234567890-=qwertyuiop[]\asdfghjkl;'zxcvbnm,./QWERTYUIOP{}ASDFGHJKL:"ZXCVBNM<>?

If a computer can attempt 10,000 passwords every second, then per my calculation it would take 2.40116884430133E+39, or 2,401,168,844,301,330,000,000,000,000,000,000,000,000, or 2.4 duodecillion years. I am even dividing the number in half, because statistically it generally takes about half as many guesses as there are possibilities. I don’t know how the website above is calculating its 2 decillion years. I would have to know how many characters they are including and how many iterations per second. I am figuring 10k/second…

My Math

The iPhone and iOS now offer a great feature to suggest random passwords and even allows you to store them.

TOP 10,000 PASSWORDS!

Go to this website and make sure you don’t use any of these passwords. This list represents the 10k most commonly used passwords, gathered from a list of 10 million passwords.

https://en.wikipedia.org/wiki/Wikipedia:10,000_most_common_passwords

This is an image of the top 100 from the Wikipedia link above. This screenshot is from 9/21/22; the actual website is subject to change and may show a different top 100. I have also blurred out any curse words or words deemed too derogatory to display on my website.
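The math above (possibilities = possible characters ^ number of digits, entropy in bits, and years to crack at a fixed guess rate with the half-the-keyspace average) together with the “don’t use a top-10k password” check, as one added Python example that is not part of the original post. The character pool sizes are an assumption for this example (26 lowercase, 26 uppercase, 10 digits, and the 32 ASCII punctuation characters plus the space, so 95 when all four classes appear), which is why its bit counts will not exactly match the omnicalculator figure quoted above; the short common-password list embedded here is a constructed stand-in for the real 10,000-entry list.

```python
import math
import string

# Character classes used to size the guessing pool. These sizes are an assumption
# (plain ASCII); online calculators may count a different pool and get different bits.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),       # 26
    "upper": set(string.ascii_uppercase),       # 26
    "digit": set(string.digits),                # 10
    "symbol": set(string.punctuation) | {" "},  # 32 punctuation + space = 33
}

# Constructed stand-in for the Wikipedia "10,000 most common passwords" list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def pool_size(password):
    """Pool an attacker must search: the sum of the classes actually present."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def possibilities(pool, length):
    """Total candidates: pool ^ length (the bank PIN example is 10 ^ 4)."""
    return pool ** length


def entropy_bits(pool, length):
    """Randomness in bits for a uniformly chosen password of this shape."""
    if pool == 0 or length == 0:
        return 0.0  # empty password: nothing to guess, nothing to protect
    return length * math.log2(pool)


def years_to_crack(candidates, guesses_per_second, expected_fraction=0.5):
    """Expected time: on average about half the keyspace is tried before a hit."""
    return candidates * expected_fraction / guesses_per_second / SECONDS_PER_YEAR


def is_common(password):
    """Reject anything on the common-password list, ignoring case."""
    return password.lower() in COMMON_PASSWORDS


def assess(password, guesses_per_second=10_000):
    """Bundle the checks into one report; 10k guesses/second is the post's figure."""
    pool = pool_size(password)
    count = possibilities(pool, len(password))
    return {
        "length": len(password),
        "pool": pool,
        "possibilities": count,
        "entropy_bits": round(entropy_bits(pool, len(password)), 1),
        "years_at_rate": years_to_crack(count, guesses_per_second),
        "common": is_common(password),
    }


if __name__ == "__main__":
    for pw in ["1234", "password", "The 3 brown dogs ran FAST!"]:
        print(repr(pw), assess(pw))
```

The entropy figure assumes every character was chosen uniformly from the pool, which a human-written phrase never is; that is the reason the post recommends a generator, and the common-list check catches the worst of the human choices outright.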

Great, but what do YOU do?

This blog is not sponsored by any of the websites mentioned above. I have personally paid for LastPass since 2010 and have thousands of passwords in my vault. For 99% of those passwords, I don’t even know them. I only know my master password. I don’t have to remember any of them. With the Chrome/Firefox/Edge browser extensions and the app on my iPhone I have very easy access to all my passwords. I also store other important information in my vault like credit card numbers, banking info, tax info, Wi-Fi information.

As stated above, I do not know any of my main passwords for any of my accounts. I generally use a password that looks like this: JwC@RHsefyG$H*&xw96#zRg3fXjY$Y (automatically generated by LastPass, which is free, $0.00).

LastPass
Bitwarden


Have a safe and secure day and make better password decisions.

If you like this or agree, then leave a comment and let me know. If you don’t like this or think I am wrong, then leave a comment and let me know.

~ Thank you Jeremy for proofreading this. ~

DIY Dining Room Table

Update 1/15/22 – new video posted to the playlist: I needed to sand and re-stain the table to make it darker. Check it out!

I just uploaded a new video which is my preview of the editing process. All the video for all the days was 3.5 hours and I am hoping to edit down to about 10-15 minutes with commentary.

If you click this to go to YouTube, then you will see the other videos for this table in the playlist.

Please SUBSCRIBE

go and subscribe!

UPDATE: Down to 40 minutes of total video time, from originally 210 minutes (3.5 hours)

Adobe Premiere Pro 2022 – 40 minutes total video time…and still counting down…