GoFuckYourself.com - Adult Webmaster Forum


Libertine 01-24-2004 01:31 PM

How to create strong password for your admin areas and such
 
Obviously, you want your admin areas and other important stuff to be secure. So, you need a strong password. Preferably something long, and at the very least containing numbers as well as letters. The only problem with this is that you'll never be able to remember it... and keeping it on your pc can be rather insecure, as well as extremely annoying if your hd dies or you lose the file it's in.

So, just take something that is easy to remember (for you), and hash it using md5, sha-1 or something similar. You'll get a password that will be hella-hard to break for crackers, but you'll easily be able to get it any time you want. Just remember to keep your encryption app/page somewhere handy :glugglug

Freakster 01-24-2004 01:42 PM

that's pretty smart :thumbsup

pamphage 01-24-2004 01:47 PM

Quote:

Originally posted by punkworld
Obviously, you want your admin areas and other important stuff to be secure. So, you need a strong password. Preferably something long, and at the very least containing numbers as well as letters. The only problem with this is that you'll never be able to remember it... and keeping it on your pc can be rather insecure, as well as extremely annoying if your hd dies or you lose the file it's in.

So, just take something that is easy to remember (for you), and hash it using md5, sha-1 or something similar. You'll get a password that will be hella-hard to break for crackers, but you'll easily be able to get it any time you want. Just remember to keep your encryption app/page somewhere handy :glugglug

good idea. i've been meaning to stop using 123abc anyway

beemk 01-24-2004 01:51 PM

sending this page to the password boards....

Libertine 01-24-2004 02:05 PM

Quote:

Originally posted by beemk
sending this page to the password boards....

Go ahead. It won't make it much easier to brute force a 32 character string (like md5), and there are quite a few different encoding algos out there, so to get them all they'd have to create even huger password lists... up to the point where using a list takes almost as much time as brute forcing :glugglug


Another tip, for very inexperienced programmers: if you store passwords in a database, don't store passwords in plain text form. Instead, use a one-way hash like md5. If people lose their password, resend them a reset random password, which they can change again in their accounts.
This way, if your database ever gets compromised, the stupid ones among your customers (i.e. the ones that use a single password for all their stuff) have less chance of getting screwed - and blaming you, because you were the one that leaked their password.
(of course crackers can still run wordlists against the hashes and have a fairly good chance of finding weak passes that way, but it's better than nothing)
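
An added example, not part of the original post, of the storage and reset scheme described above. It swaps the bare MD5 the post names for salted PBKDF2-HMAC-SHA256 from Python's standard library, so identical passwords no longer share a stored value; the function names, the iteration count and the in-memory `users` dict are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value; tune to your hardware)


def md5_hex(password: str) -> str:
    """Bare, unsalted MD5 as the post describes, kept only for comparison."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Return 'iterations$salt_hex$digest_hex' for storage in the users table."""
    salt = secrets.token_bytes(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reset_password(users: dict, username: str) -> str:
    """Store a record for a random temporary password and return the plaintext.

    The plaintext is returned once so it can be sent to the user; only the
    salted hash is kept.
    """
    temporary = secrets.token_urlsafe(12)
    users[username] = hash_password(temporary)
    return temporary


def demo() -> dict:
    users = {}  # constructed stand-in for a database table
    users["alice"] = hash_password("summer2004")
    users["bob"] = hash_password("summer2004")  # same password, different salt
    return users
```

With unsalted MD5 the two constructed users above would share one stored value, so a single wordlist hit would expose both; the per-record salt removes that.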

JOKER 01-24-2004 02:07 PM

Good Idea, thanx 4 sharing :thumbsup


Take care,
JOKER

Paul Waters 01-24-2004 02:09 PM

I use cock10in

Very secure, and easy to remember.

Libertine 01-24-2004 02:12 PM

Quote:

Originally posted by punkworld
(of course crackers can still run wordlists against the hashes and have a fairly good chance of finding weak passes that way, but it's better than nothing)

Which brings me to the next tip...
If you have any type of protected area for which people can choose their own passes, you should keep a wordlist. Just rip a big one from one of the password forums, and try to keep it up to date.

Make your script check every new username password against the wordlist, and if it's in there, give the person signing up a "username (or password) already exists"-error.

That way, most wordlists will be useless against your sites, and crackers have way less of a chance of getting in :thumbsup
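
An added example (not from the thread) of the signup check described in the post above. It goes one step further and also rejects MD5 and SHA-1 hex digests of listed words, which covers the hashed-phrase scheme from the first post; the sample wordlist is constructed and the function names are assumptions.

```python
import hashlib

# Constructed sample; a real deployment would load a large list from a file,
# one password per line.
SAMPLE_WORDLIST = ["123abc", "password", "letmein", "qwerty"]


def build_denylist(words):
    """Return a set holding each word plus its MD5 and SHA-1 hex digests."""
    denied = set()
    for word in words:
        w = word.strip().lower()
        if not w:
            continue  # skip blank lines in the list
        denied.add(w)
        denied.add(hashlib.md5(w.encode()).hexdigest())
        denied.add(hashlib.sha1(w.encode()).hexdigest())
    return denied


def signup_allowed(username, password, denied):
    """Reject a password that is on the deny-list or equals the username.

    The comparison is case-insensitive, so 'PASSWORD' and an upper-case hex
    digest are rejected as well. Only digests of the lower-cased words are
    covered.
    """
    candidate = password.strip().lower()
    if candidate == username.strip().lower():
        return False
    return candidate not in denied
```

Build the set once at startup and reuse it; membership tests on a set stay fast even with millions of entries.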

Libertine 01-24-2004 02:13 PM

Quote:

Originally posted by Paul Waters
I use cock10in

Very secure, and easy to remember.

But since you probably wouldn't post your password on this board, I suppose the real one is slightly different? Something like cock4in maybe? :winkwink:

Calvinguy 01-24-2004 02:20 PM

I feel like adding....


As a common rule you never make a username case-sensitive but passwords should always be case-sensitive.

Paul Waters 01-24-2004 02:46 PM

Quote:

Originally posted by punkworld


But since you probably wouldn't post your password on this board, I suppose the real one is slightly different? Something like cock4in maybe? :winkwink:

It is really cock14in, but if I posted that, I would get shit for braggin' :Graucho

