A word you use to prove that you are truly you to a computer. You will have a password to log on to your
operating system, one for each affiliate, and even one for various free services on the web. Snoops can look at
your files without knowing your login password by booting with an Ubuntu Linux CD (Compact Disk) and examining your files, bypassing Windows and its passwords. To protect against that,
you need to encrypt your files. Then you have passwords on your files, not just Windows as a whole.
Selecting Passwords
Passwords that are easy to guess include the names of loved ones and relatives, words in the dictionary,
especially ones with strong emotional connotation like God, whale, love.
A tool can crack your password just by trying all words in the dictionary. So you must disguise them. Add
digits, mix the case. This little program will generate you an impossible to guess password. If want to make sure
I am not keeping a copy, download the source, check the
program out, and run it on your own machine.
- Make sure you paste the generated passwords somewhere for safekeeping. Doing
this also helps verify the value you are pasting blind into web forms.
- The Australian government recommends changing passwords frequently, at least
twice a year, to prevent identity theft, and using unguessable passwords at
least 8 characters long with a mixture of digits
and both upper and lower case letters. The password generator defaults to 10
characters. The Australians celebrate a special day in early June to change
their passwords.
- Don’t use the same password at multiple sites unless you don’t care
at all about the security of any of them.
- A word in the dictionary can be cracked in under a second. That is no security
at all.
If, Password, the above Password Generator Java Applet (that can also be run as an application) does not work…
- If Copy/Paste (Ctrl-C/Ctrl-V) do not work, you can turn them back on by
modifying your java.policy file. This is not for the novice or faint of heart. instructions
Your alternative is to download this program and run it without a browser.
- Often problems can be fixed simply by clicking the reload button on your browser.
- Make sure you have both JavaScript and Java enabled in your browser.
- This Java Applet (that can also be run as an application) needs 32-bit (not 64-bit) Java 1.6 or later.
For best results use the older 1.7.0_17 not the latest buggy 1.7.0_21.
In the Java Control Panel, configure medium security to allow vanilla unsigned applets to run.
- You also need a recent browser.
- It works under any operating system that supports Java e.g. W2K/XP/W2003/Vista/W2008/W7-32/W7-64/W8-32/W8-64/Linux/LinuxARM/LinuxX86/LinuxX64/Ubuntu/Solaris/SolarisSPARC/SolarisSPARC64/SolarisX86/SolarisX64/OSX
- You should see the Applet hybrid above looking much like this screenshot. If you don’t, the following hints should help you get it working:
- Especially if this Applet hybrid has worked before, try clearing the browser cache and rebooting.
- To ensure your Java is up to date, check with Wassup. First, download it and run it as an application independent of your browser, then run it online as an Applet to add the complication of your browser.
- If the above Applet hybrid does not work, check the Java console for error messages.
- If the above Applet hybrid does not work, you might have better luck with the downloadable version available below.
- If you are using Mac OS X and would like an improved Look and Feel, download the QuaQua look & feel from randelshofer.ch/quaqua. UnZip the contained quaqua.jar and install it in ~/Library/Java/Extensions or one of the other ext dirs.
- If you are using Microsoft Internet Explorer 7, 8 or 9, try another browser. Seriously. Microsoft has taken great pains, over and over, to screw up Java and every other multi-platform standardisation.
- If you are using Microsoft Internet Explorer 7, 8 or 9, you must click to allow blocked content permission for Active X to run. This also gives permission to Java to run. Click the Information bar, and then click Allow blocked content. Unfortunately, this also allows dangerous ActiveX code to run. However, you must do this in order to get access to perfectly-safe Java Applets running in a sandbox. This is part of Microsoft’s war on Java. Don’t put up with it! Use a different browser.
- If you are using Microsoft Internet Explorer 9, makes sure the Java Plug-In SSV helper add-in is installed and enabled.
If it is not, try reinstalling the Java JRE.
- If you have Windows 7 64-bit
and Internet Explorer 64-bit,
in theory you can use 64-bit Java,
but I never been able to get it to work.
- Try upgrading to a more recent version of your browser, or try a different browser e.g. Firefox, SeaMonkey, Safari or Avant.
- If you still can’t get the program working click HELP for more detail.
- If you can’t get the above Applet hybrid working after trying the advice above and from the HELP button below, have bugs to report or ideas to improve the program or its documentation, please send me an email at
.
Get New Java Get New Browser
If the print is too small to see, use the Opera browser and zoom. Or copy/paste the
generated password blind.
Implementing Passwords
In a highly secure system, each end has a public and private key. They each encrypt and digitally sign a
random message for the other to establish identity. Even these have to be carefully designed to withstand a
man-in-the-middle attack.
There are some lower tech alternatives:
- If you have Java on both ends, the server could send a random string of bytes to the client. The client
could concatenate that with a string of bytes representing the password, then run it through a SHA-1 (Secure Hash Algorithm 1) or MD5 (Message Digest algorithm 5)
digest and send it back to the server. The server does the same thing and compares its version with the
client’s.
- If the server is C++ it won’t necessarily have access to a SHA-1 or
MD5 digest. You could then have to come up with a digest function you can implement
easily in C++. You could use an Adler or CRC (Cyclic Redundancy Check) with some wrinkle to make it a
tad harder to crack, or use one of the HashCode algorithms.
- If you want to avoid a two way exchange for faster login, let the random key be the time of day stamp in
UTC (Coordinated Universal Time/Temps Universel Coordonné). The client sends it along in plaintext with the digest. The timestamp is rejected if it is too far from
now.
- For something even lower tech, but unfortunately easy to crack, try XORing the bytes of the password with
something you change periodically.
- Base64 alone, cascaded Base64 or ROT13 is no protection at all.
Digest Passwords
Servers often don’t store bald passwords. They store some sort of digest of them. That way if someone
cracks the password file, they still don’t know the passwords.
Typically raw binary bytes generated by such authentication schemes are
exchanged in base64.
Tomcat has a single signon so that all applications in a realm share the same set of user-ids and passwords.
If a user logs into one application, he is logged into all. This scheme uses cookies to authenticate each
request.
Tomcat lets you configure the tables and columns to automatically look up and
validate passwords. Caucho Resin similarly lets you configure SQL (Standard Query Language) queries to
automatically find the passwords in your database.
Graphical Passwords
Another way is to use graphical passwords, easier for the user to remember, and harder to steal. The basic idea
is you display a complex image to the user and he selects a number of click points. I suspect this scheme is much less
secure than it creators claim, since there are a limited number of natural points of interest in a photo, which
could be easily discovered by showing the photo to 100 people.
Passwords at the Client
When your Applet or JWS (Java Web Start) applications is pretending to be a browser talking to a
server, you can use the java.net.Authenticator to automatically insert the userid and
password base64-encoded in your HTTP (Hypertext Transfer Protocol) headers in the Authorization field. If the server
does not like you userid/password combination in return a 401 Unauthorized response code.
The server gives you no hint as to whether the userid or the password is the problem. You might consider this
obnoxious behaviour, but it is done that way to make life difficult for people trying to hack the system.
Passwords at the Server
How passwords are handled is specific to each application server. Most will provide a rudimentary,
unsuitable-for-production flat file scheme. The better ones will provide a means of configuring a database for
the users. Almost all allow you to extend a class to provide a custom source.
Java Servlets defines a simple password scheme controlled entirely by a flat file web.xml. This would be suitable for a small company where the list of users and passwords could be
maintained with a text editor by the system administrator.
The best approach (for expandability) is to incorporate a third party SSO (Single Sign-On) (some application servers come with one). This allows
you to add new applications and share the login across them with a minimum of effort. Also, they typically plug
into an existing LDAP (Lightweight Directory Access Protocol) taking user and password management out of the application’s
hands. This allows corporations to take advantage of existing LDAP
data when deploying applications.
Tomcat offers five different interfaces to databases of passwords. JDBC (Java Data Base Connectivity) Realm lets you interface to a SQL
users and userroles tables. You configure the name of your
table containing the user ids and passwords (among other things) and your roles table which describes which roles
a user can play. You assign Tomcat a userid/password and jDBC connect string to give it with read-only access to
your database to perform the authentications. It is much simpler than it first looks.
Puzzles
Things I have not yet figured out include:
- How do you arrange for a timeout, so that after a period of inactivity, the login expires and the user has
to re-enter his password. I know how to do it from first principles, but not with Tomcat.
- Just how much does the Applet get in involved with cookies, or do they get piggybacked behind its
back.
- Does Java Authenticator understand the Tomcat cookie scheme?
Diceware
This is a scheme for picking a password without using a computer, just some casino dice. The paranoid instructions are somewhat
tongue in cheek. The scheme is just as vulnerable as any other if there is a keystroke logger (hardware or software) installed
on your computer. It is just as vulnerable as other schemes to others discovering a copy of your password stored somewhere. The big advantage is you
don’t have to trust the author of password-generating software.
Hacking
Here are some ways to hack passwords:
- Get a list of common passwords, and try them all.
- Set up a little website and ask people to give you a password. Chances are they will give you one of their existing passwords.
- Snoop on the conversation between user and website, pluck the password out of the initial message.
- Try all possible combinations of 4 letters and digits.
- Look for passwords written in a book or slip of paper in a desk.
- Look for a master list of passwords in a text file on disk.
Alternative
Passwords are very primitive. They are little better than no security at all. There are better systems, called private/public certificates that have
been around for decades that
don’t require you to reveal your password to anyone, not even yourself, so they do not require websites maintaining good security.
They don’t require you to memorize anything.
There is another school of thought that you should keep passwords to 4 to 6 letters and force users to accept
frequently changed ones. This discourages users from writing them down and discourages them for reusing them
elsewhere.
We could invent a portable hardware password wallet that generates random passwords, and coughs up the corresponding
password for any given URL (Uniform Resource Locator). This would defeat a keystroke logger. It could be implemented with software similar to
PWSafe (augmented with browser plug-ins) on a AES (Advanced Encryption Standard) encrypted USB (Universal Serial Bus) Flash Drive.
password
