
Posted on: August 22nd, 2011 by Famous Phil

These days, posting here is a rare activity because I don’t often deal with server administration issues any longer (although I am working on changing that :D ). Today, I was asked to reset the password on a Mac server because the user didn’t remember the password. Personally, I don’t know how a server-oriented password can be lost, but whatever, I guess I’ve seen it all now :)

The Mac, like Linux and its BSD roots, has a weakness when someone has physical access to the machine. Passwords are stored as password hashes in a simple file on the server. To change the password of any user account, you have to gain write access to that password (or shadow) file and change the hash to one that matches the new desired password. Typically, this is very easy to do on any kind of Linux or BSD operating system. For all of you Windows fans, Windows stores the passwords encrypted in SAM files (if I recall correctly), and there are also password reset disks available that you boot from to overwrite the administrator account password with your own. Once again, resetting a password to gain access to a machine is very easy provided you have physical access. One small exception to this rule on every platform: if the encryption feature is enabled on a user account (where such a feature exists), the files that were encrypted will never be readable again if you change the password using this method.

Since this is about resetting the password on a Mac, I’m only going to cover Mac OS. The Mac, like Linux and BSD, has something called single user mode, which is basically a recovery environment built into the operating system. When something doesn’t work properly, this environment boots and gives the local user (on the console) a command prompt running as the root user (superuser). In single user mode the local hard disk is typically mounted read-only, but because you are root you can simply remount it read-write. After that, it’s a matter of changing the password. If you aren’t a single user mode fan, Apple even puts a Reset Password utility in the Utilities menu of its installation disk that does the same job.

So, using the single user mode shell, here is the procedure for resetting the password on your Mac:

  1. Shut down the computer.
  2. While holding the Command (Apple) key and S simultaneously, power the computer on.
  3. The command line will come up shortly.
  4. Type in “/sbin/mount -wu /” without the quotes; this remounts the root filesystem read-write so the password file can be changed.
  5. Type in “passwd <user>”, where <user> is the username whose password needs to be reset.
  6. Type in “reboot”.
  7. Log in as the user whose password you reset, using the new password you set.

I’d like to mention that many other tutorials list a lot of other commands as required; these aren’t necessary, since they are only checks on the operating system. There is also a command called nidump which will give you the password hash for a user; this is useful if you want to spend the time cracking the password. In my case, that would simply have been a waste of time.

Hopefully this helps someone else out.

Posted in Hosting / Server Administration, Technology

Posted on: September 30th, 2009 by Famous Phil

First, to cover my lack of posting here on my blog: between my school work and my personal email gateway server project I have had barely any time to myself for anything else (including this blog :/ ). Hopefully my next post will be on how to configure an Exchange email filter server (edge server) using Ubuntu Server, MailScanner, SpamAssassin, and ClamAV. I’ve been working on this for a couple of weeks now and I’ve almost got everything working flawlessly!

I’m writing this post to cover the lack of password security in today’s society. Hopefully after reading it, you will be inspired to update your passwords and memorize passphrases that are hard to remember, for the sake of privacy and security. To start, I’m going to use the first 2 passwords I ever used as examples to prove my points. My first password was “fish” and my second was “together”. I’m posting these because I’m fairly sure that I no longer use these passwords in any environment I care about, although they may still linger on old GeoCities, Yahoo, etc. accounts that I created years ago.

Using dictionary passwords is the ultimate downfall of any password you could ever come up with. The reason I say this is that passwords are generally turned into encrypted strings using mathematical methods called algorithms in the computing industry. These algorithms include the md5 and sha algorithms (among many others), and they are theoretically irreversible (meaning that if you have the encrypted string, there is no direct way to get the original password back).

For the longest time, I used passwords such as fish to secure my files because they were easy to remember. I also used md5 to protect passwords on my websites. Little did I realize that, fish being a dictionary word, an md5 lookup database exists that has all the known dictionary words in it. This means that within a second or two, I can go to a rainbow table site, enter my encrypted (supposedly secure and irreversible) password, and most of the time it will return my original password. In addition to dictionary words, the rainbow tables include many common combinations such as 123, abc, and !@# (shift-123) tacked onto dictionary words. This means that passwords like fish123 are also insecure.

To fix this, many password encryption algorithms are supplemented with a salt: a random string of characters added to the original password prior to encryption, so that the resulting md5 no longer matches anything in a precomputed table. This is great and all, but the salt can usually be retrieved easily if you compromise the system and get its value along with the md5 password database.
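As an added illustration of the lookup-table and salt points above (example code written for this page, not the author’s): a constructed four-word dictionary stands in for a full word list, md5 is used only because it is the hash the post discusses, and the final function shows the post’s caveat that a salt obtained together with the hash database still leaves each hash open to a per-user dictionary run.

```python
import hashlib

# Constructed stand-ins for a full word list and the suffix combinations the post mentions.
DICTIONARY = ["fish", "together", "summer", "password"]
SUFFIXES = ["", "123", "abc", "!@#"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table() -> dict:
    """Precompute md5(word + suffix) -> plaintext, as an online md5 lookup site does."""
    return {md5_hex((w + s).encode()): w + s for w in DICTIONARY for s in SUFFIXES}


def reverse_unsalted(digest: str, table: dict):
    """An unsalted md5 of a dictionary password is 'reversed' by a single table lookup."""
    return table.get(digest)


def salted_md5(password: str, salt: bytes) -> str:
    """Salted variant: the stored hash no longer matches any precomputed table entry."""
    return md5_hex(salt + password.encode())


def crack_salted(digest: str, salt: bytes):
    """With salt and hash in hand (the post's caveat) the attacker must rehash every
    candidate for this one user; the table is useless, but a short dictionary still falls."""
    for w in DICTIONARY:
        for s in SUFFIXES:
            if salted_md5(w + s, salt) == digest:
                return w + s
    return None
```

The salt removes the one-second table lookup but not the per-hash dictionary pass, which is why the per-guess cost of the hash itself matters once the database leaks.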

As a system administrator, I am constantly paranoid about how secure my password is, because I know how easy passwords are to crack if you use something simple or a common predefined combination. Because of this, I now use passwords that look like “sdk3#8*(&JdS”. I tend to use 10 characters with no similarities or patterns between them. To generate these passwords, I bang my head (or hands) on the keyboard, see what comes up, and then randomize it further. Overall, I would consider the above password secure for about a year.

The reason I say a year is that a supercomputer could easily brute-force that password within a year by going through every possibility up to 10 characters. There is a chance the md5 would match multiple candidates when reversed, but overall you wouldn’t go over your limit of bad password entries. This is why it is strongly encouraged that you change your confidential passwords every few months or so.

For my server administrator accounts (full-access accounts), I use 25-character passwords that make cracking almost impossible. Unfortunately, they are also very difficult to remember, so I keep them in a password book inside a fireproof lock box. I consider this secure since only 1 person (myself) has a key to the box. I still change these passwords every 3 months, but they are far harder to crack.

Finally, to ensure that no one can run a supercomputer brute-force method (trying every combination) against my login, I always make my computer lock up after 5 failed attempts, so that you have only 5 guesses at my password.

Hopefully this inspires you to change your passwords often, like I do!

Posted in Hosting / Server Administration

Posted on: April 25th, 2009 by Famous Phil

After a lot of googling, I had trouble finding any information on this topic anywhere, so it seems worth blogging about. Let’s introduce the topic, shall we? :)

For as long as I can remember, I have visited many forums and other sites that require the user to log in to post or perform other actions reserved for registered users. Naturally, I have signed up with these sites to either 1. contribute my knowledge, or 2. access the content I need. On almost all of these websites, logging in offers 2 options: 1. “log in and don’t save your login”, or 2. “log in and remember me in the future so I don’t have to log in again”. A few sites instead have a drop-down for how long you want to remain logged in, with options of 30 minutes, 1 hour, 6 hours, 12 hours, 1 day, 1 week, 1 month, or never log me out. I like those sites the best because they generally default to 1 hour, which clearly tells me how long I can post before I’m logged out and lose my post data.

Normally, on sites without this drop-down, I choose option number 1. My reasons are that 1. it is one mouse click less (I hate using the mouse when I absolutely don’t have to, and this is my biggest reason), and 2. since my login isn’t stored, there is no possibility that anyone else can access my account if my computer is stolen or accessed without my authorization. My third reason is that I typically forget that Tab will take me to that box, where I could tap the space key. I usually type in my password and immediately hit Enter without thinking.

There are appropriate session lengths for different kinds of sites. For example:

  1. Bank sites and sites that display confidential information, such as PayPal, eBay, Amazon, Walmart, etc., should have shorter session times. A shorter session on these sites can protect you if you walk away from the computer for a while and leave it unprotected (which I occasionally do). There is also the fact that these sites generally don’t require you to type in data that takes more than 5 minutes to enter without first confirming some of it with the server. Therefore, it would make no sense to keep the session longer.
  2. Webmail services such as Yahoo Mail, GMail, Hotmail, and others should expect that you will log in and possibly write an email that takes more than an hour to compose. Normally, if a message is going to take this long, you should write it on your computer and then copy and paste it, but many people don’t do this (I certainly don’t, and I don’t know many people who do). In addition, if you pay for these services, they have separate account management interfaces with shorter timeouts that require an additional login. Therefore, webmail generally has a very reasonable timeout for good reasons, and it still maintains appropriate levels of security.
  3. Most forums (except for 2 that I’m aware of) have session timeouts longer than 30 minutes. I feel that 30 minutes to post what you want to say is appropriate for a forum. I usually end up writing for 20 to 25 minutes for each post I make. If I have a feeling I will take much longer, I write on my local machine and copy and paste it to post later. I do this for a few reasons: 1. I’m afraid my browser will crash, and 2. I’m afraid the session might time out (if over 30 minutes). I’m the kind of person who won’t post unless I take the time to make my post very meaningful, and I feel strongly about sharing that knowledge.
  4. Most blogging software that I know about (including my own WordPress) saves drafts every minute, which keeps my session active and therefore lets it get by with a shorter session time. I’m not sure what my session time is limited to, but I’m positive that I will never lose my post due to a timeout or an internet connection issue.
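As an added example (not code from the post): a small sliding-window session store in Python with an idle timeout and an absolute limit, using constructed bank and forum policies. It shows the point made in item 4, that a draft autosave every minute keeps a forum session alive through a long post, while a bank session still dies on its hard cap no matter how active the user is. The policy numbers are assumptions chosen to match the post’s categories.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionPolicy:
    idle_timeout: int     # seconds of inactivity before the session expires
    absolute_limit: int   # hard cap from login, no matter how active the user is


# Constructed policies for the post's categories (the numbers are assumptions).
POLICIES = {
    "bank": SessionPolicy(idle_timeout=5 * 60, absolute_limit=15 * 60),
    "forum": SessionPolicy(idle_timeout=30 * 60, absolute_limit=12 * 3600),
}


class SessionStore:
    def __init__(self, policy: SessionPolicy):
        self.policy = policy
        self._sessions = {}  # session id -> (created_at, last_seen)

    def login(self, sid: str, now: float) -> None:
        self._sessions[sid] = (now, now)

    def is_valid(self, sid: str, now: float) -> bool:
        """Expire on idle or absolute timeout and drop the entry once it is dead."""
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        created, last_seen = entry
        if now - last_seen > self.policy.idle_timeout or now - created > self.policy.absolute_limit:
            del self._sessions[sid]
            return False
        return True

    def touch(self, sid: str, now: float) -> bool:
        """Any request (a page view or a draft autosave) slides the idle window forward."""
        if not self.is_valid(sid, now):
            return False
        created, _ = self._sessions[sid]
        self._sessions[sid] = (created, now)
        return True


def survives_autosave(policy: SessionPolicy, interval: int, duration: int) -> bool:
    """Does a session started at t=0 survive `duration` seconds of autosaves every `interval`?"""
    store = SessionStore(policy)
    store.login("s", 0.0)
    t = 0
    while t < duration:
        t += interval
        if not store.touch("s", t):
            return False
    return True
```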

So now it is time for a quick rant that ties into the topic. On 2 forums that I visit somewhat regularly (one where I have a lot of posts, the other where I don’t), on 5 occasions I have written a long post that took about 25 minutes each time, and I lost all but 2 of them to timeouts. Normally when this happens, I get mad and just leave. That’s mostly the reason I blog here now, on my own server, and not elsewhere. Anyway, these 2 sites have session timeouts of less than 15 minutes (I think it’s 10, although it’s hard to tell). For me, 30 minutes is the minimum reasonable session length for a forum, for people like me who post a lot of information in a single post.

These forums must have an easy option to increase the session time limit, so what is the big deal in increasing it? By increasing it, you give your users more time to make a single post without fearing a timeout (and losing a long post), and you won’t make posters who post a lot of content mad (like me). People who make large posts generally help to increase SEO scores and make your site more popular, thus increasing advertising revenue. So I see increasing the session timeout, and spending the 5 minutes to find that option, as a win-win.

Anyway, I approached one of these sites’ administrators once and mentioned this (and in recent times have asked other close friends), and have gotten the same basic response: “Learn how to check that keep-me-logged-in box!” Although it isn’t that hard, I normally forget that I can Tab to it (mostly a systematic habit of hitting Enter immediately after the last character of my password for that site), and using the mouse to do it is a waste of 5 seconds and hand movement, because I’m usually too lazy to move my hand from the keyboard to the mouse *chuckles*. In addition, that check box will just be unchecked the next time I open Firefox, because I have Firefox wipe out my cookies / history on exit.

Another point I would like to make is that I use Norton Ghost to restore my computer to an original state that I captured immediately after installing Windows. I do this about once a week, so if Firefox doesn’t automatically remove the cookie I set, this certainly will. So that extra effort is pointless for me. This probably doesn’t affect most people, but for me, checking that box is pointless.

Basically, I join sites because I want to, and if I feel that the admins of these forums don’t think something this simple can be fulfilled, then I feel I should take my content elsewhere (or just save the time and put it into learning other stuff). I’m not sure how many people would agree with me, but I’m the kind of person who is set in my ways and somewhat resistant to changing habits I formed years ago. Perhaps this is bad for me, because I am a computer science student and should embrace change, but this is just how things are for me. I consider some changes good and others very bad.

Anyway, your comments are appreciated (both good and bad). I’d rather keep these sites anonymous because I’m not bashing their techniques or sites (in fact, both of the 2 I have had issues with are extremely helpful when I read them); I’m just stating what is on my mind. So if you think your site may be the one I’m talking about, I’d rather not see it posted in a comment.

Posted in Hosting / Server Administration, Personal, Programming, Technology