|
2009-11-24, 12:17 PM | #1 |
I'm going to the backseat of my car with the woman I love, and I won't be back for TEN MINUTES
|
Password Protecting a Directory
I want to password protect a directory. I can simply do this in the cpanel at my hosting company.
Assuming I use a good long password, how secure is this method?
__________________
My Blog: Working The Business |
2009-11-24, 03:24 PM | #2 |
Porn Blog Addict
|
should be fine as long as you aren't storing credit card numbers or personal data.
|
2009-11-24, 04:19 PM | #3 |
Are you sure this is the Sci-Fi Convention? It's full of nerds!
Join Date: Mar 2009
Posts: 266
|
I've use that in some of our sites and it has worked without problems so far. Beaver Bob's advice is a good one, we don't store credit card numbers there, we have a separate database for that.
|
2009-11-25, 02:57 PM | #4 |
A woman is like beer. They look good, they smell good, and you'd step over your own mother just to get one!
Join Date: Nov 2009
Posts: 59
|
Pass Protect
If you have access to ssh you could run the following command htpasswd -c /PATH TO MEMBER DIRECTORY/.htpasswd USERNAME
Replace PATH TO MEMBER DIRECTORY with the path to your members directory and USERNAME with the username you want to use, once this is run you will be prompted to enter a pass, from their you can go ahead and enter the pass you want and then re-enter it. If you have cpanel you can login, on your main cpanel page scroll down to the security tab. You will have an option that says password protect directories. Click on that and just follow the instructions. it is quite easy and fast through cpanel. Thanks |
2009-11-25, 02:58 PM | #5 |
A woman is like beer. They look good, they smell good, and you'd step over your own mother just to get one!
Join Date: Nov 2009
Posts: 59
|
The secure way for me would be to use my ssh description that will encypt with md5 encryption.
|
2009-11-26, 07:21 PM | #6 |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
With a long password, IF the directory isn't an attractive target for attackers,
such as your member's area or certain admin areas. However, as maxprohost mentioned, I'd also suggest using strong encryption rather than the default 1974 style. You can use this free online tool to do the strong encryption: https://www.bettercgi.com/strongbox/admin_pass.html Just copy and paste the output of that tool in your .htpasswd file which cpanel will generate for you, replacing the line created by cpanel. |
2009-11-27, 10:26 AM | #7 |
I'm going to the backseat of my car with the woman I love, and I won't be back for TEN MINUTES
|
@maxprohost & Raymor
Thanks, that hit the nail on the head.
__________________
My Blog: Working The Business |
2009-11-27, 11:33 AM | #8 |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
I probably should have also mentioned, for better security, such as on your
members' area, use Strongbox. |
2009-12-01, 07:35 AM | #9 |
Aw, Dad, you've done a lot of great things, but you're a very old man, and old people are useless
Join Date: Sep 2009
Posts: 23
|
You need a script that tracks access and stops it. If you just use htaccess, then the hacker can just keep hitting it with a brute force until they find the right user/pass combo's. A script would block them after x attempts and make it tougher (not impossible).
__________________
The No B.S. Guide To Adult Website SEO & Link Building. |
2009-12-01, 09:23 AM | #10 | |
Aw, Dad, you've done a lot of great things, but you're a very old man, and old people are useless
|
Quote:
Force Attack Protection feature. Too many 401 errors on an IP address, will get the IP address blocked. If the ip address has been associated with brute force, we remember/block the Ip address. It doesn't matter whether there were 10K attempts or 5k attempts from that Ip address ... it's IP address we block. The other key to stopping the brute force attack is this: if the do get a password Phantom Frog catches the abused password almost immediately using High-Resolution Geo-IP tracking .... pretty soon the hackers get frustrated and go somewhere else. Geo-IP tracks all accesses to the members area down to the city level. We offer a free trial of Geo-IP Pass Abuse Detection. This is in addition to our Automated Member Support (AMS) feature which provides 24/7 uninterrupted access to legit members and none to hackers. Thanks George |
|
2009-12-01, 12:39 PM | #11 |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
It might be worth rephrasing what I said above since there are some
comments that may be unclear or misleading because the respondents perhaps didn't pay close attention to your question. As you may know, we sell the leading security system to protect you from brute force, but you do NOT need to buy our product or any other, based on what you've said. It sounds like your situation is one where you really don't need to worry about brute force, probably, so don't let any scare tactics in sales pitches you may come across confuse you. Although more sales for us would be great, we do NOT want to sell you something you don't need. That's based on your question in your initial post - "assuming I choose a good long password ... ". That tells me that it's just you accessing it, we're not talking about your members' area or another highly advertised URL. In that case, and assuming you choose a password, or better pass phrase, that is at least 10-12 characters long it will not be brute forced. Even with a user name and password of only nine characers here's the math: There are this many possible user names: 84,590,643,846,578,176 There are also this many possible passwords: 84,590,643,846,578,176 To successfully hack the site by brute force, the hacker has to guess a valid combination of username and password. To get the number of possible combinations he would have to try, we multiply the number of usernames he has to try by the number of passwords for each one: 7,155,577,026,378,634,231,908,944,079,486,976 That's a huge number, of course. How long would it take to brute force that? 113,450,929,515,135,626,457,207 years - time to brute force. 13,700,000,000 years - Age of the universe, since Big Bang. 65,000,000 years - time since dinosaurs So if God had started trying to brute force your site at the same time that he created the universe, His progress bar on his brute force software still wouldn't have hit 1%. The above math assumed he tries one combination per second. Even trying a hundred combinations per second, it'll still take this many years: 1,134,509,295,151,356,264,572 That's still longer than the age of the universe, so unless you expect your site to be a around a lot longer than the universe, you don't need any software that's being promoted to protect that directory from brute force. It would be a waste of money. It you WANT such protection, we can help you, and Strongbox is quite affordable, but you don't need it in this case, not for brute force protection. Another type of attack related to brute force is a "dictionary attack". That's where it's important that you said you'd choose a good password. If you chose a crappy password, like "admin" or "password" you'd need to get some protection, and really should also get a clue. But you specifically said "if I choose a good long password", in which case you need not be worried about a dictionary attack. One thought that helps to choose a good password is to stop calling it a password and think "pass phrase" instead. Something like "Living with quinns phone, Ray" isn't going to fall to dictionary attack (or brute force). So you do not need to buy, or lease, any special software if you choose a good long pass phrase. Our software, like others, is useful mainly when you have members log in. Members don't choose good long pass phrases. Since it won't fall to brute force or dictionary attack, what's left is social engineering (tricking you into telling someone) or cracking the password file. No software will prevent you from telling your password, that's just a matter of being careful. Because password files by default use encryption from 1974, cracking the password file is a real possibility and that's how many sites get hacked. Additionally, the default 1974 style encryption, called "DES", actually uses only the first eight characters of your password, so that good long password you chose it silently turned into a short weak one. ONLY our system takes care of that encryption, which is the only real issue you have. You don't need brute force protection software, you just need an encrpytion upgrade. Only our |
2009-12-02, 04:50 AM | #12 |
All the way from Room 101
|
BE UNPREDICTABLE
Choose long and weird passwords with odd character combinations. Change off the peg directory structures to custom ones when installing scripts. Why use domain.com/members/ , when you can use, domain.com/themembersarea/ ?
__________________
|
2009-12-02, 06:29 AM | #13 |
I'm going to the backseat of my car with the woman I love, and I won't be back for TEN MINUTES
|
@raymor
You really did a good job dissecting my question. You are correct in that I don't intend to make a members area. You are also correct in that I would not use a dictionary password, but something more like the first letter of all my friends and family put together with the several numbers that when said together "sound" like a whole word. I typically use passwords of 20 alphanumeric characters. Thank you for the detailed explanation. I understand now why and where the encryption is needed. @urb I do need to get more creative with my directory structure. Once I get a feel for building adult sites in the kind of volume needed, I should be able to reduce the predictability factor. @fandango & gmr324 I like the idea of a script the tracks and/or blocks ip, even if I know that they will never crack my password with brute force. I've had my host shut down at least one site because someone decided to attack it. On a related note: What would be nice is if all commercial sites(not just adult) would just block all the ips of anonymous proxy sites. Probably would turn the economy around almost overnight.
__________________
My Blog: Working The Business Last edited by mark6188; 2009-12-02 at 06:32 AM.. |
2009-12-02, 10:13 AM | #14 |
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
|
Strongbox detect open proxies and handles them accordingly.
|
|
|