Earlier this week I had a very small conversation with Pedro Mendes on twitter (well in terms of twitter it might be a long dicussion). It was initiated by him calling for suggestions for a password safe. I suggested better using a system for your passwords, which he thought was a bad idea. So lets have a look at both solutions.

You all know about these rules for choosing a password. It should contain a mix of lower and upper case letters, numerals, special characters, and punctuation. Moreover, it should be at least eight characters long and has to be more or less random. Since our brain is limited in remembering such things we tend to use easy-to-remember password (e.g. replacing letters using leet). But of course hackers are aware of that and it is quite easy to also encode such rules in their cracking algorithms. Equally bad is using one strong password for all accounts. So, how to solve this problem?

The second idea is using a system to generate passwords for each account. You have to choose a very strong password $$p$$, and a function $$f$$ that creates a unique password $$u$$ for every account using $$p$$ and the (domain) name $$n$$ of the related service: $$u = f (p, n)$$. You just need to remember this very good $$p$$ and $$f$$. Depending on your paranoia and your mind capabilities there are many options to choose $$f$$. An easy $$f_1$$ might just put the 3rd and last letters of $$n$$ at the 8th and 2nd pos in $$p$$ (see example below). More paranoid mathematicians might choose an $$f_2$$ that ASCII-adds the 3rd letter of $$n$$ to the 8th position of $$p$$, puts the $$\lfloor\sqrt{n} * 10\rceil/10$$ at the 2nd position in $$p$$, and appends the base64 representation of the multiplicative digital root of the int values of the ASCII letters of $$n$$ to $$p$$. Here you can see the examples:

$$p$$ $$n$$ $$f_1 (p, n)$$ $$f_2 (p, n)$$

So, you see if the password for twitter gets known the hacker isn’t able to log into your google account. To be honest, I guess that nobody will choose $$f_2$$, but I think even $$f_1$$ is quite good and leaves some space for simple improvements.

However, as expected this solution also has some dramatic disadvantages. If one of your passwords gets compromised you need to change your system, at least choosing a different $$p$$ and maybe also an alternative for $$f$$. As soon as a hacker is able to get two of these passwords he will immediately recognize the low entropy and it is not difficult to create a pattern for your passwords making it easy to guess all other passwords.

## Supp: The Conversation

just for the logs (in twitter chronology: new -> old):

Pedro Mendes @gepasi at 1:13 PM - 30 May 13
@binfalse I agree, but using 30 character completely random ones seems to be the best.

martin scharm @binfalse at 5:40 PM - 29 May 13
@gepasi either using a password safe (which also has drawbacks) or a system with a strong p and a complex f.

martin scharm @binfalse at 5:39 PM - 29 May 13
@gepasi however, i support the attitude seeing every pw as compromised. so the most important rule is using unique pws for every service.

martin scharm @binfalse at 5:39 PM - 29 May 13
@gepasi even after reading this article i’d say that ur:M~a{eim0 is quite strong and i’d expect to find it within the 10% uncracked.

Pedro Mendes @gepasi at 1:18 PM - 29 May 13
@binfalse but thanks for the tip on KeePassX

Pedro Mendes @gepasi at 1:18 PM - 29 May 13
@binfalse a system is not recommended. Anything a human can remember is broken within 24h. Read http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

martin scharm @binfalse at 1:03 PM - 29 May 13

martin scharm @binfalse at 1:03 PM - 29 May 13
@gepasi quite easy to remember (when you know p), very hard to guess and brute-forcing the related hash really takes some time.

martin scharm @binfalse at 1:03 PM - 29 May 13

martin scharm @binfalse at 1:02 PM - 29 May 13
@gepasi you just need to remember p and f, which may put the 3rd and last letter of n at the 8th and 2nd pos in p.

martin scharm @binfalse at 1:02 PM - 29 May 13
@gepasi choose a password p (as strong as possible) and a function f(p,n) that creates a unique password from p and a (domain) name n.

martin scharm @binfalse at 1:02 PM - 29 May 13
@gepasi afaik KeePassX is a good one. but i recommend to use a system!

Pedro Mendes @gepasi at 9:07 AM - 29 May 13
I need suggestions for a good password manager. Ideally only local storage (ie no cloud storage)

Currently observing a lot of brute force attacks trying to get access to my WordPress installation. Fortunately, I’ve been aware of such cranks when I installed WordPress, and now I want to share my technique to prevent such attacks.

## What's the problem?

The idea is to reject any login from anyone but you. For instance, using apache (most common webserver) you may only allow the access to wp-login.php from defined IP adresses:

This piece of code, included in a vhost or in an .htaccess file, will only allow connections from 1.2.3.4 to your wp-login.php . All other requests will be forwarded to / . You need to have the module mod_access installed. For more information take a look at the documentation of the mod_access . Other web servers like nginx or lighttpd have similar solutions. (And I think hope even the microsoft crap is able to do such basic stuff without much configuration overhead, but I’m too busy to read microsoft documentations…)

### Workaround for dynamic IPs

This command will create a tunnel from your local system to your.web.server . Connections to port 8765 at your systems will be forwarded to your server, hence, connections to your wp-login.php through the tunnel will be allowed. From now on only users having access to the server (physically or via SSH) are allowed to access you wp-login.php :-) There’s only one restriction left: you need to SSH to your server and you have to configure your browser to use this socks proxy before you can access WordPress. I recommend to use FoxyProxy.

## Testing

Ok, let’s ensure that our config works. Try to access wp-login.php from an IP which is not allowed to access this file, e.g. using curl :

Since I’m not allowed to access this page I got a 302 and am redirected to / . Ok, what happens if I connect from an allowed host?

Excellent, 200 == allowed! If you want to verify your proxy connections using curl pass another parameter -x socks5://127.0.0.1:PORT to the command:

Great, everything’s fine :D

## More Security

Of course you can add similar rules for other web sites or scripts. For example to restrict the access to the whole admin interface of WordPress add another restriction to the vhost / .htaccess :

I’m sure you’ll find even more reasonable rules.

## KDE file type actions

Annoyingly, KDE’s PDF viewer okluar always opened links to websites with an editor presenting me the source code. But I just figured out how to change this behavior.

KDE maintains a central config defining what to do with certain file types. Unfortunately, in my case the default application for HTML files was an editor (kwrite/kate). I don’t know who or what defined this stupid behavior, but there is a tool called kcmshell4 to edit the KDE configuration. That said, to edit the filetype-application-mapping hand it the parameter filetypes :

You’ll get a dialog to define a mapping for each known file type. In my case I had to configure okular to open links to HTML pages with konqueror. Hope that helps you to save some time ;-)

## encfs: transparent crypto overlay

encfs is a cryptographic file system (encfs-website). The principle is very easy, you “bind-mount” one directory (containing the crypt stuff) to another directory (where it’s unencrypted). Thus, you can share the encrypted stuff and nobody but you can read your data. So this system is excellent applicable for cloud services like Dropbox, which trap you with some space in the cloud “for free”, but want you to share your private data with them. In some <p>’s we’ll see how to setup encfs for Dropbox, but let’s first take a look at encfs itself.

## encfs

First of all you have to install encfs. Assuming you’re sitting in front of a Debian-based os:

Since encfs is fuse-based the user who wants to use encfs has to be member of the group fuse . You may use the groups command to make sure you belong to fuse :

If you’re not yet member of that group edit the /etc/group file or use the useradd command (howto). To apply the changes you need to re-login or use newgrp (man newgrp).

That’s it, now the way to use encfs is parved. Let’s say we want to work with our data in /dir/clear , while the whole stuff is stored encrypted in /dir/crypt . It’s quite simple to setup this environment, just call encfs [crypt-dir] [decrypt-dir] :

Give it a p and choose a password. This command will install an encrypted container in /dir/crypt and immediately mount it to /dir/clear . Feel free to create some files in /dir/clear (you’re new working directory) and compare this directory with /dir/crypt . You’ll see that you are not able to understand the files in /dir/crypt , unless you’re a genius or the setup failed. Thus, it’s no issue if anyone might have access to the content in /dir/crypt .

To unmount the clear data use fusermount -u /dir/clear . To remount it just call again encfs /dir/crypt /dir/clear , it will just ask you for the password to decrypt the data.

Of course it’s not very convenient to mount the directory every time manually, hence there is a workaround to automount your encfs directories on login. You need to install libpam-mount and libpam-encfs :

To automatically mount an encfs on login the password for the crypt-fs has to be the same as the password for your user account! If that’s the case, add a line like the following to /etc/security/pam_mount.conf.xml :

On your next login this directory will automatically be mounted. Very smart!

## Using encfs for the cloud

Ok, let’s get to the main reason for this article, winking towards Norway ;) . As you might have heard, there are some file hosting services out there, like Dropbox or Ubuntu One. They provide some space in the cloud which can be mounted to different devices, so that your data is sync’ed between your systems. Unfortunately, most of these services want to read your data. E.g. the Dropbox system wants to store a file used by multiple users only once. Even if they pretend to assure that nobody’s able to read your private data, you all know that this is bullshit nearly impossible! However, I strongly recommend to not push critical/private files to these kind of providers.

But, thada, you’ve just learned how to sync your files using the cloud while keeping them private! Let’s assume the directory /home/martin/Dropbox is monitored by Dropbox, you just need to create two more directories, like /home/martin/Dropbox/private (for encrypted files to be sync’ed) and /home/martin/Dropbox-decrypt (for decryption). Mount /home/martin/Dropbox/private to /home/martin/Dropbox-decrypt using encfs and work in /home/martin/Dropbox-decrypt . As explained above, feel free to setup an automount using pam ;-) Everything in /home/martin/Dropbox but not in the private directory will be sync’ed unencrypted, so you won’t loose the opportunity to share some open data with [whoever] e.g. via web browser.

Of course, this method comes with some drawbacks:

• It is a bit more work to setup every client, before you can start working with your private data (fortunately the overhead is kept in reasonable limits)
• You cannot access these files through the web browser, or using your mobile phone (unless your phone comes with encfs-support)

All in all, you need to decide on your own, how much you trust Dropbox (and alike) and which kind of data you commit to Dropbox unencrypted.

## Sync the clock w/o NTP

The network time protocol (NTP) is a really smart and useful protocol to synchronize the time of your systems, but even if we are in two-thousand-whatever there are reasons why you need to seek for alternatives...

You may now have some kind of »what the [cussword of your choice]« in mind, but I have just been in an ugly situation. All UDP traffic is dropped and I don't have permissions to adjust the firewall.. And you might have heard about the consequences of time differences between servers. Long story short, there is a good solution to sync the time via TCP, using the Time Protocol and a tool called rdate .

## Time Master

First off all you need another server having a correct time (e.g. NTP sync'ed), which can be reached at port 37. Let's call this server $MASTER . To enable the Time Protocol on $MASTER you have to enable the time service in (x)inetd. For instance to enable the TCP service for a current xinetd you could create a file in /etc/xinetd.d/time with the following contents:

Such a file may already exist, so you just have to change the value of the disable -key to no . Still using inetd? I'm sure you'll find your way to enable the time server on your system :)

## Time Slave

On the client, which is not allowed to use NTP (wtfh!?), you need to install rdate :

Just call the following command to synchronize the time of the client with $MASTER : Since rdate immediately corrects the time of your system you need to be root to run this command. Finally, to readjust the time periodically you might want to install a cronjob. Beeing root call crontab -e to edit root's crontab and append a line like the following: This will synchronize the time of your client with the time of $MASTER every six hours. (Don't forget to substitute \$MASTER using your desired server IP or DNS.)

## Notes

Last but not least I want you to be aware that this workaround just keeps the difference in time between both systems less than 0.5 secs. Beyond all doubt, looking at NTP that's very poor. Nevertheless, 0.5 secs delay is much better than several minutes or even hours!

If it is also not permitted to speak to port 37 you need to tunnel your connections or you have to tell the time server to listen to another, more common port (e.g. 80, 443, or 993), as long as they are not already allocated by other services..