Category Archives: security

How to create unique passwords for every site and remember them easily?

In general

It's an algorithm that can be applied almost everywhere and requires no special skills. First of all, let's define the cons and pros, so you can choose whether you would gain an advantage from it or not.

Cons

  • depends on the particular site to some extent (sensitive to changes there)
  • requires a few seconds of thinking (depending on the complexity of your own algorithm)

Pros

  • an absolutely, undoubtedly unique algorithm: the base is clear, the implementation is your own
  • can be extended or tuned if needed - flexibility is everything
  • no need for a keystore or Internet connectivity
  • hard to guess even if someone steals one or two of your passwords

If the pros outweigh the cons for you, here we go.

The trick

This password algorithm is similar to the ones used by password-generator websites, where you have:

a) domain name

b) keyword of yours

so the website hashes the domain with your keyword and generates a unique string to be used as the password value. The problem is the unreliability of such websites - you might not have an Internet connection, the site could change, someone could break into it, and so on.

Our algorithm works that way:

  1. you take some parts of the website/program (domain name, header, title - something not likely to change soon)
  2. you encrypt (transform) it on your own
  3. you use the final sequence as the password
  4. as a result, the final sequence for each site looks different and is hard to guess

The main issue here is that you rely on the site/software staying constant. If you rely on the domain name and the owner migrates to another one, you have to use the 'forgotten password' link or just remember the last version change. Shitty, but a rare case.

Examples

A few examples as proof of concept.

Simple Algorithm: we count the domain symbols (length), multiply by 3 and append the number to the reversed website name.

If we take for instance google.com, our password would be elgoog27 (google reversed, and the length 9 multiplied by 3).

For freelancer.peshev.net we get recnaleerf57 (if we reverse only the first part of the domain).

Complex Algorithm: we take the second and third letters of the website name, increment the first of them alphabetically ('a' becomes 'b', 'd' becomes 'e', etc.) and decrement the second. We use the string '$xZ' as a constant after the transformed letters. We append the last 3 symbols of the source code of the main page. At the end we add the length of the subdomain (if any), the main name and the top-level domain.

Taking the same example google.com, we get: pn$xZpt>63 ('oo' with inc(1) and dec(1), then the literal, then the last three symbols of the source, which are the end of a script tag, and finally 63 (the length of 'google' and the length of 'com')). Hardly guessable, although the source code might change at some point (use at your own risk).

If I apply it to my own freelancer blog, freelancer.peshev.net, I get sd$xZml>1063 ('re' transformed, the constant, the end of the html tag, and the lengths of 'freelancer', 'peshev' and 'net').
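The two recipes above, written out in code as an added example (this is not the author's own code). It assumes that the simple recipe counts every character of the full domain except the dots, which is what reproduces the post's 27 and 57, and that the letter shift wraps around at the ends of the alphabet; the page-source tails are constructed inputs standing in for the real main page.

```python
# Added example, not from the original post: the "simple" and "complex"
# mental password recipes, written out so the worked results can be checked.
# Assumptions: the simple recipe counts every character of the full domain
# except the dots (google.com -> 9, matching the post's 27), and the letter
# shift wraps around within a-z ('z' + 1 -> 'a').
from typing import List

CONSTANT = "$xZ"  # fixed literal from the complex recipe


def labels(domain: str) -> List[str]:
    """Split a domain into its dot-separated labels, e.g. freelancer.peshev.net."""
    return [part for part in domain.lower().split(".") if part]


def shift_letter(ch: str, delta: int) -> str:
    """Move a lowercase letter delta places in the alphabet, wrapping at the ends (assumption)."""
    if not ch.isalpha():
        return ch
    return chr((ord(ch) - ord("a") + delta) % 26 + ord("a"))


def simple_password(domain: str) -> str:
    """Reversed first label + 3 * (number of non-dot characters in the domain)."""
    parts = labels(domain)
    count = sum(len(part) for part in parts)
    return parts[0][::-1] + str(count * 3)


def complex_password(domain: str, page_source: str) -> str:
    """Second and third letters of the first label, shifted +1 and -1, then the
    constant, the last three characters of the page source, and the length of
    every label joined together."""
    parts = labels(domain)
    first = parts[0]
    if len(first) < 3:
        raise ValueError("first label needs at least three letters")
    head = shift_letter(first[1], 1) + shift_letter(first[2], -1)
    tail = "".join(str(len(part)) for part in parts)
    return head + CONSTANT + page_source[-3:] + tail


if __name__ == "__main__":
    # constructed sample inputs; the page-source tails mirror the post's examples
    print(simple_password("google.com"))                          # elgoog27
    print(simple_password("freelancer.peshev.net"))               # recnaleerf57
    print(complex_password("google.com", "<html>...</script>"))   # pn$xZpt>63
    print(complex_password("freelancer.peshev.net", "</html>"))   # sd$xZml>1063
```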

...

You can define an algorithm of your own, based on your own needs and expectations. The point is that you remember only the steps; the rest is translated at runtime, when you enter the site.


Digital signatures and PDF signing


I am working on a project that requires PDF signing through a website.

The current infrastructure is an Apache + PHP website. What we need to achieve is to integrate the digital signature of a user visiting the website and sign the required files with it. After the negotiations, one of the most appropriate solutions turned out to be a signed applet that signs the PDFs.

The steps for the project creation are the following:

  1. Create an applet
  2. Create a certificate to sign the applet via the keystore tool (if root CAs are not available)
  3. Sign the applet (allowing read/write access to users' hard drives)
  4. Create a REST implementation that can read/write to the server database via HTTP
  5. Implement the iText API
  6. Create an appropriate interface to list certificates and documents, too
  7. Sign each of the documents

Some useful materials on the topic:

How to sign a Java applet

How to sign an applet (and get it to work)

Oracle Signed applets tutorial

Creating PDF with Java and iText

How to sign a PDF using iText

LiveCycle ES PDF signing (the Adobe way)