Security
Backups
We live in a world now where everyone has data that is important and they don’t want to lose but, where all this data is on devices that aren’t perfect. Hard drives fail, pen drives are lost, discs get scratched and (for anyone still living 15 years ago) floppy drives get put on a box of magnets.
The point is, backup is very important, but it is something that no one really considers worth doing until after they need it, by then, it is too late. There are plenty of ways to back up all kinds of data now. Most of it depends on what kind of data it is, and where it is saved.
It is important to remember, it is not a backup if it is the only copy. This might seem obvious but I have seen people who have burned their photo collection to a DVD and then think the data is backed up so they delete the files from their computer. Then after 6 months of using the DVD as a coaster on their desk they want to show someone their holiday pictures and find the DVD doesn’t work anymore. They are then confused because it is a backup.
I’m a little paranoid when it comes to back ups. I don’t want to lose anything so I have at least 2 copies of irreplaceable data that I would be upset if I lost, and several copies of incredibly important data where I would be screwed completely if I lost it (such as my university work, data loss isn’t an excuse for a late assignment). The problem with all this is that I am really lazy. I don’t want to have to remember to back up everything all the time, I just want it to run automatically.
Windows Home Server helps with this a lot, it can automatically backup the computers on your network everyday. It will turn it on at 2 am and backup the entire hard drive. This doesn’t take long since it only does an incremental backup. Some of the important data I keep on the server such as my photos are saved in a share with folder duplication enabled. This makes sure that everything in that shared folder is stored on 2 hard drives so if one fails, the data isn’t lost. Obviously this needs twice as much space so I can’t have it for everything.
I’m a little more paranoid than that though. I have a program running on the server that will download a complete backup of this website every night over FTP, and I have a plugin installed that emails me a database backup every night. The programs I use for this are FullSync and the plugin WP-DB-Backup. I realise that my hosting company probably keeps backups, but I don’t want to have to rely on it only to find that they only do it once a month. I don’t think that it is a good idea to rely on someone else to back up your data.
To stop my inbox getting filled with backups I use a useful Gmail feature, you can have + and then anything you want after the username and it will still arrive in your inbox, e.g. username+backups@gmail.com. This then lets you set a filter on incoming email to that address. I have these are automatically marked as read, achieved to skip the inbox, and labeled as backups. This stops them being in the way of my normal email but I still have them.
However, I don’t trust Gmail. A couple of years ago I logged in to find that every email was gone. Gmail never responded to my support request and I still don’t know what happened. That is why I backup my emails as well now. I have a program call Gmail Backup that I run on a scheduled task every day to download all my emails into a zip file. It is possible to run from command line so I wrote a batch script to do it and have that run daily on a scheduled task. This is on my Windows Home Server as well so everything gets downloaded into my backups folder that has folder duplication on.
I also use Dropbox. This is more for convenience of synchronizing my work between my PC and laptop but it doubles up as an extra backup. You can set a folder as being your Dropbox folder. Everything in the folder is automatically synchronized to their servers. If you install it on multiple computers then it will automatically download changes as well so it can keep several computers synchronized. You get 2GB of space on a free account.
I recently started using Subversion for all my version controlling of code. I didn’t use anything before. The SVN server is running on my Windows Home Server and the repositories are in a share with folder duplication. For an extra level of backup, there is the latest revision of everything in the share as well. ‘svn update’ executes every night on a scheduled task. I never change the code in that folder so there should never be any problems with merging.
Finally, and again more of a convenience than a backup, I keep a copy of most important things on my pen drive just so I have them when I’m not on my computer. I have a portable version of Dropbox installed on it and the latest revision of my SVN repository so that is another backup as well.
I don’t expect most people are as thorough as me about backup but I think that everyone should have a system in place, an automatic one is even better because you can just set up and forget.
It is important to make sure that your backups are in a format that is easily restorable. Before I stared using WP-DB-Backup I was running a script I had written myself to back up to the database. It worked perfectly except the backup didn’t contain any SQL to create tables so it wouldn’t have been very easy to restore. There was also no compression on the file so they were starting to get quite big. I ran it on a cron on my hosting and it was starting to fill up my web space.
Online security
Following up on Tom’s post about Passwords I have noticed that there is an increasing amount of poor security online. As his post shows, people still use really insecure passwords.
I’m signed up to a website that sends me an email every couple of weeks to tell me about their latest offers and they attach my username and password ‘Just in case I forgot’ I wouldn’t be surprised if this the same website that Tom talks about and really there is no excuse for it.
The same goes for websites that will send you your password after running through the forgot your password wizard on the site. If they are able to send you it then they are doing it wrong. Any programmer who has made a login function for a system, has probably stored the passwords in plain text at some point. The main reason for this is probably laziness. I know that I have done it before. It was the first login system that I made.
It’s not even hard to make your database more secure. Store hashes of the password, MySQL has an MD5 function that will do it for you. Since there are online databases for looking up hashes then add a long random string to the password before hashing it, this is known as salting. That will make it almost impossible that it could be in the database. When the user tries to login, add the random string to what they type and hash it. If it matches the stored hash of their password then they must have entered the correct password.
This means that even the user has really bad password like ‘password1’ then the hash that a hacker might get hold might be of ‘password1ReallyLongAndRandomSaltForThePassowrd’. In reality it would probably be better to generate a random string to use for each user as a unique salt for them. Then store that in the database as well.
There are few more things you need to do, especially on the public websites, but as for passwords that is one of the easiest ways to keep them secure. Since the passwords aren’t in the database then a hacker wouldn’t be able to get hold of them. The random salt drastically reduces the chances of being able to look up the hash. It doesn’t help against a brute force attack though since they would have the salt so it is still important to use good passwords.
I started using KeePass a few months ago to store my passwords. It will generate random passwords for you if you want, but then it can save all your account details in an encrypted database. Then you only need to remember one password. I use the portable version of the software and keep it in my Dropbox along with the database. That way I always have the latest version of the database whichever computer I am on. I also have it on my pen drive for when I am out.
It might be more of a security risk to have them all together behind one password but I find it is much more likely that some hacker would get into my account by hacking the websites and not stealing the password safe and then trying to crack that.
A few years ago I had an insecure password and a forum that I was an admin of got hacked. The hacker found some exploit in PHPBB and was able to gain access the database. Once there, he was able to look up all the users passwords, wasn’t a very busy forum, only 40 members or something. We restored the forums from a backup and then carried on as normal.
The next day he did it again, we had updated to the latest version of PHPBB by this point that fixed the bug he used to gain access last time so we didn’t know how he got in. He then emailed every user a list of every other user’s passwords. We had kept the same admin passwords and he had just logged in. On his last attack he had saved all the hashes and since we all had really insecure passwords he had just looked them up. He started to login as us on MSN messenger and things, just generally being annoying. I, like a lot of the users, had the same password on most of my accounts and he had my email address and most common username so he had basically unrestricted access to everything. I was quite worried about this since some shopping sites save your card details, he could have easily logged into them and spent all of my money.
I, and the other users probably, spent the best part of that evening changing all of my passwords to something more secure, still mostly the same but I checked that it couldn’t be found in a hash database.
Although I was one of the admins of that site though, I could just have easily been a user with no control over how secure my data was. Just one forum that wasn’t updated unlocked the key to my entire online identity. Since then I have learned that you can never be too safe and until someone comes up with a better method of identification than passwords we will have to put up with remembering them and trying to have ones that are secure.