LastPass – Better than KeePass?

I’ve been giving LastPass a try for about a month now as a replacement for KeePass, and so far it’s a keeper. It does more of what I need it to do, and does it better. For those who may not know what either tool does, both are password safes: they keep an encrypted copy of all of your passwords, and you need only your master password to unlock the vault that holds everything else. That makes the strength of that one master password, and how carefully you protect it, the critical factor. Keeping complex passwords that are unique to each site or use is a vital way of protecting your finances and identity, and these tools make that difficult task manageable.

So what does LastPass do that KeePass does not? Let’s start there. LastPass runs as a browser plugin that works against an encrypted vault stored on your computer and syncs that vault with the LastPass servers for use on all of your devices. The vault is encrypted locally with a key derived from your master password, so only ciphertext crosses the Internet. In a sense, LastPass does natively what I have been doing with KeePass and Dropbox.

LastPass does more, though. With LastPass you can save a profile for form auto-completion, monitor your credit, keep secure notes, and securely share entries with other LastPass users (such as a spouse or family). Both tools will generate complex passwords for you, but LastPass does it within the browser, which is simpler.

Using LastPass is easier for me. With the credit monitoring feature, and for a very reasonable annual fee, I can also have an app on my iPhone and iPad that syncs all of my passwords. But perhaps the most important thing LastPass offers that KeePass does not is multi-factor authentication. Even with the free version, you can use Google’s free Google Authenticator app on your phone as a second factor, so a stolen master password alone is no longer enough to log in to the service. This vastly improves your security and it’s easy to use. One caveat: the second factor gates access to your account, not the encryption of the vault itself, so an attacker who obtains a copy of the encrypted vault still only has your master password to beat. Keep it strong.

The bottom line: I’m sold on LastPass. So much so that I bought a three-year subscription even though the free version really does all I need it to do.

LinkedIn vs. Spam

I used to have a LinkedIn profile. I even provided a link to it from this website, as I viewed it as a great networking tool and a means of showing my CV and experience. At some point, though, I came to realize that LinkedIn had to be the source of a large amount of the spam I was getting at work, and worse yet, of unsolicited sales calls.

I get it. People need to make a living, and I’ve put my experience out there for all to see, including the kinds of projects I have worked on, the tools I’ve used, and so on. That is ripe for data mining by any sales team, and my main employer is seen as a good catch by nearly everyone.

But I don’t want solicitations, whether by email, voicemail, mailers or otherwise. So I deleted my profile completely, or have attempted to. I still get requests each week from friends, people I have worked with and vendors who want me to join their list of LinkedIn contacts. Unsubscribing from LinkedIn’s mailing list appears to have no effect here, so I report it as spam and do what I can to block all email from LinkedIn.

Anyone out there have a better solution to share?

iThemes Security – A must have

Earlier I wrote about a WordPress plugin I found to be extremely valuable, Better WP Security, specifically for its ability to block brute-force attacks against simple username and password combinations. Those attacks were a major threat to all WordPress sites almost a year ago.

Since then there have been many updates to the Better WP Security plugin, and its developer has been hired by iThemes to continue development (and to monetize the plugin’s advanced features). This is good news: the free version remains excellent, and there is now a wider range of paid advanced features that many web developers and site administrators should consider using. The plugin is more robust than it was, no small task for a developer starting from what already seemed to me a full-featured security plugin.

If you are still on the older Better WP Security plugin, deactivate it before you update. Failing to do so can make your site inaccessible, because the old and new versions conflict over the settings and files (the rules it writes to .htaccess among them) that the plugin rewrites while it is active. Once you have updated to the iThemes version, reactivate the plugin and review the new options to decide which of them belong in your site’s security configuration.

If you did not deactivate the plugin first, move the Better WP Security directory out of your site’s wp-content/plugins folder and, if needed, remove the changes the plugin made to your .htaccess file (keep a backup of .htaccess before editing it). Once you have done that, you should be able to complete the update or reinstall the plugin.
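The recovery steps above, scripted, as an added example; this is not part of the original post and not the plugin’s own code. It assumes the plugin directory slug is "better-wp-security" and that the plugin’s rules sit between the lines "# BEGIN Better WP Security" and "# END Better WP Security" in .htaccess; check your own file for the exact marker text before running it, since the wrong markers would leave the block in place. It backs up .htaccess before touching it and preserves every line outside the markers, so the WordPress rewrite block survives.

```shell
#!/usr/bin/env bash
# Added example: recovery from an in-place Better WP Security -> iThemes
# Security update that was run without deactivating the old plugin.
# Not the plugin's own code. Assumptions (not stated in the post):
#   - the plugin lives in wp-content/plugins/better-wp-security
#   - its .htaccess rules sit between "# BEGIN Better WP Security" and
#     "# END Better WP Security" marker lines
set -eu

PLUGIN_SLUG="better-wp-security"
BEGIN_MARK="# BEGIN Better WP Security"
END_MARK="# END Better WP Security"

# Step 1: move the plugin directory out of wp-content/plugins so WordPress
# stops loading it. Prints where it went so you can move it back later.
disable_plugin_dir() {
  local docroot="$1"
  local src="$docroot/wp-content/plugins/$PLUGIN_SLUG"
  local dst="$docroot/$PLUGIN_SLUG.disabled"
  [ -d "$src" ] || { echo "no plugin directory at $src" >&2; return 1; }
  mv "$src" "$dst"
  echo "$dst"
}

# Step 2: remove the plugin's marked block from .htaccess. The original is
# kept as a timestamped backup first; every line outside the markers is
# written back unchanged (the WordPress rewrite block must survive).
strip_htaccess_block() {
  local htaccess="$1"
  local backup
  backup="$htaccess.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$htaccess" "$backup"
  awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
    $0 == b { skip = 1; next }
    $0 == e { skip = 0; next }
    !skip   { print }
  ' "$backup" > "$htaccess"
  echo "$backup"
}

# Sanity check after stripping: number of lines left in the file.
count_lines() { wc -l < "$1" | tr -d ' '; }

# Demo against a throwaway tree with a constructed .htaccess (sample data,
# not a real site): after both steps only the WordPress block remains.
demo() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/wp-content/plugins/$PLUGIN_SLUG"
  cat > "$root/.htaccess" <<EOF
$BEGIN_MARK
<Files wp-login.php>
Order deny,allow
Deny from all
</Files>
$END_MARK
# BEGIN WordPress
RewriteEngine On
# END WordPress
EOF
  disable_plugin_dir "$root" >/dev/null
  strip_htaccess_block "$root/.htaccess" >/dev/null
  cat "$root/.htaccess"
  rm -rf "$root"
}

demo
```

Run it from a shell with access to the site’s document root and pass that path to disable_plugin_dir and the site’s .htaccess to strip_htaccess_block; the backup file name it prints is what you restore from if the site behaves differently afterwards.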

1and1 wp-login.php Redirection Issues

For a time on December 30th, 2013, my hosting provider 1and1.com was redirecting all WordPress logins to 128.0.0.1 whenever one hit wp-login.php, effectively blocking all attempts to log in (and log out, for that matter) from any WordPress installation on their servers.

Their response was less than desired; they stated that the issue was affecting only 0.5% of their customers. Even if that were true, which I would find doubtful given the widespread use of WordPress, it discounts the severity of the issue for WordPress users, a program they say they support completely.

Securing Older Versions of Joomla

One reason I’ve begun to prefer WordPress over Joomla is that WordPress has made the upgrade process so much easier. To upgrade Joomla 1.x to 1.5 you have to use special tools, and going from 1.5 to 2.x or 3 needs a different toolset and migration path again. Ugh! Worse still, Joomla extensions have become very version-specific because of a lack of backwards compatibility. WordPress, on the other hand, lets you simply put the new code in place, and so long as there is no conflict with a plugin, the code takes care of everything else for you, including updating the database.

Perhaps I feel this way only because I haven’t tried to migrate a heavily customized WordPress site, or because my more complicated older sites are nearly all in Joomla. So long as I keep a copy of the changes I’ve made to styles or any core files, I’m able to keep things up to date quite easily with WordPress. As noted above, though, an entire system isn’t always easy to replace. A client may have invested heavily in a very specific Joomla module or tool, only to find it never made available for the newest versions of Joomla. (I am not finding this to be true of WordPress plugins, another reason to go with WordPress today.) So the problem to deal with is securing older versions of Joomla that have known security issues. What exactly can one do to make an older Joomla site more secure? Let’s take a look at securing Joomla.

Brute Force Attacks? Get “Better WP Security” for WordPress Security

Over the past several days I’ve seen a great many news articles about a bot-based brute-force attack on WordPress (and Joomla) websites, in which the bots try common passwords against the username “admin”. We are talking about hundreds, perhaps thousands, of common passwords, coming from tens of thousands of compromised servers. The goal is to gain administrator access to the site and then use the admin interface to add files and code changes that compromise the website completely. You really need some WordPress security.
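The attack pattern described above shows up plainly in a web server log, and here is a check you can run over one. This is an added example, not part of the original post and not Better WP Security’s code. A failed WordPress login is a POST to wp-login.php that comes back with a 200 and the login form again, while a successful login answers with a 302 redirect, so counting 200-response POSTs per source address picks out password guessing without flagging real users. The log lines are constructed sample data in Apache combined format, and the threshold of five is an assumption to tune for your own traffic.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Better WP Security.
# Picks out source addresses that are guessing passwords against wp-login.php
# in an Apache combined-format access log and prints Apache 2.2 "Deny from"
# lines for them. Sample log lines are constructed; threshold is an assumption.
set -eu

THRESHOLD="${THRESHOLD:-5}"

# Constructed sample log: 203.0.113.7 fails six times, 198.51.100.20 logs in
# normally (its POST is answered with a 302 redirect), 192.0.2.9 fails once.
SAMPLE_LOG='203.0.113.7 - - [13/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.20 - - [13/Apr/2013:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.20 - - [13/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [13/Apr/2013:10:00:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "-"'

# Read a log on stdin; print "count ip" for each address whose failed-login
# count (POST /wp-login.php answered with 200) exceeds the threshold in $1,
# highest count first. Combined-format fields as awk sees them:
#   $1 client ip, $6 the method with its opening quote, $7 path, $9 status.
brute_force_sources() {
  local threshold="$1"
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
    END { for (ip in n) if (n[ip] > t) print n[ip], ip }
  ' | sort -rn
}

# Same input; emits one Apache 2.2 access-control line per flagged address,
# ready to paste inside a <Files wp-login.php> block in .htaccess.
deny_lines() {
  brute_force_sources "$1" | awk '{ print "Deny from " $2 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | deny_lines "$THRESHOLD"
```

Against a live site, feed the real access log in (for example `tail -n 50000 access.log | deny_lines 20`). Because the attack comes from tens of thousands of hosts, each sending only a few guesses, a per-address count with a low threshold is the detection to run; blocking a single busy address does not end it, which is why a plugin that rate-limits every login attempt is the better long-term fix.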

Having already written about the recent increase in other hacking efforts, I am bothered that yet again these content management systems are being hit with what amounts to wasted talent; these attackers show intelligence and problem-solving skills, so why not put them to use in a way that doesn’t harm others? Thankfully, the open source community is quick to respond and build the tools needed to protect websites from such efforts.

Better WP Security from Bit51.com is an excellent add-on for your WordPress website. It was written long before the current wave of brute-force attacks, and it is something I would recommend every WordPress website use from day one. It relies on .htaccess changes to block known bots and abusive clients, and on other file and configuration changes that either remove weaknesses outright or hide the details attackers look for (obfuscation).

Here is a list of some of the things this tool does:

  • Enforces stricter passwords for users at any role level you choose.
  • Removes the back-end file editor.
  • Scans the site for recently changed files and emails you a report, since unexpected changes can indicate an intrusion.
  • Blocks repeated login attempts.
  • Blocks SQL injection attempts.
  • Makes backups of your database and mails them to you at regular intervals (the backup contains your users’ password hashes, so protect the mailbox it goes to).

This is open source work at its finest. It is free to use, but the developer provides a way to pay him for his work, which I’d highly recommend doing, as this tool is really quite well constructed and extremely valuable.