One of my pet peeves about logging into sites on my phone is the password field. On a large screen it makes sense that the field is obscured by * characters, but what about on a small device only you can see?
I can’t be the only one bothered by this because the wifi login form on Android devices has a handy “Show password” setting. Maybe it’s because people use the default wifi password set by their ISPs so much it’s their only “strong” password. Anyway, I wished there was a similar setting for other login forms.
Well, now there is, sort of: a handy Xposed Framework module called HideNoPasswords reveals the letters behind the dots. I found I could even swype my password, which makes logging in with phrases so much easier.
There are downsides. Security is the most obvious one. An application could take screenshots in the background when it detects the keyboard is in use and send that data somewhere. Someone could look over your shoulder and see the password.
Also, your phone has to be rooted, and you need the Xposed Framework installed, but if you’ve conquered those hurdles, installing this module is simple.
Here’s the XDA Thread on the module, and the XDA blog post where I found out about this handy extension.
Earlier today Jeff Atwood tweeted:
you should *really* be scared if your passwords are all lowercase. 12 chars in 75 days on my box..
He was referring to his post on speed hashing, where a video card GPU is used to calculate the hash of any given text. It does this much faster than a computer CPU.
all 6 character password MD5s: 47 seconds
all 7 character password MD5s: 1 hour, 14 minutes
all 8 character password MD5s: ~465 days
all 9 character password MD5s: fuggedaboudit
It’s honestly scary and really time for everyone to use pass phrases. They’re not perfect either, but they’re better because they’re longer and easier to remember. Some of my passwords are not phrases yet; this pass phrase generator (or this one) should help make it easier to change those.
* obligatory xkcd cartoon.
What is the significance of “20f1aeb7819d7858684c898d1e98c1bb”? It’s the MD5 hash of the name “Anthony” and was the password used by someone who broke into lightbluetouchpaper.org. Searching for the MD5 hash was clever, but it won’t work for long because Ryan is working on securing the WordPress cookies and passwords.
In case you’re wondering, the hacker got in because the blog was running an outdated version of WordPress.
Tips to help keep your blog safe:
- Keep all your software updated, not just WordPress. Make sure your plugins are updated.
- Use a strong password. Don’t use words or sequences of characters like “12345” as your password. Make it a mix of characters and numbers.
- Don’t ever store your database dump online where Google will index it. It is very easy to use a Google search to find it.
- If you use public WiFi or a net cafe regularly, use SSL to secure the communication with your blog. Use the secure admin plugin for just this purpose.
- If you use Firefox, install PwdHash. It’s simple to use and works really well.
WordPress MU admins – Fire up phpMyAdmin and look at wp_users. Try these SQL queries to find weak passwords in your database:
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('wordpress');
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('12345');
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('qwerty');
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('anthony');
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('Anthony');
and because of the season:
SELECT count(*) FROM `wp_users` WHERE user_pass = md5('christmas');
Scary, isn’t it, how many people still use simple passwords? I must release that “Strong password” plugin we use on WordPress.com soon. That will certainly help avoid account hijacking.
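The same check as the queries above, run over an export of wp_users so that it reports which accounts need a password reset rather than only a count. This is an added example, not code from the original post; the row export, the sample data and the extra "password equals username" check are assumptions made for illustration.

```python
import hashlib
import re

# Candidate passwords taken from the SQL queries above.
CANDIDATES = ["wordpress", "12345", "qwerty", "anthony", "Anthony", "christmas"]

# The queries above only match a bare, unsalted MD5 hex digest in user_pass.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(text):
    """Return the same value MySQL's md5() produces for a string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def audit(rows, candidates=CANDIDATES):
    """rows: iterable of (user_login, user_pass). Returns {user_login: reason}."""
    lookup = {md5_hex(c): c for c in candidates}
    findings = {}
    for login, stored in rows:
        stored = stored.strip().lower()
        if not MD5_HEX.match(stored):
            continue  # not an unsalted MD5 digest, so the SQL would not match either
        if stored in lookup:
            findings[login] = "common password: " + lookup[stored]
        elif stored in (md5_hex(login), md5_hex(login.lower())):
            # Assumption: an extra check that is not in the original queries.
            findings[login] = "password equals username"
    return findings


# Constructed sample rows standing in for an export of (user_login, user_pass).
SAMPLE_ROWS = [
    ("alice", md5_hex("christmas")),
    ("bob", md5_hex("bob")),
    ("carol", md5_hex("correct horse battery staple")),
    ("dave", "not-an-md5-value"),
    ("Erin", md5_hex("Anthony")),
]

if __name__ == "__main__":
    for login, reason in sorted(audit(SAMPLE_ROWS).items()):
        print(login, "->", reason)
```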
If, as sometimes happens, you’re working at something and are called away from your desk, it’s nice to know you can lock Excel and stop others fiddling with it. Unfortunately it’s also possible that you might forget your password. *ahem*
If so, go download the Free Excel password remover and watch it work wonders and crack that password and get you back into work mode faster than you can read a long winded run-on sentence that’s meandering nowhere, fast.