A general user account can get away with a less complex password than an administrator; an admin account should be longer and more random in nature. Since administrators have more powerful accounts, they are a greater target for some attacks. This is not to say that a general user is not a target. They always are, as they tend to have weaker passwords.

Always make any regular password at least 8 to 10 characters long, include upper and lower case letters, as well as numbers and punctuation. Administrative passwords should be longer, more complex, and changed often.

Password aging

Different companies have different business rules for how long a password can ‘live’. This should be different for different types of accounts. Getting general users to change their passwords monthly is only going to encourage weak passwords (tammy1, tammy2, tammy3) as they try to circumvent the extra work of creating and remembering new passwords all the time.

Administrator accounts, however, have more responsibility, and therefore should be changed more often.

When an account password is aging, it is always a good idea to have a grace period. If you log in during a meeting and your system says it’s time to change your password (NOW!) you are not going to have the time or frame of mind to come up with a decent, memorable password. You might type in some jibberish and write it down, and swear under your breath that this always happends at a bad time, as you have a meeting to run.

A grace period of 3 to 5 log ins will fix that. The user knows that it’s time to start thinking of a new password, but they are given some time to think about it.

Give passwords to users or let them make their own?

Do not reuse passwords

Your system should track user passwords, and not let a password ever be reused once it expires. In addition, it should track for variations that are too similar. For example, if an account had T0my2Tone for a password that expired, the would not be allowed to use T0my2Tone2000 later, as it is too similar.

No identifiable information in a password

Passwords should never be based on anything that is related to them. They should not use anything like their account or server name, username, personal information

Longer passpharses

Another approach that some people take is a passphrase. You might choose a sentence like Happy Birthday, Mr. President and then mess it up a little bit with a date or something like H@pyB1rthDAY,_mr.PREsident!-19May1962.

Other resources:

http://www.microsoft.com/technet/security/smallbusiness/prodtech/WindowsXP/select_sec_passwords.mspx

Very often, computer users find themselves regularly visiting the same sites. These might be news sites, blogs, forums, web mail, or something else. Usually, this requires redirecting a browser to each sites, then browsing the contents of that site.

The fundamental idea of RSS is to simplify this process by making the user’s computer collect all the updates from the user’s favourite sites in one place. That ‘place’ is a program on the user’s computer, called an RSS feed aggregator or feed reader.

I’ll try to give an explanation with some examples to help clear the difference up.

Meta Tags

Those webmasters who have been using a robots meta tag know that if you tell a compliant (considerate?) spider or robot to ‘nofollow’ it means they should not follow any links that you have on your page. The meta tag goes in the head of your web page and might look something like this:

<meta name="robots" content="nofollow" />

You can take it a step further and ask the spider to not even index your page at all:

<meta name="robots" content="noindex, nofollow" />

You can indicate that you would like to be indexed or have your links followed, or not, or any combination. For example, these are all valid:

<meta name="robots" content="index, follow" />

<meta name="robots" content="noindex, follow" />

<meta name="robots" content="index, nofollow" />

<meta name="robots" content="noindex, nofollow" />

This is done on a page-by-page basis. In other words, each Web page would have a meta tag in the head of the document that might look something like this:

<head>
	<title>Some page on the Web</title>
	<meta name="robots" content="noindex, nofollow" />
</head>

Note that you are indicating your wishes here, and that robot spiders may or may not listen to your request.

There are other attribute values you can use. See the links for more reading.

Robots.txt

You can control how search spiders and robots index your site (or parts of it) by using an ASCII-encoded text (not HTML) file called robots.txt (case sensitive) in the root directory of your Web server.

This plain text file can define some simple guidelines for robots to use. For example, if you ask all robots (identified by a wildcard character of *) to not index your site at all (everything from the root of your server: /), your text file would look like this:

User-agent: *
Disallow: /

If you wanted all robots to index everything, you might try this:

User-agent: *
Allow: /

You could single out a single robot and ask it to do something link this:

User-agent: Googlebot
Disallow: /admin/

You can have several different rules for different robots. Again, not all robots will follow your requests.

Rel=”nofollow”

Here is where some of the confusion starts. Some people think that when you have a link on a page to another page, and you use the rel="nofollow" attribute/value pair, that search engine spiders will not follow this link.

Considering the name of the value (nofollow), plus the behaviour of the robots meta tag with nofollow, this seems like a logical assumption. However, it is false. Here’s why…

Back in 2005, several large search engines agreed that comment spam (comments in blogs, forums, etc with links to Web sites that existed only to drive traffic and were not really there are legitimate comments or links) was a serious problem. They came up with a plan to add an attribute to the (X)HTML anchor tag to help describe links that the site owner could not verify as being approved.

So, a normal link might look like this:

<a href="http://www.lanoie.com/index.html">Lanoie.com</a>

but if it was put there by a user in a comment block, the software could alter it to look like this:

<a href=http://www.lanoie.com/index.html rel="nofollow">Lanoie.com</a>

As links are often counted as part of the ranking of Web sites by search engines, the more links that link spammers can have their scripts automatically put in comment blocks, the more popular their sites would become in the search engine result pages (SERPs). The idea is that if a search engine spider sees a nofollow link, it will not use it for ranking algorithms. This does not mean that the spider will not follow the link and index the destination page, it just means that it won’t help with that page’s rank.

So that’s the theory. What happens in real life? That depends on the players in the game.

Yahoo, Microsoft, and Google all initially agreed in 2005 to respect this attribute with their spiders. Ask and several other search sites seem to be aware of it, too. The trick is that they are not all doing the same thing with it.

Some sites do not follow the link or index the destination page at all. Other spiders seem to follow the link and index the page, but not count it towards the rankings, while others seem blissfully unaware that it even exists and ignore the attribute entirely.

The end result is that, with all three of these tools, you are only giving your wishes and you have no guarantee that they will be followed.

Personally, the comment spam was so bad on this blog that I had to disable comments entirely.

This might seem obvious to some but an effective web site is focused on one subject. If it’s your business web site, then it’s about your business, your products, your services, and what you can do for your customers. That’s the theme of your site and you should stick to it.

A focused site is easier to develop and maintain. It offers a clear signal to the user about what you are trying to do and offers a similar signal to search engines. Search engines consider a tightly focused site on one topic to be more valuable than a random smattering of topics, all other things being equal.

Focus on one topic per site

Sites that have mixed signals as to their purpose lack focus, efficiency, and clarity. Everything you do should be focused on one topic area. If you are running a pet store, your web site should be all about pet information, products and services. Talking about real estate, online gambling, and your favourite music might best be served on a separate web site, both from a user’s point of view as well as search engine ranking.

If a search engine sees that each and every page on a web site is about pets in one form or another, then the site is focused on pets and, therefore, might have some authority (combined with other factors) on the topic. If different pages follow wildly varied topics, then the site isn’t all about one thing and, therefore, is not an authority on any specific topic.

Which brings up a good point: if you keep your users in mind and design the site to give them the best overall experience you can, you will already be well ahead of others in making your site search engine friendly, as they have similar needs and goals.

One subject per page

Just like choosing an overall theme for your site to keep it focused on one purpose, any given page within the site should also be focused on one specific subject where everything is in sync.

When people type in keywords to search for topics, you need to carefully place similar words and phrases in your site.

Let us say that you have a web site about selling pet products. You might have several web pages, each with a specific topic. Let us try to imagine what the titles of some sections and pages might look like:

• About Us
• Canned Cat Food
• Canned Dog Food
• Cat Food
• Cat Toys
• Contact Us
• Dog Food
• Dog Toys
• Dry Cat Food
• Dry Dog Food
• History
• Home
• Location
• Pet Food
• Pet Toys
• etc.

Each separate web page should be about one specific thing and have the title, headings, and keywords match to give a strong impression to the user and search engines exactly what the purpose of each page is.

Storyboard your site

You need to brainstorm exactly what pages your site is going to have and how you want to organize them. You can organize them with fancy software tools, common office suites, or even on a paper napkin over coffee.

Some people visually sketch out the logic like an organization flow chart. That is sometimes called Storyboarding or flow charting the site.

Other people might list pages in groups related by topic. Do whatever works best for you but it is an important stage as it helps your visitors focus and find what they need quickly and easily.
This will also help you identify any orphan pages that do not fit the overall theme, as well as pages that might need to be merged or broken apart for better usability.

When you are organizing your pages, avoid forcing your users to click 20 levels deep to get to a page. Some search engines do shallow crawls (only a few levels deep) when your site is young and only do deep crawls after the site is more mature. Try to keep all content three or four clicks from your home page. This is best for users and certainly can help with spiders.
In the end, this step is a prerequisite for creating your web site navigation.

Creating a text site map of your site benefits both users and spiders. This is a page that lists all the major (and, if the site isn’t too large, minor) pages in one spot. It should show the organization of your site (information architecture) so that your users can easily focus on what they want by scanning the page with their eyes. This helps users to quickly visualize the content of your site without having to use a search form to find pages within your site.

Text site maps and search forms

Spiders cannot use forms to search your site, so your text site map can give it easy access to all areas for indexing. Sites that use content that is dynamically generated from a database (Content Management Systems, for example), may not be fully accessible to the search engines, as the spiders cannot themselves enter a term in a search box and hit the ‘Search’ button to search your site. Much of your content would be ‘dark’ (hidden or unteachable).

By having a site map and creating static text links deeper into the content, you can get much more of your site indexed to attract traffic. Site maps on small to medium sites help spiders index more thoroughly by pointing to all major areas of the site. Medium to larger sites might try using Google Site maps to ensure that the spiders crawl as much of your site as possible.
Make your site maps for humans first but do not forget about the search spiders.

Give us stats and give us details, but present them in a usable, accessible way. Let us choose the level of detail we want to see. Let us choose if we want to get them from a Web page, RSS feed, email, or whatever. Let us choose if we want to know every stop along the way or just the major events.

Thomas has a post that should be read by FedEx, USPS, Canada Post, and every major player in the game. He offers a usable package tracking solution that is clean, efficient, and easy to read. Add alternative ways to deliver that information and I think we can get our package’s status quickly and get on with our lives.

You can read his thoughts here:
http://www.baekdal.com/articles/Usability/package-tracking-usability/

Log in to your Unix account (locally or remotely) with your current username and password. The messages may change from system to system, but the basics will be the same. Note that passwords are usually case sensitive.

The command to change your password is passwd. At the command prompt, type:

passwd

Hit enter. The system will say something like:

Changing password for {username}

Where {username} is your account log in name.

Enter current password:

Type in your current password and hit enter.

New password:

Type your new password and hit enter.

Retype new password:

Retype your new password to make sure you didn’t enter it incorrectly.

passwd: all authentication tokens updated successfully.

In this post, we will discuss a few ways to get users to create reasonable passwords.

Better passwords are random passwords

One method to make decent passwords is to use very random characters. That’s tougher than you might think. If software can create it, then software can guess it. Some people might want to use electrical noise or atomic decay as a password
salt, but now we are getting really geeky.

Initial character passwords

The average user can get away with something much easier. Just come up with a phrase that is at least 8 or 10 words long and start having some fun with it. When January 2000 rolled around, my monthly password (my account was changed every 23 to 32 days) was based on a phrase like this:

The year 2000 bug has gone away… see ya!

Which would be shortened to:

tY2kbHGa–>CYA!

Since this is now publicly exposed, it should never be used by anyone again. If you have ever seen an example of a good password, then it’s not good anymore.

Passwords based on lyrics or sayings

Some people base a password on a song’s lyrics or some phrase. Let’s see what we come up with a few minutes of playing around.

Hey Jude, don’t make it bad. Take a sad song and make it better

This is a very popular Beatles song from 1968. It is longer than 10 words and it is easy to remember if you know the song, so it could work as a start of a basic password.

HJdmibTasSamib

We take the first character of each word and mix the case up. That looks like a decent password, except that millions of people know that song, and might try the same combination. It’s a good first step, but needs a little more tweaking.

HJ ,dm1b. T@sS&mIb!

Basic character substitution, like changing the letter ‘a’ to ‘@’ looks good to most users, but as we mentioned in other posts, it’s so common that it is easily cracked. However, the addition of some basic punctuation and spaces can help.

HJ ,dm1b. T@sS&mIb!1968

The addition of numbers makes it even more unique. Some might argue that using the date of the song is still rather weak, but in reality, this is a pretty decent password.

It is true that putting extra information at the beginning or the end of common passwords is a proven pattern, but that’s more for passwords like 1969FordMustange (more common than you think) or Sandra1972 (even worse, as it is only a single word and date).

HJ ,dm1b. 1968 cha-cha-cha T@sS&mIb!

Ok, now we moved the date inside the password, and added some stuff that has nothing to do with the song. While this isn’t a random password, it is certainly unique enough to be reasonable. If you make something up like this yourself, and you remember the pattern or logic in how you made it, then you can come up with a combination that is easy for you to remember but hard for others to guess.

Passphrases

Some people will simply make a short sentence their password. If you have a password of several words, complete with punctuation and spaces, you have an easy to remember password that is longer than 8 characters, contains no personal information, and is not in a dictionary.
Add some funky spelling and other characters and numbers, and you should be fine.

• i-H8TEmodays, don’t u?
• WhydoIHave2000passWorz?!?
• MyBossIsGreat;i’m*self*employed!

Of course, since no one should ever know your password, you can type things about your boss that you would never actually say Be careful, sometimes these passwords do get out.

Phonetic Passwords

You can make up your own nonsense word that means nothing but is speakable and easy to remember. Phonetically, these can be spoken (in your head) when you are learning them:

• yo-mah, suTEEy8t
• dach,Tez.CHi’set
• pL8t.=,Sk8t

Use multiple passwords for multiple accounts

Remember to use different passwords for all of your accounts. This is a pain, but a necessary evil. If someone cracks one of your passwords, they cannot get into everything you have.

For example, imagine that someone uses their parent’s phone number for all of their banking PINs, online bill payments, work and personal email passwords, and so on. Once someone finds out that password, they are going to try it everywhere.

Don’t make it any easier for the bad guys.

In theory, every password you have should be totally random and unrelated to anything.

(Good luck with that, human nature goes against it.) If you are given 12 passwords for 12 different systems that are totally random, chances are you are going to record them or forget them (or both). The average person will not memorize a dozen passwords, especially if they are not all used daily or if they change too often.

Different people handle this problem in different ways.

Some might use a passbook or a keychain system, where all their passwords are encrypted in a single, reasonable secure way. They would have one ‘master password’ to open the keychain and access whatever other password they need to use. This is popular, as the user only needs to really remember 1 strong password (it had better be strong!) and allows them to have many passwords for many systems.

It does, however, have some drawbacks. First, if the master password is lost or forgotten, then all their passwords are lost or forgotten. Second, if the master password gets cracked, then all of their passwords are exposed.

Another thing that some people try to do is have a common base password that they build other passwords on. For example, let’s assume that a person has to use several systems, and that they want a unique password for each.

• Work email
• Personal email
• Work computer 1 (local Windows workstation)
• Work computer 2 (Unix server)
• Personal computer (Macintosh)

Maybe they come up with a password root based on some of the examples earlier like

G^3d’a-,fc. They might then use that as a basis for their different passwords:

• Work email:
  
  G^3d’a-,fc-WorkEmail
• Personal email:
  
  G^3d’a-,fc-HomeEmail
• Work computer 1 (local Windows workstation):
  
  G^3d’a-,fc-WorkWin2k
• Work computer 2 (Unix server):
  
  G^3d’a-,fc-WorkUnix
• Personal computer (Macintosh):
  
  G^3d’a-,fc-HomeMacOSX

The base of the password is reasonable, and the extension isn’t always the same pattern, so if one password is exposed, the others still have a chance of being secure until they can all be changed to something new. If a password does get exposed change them all (you should be changing passwords every now and then anyway).

Technically, if you are going to use this method, you might reverse the order and have the unique part of the password first, and the common parts near the end. This way, if someone is casually watching you type, it looks like a completely different password, and so it’s harder to find a pattern.

In other words, using the above example, you might use this:

• Work email:
  
  WorkEmail-G^3d’a-,fc
• Personal email:
  
  HomeEmail-G^3d’a-,fc
• Work computer 1 (local Windows workstation):
  
  WorkWin2k-G^3d’a-,fc
• Work computer 2 (Unix server):
  
  WorkUnix-G^3d’a-,fc
• Personal computer (Macintosh):
  
  HomeMacOSX-G^3d’a-,fc

The first part of the password helps scramble the repeating pattern that is common to all of them.

What is an account?

Unix and Linux computers were designed to have many different people (accounts) using the same computer at the same time, remotely connected by networks.

Each account is separate from every other account; so one person’s work will not interfere with another person’s work on the same system, even if they are both using the system at the same time.

Normally, a Unix system requires you to authenticate yourself (prove that you have access rights) before it will let you use system resources. This helps determine such things as what resources you are allowed (printers, applications, etc), where to put your files, the types of permissions you have, and what preferences you have set for your work environment.

To authenticate you, most Unix systems ask for a username (account name) and password. The combination of the two helps determine what you are allowed to use and do once you log in.

How many accounts should you have?

Different accounts for different privileges

Unix is a multi-user system, and not all users need to have the same privileges. Here are a few examples of the different roles you might see on any given system.

User accounts

This is a normal account. A user account has limited access to anything outside of their work environment. They might create and edit documents, run applications and utilities, and other normal day-to-day work.

They usually cannot change system settings that would affect other users, only themselves. They can only modify their own account and preferences.

If you think in terms of keys and responsibilities, a user account only has a key to their own office space. They do not have keys to other people’s offices or to the front doors of the building. If you lose that one key, only one office might be compromised and only one lock needs to be changed.

There are usually many different users on a Unix system.

Administrator accounts

Administrators have more responsibilities than regular user accounts. They might be able to create/modify/delete other users, change system-wide settings, install software or hardware, and perform maintenance or upgrades that affect all users.

Experienced administrators only log in with these privileges when they need to. They usually use a regular user account when doing day-to-day work. This least-privilege-required mentality helps the overall security of the system.

To continue on with our keys analogy, the administrator is like a custodian. They have keys to many offices, in addition to broom closets, electrical panels, and so on. If the keychain is lost, many locks need to be changed, and a serious security breach has occurred.

There may be more than one administrator for a Unix system.

Superuser (root) accounts

The

superuser, or

root, account is the most powerful account on a Unix system. They can do anything, delete any files, and can cause complete chaos if in the wrong hands. Many system administrators will only use the root account when they have to, and then switch to a lesser account as soon as they have completed the task required.

The root user has the ’skeleton’ key. It opens all doors in the building. If it gets lost, people lose their jobs.

Yes, he admitted, he was getting traffic from other sources (other search engines, some pay per click traffic), but it was Google that was on his mind.

I asked if they were using any SEO techniques that would be considered cheating. He looked at me as if I was new to the planet. “Of course, how else do you get to the top of the SERPs?” I just smiled and asked if I could see his site.

The Web site was very common for his industry (I’ve done sites in that industry, too, so I recognized the format right away). It was basically a shopping cart, lots of marketing graphics, and TONS of tricks to get Google to notice it.

No content. No articles. No forum, blog, or community building features. Not even a decent FAQ. Just marketing ’sell’, ‘Sell‘, ‘SELL‘ messages with a lot of ‘Buy now!‘ graphics. I am sure you know what I mean.

No wonder the floor fell from underneath him when Google did an update to its search algorithms. There was nothing left to use once the tricks were ignored.

Tip: Create a Web site that users will love and want to use, and Google will follow.

I am not saying “Build it and they will come”. Not by a long shot. There are billions of Web pages, and not enough people are going to fall into your site (in your target audience, and a qualified buyer, in the correct mindset) out of nowhere to keep you in business.

However, it is a good starting point.

If you take a look at the top 10 results of an average Google search, one thing is usually common to them all: content. They have something you want. Information, views, facts, gossip, whatever, but they have content, and it’s probably well written and organized.

Too many companies are trying to reverse engineer Google. What are they looking for? How can I trick their software spiders into giving me preference?

They should turn around and think of it from Google’s point of view. Google is on top of the search world. Why? They spend time trying to find out what their search customers want and then figure out how to give it to them.

One method of cracking the password is with a login dictionary attack.

With this kind of attack, software consecutively tries words from a list in a dictionary file (also known as a wordlist). While other attacks, like brute force attacks, are also effective, in real life, dictionary attacks succeed so often because people base their passwords on short, easy to remember words. The larger the dictionary file, the better the chance the attack will succeed.

While a research attack requires some basic knowledge of a person or system, a dictionary attack can be effective without any starting point. However, if you know that someone speaks French, English, and Spanish, you can load up those three dictionaries as a starting point, effectively narrowing your focus to relevant choices.

You can easily find dozens human language dictionaries for these types of attacks in minutes. Why did I say human? There are also Vulcan, Klingon, and other non-human dictionaries available. Actually, word lists go way beyond basic language dictionaries. Celebrities, aircraft, cars, brand names, sports terms, model numbers, jargon, and pretty much anything else that someone might use for a password has been thought up and added to a word list.

Better attack software might also do character manipulation. It’s common practice for people to substitute the number zero for the letter o, for example, or the number one for the letter l.

The software might try:

• dig, Dig, DIg, DIG, dIG, diG , dIg
• dog, Dog, DOg, DOG, dOG, doG, dOg
• dug, Dug, DUg, DUG, dUG, duG, dug

as well as:

• d1g, D1g, D1g, D1G, d1G, d1G , d1g
• d0g, D0g, D0g, D0G, d0G, d0G
• dvg, Dvg, Dvg, DvG, dvG, dvG
• dVg, DVg, DVg, DVG, dVG, dVG
• d19, D19, D19, D19, d19, d19 , d19
• d09, D09, D09, D09, d09, d09
• dv9, Dv9, Dv9, Dv9, dv9, dv9, dv9
• di9, Di9, DI9, DI9, dI9, di9 , dI9
• do9, Do9, DO9, DO9, dO9, do9, dO9
• du9, Du9, DU9, DU9, dU9, du9, du9

Common character substitutions include:

Also, decent word lists will contain common (and not so common) misspellings. They will also contain keyboard patterns (asdf, qwerty) and common variations of any known pattern of characters that people tend to use.

Tip: don’t use words based on any kind of dictionary, even if you purposely misspell or manipulate the characters.