Secure cake

I have a directory on this site which is linked from nowhere and I know that for an absolute fact. There is no way it has been indexed. I could put its name into robots.txt but then you could look there and see what I don’t want the search engines to see. For the curious, here is my robots.txt:

User-agent: HenryTheMiragoRobot
Disallow: /

User-Agent: OmniExplorer_Bot 
Disallow: / 

User-agent: *
Disallow: /images/
Disallow: /catch/
Disallow: /gallery-ink/
Disallow: /nota/
Disallow: /stats/

Of those, /images gives you a 403, /catch no longer exists, /gallery-ink is renamed, /stats is really old and the /nota directory will ban you. Really it will – it’s there to catch bad bots. Anyway, the point is that the directory I mean is fairly secure. You can’t find it.

Now to my point. I have a lot of information I need to keep and keep safe. It’s backed up here but I’m thinking of an online backup too. A wiki. But how to keep that safe given there may well be a link somewhere – it would take just the one for the bots. So if I have cpanel information and blog logins for people – which I do and it’s a lot of people (and no, it’s not FreshlyPressed clients) – how can I keep them safe?
I like .htaccess files and passwords like g&unbj8[_1-7Xa but I regularly see some people claim that such files are easy to crack/bypass and they offer little security. Do they?
If I was to store your cpanel / blog logins on a site of mine what would be your chosen method of protection? It’s got to be easily usable should I need to. If I said here is the link and cracking it would get you information how would you want that protecting? How would you protect it?

I’m forever telling people that once it’s on the net you must assume it’s there for the world to see and you cannot whinge if that actually happens so I suppose I want to see if I can have my cake and eat it.

What’s the best way I can protect my information?

8 thoughts on “Secure cake”

  1. I’d be interested in the answer to this one too. I’ve got so many passwords that I need to keep a record of, which I do securely on my Windows machines, but I need something that will be compatible with Linux too. Storing on the net is the ideal solution, apart from the security angle, which I’m not great with.

    So I hope somebody gives you a solution, it’ll help me too! :D

  2. Personally, I’d recommend an encrypted disk image, or whatever you can encrypt and password on Windows that keeps your files in a very high level of encryption. Upload that, and set it so NO ONE can see it, put it in the main directory so dirlists can’t show it, etc. Keep it out of /public_html or whatever, so no matter what they can’t see it. Boom, done. Two reasons: 1) don’t trust the web host with that shit if it’s others’, because they might look, no matter what their TOS says, and 2) someone else might find it and download it and crack it if you put it where they can.

  3. Yeah I was thinking along the encryption lines too.

    I manage my passwords with, currently, Password Coral, and have swapped several emails with the creator to suggest some way of sync’ing between home and office, easiest way would be to encrypt the details, upload to a server and download again when needed.

    So yeah, I’d go with Cameron and go down the encrypted route. That way if people DO get the file they still have a lot of work left to OPEN the file.

  4. I’d use Keepass and upload the password file to a secure part of the webspace. Depends on the tradeoff between convenience and security of course, but perhaps encase the file in an encrypted RAR as well?

    Other than that, everything else is pretty much desk003’s advice on how to keep the file relatively obscure from bots :)

    I also use something called pwsafe for some passwords but not sure if this runs on Windows (probably not, it’s a command line tool).

  5. I have and use Keepass on my machine and a USB key. Damn good program.

    But a wiki. How would you protect a wiki?
    I could use IP + .htaccess but only if I know the IPs and that limitation is okay.
    I could use really long passwords.
    I could use more than 1 level of .htaccess.

    Example: You need to keep some data online and you need a colleague in Cornwall to be able to see it and manipulate it. You’ll be using it to exchange static and possibly complex data. Email is no good so you will use an online solution. How do you raise the drawbridge?

  6. Hmm. Use a password protected wiki? Set it up on a new subdomain or domain, stick that thing that bans everyone who hits it for the main page, put the wiki in /goomba or something, tell your friend not to go to the main directory because he’ll be banned? It seems a bit over the top though.

    I don’t really know of a good solution.

  7. Hmm, ok. Sorry, I misread your post earlier. The first thing I’ll probably say is “don’t do it”, but you knew that already :)

    There are two issues that I can see here: one is how to protect access via the web (how do you authenticate a person as being legitimately allowed to access the password) and the other is how to protect the resources that are on your hosting disk.

    You determine web access rights by .htaccess (basic/digest authentication is sent in clear text IIRC, so a packet sniffer/key logger between your router and your webserver is a problem) and by ip address (IP spoofing is a problem).

    The second problem is how to protect access from snoopers on your shared hosting. See, wikka (for example) stores the database username/pwd in clear text (in wikka_config.php). Get a mysql prompt into the database and your passwords just vanished into the sunset :) Wikka does not (for example) encrypt the content before storing it in the database; which you really should do in order to stop people going straight to the database and dumping your passwords.

    I’ve seen a quote that said “wikis are not designed to be secure” but I don’t know about that – maybe someone else has had the same problem you have and written something for it :) I’d still suggest trying a public/private key encrypted password database that can be downloaded and used locally… the worst that could happen is someone swiping the entire file and trying to crack it offline – and you do change passwords frequently enough for that not to be a problem, right? :)

    Sorry, this was a long-winded way of saying “I don’t know” :)
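The .htaccess protection the post asks about, and the points comments 5 and 7 raise (IP + .htaccess, Basic auth going over the wire in the clear), as an added example that is not from the post or any commenter: two alternative .htaccess files, the bare setup first and then a hardened one for Apache 2.4 (assumes mod_ssl, mod_authz_core and mod_headers are enabled, which shared hosts usually allow in .htaccess). The paths, the realm name "Private", the user "alice" and the 203.0.113.0/24 range are placeholders.

```apache
# --- File A, weak: the bare "password on a directory" setup ---
# Basic auth only base64-encodes user:password, so over plain HTTP anyone
# between browser and server can read it; the password file sits under the
# document root, where a single misconfiguration serves it as plain text.
AuthType Basic
AuthName "Private"
# placeholder path
AuthUserFile /home/example/public_html/secret/.htpasswd
Require valid-user

# --- File B, hardened (Apache 2.4) ---
# 1. Refuse plain HTTP outright. SSLRequireSSL is evaluated in the access
#    phase, before authentication, so the browser is never even asked for
#    credentials on an unencrypted connection.
SSLRequireSSL

# 2. Keep the password file outside the web root (comment 2's advice) and
#    create it with bcrypt rather than htpasswd's default MD5/crypt hash
#    (the -B option needs htpasswd from Apache 2.4.4 or later):
#      htpasswd -B -C 12 -c /home/example/private/.htpasswd alice
AuthType Basic
AuthName "Private"
# placeholder path, deliberately not under public_html
AuthUserFile /home/example/private/.htpasswd

# 3. Demand BOTH a valid login AND a known source network (comment 5's
#    "IP + .htaccess"); 203.0.113.0/24 is a documentation range, swap in
#    the colleague's real address block.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAll>

# 4. Tell crawlers not to index anything served from here (including the
#    401 challenge page, hence "always"), which removes the need to
#    advertise the directory's name in robots.txt at all.
Header always set X-Robots-Tag "noindex, nofollow"
```

Verify the hardened file by requesting the directory over http://, which should return 403 without a login prompt, and over https:// from an address outside the allowed range, which should return 403 even with the correct password.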
