The Developers and Programmers Passwords 101

If you’ve ever designed a user registration script, a membership site or any script that creates or stores user passwords, there are some practices which every good developer should be aware of. While most small scale applications are not in danger of being targeted by anyone with malicious intent (simply because they don’t have enough user accounts to make a blip on the radar), there is a point in the life of any good script at which it becomes large enough that people can and will target your password list, and security becomes an issue. By implementing a few simple measures and understanding how password security is compromised, you can limit the possibility of your password list being compromised and minimize the potential damage caused.

1. Hash & Salt

One of the most commonly committed cardinal sins of password storage is storing passwords in plain text. This is frightfully common and I even remember one shocking instance of a fairly popular web application storing password and username combinations in a .txt file. Storing passwords in plain text is not only lazy, it’s a huge security risk. The most common method of storing usernames and passwords is within a MySQL table via PHP. This article explains the fundamentals of password hashing in such a setup, how it works, why it works and how easy it is to implement.

But, in a nutshell, hashing is the process of running a one-way algorithm over a user-supplied password so that you can store a value which is useless by itself. Any potential hacker would also need to know your local hashing algorithm before they stood even a chance of brute forcing their way into that account. Furthermore, brute force and dictionary attacks can also be overcome by the simple salting method, whereby you generate a unique salt for each password locally and store it alongside the hashed password.

The article linked provides PHP code to hash, salt and store passwords in a secure manner and provides much more information than I could hope to.

2. Passwords Will Be As Secure As You Require Them To Be

People are like lightning; they take the path of least resistance. In the realm of passwords, this means people will gravitate towards the shortest and easiest to remember possibility. In short, if you have no restriction on the number or types of characters allowed in your passwords, you will end up with passwords like ‘abc’, ‘123’, ‘password’ and ‘secret’. This is not an exaggeration for dramatic effect; people will actually choose and use these types of passwords.

By enforcing some, if not all, of the restrictions below you can ensure the security of your password list will greatly increase:

Minimum character length. Require at least 8 characters. It is generally accepted and confirmed that 8 characters is the minimum required to generate a secure password. You may be scared to enforce longer passwords for fear that people will simply not sign up, but this is a misguided fear. If someone wants to sign up for your site, a password field requiring an extra 2 characters on top of their existing password is an unlikely deterrent.

Other password enforcement policies should include:

  • Password must contain letters and numbers.
  • Password must contain uppercase and lowercase characters.
  • Password must contain at least 1 symbol (outside a-z, A-Z and 0-9).
  • Password must not be based on a dictionary word.

The Password Meter is an excellent resource to test the strength of a password while having a look at how it’s being analyzed. The script is free to download for use with your own applications. While there are pros and cons to making password strength a requirement, there is absolutely no reason not to show the strength to the user in a system like this.

As a side note, never require passwords to be too strong. An 8 character password that someone remembers is much more secure than a 16 character password which has to be written down or saved on a desktop (and is therefore susceptible to being hijacked).
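As an added example (not the article’s code and not The Password Meter’s script), here is a PHP check that enforces the policy listed above: 8 characters minimum, letters and numbers, mixed case, at least one symbol, and not based on a dictionary word. The word list and the candidate passwords are constructed sample values; a real deployment would load a proper dictionary from a file.

```php
<?php
// Added example: a checker for the password policy described above.
// Returns the list of rules the password breaks; an empty array means it passes.

function password_policy_violations(string $password, array $dictionary): array
{
    $violations = [];

    if (strlen($password) < 8) {
        $violations[] = 'must be at least 8 characters long';
    }
    if (!preg_match('/[A-Za-z]/', $password) || !preg_match('/[0-9]/', $password)) {
        $violations[] = 'must contain both letters and numbers';
    }
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)) {
        $violations[] = 'must contain both uppercase and lowercase letters';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $violations[] = 'must contain at least one symbol';
    }

    // "Not based on a dictionary word": strip digits and symbols, lowercase what
    // is left, and reject it if a dictionary word of 4+ letters is inside it.
    // Deliberately simple, but it still catches "Password1!" (core: "password").
    $core = strtolower(preg_replace('/[^A-Za-z]/', '', $password));
    foreach ($dictionary as $word) {
        if ($core !== '' && strlen($word) >= 4 && strpos($core, $word) !== false) {
            $violations[] = "must not be based on the dictionary word '$word'";
            break;
        }
    }

    return $violations;
}

// Constructed sample word list (a real one is much longer).
$dictionary = ['password', 'secret', 'letmein', 'welcome', 'qwerty'];

// Constructed candidates: one breaks everything, one is only a dictionary word
// dressed up, and one passes every rule.
foreach (['abc', 'Password1!', 'Tr0ub4dor&3'] as $candidate) {
    $result = password_policy_violations($candidate, $dictionary);
    echo $candidate, ': ', $result ? implode('; ', $result) : 'OK', PHP_EOL;
}
```

The messages are meant to be shown to the user next to the strength indicator, so they know which rule to fix rather than just seeing "rejected".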

3. Retrieval/Reset Mechanisms

Password retrieval is a part of password management which, in the field, commonly has vulnerabilities and programmer-induced pitfalls. The most common mistake made, bar none, is to send out the user’s current password upon request. That is, the user forgets their password, clicks the ‘forgotten password’ link and enters their email. The script sends out a copy of their password via email and they get access to their account again. The problem here lies in the fact that hashing is one way. If you store the user’s password as a hashed value there is no way to send out a plain text version.

Therefore, any site or service you are registered with which sends you a copy of your existing password upon request is not maintaining your password securely. This is a useful tip to know, especially if you are using the same password on more than one site.

Instead, when someone clicks ‘forgot password’ and enters their email, the savvy programmer will have his script generate a new password, send it to the specified email, then store it in his database using hash & salt. This means the user will need to take the extra step of changing their password to something memorable again, but vastly improves the security of your password system and keeps the user safe.
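The following PHP is an added example covering both section 1 (hash and salt) and section 3 (reset), not the code from the linked article. It uses PHP’s built-in password_hash() with bcrypt, which generates and embeds a random per-password salt in the returned string, in place of the hand-rolled salt column the article describes; the $users array is a constructed in-memory stand-in for the MySQL table, and all usernames and passwords are made-up sample values.

```php
<?php
// Added example: storing, verifying and resetting passwords with password_hash().
// The stored string holds algorithm, cost and salt, so no separate salt column
// is needed; password_verify() re-hashes the attempt with that salt and compares.

/** Hash a new password for storage. */
function store_password(array &$users, string $username, string $password): void
{
    $users[$username] = [
        'hash'        => password_hash($password, PASSWORD_BCRYPT),
        'must_change' => false,
    ];
}

/** Verify a login attempt against the stored hash. */
function check_password(array $users, string $username, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_BCRYPT);
    }
    if (!isset($users[$username])) {
        // Verify against a throwaway hash so an unknown username costs the same
        // time as a wrong password and does not reveal which accounts exist.
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $users[$username]['hash']);
}

/**
 * Forgotten-password flow from section 3: the old password cannot be recovered
 * from its hash, so generate a fresh random one, store only its hash, and flag
 * the account so the user is prompted to pick something memorable on next login.
 * Returns the temporary password for the caller to email, or null if no such user.
 */
function reset_password(array &$users, string $username): ?string
{
    if (!isset($users[$username])) {
        return null; // the page shown to the requester should read the same either way
    }
    // 12 bytes from the CSPRNG become 16 printable characters (no '=' padding
    // since 12 is a multiple of 3); '+' and '/' are swapped for email safety.
    $temporary = strtr(base64_encode(random_bytes(12)), '+/', '-_');
    $users[$username]['hash']        = password_hash($temporary, PASSWORD_BCRYPT);
    $users[$username]['must_change'] = true;
    return $temporary; // goes out by email only; it is never stored in the clear
}

// Walk-through with constructed values.
$users = [];
store_password($users, 'alice', 'Correct-Horse-9');
var_dump(check_password($users, 'alice', 'Correct-Horse-9'));  // correct password
var_dump(check_password($users, 'alice', 'wrong'));            // wrong password
var_dump(check_password($users, 'nobody', 'anything'));        // unknown account
$temporary = reset_password($users, 'alice');
var_dump(check_password($users, 'alice', 'Correct-Horse-9'));  // old password no longer works
var_dump(check_password($users, 'alice', $temporary));         // the temporary one does
var_dump($users['alice']['must_change']);                      // user is forced to choose a new one
```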

4. Lockout Mechanism

An important but often overlooked part of maintaining a secure password system is having a lockout mechanism. This is a system whereby someone can report their account as hijacked or compromised which, upon review, will be temporarily locked. This prevents compromised accounts being used for malicious purposes. For example, someone gets access to Mrs Bloggs’ account, logs in as her and sends a message to Mr Blogg asking for his email account password or bank account details so she can “make a payment to the Jones’ next door” (better thought out ruses involving other personal info have been used successfully in the field). It’s uncommon, but it does happen, and having a lockout mechanism limits the damage caused and protects your users from each other.

An additional lockout mechanism which virtually negates the possibility of brute force attacks is password lockout. Include a simple script to count login attempts. If there are more than 3 failed login attempts, per minute for example, then lockout login attempts for that account for an hour. This makes it very unlikely for dictionary or brute force attacks to succeed and/or go unnoticed.
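An added example, not the article’s own script, of the attempt-counting lockout just described in PHP: more than 3 failed attempts within one minute locks the account for an hour. The $attempts array is a constructed in-memory stand-in for a database table keyed by username, and the timeline and username are made-up sample values.

```php
<?php
// Added example: per-account login throttling with a sliding one-minute window.
// Thresholds are the article's (3 failures per minute, one-hour lockout).

const MAX_FAILURES   = 3;
const FAILURE_WINDOW = 60;    // seconds
const LOCKOUT_PERIOD = 3600;  // seconds

/** Is the account currently locked at time $now (Unix seconds)? */
function is_locked_out(array $attempts, string $username, int $now): bool
{
    return isset($attempts[$username]['locked_until'])
        && $attempts[$username]['locked_until'] > $now;
}

/** Record a failed login; returns true if this failure triggered a lockout. */
function record_failure(array &$attempts, string $username, int $now): bool
{
    $entry = $attempts[$username] ?? ['failures' => [], 'locked_until' => 0];

    // Keep only failures inside the sliding window, then add this one.
    $entry['failures'] = array_values(array_filter(
        $entry['failures'],
        function (int $t) use ($now) { return $t > $now - FAILURE_WINDOW; }
    ));
    $entry['failures'][] = $now;

    $locked = false;
    if (count($entry['failures']) > MAX_FAILURES) {
        $entry['locked_until'] = $now + LOCKOUT_PERIOD;
        $entry['failures']     = [];
        $locked = true;
        // Log it: a burst of failures is something to review, not only to block.
        // Note that a lockout can also be triggered against a legitimate user by
        // anyone who knows their username, so alerting matters as much as blocking.
        error_log("lockout: account '$username' locked for " . LOCKOUT_PERIOD . 's');
    }
    $attempts[$username] = $entry;
    return $locked;
}

/** A successful login clears the failure history. */
function record_success(array &$attempts, string $username): void
{
    unset($attempts[$username]);
}

// Walk-through with a constructed timeline (Unix seconds).
$attempts = [];
$t0 = 1000;
foreach ([0, 10, 20] as $offset) {
    record_failure($attempts, 'bob', $t0 + $offset);   // three failures: still allowed
}
record_failure($attempts, 'bob', $t0 + 30);            // fourth inside a minute: locked
var_dump(is_locked_out($attempts, 'bob', $t0 + 31));                  // locked
var_dump(is_locked_out($attempts, 'bob', $t0 + 30 + LOCKOUT_PERIOD)); // lock expired
record_success($attempts, 'bob');                      // a good login clears the history
```

The login handler should call is_locked_out() before it even checks the password, so a locked account never reaches the hash comparison.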

Passwords are as secure as you require them to be.

Bash.org Clone PHP Script for IRC Quotes

Having had a few hours free last night and being part of a rather quirky IRC server I decided to code up a clone of Bash.org’s quote database system. My script replicates and clones bash.org almost entirely and has the following features:

  • Stores an almost infinite number of quotes or comments.
  • Allows users to rate comments up or down and has minimal duplicate voting protection.
  • Optional captcha system on ‘add a quote’ page.
  • Search, Random, Browse & Other Bash.org features.
  • Admin/moderation option to delete quotes.

The script is also surprisingly simple and is all contained within one file. After running the SQL within that file you can drag and drop it into anywhere on your server and it will work immediately.

You can see a demo of it in action here (be warned: this section of the site is NOT safe for work and contains offensive material).

You can download the IRC quotes database script here. To install simply run the SQL statements within the php file in MySQL, edit the settings and upload. It’s extremely simple to setup and use and you can customize the look, feel and layout all from the .php file.

If you use this script on your site please let me know and I’ll put up a link to you here or leave a comment with your URL. Feel free to remove the ‘powered by’ but if you do, please consider making a small donation to make it worth my while.

PHP Jokes and Puns

For no specific reason whatsoever, here are a collection of PHP Jokes and puns. Most of which are terrible.

Q: Why do PHP programmers dislike ASP programmers?
A: ASP programmers only write basic code.

<?php
if ($girl['looks'] == "hot") {
    if ($beer == "cold") {
        $life = "Sorted!";
    } elseif (function_exists('girl_get_beer') == true) {
        if (msg_send($girl['job_que'], 1, 'Get me a beer out of the fridge!') === false) {
            $life = "Get a new girl!";
        }
    } else {
        array_push($girl['functions'], 'get_beer');
    }
} else {
    $life = "Get a new girl!";
}
echo $life;

?>

Q: Why is PHP freddy krugers language of choice?
A: addslashes();

What did the PHP script say to the server?
Pass me a bottle of water, I’m parsed.

<?php
if (crack_check($woman, $dirty)) { ob_clean(); link("/home/me", "home/her"); }
?>

Yo mamma so easy, PHP developers confuse her with Ruby on Rails.
Your momma so fat I called her and got a stack overflow.
Your momma’s so fat, she needs preg_replace() just to make her fit in a page.

Selling Websites For a Living? Treble Your Income With This Ridiculously Simple Business Plan

One of the most common methods for making money online is making and selling websites. Setting up a customized WordPress or static site is easy to do and costs almost nothing, and selling it on after a few weeks of work is an excellent way to make some residual cash. However, there is an equally easy method which takes exactly the same amount of time and effort to complete but is VASTLY more profitable. This article is a lengthy look at a simple business model you can adopt immediately and start making three times as much income from making websites as everyone else does.

The basic overview and idea is to create a niche website with some content, build some incoming links and traffic flow just as you would with any regular site, then get in touch with and pitch to businesses offering different plans which they can rent and then use the influence and benefits of your site to help grow their existing business.

Let’s take Massage as an example niche. First we spend a few weeks or a few months building a nice Massage site with WordPress or XSitePro or perhaps just HTML and PHP; however you create websites already, this method will slot in. Typically I will build a WordPress site, because it’s what I’m good at. So I install WordPress and style it with a nice Massage image header and add some colours that fit into this category. I’ll install all my standard plugins which help SEO, communication, link building and more. I’ll install a WordPress forum and create several massage related topics in there. All these steps take me a total of around 30 minutes to an hour.

I then find some common Massage questions people are asking in massage forums and on massage sites. I’ll use these questions to write 40 or 50 articles which people in this area are genuinely interested in and are searching for the answers to. Once I have close to 50 articles I use WordPress’ built-in future-scheduling feature to make it post one article every week, thus giving me a year’s worth of articles being posted to my site on autopilot. I can hire someone to write me 50 articles for around $200, depending on how important the quality is. If I’m short on cash I’ll write them myself in 3 or 4 days and gain the benefit of ensured high quality.

While my first few articles are publishing I’ll spend the first couple of weeks building incoming links for free from directories, forum signatures, commenting, article submission and Social Bookmarking. This takes a bit of time and effort but gets the site on the radar and usually to pagerank 3 for free. Next I’ll spend a few hundred dollars for some advanced SEO, buying links, a Yahoo! directory listing, some press releases and more.

In most circumstances I’ll spend a month and around $400 on the site and I’ll end up with a good massage site with pagerank 4 and a few hundred visitors per day. This is a pretty common strategy and at this stage most people would sell the site for shy of a thousand dollars and repeat the process. So next is the twist that earns me at least three times as much as everyone else.

I rent the site out. I spend a good chunk of my time getting in touch with massage businesses from around the world. These can be local massage parlors, a masseuse house in Germany, a site online that sells massage oils, or just about any business that is related to my niche. I tell them that I have an excellent and well positioned (in terms of SEO) website that revolves around their business and would be excellent at generating them leads, traffic or an advertising platform. Like most cold calling, I’ll get a response from around 10-20% of the people I contact and I’ll have to work pretty hard before someone will rent from me. But once they do I’m generating $50-$250 per month for virtually no extra work. If I can put together a PDF file as a report which details my growth details (in terms of traffic and SEO over the past month or two) and show examples of how I can use my site to generate them more business, they’ll be interested and buy in.

A good way to market this is offer different packages. Package A. at $50 per month offers them their own company logo or banner and a method for collecting customer details (a registration system you can export and give them contact details & leads), Package B. is $100 per month and offers them the same with their company colours styling your site and various links pointing to their existing site. Package C. is $200 and allows them to edit the content of your site, put up their own info and company details, write up articles, etc.

One of the beauties of this model is that once you have the basics down pat and know what you’re doing you can duplicate it with a new niche within a few weeks and start making cash within a month. If one of your contacts decides they no longer want to rent your service (though typically once they start seeing the benefits this doesn’t happen) you can contact someone else and bump up your prices as your site’s rankings and traffic increase.

Another very cool benefit is that while you’re setting up your site or while you’re transferring to a new client you can sell affiliate products, paste in your AdSense code or sell advertising space for some extra pocket change. If you run out of clients or get fed up with it, you can still earn cash.

Yet another awesome incentive for adopting this business model is that if at any time you need an extra cash boost you can sell a few of your sites. Since your sites will be earning you cash each month over a period of time they’ll grow as you add to them and build more incoming links. After a year you could have a majorly profitable website on your hands and since you have a huge list of business contacts in your niche you will have no shortage of businesses wanting to buy your website. Depending on how well you do you can easily earn $5,000 or more from selling a reasonably sized website.

The numerous side benefits and possibilities from this business model are truly staggering and at no stage will you be short of new ideas. Since you have the ability to kick your clients each month and offer it to new businesses for increasingly larger monthly sums you’ll soon have a very low maintenance, very high income, always growing business model with huge room for experimentation so you’ll never get bored.

20 Backmasked Songs & A Few Others

Backwards messages in songs, known as Backmasking, have been around since the Beatles (Tomorrow Never Knows is the first known song to contain a backwards message) and were at times surrounded by incredible media and public hysteria. In early 1982, the Praise the Lord Network’s Paul Crouch hosted a show with William Yarroll, who argued that rock stars were cooperating with the Church of Satan to place hidden subliminal messages on records. Also in 1982, fundamentalist Christian pastor Gary Greenwald held public lectures on the dangers of backmasking, along with at least one mass record-smashing. During the same year, thirty North Carolina teenagers, led by their pastor, claimed that singers had been possessed by Satan, who used their voices to create backward messages, and held a record-burning at their church.

Electric Light Orchestra singer and songwriter Jeff Lynne responded to allegations by calling this accusation (and the related charge of being “devil-worshippers”) “skcollob”.

Serial killer Richard Ramirez, on trial in 1988, stated that AC/DC’s music, and specifically the song “Night Prowler” on Highway to Hell, inspired him to commit murder. Reverse speech advocate David John Oates claimed that Highway to Hell, on the same album, contains backmasked messages including “I’m the law”, “my name is Lucifer”, and “she belongs in hell”. AC/DC’s Angus Young responded that “you didn’t need to play [the album] backwards, because we never hid [the messages]. We’d call an album Highway To Hell, there it was right in front of them.”

While the majority of famous backmasks have been imagined (a phenomenon caused by the human brain’s need to explain everything, similar to how ink blot pictures work), there are several which have been acknowledged and confirmed by the artists who created them. Here are 20 such backmasked messages.

Evil Eye by Ash
Message: “She’s giving me the evil eye, suck Satan’s c*ck.”

Said at the beginning of the song. Lead singer Tim Wheeler remarked that “Yeah, we did hide a secret message in ‘Evil Eye’, but it’s not that bad…”

Detour Through your Mind by The B-52’s
Message: “I buried my parakeet in the backyard. Oh no, you’re playing the record backwards. Watch out, you might ruin your needle.”

Rain by The Beatles
Message: “…the sun shines. Raaain. When the rain comes, they run and hide their heads”

Lennon stated that, while under the influence of marijuana, he accidentally played the tapes for “Rain” in reverse, and enjoyed the sound. The following day he shared the results with the other Beatles, and the effect was used first in the guitar solo for “Tomorrow Never Knows”, and later in the coda of “Rain”. Note that the last line is the reversed first verse of the song.

Lift Your Head Up High (and blow your brains out) by The Bloodhound Gang
Message: “Devil child will wake up and eat Chef Boyardee Beefaroni”

Said in a deep, odd-sounding voice. Preceded by “I hope you take this the wrong way / And misinterpret what I say / Rewind and let me reverse it / Backwards like Judas Priest first did”

Hate Yer State by Choking Victim
Message: “You think you’re alive motherf*cker? You’re just the walking f*cking dead, you’re a f*cking sheep, stepping on my back to stay alive. West coast, East coast, you’re all just a bunch of f*cking fools, you and the rest of this greedy f*cking world. Kill yourself! So remember, stay in school, say no to drugs, oh yeah! Hail Satan! Good night boys and girls, pleasant dreams.”

Reversal of undecipherable gibberish at beginning of song.

Rocket by Def Leppard
Message: “We are fighting with the gods of war”

A preview of another song, “Gods of War”, on the album Hysteria.

Fire On High by Electric Light Orchestra
Message: “The music is reversible, but time… (violin note) is not. Turn back! Turn back! Turn back! Turn back!”

Electric Light Orchestra were taken to court over an alleged backmasking message on their 1974 album Eldorado. This was during the time when media hysteria surrounded backmasking and many bands were taken to court, often for nonsensical reasons. In response, Electric Light Orchestra included 2 backmasked messages in their next album Face The Music, the more coherent of which is above.

Hot Poop by Frank Zappa
Message: “Better look around before you say you don’t care. Shut your f[censored]ing mouth about the length of my hair. How would you survive, If you were alive, Shitty little person?”

This profanity-laced verse, originally from the song “Mother People”, was censored by Verve Records, so Zappa edited the verse out, reversed it, and inserted it elsewhere in the album as “Hot Poop”.

Michael by Franz Ferdinand
Message: “She’s worried about you, call your mother.”

Right before the second verse. A reference to bassist Bob Hardy’s homesickness during the recording of the album. The band “wanted to do the exact opposite [of Satanic backmasking], put the most positive thing we could think of as a backwards message.”

Echo Side by Insane Clown Posse
Message: “Fuck the Devil! Fuck that shit! We believe in life legit. If you diggin’ what we say, why you throw your soul away?”

Everybody Rise by Insane Clown Posse
Message: “Yeah, if you flip this message cuz you think there’s some secret message, there ain’t shit!”
Reversal of gibberish at the end of the track. Said by Violent J.

Boys in Black by L7
Message: “All beef patties, special sauce, lettuce, cheese, pickles, onions on a sesame seed bun. Two all beef patties.”

The formula for a Big Mac.

Nightmare/The Dreamtime by Motorhead
Message: “Now tell me, about your miserable little lives. I do not subscribe to your superstitious, narrow minded flights[incoherent] of paranoia. I and people like me, will always prevail! You will never stifle our free speech in any country in the world, ‘coz we will fight forever[incoherent].” “In a single stroke, you poor, stupid, running dogs. Why is it…”

Throughout various sections of the song. Reputedly a message to the Parents Music Resource Center (PMRC). The PMRC claimed that popular music, and especially rock and heavy metal music, was partially responsible for the contemporary increase in rape, teenage pregnancy, and teen suicide. The PMRC also advocated against supposed subliminal backmasking in records, and accused bands including Led Zeppelin, Rush, Pink Floyd and Queen of backmasking to promote Satanism and drug use.

Bloodbath In Paradise by Ozzy Osbourne
Message: “Your mother sells whelks in Hull”

A parody of the most famous line from The Exorcist, in which the possessed child screams “Your mother sucks c*cks in hell.”

Empty Spaces by Pink Floyd
Message: “Dear Punter. Congratulations. You’ve just discovered the secret message. Please send your answer to Old Pink, care of the funny farm, Chalfont.” (voice in background) “Roger! Carolyne is on the phone!”

Coup d’Etat by Plasmatics
Message: “The brainwashed do not know they are being brainwashed”

After the Song “The Damned” (at the end of the album).

Perfect Sense by Roger Waters
Message: “Julia, however, in the light and visions of the issues of Stanley, we changed our mind. We have decided to include a backward message. Stanley, for you, and for all the other book partners.”

Waters deliberately recorded a backward message critical of film director Stanley Kubrick, who had refused to let Waters sample breathing sounds from 2001: A Space Odyssey.

665 by Soundgarden
Message: “Hail Santa. Santa, I love you baby. My Christmas king. Santa, you’re my king. I love you, Santa baby. Got what I need.”

Throughout the song. Obviously parodies the claimed Satanic messages.

Which Describes How You’re Feeling (Demo) – They Might Be Giants
Message: “They Might Be Giants wanted to include a verse about the suffering people of the world, but we couldn’t figure out where to put it into this song.”

Towards Destiny by Tiger Army
Message: “Tiger Army Never Die, Tiger Army Never Die, Tiger Army Never Die. As the last tiger dies, the Ghost Tigers rise. Heed the call of the werecat Transylvania. We fight on the side of fate. Toward destiny, we ascend to it forever. Hail Satan.”

After the first verse, at around 0:36. Never Die was a song on the band’s first LP, and “Tiger Army Never Die” has since become the band’s motto. The title of Tiger Army’s third release, III: Ghost Tigers Rise was taken from this message as well.

Other instances of backmasking

In the computer game Doom II, a garbled message played at the start of Map 30, spoken by the “Icon of Sin”, can be played backwards to hear “To win the game, you must kill me, John Romero.” Romero was a programmer for the game; he put the backwards message (with distortions) in to get back at the artists who put the image of his head on the final level.

Blizzard Entertainment has released two games with known hidden audio messages. In Diablo, the message “Eat your vegetables and brush after every meal” is heard as the player enters the 16th level. In Warcraft III, clicking on the Demon Hunter hero a number of times produces the backwards message “I love green trees”, which sounds (forwards) like “siege niege avalya.”

In one scene of Beavis and Butt-Head Do America, Beavis and Butt-Head hallucinate, and voices are heard in the background. The voices are the two characters speaking phrases such as “Everybody go to college, study hard, study hard.”

The Red Dwarf episode “Backwards” includes various backwards messages, including “Oi! Hey! Oi, you robbing bastards, that’s our tandem!” and “I’m addressing the one prat in the country who’s bothered to get hold of this recording, turn it round, and actually work out the rubbish that I’m saying. What a poor, sad life he’s got!” The episode revolves around a return to an Earth where time is running backwards, so most of the dialogue in the show is backward. Most of the backward messages in this episode agree with the subtitled captions explaining them, with a few exceptions.

At one point of the Spongebob Squarepants episode “Opposite Day”, Spongebob and Patrick were talking backwards. When played normally it is gibberish but when it is played in reverse it has a hidden message. The conversation played normally:

Spongebob: Kcirtap yeh.
Patrick: Pu evig I.
Spongebob: Edis etisoppo eht ot teg ot.

The conversation played in reverse:

Spongebob: To get to the opposite side.
Patrick: I give up.
Spongebob: Hey Patrick.