In our last post, we discussed the three main points of weakness that hackers target when trying to gain access to a website, and why it’s important for every site of any size to make sure they have a solid defense in place.
There’s one thing it’s much harder to secure against: Someone who has your login and password, and walks in by the metaphorical front door. Believe it or not, a malicious person logging in using correct login details is one of the most common ways that a business loses control of their website. Most people have no idea how insecure their password habits are!
There are lots of things that can be done to keep your passwords from ending up in the wrong hands, but no one else can do them for you or for your employees. When it comes to protecting the keys to the kingdom, security is everyone’s job. Here are a few simple rules to live by to keep yourself (and your business) safe online.
Password hygiene rule #1:
Choose good passwords to begin with. But what is a good password?
- The longer the better. A minimum of 10 characters is a good rule of thumb, but more is always better. To make your password memorable and hard to crack at the same time, use long strings of words. For example, you might include an entire stanza of song lyrics. You can remember the words to your favorite song, right?
- Do not use any part of your company name, including initials
- Do not use any part of your own name, username, initials, etc.
- Do not use common phrases like “password” or “letmein”, names like God or Jesus, or sequential numbers like 123 or 8910.
- Adding special characters such as $, # or & is a good idea. However, bots know that most people will only include a single special character, and most people only do so at the end of their password. The most common special character in a password is an exclamation point at the very end — so put the special character somewhere in the middle.
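As an added example (not code from the original post), here is a small Python checker that applies the rules above to a candidate password: minimum length, no company name, personal name, username or initials, no common words, no counting sequences of digits, and at least one special character that is not merely tacked onto the start or end. The company, person and username it is tested against are constructed placeholders.

```python
import re
# Constructed policy context for this example; the company and person names are assumptions.
COMMON_WORDS = {"password", "letmein", "god", "jesus"}
SPECIALS = "!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~"

def name_fragments(name):
    """Lowercase words (3+ letters) and initials of a name: 'Acme Widgets' -> {'acme', 'widgets', 'aw'}."""
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", name)]
    frags = {w for w in words if len(w) >= 3}
    if len(words) > 1:
        frags.add("".join(w[0] for w in words))
    return frags

def is_counting_run(digits, min_terms=3):
    """True if a digit string is consecutive integers glued together: '123', '8910', '91011'."""
    for width in (1, 2):
        if len(digits) <= width:
            continue
        n, pos, terms = int(digits[:width]), width, 1
        while pos < len(digits) and digits.startswith(str(n + 1), pos):
            n, terms = n + 1, terms + 1
            pos += len(str(n))
        if pos == len(digits) and terms >= min_terms:
            return True
    return False

def has_counting_digits(pw):
    """True if any digit run in pw contains a counting sequence of three or more terms."""
    runs = re.findall(r"\d+", pw)
    return any(is_counting_run(r[i:j]) for r in runs for i in range(len(r)) for j in range(i + 3, len(r) + 1))

def check_password(pw, username="", person="", company=""):
    """Return the list of rule #1 violations; an empty list means the password passes."""
    low, problems = pw.lower(), []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    identity = name_fragments(company) | name_fragments(person) | ({username.lower()} if username else set())
    if any(frag in low for frag in identity):
        problems.append("contains part of the company name, your name, username or initials")
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a common password word")
    if has_counting_digits(pw):
        problems.append("contains sequential numbers")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    elif not any(c in SPECIALS for c in pw.strip(SPECIALS)):
        problems.append("special characters only at the start or end; move one into the middle")
    return problems
```

A lyric-style passphrase such as `Tw0 roads d1verged in a #yellow wood` passes every check, while `password1!` is flagged twice (common word, special character only at the end).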
Why does this matter? There’s an exceedingly common type of attack known as a “brute force attack.” This is when a bot continually guesses passwords until it cracks the code. Such a bot can make about 10,000 password guesses a minute; it never gets tired or bored, and it knows all the common patterns that many humans use when creating a password, which makes its guesses even more likely to work.
Most well-secured modern sites (certainly the ones we create and administer!) are set up to detect when a brute force attack is occurring and lock the bot out after a certain number of wrong guesses, but some bots are wily and will simply switch IPs to try again several more times. You can make this process too time-consuming and difficult even for a bot by following the above rules when creating passwords.
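The lockout behaviour described above, as an added example that is not part of the original post: a small Python detector that replays login events from constructed log lines, counts failures in a sliding window per source IP, and also per target username across all IPs so that a bot which switches addresses is still locked out. The log format, thresholds and (RFC 5737 documentation) addresses are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")

# Constructed sample log: one bot guessing "admin" from three addresses, and one real user who mistypes twice.
# The line format and the (RFC 5737 documentation) addresses are assumptions for this example.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{s:02d} FAIL user=admin ip=203.0.113.10" for s in range(5)]
    + [f"2024-05-01T10:01:{s:02d} FAIL user=admin ip=203.0.113.11" for s in range(4)]
    + [f"2024-05-01T10:02:{s:02d} FAIL user=admin ip=203.0.113.12" for s in range(4)]
    + ["2024-05-01T10:03:00 FAIL user=jsmith ip=198.51.100.7",
       "2024-05-01T10:03:05 FAIL user=jsmith ip=198.51.100.7",
       "2024-05-01T10:03:10 OK user=jsmith ip=198.51.100.7"]
)

def detect_brute_force(lines, per_ip=5, per_user=10, window=timedelta(minutes=10)):
    """Replay login events in order and return (blocked_ips, locked_users).

    Failures are counted in a sliding window per source IP (catches a single bot) and
    per target username across all IPs (catches a bot that switches addresses).
    A successful login clears that username's failure history."""
    recent = defaultdict(deque)  # (kind, key) -> timestamps of recent failures
    blocked_ips, locked_users = set(), set()

    def bump(key, ts, limit):
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        return len(q) >= limit

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event
        ts, status, user, ip = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)
        if status == "OK":
            recent.pop(("user", user), None)
            continue
        if bump(("ip", ip), ts, per_ip):
            blocked_ips.add(ip)
        if bump(("user", user), ts, per_user):
            locked_users.add(user)
    return blocked_ips, locked_users

if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_LOG))  # ({'203.0.113.10'}, {'admin'})
```

Only the first address trips the per-IP limit; the second and third stay under it, but the per-username count across all three still locks the "admin" account, while the real user's two typos followed by a successful login trigger nothing.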
Password hygiene rule #2:
Do not reuse passwords. Each site you have a login to should utilize its own, 100% unique, not-shared-with-any-other-site password. This is true for all sites, but ESPECIALLY for:
- Your email
- Your banking accounts
- Your logins to company properties
Why is this important? No matter how secure you make your OWN site, you can’t control (or even know) how secure OTHER sites are. Say you join a forum to discuss fishing and camping with other hobbyists, and a year later that forum is hacked. If you’ve used the same password as you do for other sites, that hacker now knows a likely username that you might be using elsewhere, your email address, and your password for that site. It’s easier than you’d believe for a bot to be set up that crawls the web trying that combination of username/email/password to see if it can log in anywhere else that’s more important! If you happen to reuse the same password for your email address, then you’re really in trouble: the hacker can log in to your email account and use the password reset form on any site they like, such as your company website or your personal bank account. You can foil this scheme simply by not reusing the same password for any two sites.
Password hygiene rule #3:
Give each person with access to your website or online portal a unique login, and deactivate it if they leave the company. As much as possible, do not share logins. If you must, remember to reset the password every time there’s a staffing change.
Why is this important? When it comes to a site being compromised because the attacker used a correct password to get in, most people’s first guess is a disgruntled employee or contractor who had the password when they were fired, and the company forgot to change that password or remove their personal login. Revenge vandalism or theft can happen, though it’s not as close to the top of the list as people think. I’ve seen it a few times (and helped to clean up the damage) in my career.
Password hygiene rule #4:
Every computer in your office should have an up-to-date anti-virus program running and monitoring the computer at all times. Run regular deep scans to make sure no one is spying on you. If you or your employees work from home or from other computers, make it company policy that they need to install and keep active an anti-virus program on any machine they use to log in to the site.
Why is this important? If your computer is infected with malware, there are many different ways that malware could gain access to your passwords. It might search your hard drive for any file where you have stored password information, and send that back to its master. Even if you aren’t storing that information on your computer, malware can simply record every letter that you type throughout the day (a keylogger) and send the record back to its master — you can’t get away with not typing your passwords! Therefore, make sure your computer is virus and malware free at all times.
Password hygiene rule #5:
Store and transmit passwords securely.
You will most likely want a solution that allows you to look up/use your passwords from many different devices (desktop, laptop, phone, etc.). Make sure that that solution saves your passwords with encryption. Here’s some potential options:
- Use Evernote encryption to keep and store your passwords.
- Password Manager Pro
When you need to give someone else a password, such as a new hire at work, don’t just email or IM them the username and password! Email and IM are inherently insecure, and if either of you experiences a hacking, malware, device theft or even just a plain old “forgot to log out from your email before leaving the hotel business center and flying back home” event, then that password is toast. So when your passwords must leave the safe storage of your encrypted environment to make the trip to someone else’s safe storage solution, send them the username as normal, then the password through a site like onetimesecret.com. That site lets the recipient view the password only once before destroying it. That way, even if one or both of you loses control of your email, the person who got in won’t be able to find any useful passwords. And even if onetimesecret experiences a security issue, the person who sees your secret will only see a jumble of characters, with no clue as to what site and username that password matches.
Why is this important? If you follow all of these rules, you’re going to have too many passwords to memorize. You’re going to have to store them somewhere; so make sure that somewhere is safe too, so all this effort doesn’t go to waste!
Does all of this sound paranoid or like too much work to be worth it?
Something is only paranoid if it’s an unrealistic level of alarm or caution. Keep in mind that roughly 30,000 to 50,000 websites are hacked per day, and most of that hacking is being done by bots who never get tired or bored. Hackers are a real threat to your business!
And is it worth taking the extra precautions to defend against them? If protecting your customer information, financial data, and reputation are important to you, then yes! Compare the two options: spending thousands on a clean-up after a hack, potentially untold sums defending against customer lawsuits after their information was taken from you, and running PR damage control; or spending a few extra seconds encrypting your passwords and a few extra bucks making sure your sites are hardened against common attacks. Put that way, the answer is yes.
Cultivating good password hygiene habits (and including them in your company policy manual!) is a necessity not just for modern business people, but modern people from all walks of life.