Website Security (even for those who don’t have anything to hide)

Website security might be the most boring topic of owning a website, but it can either ensure your website returns on your investment or turn your site into an expensive time sink.

Why Security?

The first question people often ask about website security is, “why should I care if someone gets access to my website if I don’t keep any personal data on it?” That’s a reasonable question because most websites don’t process credit cards or manage customer health records.

To appreciate the answer to this question, you need to remember that a website is really just a robot. You’ve programmed it to display your content and layout when a visitor arrives in hopes that they will be interested in becoming your customer. However, robots can be reprogrammed to do other tasks as well and this is why hackers want to gain access to your website.

Once a hacker has gained access to your site he can insert malicious programming, such as viruses and ransomware, or he can operate your site as if he were an authorized administrator, adding hidden pages to advertise illicit products or creating pages with links to another site to boost his SEO rank. These disruptions can result in your site being blacklisted by Google, require costly services to remove malicious code or rebuild your site, or force you to pay a cash ransom in order to regain access to your website.

The easiest way to keep your website secure – STRONG PASSWORDS

There are many best practices for protecting your website, and those will be discussed in a later post, but by far the easiest way to mitigate the damage done by a hacker is to prevent hackers from ever getting access to your site! While there are many ways unauthorized users can “break into” your server, the most common is by simply finding or guessing your password. There are many programs available on the internet that can make quick work of iteratively guessing weak passwords.

With all of the passwords a person needs to create these days, it’s always tempting to pick something that’s easy to remember, but passwords that are easy for you to remember are the easiest ones to guess!

In 2013 Adobe’s servers were hacked and the passwords of 38 million account holders were exposed unencrypted. Do any of the top 20 most common passwords from Adobe’s accounts look familiar to you?

  1. 123456
  2. 123456789
  3. password
  4. adobe123
  5. 12345678
  6. qwerty
  7. 1234567
  8. 111111
  9. photoshop
  10. 123123
  11. 1234567890
  12. 000000
  13. abc123
  14. 1234
  15. adobe1
  16. macromedia
  17. azerty
  18. iloveyou
  19. aaaaaa
  20. 654321

If they do, you’re not alone! You can bet the hackers have seen this list and these are the first passwords they try.

There are several precautions a skilled webmaster can configure for your site, but the easiest and most effective security precaution is ensuring that only a limited number of necessary accounts are created and that the passwords used for those accounts are strong (difficult to guess).

Best practices for creating new passwords

  • Avoid people’s names and words (or any of the common passwords shown above)
  • Use at least 12 characters
  • Use a combination of upper and lower case letters, numbers and symbols
  • Create different passwords for different accounts
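The four rules above can be checked mechanically. The following is an added example (not code from the original post) that scores candidate passwords against those rules and against the Adobe top-20 list quoted earlier, and also flags a password that is reused across accounts. The sample passwords, the small word list and the account names are constructed for illustration.

```python
"""Check candidate passwords against the best practices in this post.

Added example; not code from the original post. The sample passwords and
the small word list below are constructed for illustration.
"""
import string

# The 20 most common passwords from the 2013 Adobe breach, as listed in the post.
ADOBE_TOP20 = {
    "123456", "123456789", "password", "adobe123", "12345678", "qwerty",
    "1234567", "111111", "photoshop", "123123", "1234567890", "000000",
    "abc123", "1234", "adobe1", "macromedia", "azerty", "iloveyou",
    "aaaaaa", "654321",
}

# A few words and names; a real check would use a much larger word list
# (assumption: this tiny set stands in for one).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "football", "john", "mary"}

MIN_LENGTH = 12


def check_password(candidate: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = candidate.lower()

    if lowered in ADOBE_TOP20:
        problems.append("appears in the Adobe top-20 list")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower case letters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper case letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digits")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbols")
    # Reject passwords whose letters alone spell a common word or name, so that
    # decorations such as "Password1!" do not slip through.
    letters_only = "".join(c for c in lowered if c.isalpha())
    if letters_only in COMMON_WORDS:
        problems.append(f"built on the common word '{letters_only}'")
    return problems


def reused_passwords(accounts: dict[str, str]) -> list[str]:
    """Return the passwords that are shared by more than one account (sorted)."""
    seen: dict[str, int] = {}
    for pw in accounts.values():
        seen[pw] = seen.get(pw, 0) + 1
    return sorted(pw for pw, n in seen.items() if n > 1)


if __name__ == "__main__":
    samples = ["password", "Password1!", "Yellow Submarine", "aWa|iay5!ZON"]
    for pw in samples:
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else ', '.join(verdict)}")
    # Constructed example of one password reused across two accounts.
    accounts = {"shop": "aWa|iay5!ZON", "mail": "aWa|iay5!ZON", "bank": "tWa|iay5!UBE"}
    print("reused:", reused_passwords(accounts))
```

Running the script shows that the post’s example password passes all four rules while “Password1!” fails on length and on being a decorated dictionary word, which is the kind of password the rules are meant to rule out.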

At this point you’re probably ready to give up and go back to using the name of your first pet and your birth year. Before you do that, I want to make you aware of a couple of easy ways to ensure strong, unique passwords for all of your accounts.

Password encryption apps

First, there are a number of well-regarded web app tools that let you maintain a vault of encrypted passwords. In these systems a user only needs to remember a single master password to open the vault, and an account’s password can be filled in by clicking on the account name. Once you add a password to the vault, you never need to know what it is in order to gain access to that account. This lets you use strong, difficult-to-guess (and difficult-to-remember) passwords for all your accounts.

If this approach sounds interesting, you can begin your search looking at the following applications:

A simple trick for creating strong unique passwords you can remember

The second approach, for those who would rather not manage their passwords with a computer app, is a trick for creating unique, strong passwords that you can still remember. Here I’ll describe one such strategy:

I’ll work backwards, starting by showing the password, then revealing the account and process that created it.

Take the following password:    aWa|iay5!ZON

You would have to have a pretty good memory to remember that password alone, but then try remembering all of the other passwords in your life and it quickly becomes impossible!

However, once we see how that password was “built”, our task becomes more manageable.

1) Build a strong core

If you’re a Beatles fan like me, it’s easy to remember that the center section comes from the first letter of each word of the song Yellow Submarine –    aWa|iay5!ZON

We all live in a yellow submarine! > We all |ive in a yellow 5ubmarine! >    Wa|iay5!

Notice that to make the password stronger using symbols and numbers, we’ve replaced the letter “l” with a pipe symbol (“|”), the letter “s” with the number 5, and added an exclamation mark at the end.

2) Add uniqueness using characters from the domain

The prefix and suffix of our password above are taken from the URL of the account. In this case we’ll create a password for our account.

You’ll need to choose your favorite character positions from the domain. In the password above we’ve taken the last four characters before the “.com”; the first of those four, in lower case, is prepended to the front of the “core”. The last three characters of the domain name are capitalized and appended to the right side of the core.

So, for my account the login password would be –    aWa|iay5!ZON

My account would be tWa|iay5!UBE and my account bWa|iay5!OOK. You can use this system to create strong and unique passwords that you can easily remember!

Since I might be able to guess your passwords if you decided to use Yellow Submarine to form your password core, I would recommend you choose a different phrase that is meaningful to you and decorate it with some numbers and symbols that resemble letters. You will also want to decide which character positions from your account domain will bookend your password and which will be capitalized.
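To make the two steps above concrete, here is an added example (not code from the original post) that derives the core from a phrase, applies the letter-to-symbol substitutions, and bookends it with characters taken from the account’s domain exactly as described: the first of the last four label characters in lower case in front, the last three label characters in upper case behind. The domains used are constructed placeholders; the post’s own phrase is used only so the result can be compared with the core shown above.

```python
"""Build a unique password per site from a memorable phrase plus characters
taken from the site's domain, following the scheme described in the post.

Added example; not code from the original post. The domains below are
constructed placeholders, and the phrase is the post's own, used only so the
core can be compared with the one in the text; choose your own phrase.
"""

# Letter-to-symbol substitutions that decorate the core. The post swaps
# "l" for "|" and "s" for "5" (assumption: the swap applies to the lower-case
# initial letters produced below).
SUBSTITUTIONS = {"l": "|", "s": "5"}


def build_core(phrase: str, substitutions: dict[str, str] = SUBSTITUTIONS, terminal: str = "!") -> str:
    """Take the first letter of each word, apply substitutions, add a terminal symbol."""
    initials = "".join(word[0] for word in phrase.split() if word[0].isalpha())
    decorated = "".join(substitutions.get(ch, ch) for ch in initials)
    return decorated + terminal


def site_label(domain: str) -> str:
    """Return the label before the top-level domain, e.g. 'example' for 'www.example.com'.

    Assumption: the label of interest is the second-to-last dot-separated part;
    multi-part suffixes such as .co.uk are not handled here.
    """
    parts = domain.lower().strip().split(".")
    if len(parts) < 2:
        raise ValueError(f"not a dotted domain name: {domain!r}")
    return parts[-2]


def build_password(phrase: str, domain: str) -> str:
    """Prefix: first of the last four label characters, lower case.
    Suffix: the last three label characters, upper case. Core in between."""
    label = site_label(domain)
    if len(label) < 4:
        raise ValueError(f"domain label {label!r} is too short for this scheme")
    prefix = label[-4].lower()
    suffix = label[-3:].upper()
    return prefix + build_core(phrase) + suffix


if __name__ == "__main__":
    phrase = "We all live in a yellow submarine!"  # the post's phrase; pick your own
    for domain in ("www.example.com", "widgets.test"):  # constructed domains
        print(domain, "->", build_password(phrase, domain))
```

Because the prefix and suffix depend only on the domain label, the same phrase yields a different password for every site, and a password that leaks from one site reveals nothing about the others beyond the shared core, which is why the post recommends keeping the phrase private and picking your own character positions.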

I hope this will be useful to you and save you the damage and frustration of having to remediate a hacked website or account!

If you would like to discuss this or any website/digital marketing issues please contact us. We are always happy to provide a free consultation.