Website Security – Passwords
Website security can be addressed on multiple levels: web hosting accounts, website code, passwords…
Passwords are meant to provide a layer of protection in gaining access to a resource. This is a simple concept, and easy to implement. Many people are lax about using this simple layer of protection, both on their site and in all other areas of their life.
Website security is a daily part of my job. As technology continues to change at lightning speed, outdated websites become more vulnerable. More and more, people contact me to fix their hacked websites. An easy step to keep your website secure is simply using strong passwords. This little bit of effort can save you a TON of stress and complications later on.
Keep in mind, every point I mention in this post applies to every password for every account you have. Not just your website passwords.
What are website passwords?
When I say “website password”, I am referring to any and all passwords associated with your web site.
This can include:
- web hosting provider login
- website control panel login (cPanel for example)
- FTP logins
- email accounts
- domain registrar
Password Security Tip 1
Don’t share it freely. Don’t share it over non-secure means. By this I mean, do not send me your passwords over email or a text message. (I prefer them not to be told to me verbally because there is too much room for miscommunication.)
When I request a client’s login details, I provide them with a link to send it through a secure form.
Even though I request this, people still sometimes send me their password over email. Simply don’t. It’s not secure.
Password Security Tip 2
Don’t share more than you need to. Most of the time this means don’t share third-party account logins with me, especially accounts that would be related to financial accounts, e.g. PayPal or a credit card merchant account. I never need these logins. I never want access to any account directly tied to your bank funds.
Some companies have procedures in place for you to grant access to an account temporarily, rather than giving out the full account logins. For example, GoDaddy lets you delegate your account to someone else as a way to temporarily share access.
Google Search Console allows you to add users to the property with different levels of access.
Password Security Tip 3
Don’t use the same password for more than one account. I get it. It’s a hassle to keep track of what password goes with what account. It’s nearly impossible to simply remember. BUT – don’t reuse passwords. If a hacker gains access to one account, they may try to gain access to other accounts you own.
Use a password manager. You have one password to remember to access the manager, then all logins are secure within this program. I use a little freeware program called KeePass. Between all of my personal accounts and clients, I have over 1,000 logins stored in this program. All safe. All different (all of mine at least).
Password Security Tip 4
Make your password complex – really complex.
Here’s an example of what a password I may use would look like: N#[email protected]//]U5eATzbtB
It’s a mix of 20 characters; upper and lower case letters, numbers and symbols. No names, dictionary words… You should do the same.
Another great thing about the password manager I mentioned is that you can copy the password without viewing it and paste it into a web form. 10 – 15 seconds after you copy it, the password is automatically erased from clipboard memory.
Password Security Tip 5
Reset your password occasionally. It’s a good habit. How often? Do it twice a year. Add it to your list when you check the batteries in your smoke detectors.
Is Your Website Vulnerable?
I’m amused at the response I sometimes get when I tell clients their website password is weak and their site is full of vulnerabilities that they should address. They respond that their site won’t get hacked, they don’t have anything a hacker would want. No credit cards stored, personal information…
What they don’t get is a hacker is not someone seeking out your site specifically. Their attempts to hack a website are unbiased. With today’s technology, a hacker writes a script that crawls the Internet (like a search engine indexing pages on your website).
They are going for quantity, not quality. By this I mean the crawler script hits as many sites as it can, looking for easy vulnerabilities. If it finds an easy way in (like a simple password), it will wreak havoc and then move on to the next site. Many times when websites are infected with malware it has to do with spam: hiding links on pages on your site, exploiting a contact form to send mass email… Anyone who does not keep up with website security and maintenance is a target. This can affect your search engine rankings and get your site blacklisted. It can be expensive to clean up too.
When was the last time you updated the password on your web hosting account (and on all of your password-protected accounts)? Don’t remember? Go do it now.
Can you easily remember your password? Does it have a word in it? Is it less than 14 characters? Yes? Go change it now.
Being proactive now will save you a lot of expense and frustration later.
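The checks from Tips 3 and 4 and the questions above can be run over a whole set of logins at once. The following Python sketch is an added example, not something from the original post: it generates a 20-character password with all four character types and flags logins that are shorter than 14 characters, contain a word, lack a character type, or are reused. The symbol set, the tiny word list and the sample logins are constructed assumptions.

```python
import secrets
import string
from collections import defaultdict

SYMBOLS = "!#$%&*+-=?@^_"  # assumed symbol set; adjust to what each site accepts
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
# Constructed mini word list; a real audit would load a full dictionary file.
WORDS = {"password", "welcome", "summer", "admin", "battery", "monkey"}


def generate(length=20):
    """Random password from the OS CSPRNG with every character class present."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def audit(logins):
    """Map each account name to the list of rules its password breaks."""
    by_password = defaultdict(list)
    for account, pw in logins.items():
        by_password[pw].append(account)
    findings = {}
    for account, pw in logins.items():
        issues = []
        if len(pw) < 14:
            issues.append("shorter than 14 characters")
        if any(w in pw.lower() for w in WORDS):
            issues.append("contains a dictionary word")
        if not all(any(c in cls for c in pw) for cls in CLASSES):
            issues.append("missing a character class")
        others = [a for a in by_password[pw] if a != account]
        if others:
            issues.append("reused on: " + ", ".join(sorted(others)))
        findings[account] = issues
    return findings


# Constructed sample logins, named after the account types listed in the post.
SAMPLE = {
    "hosting": "Summer2019",
    "cpanel": "Summer2019",
    "ftp": "correcthorsebatterystaple",
    "registrar": generate(),
}

if __name__ == "__main__":
    for account, issues in audit(SAMPLE).items():
        print(account, "->", issues or "ok")
```

An account with an empty list passed every check; anything else is a password to replace with a freshly generated one stored in the password manager.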