The Importance of Password Security


Wednesday, November 15th, 2017 - Security

We have seen a growing number of web hosting accounts being hacked, and when we investigate and track down the cause, we find that most of those accounts were compromised through weak administrator passwords on the website's CMS (WordPress, Joomla!, Drupal, etc.).

One thing you should understand: if you are using a weak admin password for anything tied to your web hosting account, then you share some of the blame for its compromise. That may seem harsh, but it is the truth. As the administrator of your web hosting account, you are responsible for practicing good security on it. Sure, it sucks that there are malicious users and hackers out there taking advantage of your web hosting account, but there is also some level of responsibility on you for allowing a weak password to be used.

How do I choose a secure password?

A good password is long and random. Using a combination of upper and lower case letters, numbers, and non-alphanumeric characters widens the set of characters an attacker has to search, but length matters more than any single substitution: swapping a letter for a look-alike symbol ("P@ssw0rd") does not help, because password-cracking tools try those substitutions automatically. I like to use the Password Strength meter at

http://www.passwordmeter.com

to get a rough idea of how strong a password might be. I generally aim for something above 80% and the closer you can get to 100% the better. Two caveats: a composition meter only scores the characters it sees and cannot tell that "P@ssw0rd!" appears on every cracking wordlist, and you should never type a password you actually use into a third-party website. Test a candidate of the same shape instead, or better, let a password manager generate a random one for you.
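Here is an added example, not from the original post, that measures a password the way an attacker's tooling does rather than the way a composition meter does: it first checks whether the candidate is a known password (after undoing "leet" substitutions), then estimates entropy from length and character pool, and converts that to a worst-case guessing time. The `COMMON_PASSWORDS` set and the 1e10 guesses-per-second rate are constructed assumptions; a real check uses a breach list with millions of entries, and the rate should be whatever hardware you are planning against. It also generates a random password with `secrets`, which is what a password manager does for you.

```python
"""Password strength by the numbers: known-password check plus entropy.

Added example; not code from the original post. Wordlist and cracking rate
are constructed assumptions, see comments.
"""
import math
import secrets
import string

# Constructed stand-in for a breach wordlist. Real lists (e.g. the Have I Been
# Pwned corpus) hold hundreds of millions of entries; use one of those.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "admin", "letmein", "welcome",
    "password1", "admin123", "wordpress", "iloveyou",
}

# Undo the substitutions composition meters reward: P@ssw0rd -> password.
# Heuristic only; cracking tools apply far richer rule sets than this.
LEET = str.maketrans("@$0135", "asoies")

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def normalize(password: str) -> str:
    """Lower-case, reverse look-alike substitutions, drop edge digits/symbols."""
    return password.lower().translate(LEET).strip(string.punctuation + string.digits)


def is_common(password: str) -> bool:
    """True if the password, raw or normalized, is on the wordlist."""
    return password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS


def entropy_bits(password: str) -> float:
    """Upper bound on entropy: length * log2(size of character pool used).

    Exact for a uniformly random password; an over-estimate for anything a
    human chose, which is why is_common() is checked first.
    """
    if not password:
        return 0.0
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_bits(n_words: int, list_size: int = 7776) -> float:
    """Entropy of n words drawn at random from a list (7776 = EFF long list)."""
    return n_words * math.log2(list_size)


def crack_time_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the space. 1e10/s is an assumed offline
    GPU rate against a fast hash; online guessing at a CMS login form is
    orders of magnitude slower, but leaked hash dumps make the offline
    number the one to plan for."""
    return 2.0 ** bits / guesses_per_second


def generate_password(length: int = 20) -> str:
    """Random password from all four classes, guaranteed to use each one."""
    if length < 8:
        raise ValueError("too short to be worth generating")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in c for ch in pw) for c in CLASSES):
            return pw


def assess(password: str) -> dict:
    """Wordlist check first, entropy second; returns the numbers and a verdict."""
    common = is_common(password)
    bits = entropy_bits(password)
    if common:
        verdict = "reject"      # on a wordlist: entropy is irrelevant
    elif bits < 50:
        verdict = "weak"
    elif bits < 80:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"common": common, "bits": round(bits, 1),
            "crack_seconds": crack_time_seconds(bits), "verdict": verdict}


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd!", generate_password(20)):
        print(candidate, assess(candidate))
```

A composition meter rates "P@ssw0rd!" highly because it sees four character classes; this check rejects it outright because normalizing it yields "password". Six random words from the EFF list score about 77 bits, comparable to a 12-character fully random password, and are much easier to type.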

I also encourage the use of local password managers. I'm less thrilled by online password managers, because if those get hacked, then all of the passwords you have stored there could potentially be exposed as well. I like the portable version of KeePass. The portable version allows you to run it from a USB thumb drive, so the database does not live on your local computer. If you have a password manager installed on your local computer, and your local computer gets infected with malware, a virus, or a keylogger, then the information stored in the installed password manager could potentially be compromised.

Putting a password manager like KeePass on a USB thumb drive and keeping it near your computer reduces that exposure: the encrypted database is not sitting on the disk of a machine that may later be infected, and it is available whenever you need it. It is not a complete defense, though. The moment you unlock the database on an infected computer, a keylogger captures the master password and the decrypted entries are in that computer's memory, so keep the computer you use it on clean and up to date as well.

To download the portable version of KeePass, see:

https://keepass.info/download.html

Instructions for setting up the portable version of KeePass are at:

https://keepass.info/help/v2/setup.html#portable

Why do hackers hack into my site?

The simple answer is because they can. You might think that you have a small web site that doesn't really garner a lot of attention. But attackers scan the whole internet with automated tools; they are not choosing you, they are choosing whatever is weak. If you are using a weak password, an outdated script or plugin, or otherwise have something in place that would allow malicious users to take advantage of your web hosting account, you can bet that they eventually will.

Commonly, hackers and malicious users will break into a web hosting account to set up phishing sites, send spam, run SEO spamming, or carry out search engine poisoning.

Phishing sites are look-alike copies of a popular website, built to trick visitors into disclosing the credentials or personal information for their real account at that site. A Netflix phishing scam recently went through this cycle: the attackers needed somewhere to host the Netflix look-alike pages, and they got it by hacking and exploiting other, smaller websites.

Spamming pertains to the sending of unsolicited messages. We've all received spam messages and we all know what they look like. Many of those messages are sent out because someone allowed their web hosting account to become compromised, and a hosting account with a clean reputation is exactly what a spammer wants to send from.

SEO Spamming or Search Engine Optimization spamming has to do with building a network of links to raise the search engine rankings of one website. That website can then monetize this popularity with ads.

Search Engine Poisoning is similar to SEO Spamming but has to do with poisoning the content that search engine crawlers see when they crawl your website. This can have the effect of associating your website with various pharmaceuticals, gambling, or other shady businesses.

How do I keep my web hosting account safe?

• Keep your scripts, plugins, themes, components, etc. all up to date. When an update is released by its developers, that update is not automatically applied to your installed version. You will need to apply it. Sometimes this is simple, sometimes it is not. But not applying the update is dangerous to the well-being of your web hosting account, because once a fix is public, attackers know exactly what the unpatched version is vulnerable to.

• Use reputable scripts, plugins, themes, and components. Stick to popular and well-maintained ones. When looking at plugins, themes, and add-on components, check when each was last updated; the further back that is, the less likely it is to be maintained. Check how many active installations the plugin is said to have (the more the better) and its overall rating (the higher the better). A plugin that was last updated 3 years ago, has fewer than 1000 active installations, and has 3 or fewer stars is probably not reputable and is probably something to avoid.

• Use strong and secure passwords. The weaker a password is, the easier it is for hackers and malicious users to guess it and log into your account, and the CMS login form is where most of the guessing happens. If your website is important to you, then you will want to ensure that you are using strong and secure passwords on every administrator account, not just your own.
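The weak-password break-ins described in this post leave a trace: a run of POSTs to the CMS login page from one address, which the web server's access log records whether or not the CMS itself logs anything. The following added example, not from the original post, parses Apache/nginx combined-format log lines, counts failed login POSTs per client address in a sliding time window, and reports whether the same address later got a successful login. It relies on WordPress answering a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect; the Joomla! and Drupal login paths are included for convenience but their response codes are not checked as carefully here. The log lines are constructed sample data; the threshold and window are assumptions to tune for your site.

```python
"""Spot password guessing against a CMS login in web server access logs.

Added example; not code from the original post. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Login endpoints for WordPress, Joomla! (admin) and Drupal. Query strings
# such as ?action=lostpassword are stripped before matching.
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php", "/user/login"}


def parse_line(line: str):
    """Return the fields we need as a dict, or None for lines we can't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],
            "status": int(m.group("status"))}


def login_attempts(lines):
    """Yield only POSTs to a known login endpoint."""
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] in LOGIN_PATHS:
            yield ev


def _max_in_window(times, window: timedelta) -> int:
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_force(lines, threshold: int = 10,
                     window: timedelta = timedelta(minutes=5)) -> dict:
    """Map ip -> summary for addresses with >= threshold failed logins in window.

    status 200 on a login POST = failed (form shown again); 302 = success.
    """
    failed = defaultdict(list)
    succeeded = set()
    for ev in login_attempts(lines):
        if ev["status"] == 302:
            succeeded.add(ev["ip"])
        elif ev["status"] == 200:
            failed[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in failed.items():
        if _max_in_window(times, window) >= threshold:
            flagged[ip] = {"failed": len(times), "first": min(times),
                           "last": max(times), "succeeded": ip in succeeded}
    return flagged


def _line(ip, minute, second, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [15/Nov/2017:10:{minute:02d}:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"')


# Constructed sample: 11 guesses in under a minute, then the 12th gets in.
SAMPLE_LOG = [_line("203.0.113.7", 1, s, "POST", "/wp-login.php", 200)
              for s in range(0, 55, 5)]
SAMPLE_LOG.append(_line("203.0.113.7", 1, 58, "POST", "/wp-login.php", 302))
SAMPLE_LOG.append(_line("198.51.100.5", 2, 10, "POST", "/wp-login.php", 200))
SAMPLE_LOG.append(_line("198.51.100.5", 2, 20, "GET", "/", 200))
SAMPLE_LOG.append("not a log line at all")


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        print(ip, info)
```

The `succeeded` flag is the one to act on first: a flagged address that also received a 302 has a valid admin password, so the response is to reset that account and check for new users, modified files and scheduled tasks, not merely to block the address. Feed the script `cat access.log | python3 detect.py` style input after swapping `SAMPLE_LOG` for `sys.stdin`, and lower the threshold if your login page normally sees no traffic at all.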