
Online Security: Strong Passwords are a First Line Defense


A client asked me recently why anyone would want to attack his “little website”. Most attacks aren’t personal. The attacker is typically not after your website at all; they are after the computing power of the server your site is hosted on. The usual motivation is the most common one of all: profit. The majority of hacking attempts are automated. Other websites that have already been hacked are running scripts that probe yours for known weaknesses and break in if it is vulnerable, which is why an obscure site gets attacked just as often as a famous one.

Everyone is at risk and needs to take steps to secure their websites and online accounts. A strong password is an important part of a strong defense. Last week in the Wall Street Journal, the president implored Americans to go beyond simple passwords and start using two-factor authentication or cell-phone sign-in.  I also suggest using a strong and reliable password manager like LastPass or 1Password. Nothing online is 100% secure, but users can help keep their accounts and websites secure by using strong passwords that are unique to each site, changing them several times a year, and changing them immediately if a site they use reports a breach.

If your website is running on WordPress, you will find the following information, released today by Wordfence, of interest.  One of the things they monitor is the number of brute force attacks on WordPress sites.  A brute force attack is a password-guessing attack: the attacker tries to sign in as you by guessing your password, usually by running through lists of common passwords automatically, thousands at a time. Over a 16-hour window, they gathered information on brute force attacks against sites using their service. According to this blog post, Wordfence says:

“We saw a total of 6,611,909 attacks targeting 72,532 individual websites. We saw attacks during this time from 8,941 unique IP addresses and the average number of attacks per victim website was 6.26.”
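To make those numbers concrete, here is an added example that is not part of the original post or of Wordfence’s tooling: it computes the same kind of statistics (attempts, unique IPs, attempts per site) over a handful of constructed web-server log lines and flags the addresses that are hammering the login page, which is the logic a limit-login-attempts plugin applies. It assumes Apache’s vhost_combined log format and the WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302. The hostnames, addresses and timestamps are made up.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log in Apache "vhost_combined" format (made-up hosts and
# RFC 5737 documentation addresses; this is not real traffic).
SAMPLE_LOG = """\
site-a.example:443 203.0.113.5 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
site-a.example:443 203.0.113.5 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
site-a.example:443 203.0.113.5 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
site-a.example:443 203.0.113.5 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
site-a.example:443 203.0.113.5 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
site-a.example:443 203.0.113.5 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
site-a.example:443 198.51.100.7 - - [12/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
site-a.example:443 198.51.100.7 - - [12/Apr/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
site-b.example:443 198.51.100.7 - - [12/Apr/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
site-b.example:443 198.51.100.7 - - [12/Apr/2013:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
site-b.example:443 198.51.100.7 - - [12/Apr/2013:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
site-a.example:443 192.0.2.9 - - [12/Apr/2013:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
site-a.example:443 192.0.2.9 - - [12/Apr/2013:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
site-b.example:443 192.0.2.44 - - [12/Apr/2013:10:06:00 +0000] "GET / HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

# vhost:port client - - [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_login_attempts(text):
    """Return (vhost, ip, timestamp, status) for every POST to wp-login.php."""
    attempts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        attempts.append((m["vhost"], m["ip"],
                         datetime.strptime(m["ts"], TS_FMT), int(m["status"])))
    return attempts


def summarize(attempts):
    """The figures Wordfence reports: total attempts, unique sources, attempts per site."""
    per_site = Counter(vhost for vhost, _ip, _ts, _st in attempts)
    return {
        "attempts": len(attempts),
        "unique_ips": len({ip for _v, ip, _ts, _st in attempts}),
        "per_site": dict(per_site),
        "avg_per_site": len(attempts) / len(per_site) if per_site else 0.0,
    }


def flag_brute_forcers(attempts, max_failures=5, window=timedelta(seconds=60)):
    """IPs with at least max_failures failed logins inside any sliding window.

    WordPress answers a wrong password with the form again (200) and a correct
    one with a redirect (302), so only non-302 POSTs count as failures."""
    failures = defaultdict(list)
    for _vhost, ip, ts, status in attempts:
        if status != 302:
            failures[ip].append(ts)
    flagged = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = parse_login_attempts(SAMPLE_LOG)
    print(summarize(found))
    print("block these:", flag_brute_forcers(found))
```

The window is keyed on the source IP, which is what limit-login plugins key on too. Note the second address above: five failures spread over four minutes never trip a five-in-a-minute rule, and a botnet spreading its guesses over thousands of addresses (the post’s 8,941) keeps every one of them under the threshold. The per-IP limit slows an attacker down; the strong password is what actually holds.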

Be proactive and build a strong defense.  Use strong passwords, and change them frequently (see this article on the risks of re-using passwords). Consider using two-factor authentication; see here for a list of sites that support it.  The Google Authenticator app can be used to secure more than just your Google account: it implements the standard time-based one-time password algorithm (TOTP, RFC 6238), so any site that supports TOTP codes can use it.
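Because Google Authenticator speaks plain TOTP, a site’s login form can verify its codes with nothing but the standard library. The following is an added example, not code from the original post or from any WordPress plugin: it shows the enrolment URI a site puts in its QR code and the server-side check. The issuer and account names are made up; the only fixed secret is the RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, submitted, at=None, step=30, digits=6, skew=1):
    """Return the time-step counter the code matched, or None if it did not.

    The current step and `skew` steps either side are accepted (clock drift),
    every candidate is compared in constant time, and the matched counter is
    returned so the caller can reject a replay: never accept a counter that is
    not greater than the last one this user logged in with."""
    submitted = submitted.replace(" ", "")
    if not submitted.isdigit() or len(submitted) != digits:
        return None
    at = int(time.time()) if at is None else at
    matched = None
    for delta in range(-skew, skew + 1):
        counter = at // step + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            matched = counter
    return matched


def secret_from_base32(text):
    """Apps exchange the shared secret as unpadded base32; restore padding to decode."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def provisioning_uri(issuer, account, secret):
    """The otpauth:// URI a site encodes in its enrolment QR code (hypothetical site)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer + ':' + account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    shared = secrets.token_bytes(20)       # 160-bit secret generated at enrolment
    print(provisioning_uri("MySite", "admin@mysite.example", shared))
    now = int(time.time())
    code = totp(shared, now)               # what the app would display right now
    print("code", code, "matched step", verify_totp(shared, code, at=now))
```

Two caveats a practitioner will want: a six-digit code is only a million possibilities, so the TOTP prompt needs the same attempt throttling as the password prompt, and the server’s clock must be kept in sync (NTP) or the drift allowance will not save you.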

If you have a WordPress site there are several other steps to making your site more secure.  Contact me for information on my Security Audit and Lockdown service.

How to Defend Your Site Against a Brute Force Attack

By now many of you have heard about the brute force attack being used to build a giant botnet.  Most news stories are focusing on WordPress sites, but any PHP-based web publishing platform with a password-protected admin login is susceptible, including Joomla and Drupal.

Highlights of What You Need to Know:

  • This is not a WordPress-specific attack.
  • A strong password and username are your first line of defense.  Do not use “admin” as your username. Ensure all passwords are complex enough that they can’t be guessed: at least 10 characters, mixing upper and lower case letters, numbers and symbols, and containing no word found in a dictionary.  I recommend using a random password generator rather than making one up, because passwords people invent are exactly what the attackers’ guess lists are built from.
  • Do not share your username and password with anyone.
  • When accessing your accounts over a public network or on a shared computer, be PARANOID.  In these settings, do not access accounts holding sensitive information (your website admin, bank accounts, credit cards, etc.) unless the connection is encrypted end to end (HTTPS) and you are using a password management tool, so that your credentials are never typed into or stored on the shared machine in the clear.  Even then, I don’t log in to sensitive accounts on a public network unless necessary.
  • Use a password management program.  Gone are the days when you could combine your pet’s name and date of birth for ALL your login accounts.  You aren’t still doing that, are you?  Many people have dozens if not hundreds of online accounts these days.  You should not use the same password across sites: if one site is compromised, the attacker will try that password everywhere else, and it opens the doors to all the others. I recommend LastPass, but there are other programs available like 1Password.  Do your research and choose a program with a good reputation.
  • Change your passwords regularly.  Implement a schedule to change the passwords on your most sensitive accounts on a regular basis, at least once a year; every six months is better.  Change a password immediately, regardless of schedule, if you have reused it elsewhere or the site that holds it reports a breach; that is when a change matters most.
  • Even if your site or blog is on a hosting service that is itself secure, your password may not be.  Consider changing your password and turning on two-step authentication.
  • This article on the WordPress Codex gives more tips for protecting your WordPress site against a brute force attack, including a list of plugins that limit the number of login attempts from a single address.
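The password rules in the list above (10+ characters, mixed case, digits, symbols, no dictionary word) and the advice to use a random generator can both be turned into code. The following is an added example, not code from the original post or from any plugin: a checker for those rules, a generator that draws from the operating system’s cryptographic random source, and a rough brute-force cost estimate that shows why the length requirement matters. The eight-word dictionary and the leetspeak table are constructed stand-ins; a real check would load a full cracking wordlist.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 88 characters

# Constructed stand-in for a cracking wordlist (a real one has millions of entries).
DICTIONARY = {"password", "admin", "welcome", "letmein", "qwerty",
              "wordpress", "dragon", "monkey"}

# Letter-for-symbol swaps that cracking rules undo before looking a word up,
# so "P@ssw0rd" is treated as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def dictionary_hits(pw):
    """Dictionary words (4+ letters) found inside pw, with and without leetspeak undone."""
    forms = {pw.lower(), pw.lower().translate(LEET)}
    return sorted(w for w in DICTIONARY if len(w) >= 4 and any(w in f for f in forms))


def policy_violations(pw, min_len=10):
    """Return the rules from the post that pw breaks; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    hits = dictionary_hits(pw)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def generate_password(length=16):
    """Draw from the OS CSPRNG (secrets, never random) until the result passes the policy."""
    if length < 10:
        raise ValueError("the policy requires at least 10 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(pw):
            return pw


def entropy_bits(pw_len, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return pw_len * math.log2(alphabet_size)


def years_to_exhaust(pw_len, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Time to try every password of this shape at a steady guess rate."""
    return alphabet_size ** pw_len / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    for pw in ("admin", "P@ssw0rd1!", generate_password()):
        print(pw, "->", policy_violations(pw) or "passes")
    # The post's 6.6 million guesses in 16 hours is roughly 115 guesses per second.
    print(f"6 lowercase letters: {entropy_bits(6, 26):.1f} bits, "
          f"about {years_to_exhaust(6, 115, 26) * 365:.0f} days at 115 guesses/s")
    print(f"10 chars, full alphabet: {entropy_bits(10):.1f} bits, "
          f"about {years_to_exhaust(10, 115):.1e} years at 115 guesses/s")
```

The cost estimate is for online guessing against the login page, where every attempt costs a round trip. If the attacker steals the password hashes from the database instead, an offline cracking rig tries billions of guesses per second, and the leetspeak check above is the least of what its rules do; that is the case the random generator is really there for.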