Without strong passwords, your site is open to thieves
We want to speak to you about the importance of using strong passwords.
In just the past five days, we have recorded 128 separate attempts to access WordPress accounts on our various servers. Undoubtedly there have been more, since our security software only reports to us when a user has been locked out after entering the wrong password several times; individual failed guesses that never reach a lockout are not counted. This is not a targeted attack on our servers. Attacks like this go on constantly, day in and day out, against every web server on the internet.
Resistance is futile without strong passwords
These attacks are carried out by networks of compromised computers known as botnets. An individual computer can be infected in various ways and become part of a network which is then used, without the knowledge of its owner, for things such as denial of service attacks and password guessing. There are literally thousands, and in some cases hundreds of thousands, of computers involved in a single network.
Our security software allows four retries before imposing a 20 minute lockout. After four lockouts, the lockout time increases to 24 hours. That slows an attacker coming from a single address down to roughly sixteen guesses per day (four rounds of four), but a botnet has thousands of addresses to spread its guesses across, and there is no way to stop password guessing entirely without locking you out as well. Lockouts buy time; the password itself has to hold.
These attacks are not very sophisticated. They do not have to be, since the attacker is using someone else's computers and each guess costs them nothing. They often succeed because the average person does not use a strong password. The following statistics from the 10,000 Top Passwords list, published in June 2011, should make it obvious why:
- 4.7% of users have the password password
- 8.5% have the passwords password or 123456
- 9.8% have the passwords password, 123456 or 12345678
- 14% have a password from the top 10 passwords
- 40% have a password from the top 100 passwords
- 79% have a password from the top 500 passwords
- 91% have a password from the top 1000 passwords
Securing your site
Your minimum goal is to make sure you are not part of the 91% using the top 1000 passwords. It is not as difficult as you may think. You can have a reasonably strong password that is not impossible to remember.
Simple or common passwords are always tried first. Cute or unusual spellings are no replacement for a good password. You may think that an unusual spelling, or replacing letters with similar-looking numbers (e.g. secure spelled s3cur3), makes a password hard to guess, but someone else came up with that substitution long ago and the guessing lists already include it. Simple, short, one-word passwords are not good enough. In this case, size matters.
Use either a totally random string of characters, such as FT3GvOUZn4WOZ077hL5B (make up your own; do NOT use this one), from my password generator, which requires a password manager to remember (which is what we do), or at least two random words and at least one random number. Go ahead and write it down (but don't reuse it anywhere else). You are not defending against someone breaking into your office to search your desk; you are defending against automated attack by a botnet.
A great resource for generating random words is unique-names.com. Just open the page and pick two or three words from the list. Stick in one or two random two or three digit numbers between and/or after the words, and you have a password with extremely low odds of being on the list of guessed passwords. The words themselves are almost guaranteed to be on that list, so DO NOT use only one word. It is the particular combination of words and numbers which is strong. If you'd like to use a truly random number, random.org has a true random number generator on its front page. Just enter a minimum and maximum, say 100 and 999, click Generate, and use the three digit number you've just generated. Write your password down or enter it into your favorite password manager.
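To make the two recommendations concrete, here is a small Python script, added to this post rather than taken from it or from any product mentioned here, that does both jobs: it checks a candidate against a common-password list (undoing the s3cur3-style substitutions and trailing digits that guessing tools already try), and it generates either a random string like the one above or a words-plus-numbers password, with a rough count of how many bits of guessing work each is worth. The common-password set and the 32-word list are constructed stand-ins for the real 10,000 Top Passwords file and a page of random words.

```python
import math
import secrets
import string

# A constructed stand-in for the 10,000 Top Passwords list the post cites.
# A real check would load the whole file; the logic is the same.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "secure",
    "dragon", "monkey", "football", "iloveyou", "welcome", "admin",
}

# Reverse the usual letter-for-digit swaps so "s3cur3" normalises to "secure".
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def is_common(password: str) -> bool:
    """True if the password, or an obvious disguise of it, is on the common list.

    Guessing tools try the plain word, the de-leeted form, and the form with
    trailing digits stripped, so we check all of them.
    """
    forms = {password.lower(), password.lower().translate(LEET_MAP)}
    forms |= {form.rstrip(string.digits) for form in list(forms)}
    return any(form in COMMON_PASSWORDS for form in forms)


# 62 symbols, the same alphabet as the post's FT3GvOUZn4WOZ077hL5B example.
RANDOM_ALPHABET = string.ascii_letters + string.digits


def random_string(length: int = 20) -> str:
    """Password-manager style password from the OS CSPRNG (never random.random())."""
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


# Constructed 32-word list standing in for a page of random words; the longer
# the real list you pick from, the more bits each word is worth.
WORDS = [
    "acorn", "badger", "canyon", "dolphin", "ember", "falcon", "glacier", "harbor",
    "island", "jasper", "kettle", "lantern", "meadow", "nectar", "orchid", "pelican",
    "quartz", "raven", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "anchor", "beacon", "cobalt", "dagger", "ferret", "granite", "hazel",
]


def words_and_numbers(word_list=WORDS, n_words=3, n_numbers=2, lo=100, hi=999) -> str:
    """Random words with random three-digit numbers between and/or after them."""
    words = [secrets.choice(word_list) for _ in range(n_words)]
    numbers = [str(lo + secrets.randbelow(hi - lo + 1)) for _ in range(n_numbers)]
    parts = []
    for i, word in enumerate(words):
        parts.append(word)
        if i < len(numbers):            # a number after each word while numbers last
            parts.append(numbers[i])
    parts.extend(numbers[len(words):])  # any numbers left over go at the end
    return "".join(parts)


def entropy_bits(choices_per_slot) -> float:
    """Bits of guessing work for a password built from independent random slots."""
    return sum(math.log2(choices) for choices in choices_per_slot)


if __name__ == "__main__":
    for candidate in ("password", "s3cur3", "Password123", "pelican414meadow"):
        print(f"{candidate:20} common: {is_common(candidate)}")
    print(random_string(), f"~{entropy_bits([62] * 20):.0f} bits")
    print(words_and_numbers(), f"~{entropy_bits([len(WORDS)] * 3 + [900] * 2):.0f} bits")
```

The numbers are the point. Twenty characters from a 62-symbol alphabet are worth about 119 bits; three words from a 32-word list plus two three-digit numbers are only about 35 bits, which is why you want to pick from a list of thousands of words (three words from a few thousand, plus two numbers, lands near 58 bits). Either is far beyond what sixteen guesses a day will ever reach, whereas a single dictionary word, leeted or not, is caught by the first function. Generating the password locally with the secrets module also means it never leaves your machine.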
Manage your passwords
Should you wish to start using a password management system, there are several good ones reviewed at InfoWorld, both free and commercial. We prefer KeePass, but read the review and see which one works for you.
Changing your password in WordPress is easy. There’s a video at WordPress.tv showing how to do this.
One of the most important things to remember when using a password manager is that there is now a single password which grants access to all the others. It is imperative you use a very good password to access the password manager’s database. We recommend trying several words arranged into a memorable nonsense phrase (those random word lists at unique-names.com are handy for this). Again, size matters.
You may think, why should I worry about someone guessing my password when there's nothing valuable on my website? Consider what happens to your brand's reputation if malware is installed on your site and your visitors are infected, and what happens when Google marks your site as infected and shows that warning next to your URL. If your site spews malware, the hard-earned SEO you've worked for will crumble.
Don't share your login with others. If someone needs to perform maintenance, install software or carry out some action you have authorized, give them their own account with only the role the task requires and remove it when the task is completed; if you must share your own login, change your password as soon as the task is done.
Last, but extremely important, never, never, ever, reuse passwords. Once a password is guessed, the attackers will attempt to identify other accounts you own and try the password on all of them, like your online banking accounts. What about your domain registration? What would it cost your business, in money and reputation, if someone logged into your account at your domain registrar, and stole your domain? What if they then linked it to a pornography site?
In this case, we figure a word to the wise is sufficient. Create strong passwords. Don't share them. And never reuse them. Your business and reputation depend on it.
Photo credit: flickr creative commons user Alex Brown AlexBrn