Strong passwords help secure your site and your reputation

Some things are so important they bear keeping in mind. This evergreen post was initially published in 2012 and has been updated to make it current.

Without strong passwords, your site is open to thieves

We want to speak to you about the importance of using strong passwords.

In recent days, we have recorded thousands of separate attempts to access WordPress accounts on our servers. Undoubtedly there were more, as our security software only sends us a report when a user has been locked out after entering the wrong password multiple times. This is not a deliberate attack on our servers. Attacks like this go on constantly, day in and day out, on every web server on the internet.

Resistance is futile without strong passwords

These attacks are carried out by networks of compromised computers known as botnets. An individual computer can be infected in various ways and become part of a network which is then used, without the knowledge of the owner, in endeavors such as denial of service attacks and password guessing schemes. There are thousands, and in some cases hundreds of thousands, of computers involved in a single network.

Our security software allows multiple retries before imposing a lockout or total ban on your IP address.

These attacks are not very sophisticated. They do not have to be, as there is zero cost to the attacker who is using someone else’s computer for the attack. These attacks often succeed because the average person does not use a strong password. The statistics from the 10,000 Top Passwords analysis of cracked passwords make it obvious why these attacks work:

  • 4.7% of users have the password “password”
  • 8.5% have the password “password” or “123456”
  • 9.8% have the password “password”, “123456” or “12345678”
  • 14% have a password from the top 10 passwords
  • 40% have a password from the top 100 passwords
  • 79% have a password from the top 500 passwords
  • 91% have a password from the top 1000 passwords

Check to be sure your password is not on a list of the worst passwords.

Securing your site

Your minimum goal is to make sure you are not part of the 91% using the top 1000 passwords. It is not as difficult as you may think. You can have a reasonably strong password that is not impossible to remember.

Simple or common passwords are always tried first. Cute or unusual spellings are no replacement for a good password. While you may think that unusual spelling or replacing letters with similar-looking numbers, for example secure spelled s3cur3, will make it hard to guess, someone else has already come up with it many times before and it is in the common passwords list. Simple, short, one-word passwords just are not good enough. In this case, size matters.

Use either a totally random string of characters, such as FT3GvOUZn4WOZ077hL5B (make up your own; do NOT use this one), from my password generator, which requires a password manager to remember (which is what we do), or use at least two random words and at least one random number. Go ahead and write it down (but don’t reuse it anywhere else). You are not defending against someone breaking into your office to search your desk; you are defending against automated attack by a botnet.

A great resource for generating random words is unique-names.com. Just open the page and pick two or three words from the list. Stick in one or two random two- or three-digit numbers between and/or after the words, and you have a password with extremely low odds of being on the list of guessed passwords. The words themselves are almost guaranteed to be on the list, so DO NOT use only one word. It is the particular combination of words and numbers which is strong. If you’d like to use a truly random number, random.org has a true random number generator on their front page. Just enter a minimum and maximum, say 100 and 999, click Generate, and use the three-digit random number you’ve just generated. Write your password down or enter it into your favorite password manager.
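As an added illustration (not code from the original post), here is a small Python script that implements both options described above: a fully random 20-character string for a password manager, and a words-plus-three-digit-numbers password, along with the check against a common-password list and a guessing-cost estimate in bits. The word list and the common-password list are constructed stand-ins for the real ones.

```python
import math
import secrets
import string

# Constructed stand-in for the "worst passwords" list the post says to check
# against; a real check would load the full top-10,000 list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein",
                    "secure", "s3cur3", "summer", "welcome", "iloveyou"}

# Constructed stand-in for a page of random words (the post points at unique-names.com).
WORDS = ["maple", "lantern", "orbit", "pebble", "harbor", "velvet", "cactus", "saddle"]

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, like FT3GvOUZn4WOZ077hL5B


def random_string_password(length=20):
    """Totally random string (the password-manager option); secrets is a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def word_number_password(words=WORDS, n_words=2):
    """Two or more random words, each followed by a random three-digit number (100..999)."""
    parts = []
    for _ in range(n_words):
        parts.append(secrets.choice(words))
        parts.append(str(100 + secrets.randbelow(900)))
    return "".join(parts)


def random_string_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing cost in bits of a uniformly random string."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words, list_size, n_numbers=1, number_range=900):
    """Guessing cost in bits, assuming the attacker knows the word list and the pattern."""
    return n_words * math.log2(list_size) + n_numbers * math.log2(number_range)


def is_common(password):
    """Botnets try the common list first; 'cute' spellings such as s3cur3 are on it too."""
    return password.lower() in COMMON_PASSWORDS


def check(password, min_length=12):
    """Return (ok, reason) for the two rules the post gives: not common, and not short."""
    if is_common(password):
        return False, "on the common-password list"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"
```

With the tiny eight-word list above a two-word password is only about 16 bits of guessing work, which is why the real word list must be long; three words from a 7,776-word list plus one number is about 49 bits.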

Manage your passwords

Should you wish to start using a password management system, there are several good ones reviewed at InfoWorld, both free and commercial. We prefer KeePass, but read the review and see which one works for you.

Changing your password in WordPress is easy. There’s a video at WordPress.tv showing how to do this. While this video was generated a number of years ago for WordPress.com, the basic functionality still applies and works for both WordPress.com and self-hosted WordPress.

One of the most important things to remember when using a password manager is that there is now a single password which grants access to all the others. It is imperative you use a very good password to access the password manager’s database. We recommend trying several words arranged into a memorable nonsense phrase (those random word lists at unique-names.com are handy for this). Again, size matters.

You may think, why should I worry about someone guessing my password, there’s nothing valuable on my website. What happens to your brand’s reputation if malware is installed on your site and all your visitors are infected? And what happens when Google marks your site as infected and posts that in conjunction with your URL? If your site spews malware, you’ll see all the hard-earned SEO efforts you’ve dedicated yourself to crumble.

Don’t share your login with others. If you must share with someone, so they can perform maintenance or install software or perform some action you have authorized, change your password after the task is completed.

Last, but extremely important, never, never, ever, reuse passwords. Once a password is guessed, the attackers will attempt to identify other accounts you own and try the password on all of them, like your online banking accounts. What about your domain registration? What would it cost your business, in money and reputation, if someone logged into your account at your domain registrar, and stole your domain? What if they then linked it to a pornography site?

Adding 2 Factor Authentication to your site

Adding two factor authentication (2FA) to your site is one way to add another layer of security. It combines something you know (like your password) with something you have (your phone, for example, which can generate or receive a one-time login code).

WordPress writes:

Logging in with a password is single-step authentication. It relies only on something you know. Two-step authentication, by definition, is a system where you use two of the three possible factors to prove your identity, instead of just one. In practice, however, current two-step implementations still rely on a password you know, but use your Phone or another device to authenticate with something you have.

WordPress Beginner offers a tutorial on adding Google Authenticator as a 2 factor authentication service. Plugins for 2FA can be installed as well. Here’s one from techjourney.com about how to use Authy for 2FA on your site.
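To show what the phone is actually doing in the “something you have” step, here is an added Python example (not code from the original post or from the plugins mentioned) of the time-based one-time password scheme that Google Authenticator implements, with the server-side verification that tolerates clock drift and rejects a replayed code. The shared secret is the RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

# Constructed shared secret: the RFC 6238 test key "12345678901234567890",
# written in Base32 as an authenticator app would import it from a QR code.
SHARED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text):
    """Decode the Base32 secret (case-insensitive, padding optional)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """TOTP (RFC 6238): the phone computes HOTP over the current 30-second step."""
    return hotp(secret, int(now // step), digits)


def verify_totp(secret, code, now, last_used=-1, step=30, window=1):
    """Server side: accept the code for the current step or +/- `window` steps
    (clock drift), compare in constant time, and reject any step at or before
    `last_used` so a captured code cannot be replayed. Returns the matched
    step counter, or None."""
    if not (code.isdigit() and len(code) == 6):
        return None
    counter = int(now // step)
    for c in range(counter - window, counter + window + 1):
        if c > last_used and hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


if __name__ == "__main__":
    key = secret_from_base32(SHARED_SECRET_B32)
    code = totp(key, 59)  # what the phone shows at t=59 (RFC test vector: 287082)
    print(code, verify_totp(key, code, 59))
```

The site must store the returned counter as `last_used` for that account; without that, a code phished during its 30-second window would still log the attacker in.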

Make sure you have a strong password, and consider adding 2FA

We figure a word to the wise is sufficient. Create strong passwords. Don’t share them. And never reuse them. Your business and reputation depend on it.


Planning Makes a Difference: Announcing Difficult Decisions

Difficult decisions lead to old camps being closed

Announcing difficult decisions or actions can backfire without preparation. Whether an organization is a for-profit entity or a not-for-profit, if you must choose what will surely be an unpopular course, do some advance work so you are prepared.

Difficult decisions for the Girl Scouts

In Iowa and across the nation, there is turmoil among the Girl Scouts. No, someone didn’t steal the cookie money; the Girl Scouts of Eastern Iowa had to make a set of difficult decisions regarding their summer camps. They along with others across the country have had to choose to sell their camps. The potential sales have caused quite a ruckus among those who feel these camps are essential to the real scouting experience.

Nationwide, Girl Scout councils are confronting intense opposition as they sell camps that date back to the 1950s and earlier. Leaders say the properties have become a financial drain at a time when girls are less interested in camp. Defenders insist the camping experience shaped who they are and must be preserved for future generations…

The Girl Scouts, which began a century ago, established hundreds of camps nationwide as the organization expanded. But in recent decades, the group has consolidated its local councils. That process accelerated dramatically under a plan that cut them from 330 to 112 by 2009.

The restructuring left groups with additional properties to manage, many featuring old cabins and dining halls that need upgrades.

Now confronted with lawsuits and disgruntled members, the Girl Scouts are having to expend precious resources responding to and trying to resolve this situation.

How could it have been different?

When announcing any difficult decisions or drastic changes, realize that your constituents are going to have a reaction. Managing bodies, whether boards of directors or owners, have fiscal responsibility to their organization, but they may lack comprehension of how emotionally fraught their change-making decisions can be. Customers and donors alike have opinions and feelings, and will react negatively if they feel they are losing an essential service, or in the case of the Girl Scouts, a much beloved feature of the organization.

Beware of core DNA changes.

Scouting emerged in the 19th century as a way for young people to engage with the land and learn leadership. This DNA is embedded in the psyches of members and the public. By choosing to sell camps, Girl Scouts have essentially decided to alter their DNA. While they may be doing so for all the right reasons, this drastic action has created a gut-response from core constituents.

Preparing for difficult decisions

Your corporate reputation will be enhanced by bringing a group of highly engaged members into your decision-making conferences. While neither quick nor easy, laying out the situation, seeking alternative options and engaging with those most likely to react negatively will help prevent emotional riots among your members or customers.

Make use of the innate desire most people have—to be of useful service.

Steps to facilitating community involvement when making difficult decisions:

  1. Identify the issues, both worst case and best case scenarios; e.g. If we do nothing, what will happen? If we do X, what will happen? Back this up with hard facts.
  2. Comprehend the situation from the view of each potential stakeholder.
  3. Identify key stakeholders and potential leaders among each of these affinity / stakeholder groups
  4. Meet singly with leaders from each camp to gauge their reactions and learn if they will help you navigate the way forward
  5. Meet with stakeholders either as individuals or as groups based on their affinity
  6. Outline the situation
  7. Invite alternative solutions / ideas
  8. Task a leader for each stakeholder group to come up with alternatives and funding mechanisms to support their ideas
  9. Seek Angels whose interests may align with or help provide funding or alternative support; forestalling the hard choices
  10. Receive reports
  11. Have stakeholder leaders make recommendations
  12. Finally, have the board make the decision and make sure that decision is supported by clear, credible evidence

If your board or you as an owner must make the difficult decisions which you know will cause a negative reaction among stakeholders or customers, keep in mind that the more evidence you have of why you were forced to make these decisions and the more evidence you share, the better off you will be.

… a “considerable number” of councils have opted to sell one or more sites, said Mark Allsup, a property consultant for the organization. He said some councils have handled sales smoothly by keeping members informed during reviews so that final decisions aren’t a surprise and are backed up with data.

Some decisions “are being made soundly, and we are very supportive of them,” he said.

Transparent, clear, fact-based communication with all stakeholders at all times and participation of stakeholders in seeking alternatives can mitigate some of the bad blood which may occur. However, if your board must make the unpopular choice, recognize you will have fallout, dissension, and loss of business, and this must also be factored into your future as an organization.

As a woman who benefitted from going to Girl Scout camp, I know how heart-wrenching the decision to sell a camp must be; however, as a business owner, I also understand needing to have funding to support every part of my enterprise.

Need to plan the announcement of a difficult decision? Need guidance on how to communicate your firm’s new direction or gain alignment with constituents? If your business or firm is facing a crisis, contact us at 843-628-6434 for consultation and assistance. If you would like to have us perform a crisis audit for your firm so you are prepared in advance, we welcome your call.

In a Crisis, Your Firm Will Be Judged in the Court of Public Opinion


There is a reason that across history and in religious ceremonies burning effigies have helped quell the public’s anger, calm fears, and refocus the mind on new beginnings. Courts of law decide guilt and innocence and accomplish the same thing. Contemporary institutions would do well to learn from this and understand the call of the masses for visible acceptance of responsibility. There is a court of public opinion and they will determine your organization’s fate – if only in their individual minds.

After months of study, an independent investigation [PDF] report regarding the Skip Reville Citadel sexual abuse crisis has been released. The report finds there was no attempt to cover up or conceal the situation. Instead, the report describes a limp, pallid attempt at mitigation and a single uninformed corporate counsel staff member’s investigation attempt that never raised a red flag or reported the severity to his superiors. This failing is the cause of much of the public’s continual disgust with The Citadel. The leaders at The Citadel have failed to understand this and continue to lack the boldness to offer public contrition for this omission. Instead, they have danced around the point of “legal obligation” to report.

In his Executive Summary, attorney Joseph M. Mcculloch, Jr., who acted as independent coordinator of the investigation performed by two firms, writes:

“ … there appeared to be no conspiracy or decision process with an underlying purpose of concealment of the allegation. Rather, it was a well intentioned but inadequate investigation conducted by a single administrative member, operating in a vacuum of policy or procedure, with the administration passively relying upon incomplete and sporadic progress reports which were perceived by administration to be adequate at the time, and general counsel’s unilateral decision that due to the expressed position of the complainant and family desiring privacy the institution should not report.”

The two portions of the report review the investigative actions [PDF] taken at the time of the sexual abuse report to the Office of the President of The Citadel and an institutional review [PDF] of The Citadel’s policies and procedures which must be strengthened or put in place to prevent any further opportunities for child sexual abuse.

What the public wants

I know the public believes that there was a cover-up in this case because there was no raising of a red flag, no light on a horrible event—then or now. So, in the ongoing opinion of the public, there was no shock and no statement of “a terrible thing has happened.” The public believes that The Citadel deliberately hid what happened. No report is going to change this perception now.

If your firm finds itself involved in a scandalous situation, always put yourself in the emotional place of an outside onlooker. Feel their intense emotions – then respond to those emotions with sincere statements of sympathy for the victims. While you must also address the details of the incident and how it will be prevented in the future, any missteps in addressing the intense emotions of onlookers who put themselves in the place of the victim will leave your firm damaged, no matter how well you mitigate physical or financial damage.

Of the two independent investigations into the 2011 high-profile higher-education sexual abuse cases (Penn State and The Citadel), the Freeh Report did more to begin the repair of Penn State’s damaged reputation, because it was emotional, vivid and immediate in addition to addressing facts. And it called for dismissal of those perceived to be guilty of allowing the environment where abuse occurred.

Public guilt and contrition required

The only thing that might have changed the public’s perception of The Citadel then and now is absolute openness – the bright light of public scrutiny on any similar incident. The public wants a scapegoat or a flogging. And in these reports released by The Citadel, there is none.

While President Rosa is on record as going on air and declaring, “We could have done more…”, it was far too little, too late, and no wimpy report is going to remove the stench of perceived guilt now. The Citadel has made too many clumsy missteps to clear their name in the short term. Perhaps becoming the beachhead of child abuse prevention, or time and dedication to prevention and education, will repair their damaged reputation. And in this there is hope.