A couple of weeks ago, there was a lot of news about a massive brute-force attack against WordPress sites to install a Monero miner, a JavaScript crypto miner. The attack used information from the site, such as the domain name, together with common logins and common passwords, to try to gain access to the site.
Let me say this again: the attack used common logins and passwords to gain access. This means the attack basically used a whole lot of computers to guess credentials. And guess what? If a site used “admin” and “password123” as its credentials, it was compromised in about five seconds, probably less.
So this is my regular plea: please, please use strong passwords and don’t reuse passwords. What’s a strong password? My tips are below:
- Create a long password. Some sites recommend 6-8 characters. That’s outdated information. Make your password as long as you can. My Windows password at work is 15 characters.
- Don’t just add numbers or replace letters with numbers. DOgFi$h123 may have been an acceptable password in the past, but no longer.
- Don’t use a common phrase from life, a book or the movies. It’s easy to think that “DoOrDoNotThereIsNoTry” is a great password because it’s really long. But guess what? This phrase exists in dictionary attacks used by hackers. Don’t use this password.
- You are better off stringing together words that are meaningful to you but don’t commonly belong together. For example, I was staying at the Bellagio Hotel one time and I needed to change my password. So I looked up, saw some balls on the ceiling and came up with “99BouncingBellagioBalls)).” How Secure Is My Password says it would take 15 octillion years to guess this password, which I don’t believe, but you get the point: this password is strong because it’s long and has a combination of upper case, lower case, numbers and non-alphanumeric characters. And yet, most importantly, this password was easy for me to remember. I will sometimes string random English, Tagalog and French words together and add some numbers in the middle of the password to create a strong password.
- Use a password manager. No, Excel is not a password manager, especially if the file is called passwords.xlsx. A Word doc is not a password manager. A spiral-bound notebook locked in your house is much safer than an Excel file on your laptop or share drive. Instead, use a manager like LastPass, KeePass, 1Password or Dashlane. At the company level, use an enterprise password manager like Secret Server (which Matrix Group uses as a company). Me, I use KeePass.
- Commit commonly used passwords to memory; let the password manager handle the rest. Me? I remember my office network password and my KeePass password. For everything else, I create long passwords or let KeePass generate them, and then I store them in KeePass.
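To make the point that length alone is not enough, here is an added example (not from the original post) that checks the passwords discussed above. It uses a constructed, deliberately tiny blocklist standing in for a real breach-derived list, reverses the usual letter-to-symbol swaps, and compares a dictionary hit against the raw brute-force bound; the guess rate is an assumed figure.

```python
import math
import re

# Constructed sample of a "known bad" list. A real check would use a large
# breach-derived blocklist; this small set is only for illustration.
COMMON = {
    "password", "password123", "admin", "admin123", "letmein", "qwerty",
    "doordonotthereisnotry", "maytheforcebewithyou", "dogfish",
}

# Undo the usual letter-to-symbol swaps so "DOgFi$h123" is checked as "dogfish".
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "3": "e", "1": "l"})

def candidates(pw):
    """Yield the forms a dictionary attack would try: lowercase, without a
    trailing digit suffix, and with leet substitutions reversed."""
    low = pw.lower()
    stripped = low.rstrip("0123456789")
    for form in (low, stripped, low.translate(LEET), stripped.translate(LEET)):
        yield form

def charset_size(pw):
    """Alphabet size implied by the character classes actually used."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    return sum(n for pattern, n in classes if re.search(pattern, pw))

def brute_force_bits(pw):
    """Upper bound on guessing work (bits) if the attacker must try every string."""
    return len(pw) * math.log2(charset_size(pw))

def years_to_exhaust(bits, guesses_per_second=1e12):
    """Years to try the whole keyspace at the given rate (assumed figure)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def assess(pw, min_len=15):
    """Return ("weak", reasons) or ("strong", []). A dictionary hit is fatal
    regardless of length, which is why the entropy figure alone is not the verdict."""
    reasons = []
    if any(form in COMMON for form in candidates(pw)):
        reasons.append("matches a common password or phrase")
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    return ("weak" if reasons else "strong", reasons)

if __name__ == "__main__":
    for pw in ["password123", "DOgFi$h123", "DoOrDoNotThereIsNoTry",
               "99BouncingBellagioBalls))"]:
        verdict, reasons = assess(pw)
        print(f"{pw!r}: {verdict} {reasons} ~{brute_force_bits(pw):.0f} bits")
```

Note that “DoOrDoNotThereIsNoTry” scores well on raw bits yet is rejected, because the blocklist lookup runs before the length and entropy figures are considered.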
Want to learn more about passwords? I like these articles:
https://lifehacker.com/how-to-create-a-strong-password-1797681069
https://www.technologyreview.com/s/542576/youve-been-misled-about-what-makes-a-good-password/
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
Make it one of your 2018 resolutions to replace your passwords with strong ones NOW!
One reply on “The One Thing You Can Do Now to Protect Your Website From Hackers – Create a Strong Password”
Password Safe is a very good product to use (https://pwsafe.org/). I do not know if you know about Bruce Schneier, but he is a cryptographic expert.