There are many aspects of a website to consider when dealing with security. One that is often overlooked is the administrator’s username and password. Choosing strong login credentials further increases the security of your site, while using default credentials or easily compromised credentials can completely circumvent all your security efforts elsewhere.
Often when a new web hosting account is set up, your host will assign you a username and password to administer your account. Sometimes the host is wise enough to use a strong password, but it’s not uncommon to get a username and password that are very easy to guess, perhaps something as obvious as your domain name. It is critical, especially in cases like these, to change your password to something that is not easy to guess. When a hacker or malicious program comes to your site with the intent to break into your administration panel, easy passwords like these are some of the first ones they try for this very reason: most people don’t use secure passwords.
A good analogy is the rebates that are sometimes offered when you buy a product. While the seller could offer the same discount up front, they are betting that you won’t bother to send in the rebate, or that you’ll simply forget. This allows them to advertise the product for a “lower price,” but they will still end up receiving the full amount most of the time. Hackers use similar reasoning when cracking passwords. They’re betting that you haven’t bothered to change it from the default, or that you’re using something easy to guess in order to help remember it yourself. So think of your password like a rebate form, except that using an insecure password will cost you more than a few saved dollars — it compromises the security of your entire site and all of your customers’ private information. This is a frightening prospect for your customers — they see that their transactions on your site are encrypted with SSL, but their information really isn’t secure at all if the database where the information is stored can be easily compromised by even the least experienced of hackers.
Your password should never include:
- the name of your site or your domain name (e.g. mysite for mysite.com)
- the word “password”
- the words “miva” or “mivamerchant” (in the case of a Miva Merchant administration panel)
- any part of your username (your username and password should never be the same)
- a word that is often associated with your business (e.g. “pepperoni” for a store like Papa John’s or Pizza Hut)
- any other phrase that appears prominently on your site.
Generally, when creating a secure password, you’ll want to use a mix of upper and lowercase letters, as well as numbers and non-alphanumeric characters such as # and %. (For example, a very strong password would look like this: 5X]M@hkeGI2jBK.) It is also a common misconception that substituting certain letters for their “leet speak” equivalent (e.g. p@$$w0rd) make the password more secure. Any password cracking software will be trying these combinations as well.
Changing to a secure password is a very small task. It takes only a few moments. But the damage that can be done to a site with weak login credentials is no small matter at all.
Miva