As website security vulnerabilities go, weak passwords seem like no biggie.
A friend of mine learned the hard way the truth about weak passwords and the visitors who love them.
So as not to embarrass my friend, let’s keep his name out of this. It’s enough for you to know he operates a successful B2B website with thousands of paying subscribers.
They come to his online enterprise for fast, easy access to hard-to-uncover biz information. Users access these data once they create an account and supply a password.
Most passwords on file at my friend’s site earn at least a grade of B for strength.
However, some deserve a grade of F.
They qualify as weak passwords because anyone with a tiny bit of smarts can guess them.
And guessing them is exactly what happened at his site this past spring. Clever hackers figured out a few very weak passwords and then used them to access the vulnerable customers’ accounts.
From there, they went on to penetrate the website’s inner machinery. Just waltzed right in.
Then they hoovered-up practically his entire trove of super-valuable data—the info his subscribers were paying big bucks to utilize.
To appreciate how valuable my friend’s business-insights data were, check this out. When the thieves broke in, all they took was the biz data. They completely ignored the user credit-card account numbers and anything that might have helped them commit identity theft.
Weak Passwords are Dangerous
The loss of these business data devastated my friend’s enterprise. Nearly sank it, in fact. Thankfully, though, he rebounded and survived to tell the tale.
But the point is, all his woes stemmed from weak passwords. Not his passwords. Those of his site users.
Make no mistake, weak passwords create website security vulnerabilities. In turn, security vulnerabilities hurt website health.
I mention all this because cybersecurity firm SplashData just released a list of the Top 100 weak passwords of 2018. (The Los Gatos, California, company puts out such a list every year after analyzing the millions of passwords stolen during the previous 12 months.)
Topping the new list is an old favorite. It’s 123456. Coming in dead last is qwerty123.
Next time, I’ll list the whackiest of the weak passwords—but with a twist you’ll see nowhere else. In addition to giving you the weak passwords, I’ll also offer a tongue-in-cheek analysis of what each one reveals about the user’s personality.
OK, sneak preview. The common thread in all 100 weak passwords is laziness. People use weak passwords because it requires no real mental effort to create and memorize them. They also require only a minimum of physical effort to type when asked to give them at login.
Mix Those Characters
So, let’s cut right to the chase. How do you avoid creating weak passwords? How do you instead create strong ones that make hackers hate you?
Here’s what the experts usually suggest.
First, make your passwords at least eight characters long.
Better yet, make ‘em 12 or more characters long.
Second, use a hodgepodge of letters, numbers, and special characters. That’s letters, as in abc. Numbers, as in 123. Special characters, as in !*@.
But don’t go like this: abc123!*@. Yes, that’s nine characters—more than the safe minimum. What’s wrong is it merely groups these different characters instead of shuffling the deck.
The different character types need to be interspersed, like so: ab1*[email protected]!2
The reason for interspersing is that it forces hackers to work super-hard to crack your password.
And if they have to work super-hard, they may decide it’s not worth the trouble to mess with you. They’ll leave you alone and go try to crack the weak passwords of other people.
Use a Password Generator
Now, it might happen that you lack the time or creativity to come up with a strong password on your own. In that case, use a password generator. It does all the work for you.
Another reason to use one is it arranges characters randomly. Many people end up with weak passwords because they fashion them from easily memorized names or dates.
For example, they’ll use their spouse’s first name as the password. Or their favorite pet’s name. Maybe the address of their home. Or the date of an important anniversary.
Advice to you: don’t do this. At hacker school, cyberthieves learn on the first day of password-cracking class to plug in the names of the targeted person’s loved ones. Those names turn up easily enough in Google searches of public records.
As well, break the habit of saving and storing your passwords on the browsers you use. Your browser is the first place hackers look when they manage to penetrate your firewalls.
Don’t even write passwords down on a sheet of paper. Instead, commit them to memory or use password-management software from a trusted source. Norton comes readily to mind.
Be sure to close your browsers after every online session. Better yet, close them after each visit to a website. According to security experts, an idled but open browser is practically the same as rolling out a red carpet to cyberthieves and putting up a big neon sign that reads “Hackers Enter Here.”
Talk to Valet—They Understand Site Security Issues
Let’s return to the story of my friend the B2B website owner.
After the hacking that nearly ruined him, he took steps to prevent a repeat.
One of those steps involved contacting every user of the site and warning them about weak passwords.
He sent them emails, he used his blog, and he added a passwords section to his website’s FAQ page.
But he did more than just warn. He also provided instructions for how to make wimpy passwords look like Popeye’s biceps after a can of spinach.
The instructions he offered were very similar to those you read here today.
Please take to heart the tips I’ve shared with you. Meanwhile, if you’d like to talk to people who truly understand the role of good security in keeping your website healthy, then please fire off an email to Valet.
Valet has some website health and security ideas you’re going to like.