Your birthday. Your dog’s name. Or even worse, 1234. These are common passwords that are easy to remember — and an easy way to let people exploit your website. When you own your own website, it’s even more crucial to create a smart password that will keep your site safe and secure, since upping the ante on your password game is one of the best ways to protect your business.
“It’s important to have strong passwords because 81 percent of hacking-related breaches are due to weak or stolen passwords, according to the 2018 Verizon Data Breach Report,” says Darren Guccione, CEO & Co-Founder of Keeper Security. “Passwords are the single easiest entry point you can protect.”
While a quirky word or secret nickname might seem unpredictable to you, it is not much harder for a professional to crack.
“Criminal hackers have password cracking tools at their disposal that actually plug well-worn, easy-to-guess passwords into website logins,” says Robert Siciliano, a security analyst with Hotspot Shield. “For example, many usernames are ‘admin’ and if the password is ‘princess’ that is easy to crack with a ‘dictionary attack,’ which is software used to crack passwords.”
If you have employees who have access to your company’s website, it’s crucial to teach them how to create a secure password. After all, even if you follow every step to creating a strong password yourself, not requiring your users to do the same leaves an Achilles’ heel. Stay safe and secure by trying these 11 techniques to build a strong password.
11 Password Tips to Help Keep Your Website Safe
1. Make your password long.
“Generally, a longer password takes longer to be cracked; however, it should also follow other rules to make it strong,” says Rema Deo, Managing Director at 24By7Security, Inc. “Length alone is not enough.” Aim for at least eight characters; anything shorter is cracked in less time. The longer the password, the longer it takes to figure out.
“However, a long password doesn’t necessarily make it more secure,” Guccione cautions. “To be secure it should be both long and random, meaning it should contain a combination of upper and lowercase letters, numbers, and symbols. A password should be no less than eight to 16 characters, but certainly, more can be better. Some websites require a certain character length so be cognizant of those requirements when creating your passwords.”
2. Don’t use a common phrase.
As Siciliano mentioned, the ‘dictionary attack’ is the main reason to avoid popular words and phrases. Passphrases are becoming more popular, but they can easily be guessed if they are something obvious about you or the account. And don’t make the mistake of thinking that using an exclamation mark instead of an “I” or a “3” for the letter “E” will throw attackers off.
“Algorithms used to crack passwords already consider common phrases and even common letter substitutions,” Deo cautions.
3. Test your password.
“Most websites have testing tools built-in to the setup process when creating a password,” Siciliano says. “The other option is to go to haveibeenpwned.com and look at their password checker tool.” While password strength meters help, keep in mind that they are not necessarily foolproof.
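To make tips 1 to 3 concrete, here is an added example (not code from the article or from any of the products it mentions) of a local checker that does what a cracking tool does before a strength meter ever sees the password: it undoes the common letter substitutions from tip 2, compares the result against a dictionary list, and only then estimates brute-force strength. The word list and the `assess` function are constructed for this example; real cracking lists hold millions of entries.

```python
import math
import re

# Constructed sample of a "dictionary attack" word list (real tools ship millions).
COMMON_PASSWORDS = {"password", "princess", "1234", "12345678", "qwerty",
                    "letmein", "iloveyou", "admin", "welcome", "sunshine"}

# Substitutions that cracking rule sets already try, so they add no real strength.
SUBSTITUTIONS = str.maketrans({"!": "i", "1": "i", "3": "e", "@": "a", "4": "a",
                               "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lowercase, drop trailing digits/symbols, then undo leetspeak substitutions."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(SUBSTITUTIONS)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must brute-force for this password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII symbols
    return size


def assess(password: str) -> dict:
    """Return the length/dictionary problems found and a brute-force entropy estimate.

    The entropy figure is only an upper bound: a dictionary hit means the password
    falls in seconds regardless of how many bits the alphabet maths suggests.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    candidates = {password.lower(), normalize(password)}
    if candidates & COMMON_PASSWORDS:
        problems.append("matches a common password after undoing substitutions")
    bits = len(password) * math.log2(charset_size(password)) if password else 0.0
    return {"entropy_bits": round(bits, 1), "problems": problems, "ok": not problems}


if __name__ == "__main__":
    for pw in ["Pr!nc3ss", "P@ssw0rd123", "1234", "xK9#vLq2!mZr"]:
        print(pw, assess(pw))
```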
4. Don’t reuse your password.
More than half of all people use the same password for all their websites and applications. “This is a common and very dangerous problem,” Guccione says. “Hackers keep dictionary lists of the most commonly used passwords. They also know that if they are successful in breaching a single account, they will often be able to access multiple accounts for the same person due to the high frequency of password reuse. So, the more you reuse passwords the easier it is for an attacker to gain access to every account that uses that same password.”
As security breaches have become increasingly common, that’s another reason to keep mixing it up when it comes to your password.
“There have been 12 billion records compromised just in the past two years alone, equating to over 10,000 data breaches,” Siciliano says. “That means criminals have access to billions of usernames and their associated passwords. This allows them to use that data to access any site where your credentials are reused.”
5. Use a password manager.
If you’re creating passwords the right way — meaning they’re long, with lots of numbers and characters and on the gibberish side — it’s probably pretty tough to keep track of all of them. That’s where a password manager comes in. It lets you keep a different password for every one of your accounts and remembers them for you.
“Password managers generally store your passwords in an encrypted vault and therefore are meant to be more secure than other means of storing your passwords,” Deo says. “They also offer features like suggesting passwords; allowing you to enter, store and remember long complex passwords; identifying duplicate or reused passwords and allowing you to fix them.” Just be sure to pick the right one, since password managers have been known to have the occasional security flaw. Using a password management application will enable you to create stronger passwords, since you won’t have to remember each one.
“They also allow you to be faster online by auto-filling your login credentials for you,” Guccione says. “Creating strong passwords is not difficult—remembering them is. We call this dilemma ‘password fatigue.’ The easiest way to create strong passwords is with a password manager. There are many options that once you’ve tried I can guarantee you’ll want the ease of use on every device.” And whatever you do, do not store your passwords on sticky notes or spreadsheets.
6. Don’t store passwords in your browser.
We know what you’re thinking: keeping passwords in your browser means they’re always at your fingertips. But like many other shortcuts in life, it just isn’t worth it. Password managers are built by security companies whose job is to protect your data; browsers are not held to the same standard for password management. “Browsers don’t encrypt your passwords, and if a hacker gets access to your computer, the passwords stored in your browser are open game,” Guccione says.
“Further, passwords stored in a browser can’t be used for native applications and are also not available on your other devices or on other browsers. Passwords stored in a particular browser are not cross-platform, and browsers are not military-grade ‘vaults’ for securing and organizing your passwords and other private information.”
And remember, Deo warns, that stored passwords can generally be viewed once you are connected or logged in. If a hacker gets control of your browser with your login password, then the hacker can see all the accounts and their passwords. This is one risk that definitely isn’t worth taking.
7. Follow the rules every time.
It might seem OK to break a rule now and then, but that can be a slippery slope. Always — and we mean every single time — stick to the essentials. “Long and strong, lowercase, numbers and characters, indecipherable passwords that don’t spell anything out are best,” Siciliano says. “Otherwise, phrases incorporating the above can work. But a password manager does it best—that’s their job.”
If you want to go above and beyond (and which business owner doesn’t when it comes to their website?), take it up a notch by setting a truly unpredictable password, one that simply has nothing to do with you or any other common phrase. “Since such unpredictable passwords are hard to remember, a password manager might be the next best thing to use to protect your accounts,” Deo says. “Multi-factor authentication is also a useful idea so that you would need multiple different methods to access your accounts.”
8. Use two-factor authentication.
Any extra protection you can add is a good idea, and two-factor authentication means that simply having your password won’t be enough. Two-factor authentication adds a second layer of security for protecting access to your accounts, making the cracking process much more difficult. This second layer can consist of a code-generating app on your smartphone, a numeric key fob or a USB key.
“A simple username and password combination has already been hacked and cracked with the 12 billion records compromised,” Siciliano says. “If you have two-factor installed, it doesn’t matter if a criminal has your username and password — they would need your mobile phone to get access.”
9. Consider the Passphrase/Diceware Method.
The Passphrase/Diceware Method builds a secure password out of randomly chosen words. “It is a good way to create a strong, long password,” Deo says. “Experts say that the number of words you need to truly make the Diceware passphrase strong used to be five, but now they recommend that you use a minimum of seven words to make a strong passphrase.”
The downfall? “Just be aware that what you create, you also have to remember,” Guccione says. “Passphrases are becoming more prevalent. Therefore, it’s best used in conjunction with a password manager.”
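The following is an added example, not code from the article or from the Diceware project, showing why the recommended word count moved from five to seven: each word drawn from a standard 7776-entry Diceware list (6^5 outcomes of five dice) contributes about 12.9 bits, so five words give roughly 65 bits and seven give roughly 90. The tiny `WORDS` list is constructed for illustration; a real passphrase must be drawn from the full list.

```python
import math
import secrets

# Constructed stand-in for a Diceware list; the real list has 6**5 = 7776 entries.
WORDS = ["apple", "bridge", "candle", "dragon", "ember", "forest",
         "glacier", "harbor", "island", "jungle", "kettle", "lantern"]
DICEWARE_LIST_SIZE = 6 ** 5


def dice_index(rolls) -> int:
    """Map five dice rolls (each 1-6) to a 0-based index into a 7776-word list."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls of 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_dice() -> list:
    """Five cryptographically random dice rolls (secrets, never random.random)."""
    return [secrets.randbelow(6) + 1 for _ in range(5)]


def entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of word_count words drawn uniformly from list_size."""
    return round(word_count * math.log2(list_size), 1)


def passphrase(word_count: int, words=WORDS) -> str:
    """Draw word_count words uniformly at random from the given list.

    With a full 7776-word list you would use words[dice_index(roll_dice())];
    secrets.choice gives the same uniform draw for a list of any size.
    """
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for n in (5, 7):
        print(f"{n} words: ~{entropy_bits(n)} bits, e.g. '{passphrase(n)}'")
    rolls = roll_dice()
    print("dice", rolls, "-> index", dice_index(rolls))
```

The list above is far too small to be secure; its entropy is only about 3.6 bits per word, which is exactly why the method depends on the full 7776-word list.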
10. Use security questions wisely.
Though security questions might seem like they’re there to help by adding an extra layer of protection, they can actually do more harm than good. “If possible, it’s best to avoid security questions because they tend to be questions of very common things about yourself,” Guccione says. “But if you do have to use them, I recommend setting a customized security question and answer to prevent hackers from planning a brute-force attack against common security question and answer lists.”
In other words, be creative with your answers, and keep a record of them somewhere secure, so that the real information can’t simply be looked up on social media. “Answers to security questions can often be guessed easily or even found on public sources,” Deo says. “For instance, some security questions ask you the model of your first car or the high school you went to. These are not private questions. It is important to select questions that offer you a certain level of privacy where you may be the only one who truly knows the right answer.”
11. Keep an eye on your smartphone.
“Today, most people keep everything about themselves on their smartphones, from notes, contacts, lists, text messages, passwords, photos, videos, and emails—it’s all there,” Guccione says. “Hackers target smartphones because they are small and easy to steal. When a hacker is able to get physical access to your device, their chances of breaching that device increase exponentially. Each year, over 3 million phones are stolen. Keep them locked with a passcode and under a close eye!”