In the wake of major hacks announced recently by popular websites like LinkedIn and Tumblr, you’ve probably been thinking about changing your passwords… but if you’re like most people, you probably haven’t. The hacker attack on Facebook CEO Mark Zuckerberg recently demonstrated how vulnerable most people are—a big reason his accounts were easy to hack is because he used the same simple password across multiple sites. After we tell you a little bit more about why you need to protect yourself online, we’ll give you some tips on how to keep your information secure.
Don’t Assume You’re Safe
You certainly don’t need to be an Internet big shot to be hacked—it seems like if anything, hackers are becoming less discriminating and simply going after any low-hanging fruit they can find. Not only is basically any password-protected account you may have on a website or social network vulnerable; your business’s website is vulnerable, too. Even if you don’t have site members or logins, or if you do but don’t collect personal data or financial information, there’s no reason to assume that your site is immune from being hacked.
Many sites get hacked simply because they can be. In the best-case scenario, it’s disruptive—your site is down for a while, but you can restore it. In a worse but all-too-common scenario, you’ve lost your site’s files and information and need to start again from scratch. And in a possibly even worse scenario, your site is held ransom by hackers and you can get it back—if you pay up. Hackers also sometimes use hijacked websites to send email and hack other sites. Even if your site doesn’t go down, you could find your search rankings and email open rates torpedoed as your domain and email address wind up blacklisted. “But it wasn’t my spam!” isn’t a good enough excuse for Google.
Smart Steps to Protect Yourself
Mark Zuckerberg’s hack teaches you basically everything you need to know about what not to do to keep your information secure. He used the same password for multiple sites, which is a huge no-no—and on top of that, the password he used (dadada) meets exactly zero of the criteria for creating a strong password. What should you do to create a strong password?
- Use both upper- and lowercase letters. At this point, pretty much any site you need a password for will be case sensitive.
- Add in numbers and special characters. One trick that can let you make a more secure password that’s also easier to remember is to swap in numbers and special characters that resemble letters. For example, you can replace a B with an 8, or use ! for i.
- Keep away from words you’d find in a dictionary—hackers use dictionaries to crack passwords. (We know, Zuckerberg didn’t exactly violate this one, but he didn’t use terribly complicated gibberish, either.)
- Make it long. While some websites limit the number of characters you can use in a password, if there isn’t an upper limit, aim for 12-15 characters.
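As an added illustration (not code from the post), here is a checker that applies the four rules above. The word list is a constructed stand-in for a cracker’s dictionary, and the checker also undoes the look-alike swaps the post suggests (8 for B, ! for i, and a few similar ones) before comparing, on the assumption that a disguised dictionary word is still a dictionary word.

```python
import string

# Constructed mini word list standing in for a cracker's dictionary (assumption).
DICTIONARY = {"password", "dadada", "welcome", "letmein", "sunshine", "monkey"}

# Inverse of common letter-for-symbol swaps (B->8, i->!, o->0, e->3, a->@, s->$/5),
# so a word that was only disguised with them is still caught below.
UNLEET = str.maketrans({"8": "b", "!": "i", "1": "i", "0": "o",
                        "3": "e", "@": "a", "$": "s", "5": "s"})


def check_password(pw: str) -> list[str]:
    """Return the rules from the post that `pw` fails; an empty list means it passes."""
    failures = []

    # Rule 1: both upper- and lowercase letters.
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("mix upper- and lowercase letters")

    # Rule 2: at least one digit and one special character.
    if not (any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
        failures.append("add numbers and special characters")

    # Rule 3: no dictionary word, even one hidden behind look-alike substitutions.
    normalized = pw.lower().translate(UNLEET)
    if any(word in normalized for word in DICTIONARY):
        failures.append("avoid dictionary words")

    # Rule 4: length; 12 is the lower end of the post's 12-15 recommendation.
    if len(pw) < 12:
        failures.append("make it at least 12 characters")

    return failures


if __name__ == "__main__":
    for candidate in ("dadada", "P@ssw0rd!2024", "Tr7#qLm9$vXw"):
        print(candidate, "->", check_password(candidate) or "passes all four rules")
```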
The trouble with strong passwords, and why so many people avoid using them? It can be difficult to remember one really strong password, let alone a whole slew of them (not to mention keeping track of which password goes with which site!). Your best bet is to use a secure password storage solution like Passpack or LastPass. With these, you only need to remember a few things (for example, Passpack requires a password and then a “key”—typing a specific sentence). Once you’re in, you can copy and paste passwords as needed. There are also a number of apps available for storing passwords on your smartphone. Depending on which app you use and what kind of phone you have, you may be able to access passwords using a series of swipes or your thumbprint rather than using a password at all.
Worried you’ll have trouble remembering even a few important passwords? Don’t write them down. You’d be amazed—or maybe you wouldn’t be—how many people write down important passwords and stick them in prominent places like their computer monitor or keyboard. And if you don’t think anyone in your office would possibly want them, think again: Hackers can use “white glove techniques,” which involve everything from calling under false pretenses and asking for passwords to getting into offices on made-up errands and literally going through your trash.
Instead of writing the password down, if you really want that kind of backup, jot down a word or phrase that will jog your memory but that wouldn’t be meaningful to another person reading it. You’re basically making an analog version of the kinds of security questions that sites use when you’ve forgotten your password or username and are trying to retrieve it.
Ways to Protect Your Website
Being proactive is the best way to protect your website. Even if you think your site has nothing that would interest a hacker, it’s still important to you. Having your site hijacked and held ransom, or even just having the files erased (a particularly obnoxious form of online vandalism) creates problems that are stressful, time-consuming, and often costly to fix. In general, the cost of cleaning up and restoring your site after a breach will be substantially higher than the initial cost and ongoing maintenance that will protect it from vulnerabilities and keep its security up to date.
What preventative measures should you take to keep your site secure? Make sure that you know exactly who’s allowed to log in to the back end (i.e., who can access the code and/or make edits) of your website, and give each user his or her own login credentials rather than sharing them. Each user should only have as much access as they need to do what they need to do. For example, as the site owner you will probably want full administrative privileges, but you don’t want other people using your login if they only need to do something simple (like changing a date on a webpage or creating a blog post); these users should have their own credentials that give them a more limited scope of options. The other reason it’s a bad idea to share login credentials is that if something does happen, it can be more difficult to reconstruct what went wrong—looking at your site’s log, it will appear as if the same person simply logged in again and again when in actuality it may have been multiple different users.
The other vital preventative measure you should take is to have your site backed up. Your hosting company will likely offer a backup solution as an add-on feature—it’s worth it to sign up. Some providers will email you the backup; with others, you’ll need to contact the provider to let them know you need a copy. You don’t need to keep an archive of backups that goes back endlessly, but it’s important to keep a backup on hand that is at least a month old.
Why would you want a backup that’s a little bit older, instead of one that’s just from yesterday? While in some cases it’s obvious immediately that a site has been hacked, other times you might not catch the problem right away. When that’s the case, you want to be sure that the site can be restored from a backup that’s clean—you don’t want to overwrite the hacked site with a backup of the hacked site. Even if you lose a little data (like if you had added a blog post in the previous two days, for example), it’s easier to make that one fix manually than to be stuck with a site that’s been compromised.
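As an added illustration (not from the post), here is the backup advice from the two paragraphs above as code: a retention rule that keeps the most recent copies plus one that is already at least a month old, and a restore rule that picks the newest copy taken before the day you believe the compromise began. The filenames, the fixed “today” date and the seven-day window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample: one nightly backup per day for the past 45 days, named by date.
TODAY = date(2016, 6, 15)  # fixed so the example is reproducible (assumption)
BACKUPS = [f"site-{(TODAY - timedelta(days=n)).isoformat()}.tar.gz" for n in range(45)]


def backup_date(name: str) -> date:
    """Parse the date out of a 'site-YYYY-MM-DD.tar.gz' filename (assumed naming)."""
    prefix = len("site-")
    return date.fromisoformat(name[prefix:prefix + 10])


def retention_plan(backups, today, keep_recent=7, min_age_days=30):
    """Backups to keep: the newest `keep_recent`, plus the youngest one that is already
    at least `min_age_days` old, so a copy predating a slow-to-notice hack survives."""
    newest_first = sorted(backups, key=backup_date, reverse=True)
    keep = newest_first[:keep_recent]
    old_enough = [b for b in newest_first
                  if (today - backup_date(b)).days >= min_age_days]
    if old_enough and old_enough[0] not in keep:
        keep.append(old_enough[0])  # youngest of the month-or-older copies
    return keep


def pick_clean_backup(backups, first_bad_day):
    """Newest backup taken strictly before the day the compromise is believed to have
    started, or None if nothing that old remains (i.e. no clean copy to restore from)."""
    candidates = [b for b in backups if backup_date(b) < first_bad_day]
    return max(candidates, key=backup_date, default=None)


if __name__ == "__main__":
    kept = retention_plan(BACKUPS, TODAY)
    print("retained:", kept)
    # A hack noticed today but believed to date from 1 June: only the older copy helps.
    print("clean copy:", pick_clean_backup(kept, date(2016, 6, 1)))
```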
Even if you have a backup, it will take some effort to restore your site. However, it’s much less than would be the case if you don’t have the files. Your website isn’t just the stuff you see—the text, the image files, and so on. It’s also everything behind the scenes that it’s built on, which can be a dense thicket of code. If you store customer or subscriber information, there’s that database as well. It’s pretty easy to see why—to paraphrase Ben Franklin—a megabyte of prevention is worth a terabyte of cure.
At Higher Power SEO, we take website security seriously. Our hosting packages include regular backups, and unlike with the big guys, you know exactly where your site’s files are—on one of our secure servers. To learn more about how we help ensure businesses’ websites stay safe—and are promptly restored if a breach occurs—call us at 760-881-4736.