Please change your simple passwords

The story of how a weak password threatens your website and your security.

Recently, I delivered a new website to a client. After launching, there was no issue that I knew of with the site: pages loaded, images were fine, load time was under 2 seconds. All was well.

When it was time to hand over the reins to my client, I created their admin accounts, handed them the username, and asked them to change their password upon login. What I forgot to warn them: don’t use a simple password.

And within just a few days, this happened:

The website received a burst of visitors. But these “visitors” were not humans; they were bots.

Suddenly, there was a burst of traffic coming into the website. Of course, this would be a cause for happiness in a normal case, but not this one. These were bots, and they were attempting to take down the website by loading it with a massive number of requests. Have a look at the next screenshot.

[Screenshot: website requests]
Look at the absurd number of visitors and requests. Common for big websites, but definitely not for this one.

To put it in a normal business scenario: the first bar shows 1,180 people turned up at the store; divide by 60 minutes and that’s 20 people entering the store EACH MINUTE. And once these people are in the store, they are asking… 16,148 questions PER MINUTE. Any small store employee would have collapsed under the sheer number of questions.

What you are looking at is a mixture of hacking due to an easy password and a DDoS (Distributed Denial of Service).
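As an added example (not part of the original post): the burst above is what a login brute force looks like in the web server’s access log. The Python below parses constructed Apache/Nginx combined-format lines (every address, path, timestamp and user agent is made up; /admin/login is an assumed login URL, and a 302 in reply to a login POST is assumed to mean the application let the user in), buckets requests per minute, and flags addresses that hammer the login form.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" access-log format:
# ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/admin/login"  # assumption: the post never names the real login URL


def parse_line(line):
    """One log line -> dict with ip, ts (aware datetime), method, path, status, ua; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def make_sample_log():
    """Constructed sample: a few human page views spread over three minutes, then three bots
    each firing 40 login POSTs inside the first minute. The last bot's final attempt gets a 302,
    which this example assumes is the app redirecting a successfully logged-in user."""
    base = datetime.strptime("11/Apr/2021:08:00:00 +0800", TS_FMT)
    fmt = '%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "%s"'
    lines = []
    for i in range(9):
        when = (base + timedelta(seconds=20 * i)).strftime(TS_FMT)
        lines.append(fmt % ("203.0.113.%d" % (i % 3 + 1), when, "GET", "/", 200, "Mozilla/5.0"))
    for n, ip in enumerate(("198.51.100.23", "198.51.100.77", "198.51.100.91")):
        for i in range(40):
            status = 302 if (n == 2 and i == 39) else 401
            when = (base + timedelta(seconds=i + n)).strftime(TS_FMT)
            lines.append(fmt % (ip, when, "POST", LOGIN_PATH, status, "python-requests/2.25"))
    return lines


def analyze(lines, login_path=LOGIN_PATH, threshold=10):
    """Count requests per minute and flag addresses with >= threshold failed login POSTs.
    An address that failed repeatedly and then got a 302 is reported as a probable takeover."""
    per_minute = Counter()
    failed = Counter()
    succeeded = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_minute[rec["ts"].strftime("%Y-%m-%d %H:%M")] += 1
        if rec["method"] == "POST" and rec["path"] == login_path:
            if rec["status"] in (401, 403):
                failed[rec["ip"]] += 1
            elif rec["status"] == 302:
                succeeded[rec["ip"]].append(rec["ts"])
    suspects = {ip for ip, n in failed.items() if n >= threshold}
    return {
        "per_minute": dict(per_minute),
        "brute_force_ips": sorted(suspects),
        "login_after_guessing": sorted(ip for ip in succeeded if ip in suspects),
    }


if __name__ == "__main__":
    report = analyze(make_sample_log())
    for minute, count in sorted(report["per_minute"].items()):
        print(minute, count, "requests")
    print("brute force from:", report["brute_force_ips"])
    print("got in after guessing:", report["login_after_guessing"])
```

The same shape works on a real log: point it at the login path your application uses, and treat an address that fails many times and then succeeds as an account that needs its password reset and its sessions revoked, not just as noise to block.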

“A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.”

Cloudflare

And to confirm my suspicion:

[Screenshot: hacker logged in]
The hacker logged in on Saturday to do his funny things on the site.

Someone from Bangladesh had gained access to the admin backend, managed to install some funny code in the backend, and possibly also ordered the DDoS attack on my little server.

The consequence:
The website is down.
The silver lining:
It’s a Sunday. Few visitors are expected to come in.
The regret:
I missed my Sunday service because I need to clean this up, sorry Pastor.

I spent the afternoon cleaning up the mess, deleting all of the client’s access, and reissuing new credentials. Come Monday, I confronted them and…

[Screenshot: hacked conversation]
Sigh.

While I still don’t know what password my client used, the Bangladeshi guy does.

Why are simple passwords dangerous to you and the website you use them on?

First, let’s define what is a Simple Password.

“Simple passwords only have lower case letters and numbers. They are easier to remember but might also be easier for someone else to guess.”

dinopass.com

Passwords are not something we are born remembering; they are something humans came up with to protect things that are important to us. So why the bad password habits?

Funny thing is, using a lousy password to protect something important? It’s like using a 1-digit padlock to lock your house door.

I don’t think that’s what protection really means.

Desmond Ng

We commonly use easy-to-remember passwords, especially ones built from personally identifiable information, because we don’t want to think or remember when we access important accounts (e.g. banks, shopping sites), and yet these are exactly the accounts that hold our personal details and finances.

Common passwords that you have probably used before:

– Your Birthday 
– Your Name
– Family Name
– Your favourite stuff
– Your IC (identity card) number
– 000000
– 123456
– Password

Some of the requirements websites commonly impose to get a strong password:

– Alphanumeric (mix of numbers and alphabets)
– Capital Letters (one of the characters must be a capital letter)
– Special Characters (~!@#$%^&*()_+)
– Minimum number of characters (commonly starting from 8)
– Force reset (typically every 6 months the system prompts and forces a password change after a successful login). Note that current guidance such as NIST SP 800-63B advises against forcing periodic changes unless there is evidence of compromise, because it pushes people toward predictable patterns like Password1, Password2, and so on.

Because so many people use passwords that are easy to guess, websites (especially banks) have to come up with a lot of rules and requirements for their password policy, not just to protect your account, but also to discourage the mean people from attacking.

How to ensure that you can protect yourself and your assets in the online world

There’s no denying that you will have lots of accounts online, across multiple websites, for multiple purposes. In summary, I have a few suggestions on how to make your passwords harder for bad people to guess, so you can avoid such headaches and financial loss in the future.

1. Use a stronger password (duh!)

What I mean here is, don’t settle for the bare minimum. If the system requires a minimum of 8 characters, go longer. Many websites allow far more than the minimum; go for 16-20 characters if possible. Length adds more to the guessing effort than any other rule. MAKE IT HARDER.

2. Alphanumeric, Lowercase Letters, Uppercase Letters, Special Character. Throw them into the mix

Mix up the password combination so that it MAKES IT HARDER to guess, e.g. TheR!ghTP@ssW0rdIsWrong. (Now that this one is published, it will end up in cracking dictionaries, so don’t use it.)
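As an added example (not the author’s code), here is a Python check that applies the rules listed above and the advice on length: it rejects a small constructed blocklist of common passwords (a real check would load a large breach list such as Have I Been Pwned’s instead), rejects anything containing supplied personal details, and estimates the guessing work in bits, which is what shows that a long lowercase password can beat a short “complex” one. The length and entropy thresholds are choices made for this example.

```python
import math

# Constructed mini blocklist of the kinds of passwords listed above; a real deployment
# would load a breach corpus with hundreds of millions of entries instead.
COMMON_PASSWORDS = {"000000", "123456", "password", "qwerty", "abc123", "letmein", "admin"}
MIN_LENGTH = 8           # the usual floor imposed by sites
RECOMMENDED_LENGTH = 16  # what the article recommends
MIN_BITS = 60            # assumption: entropy floor chosen for this example


def char_classes(password):
    """Which of the four classes (lower, upper, digit, symbol) the password uses."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() and not c.isspace() for c in password),
    }


def charset_size(password):
    """Size of the alphabet an attacker must search once they know which classes appear."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # 33 printable ASCII symbols
    return sum(sizes[k] for k, used in char_classes(password).items() if used)


def entropy_bits(password):
    """Upper bound: bits of guessing work if every character were chosen uniformly at random.
    A password built from a word and a year is far weaker than this number suggests."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def seconds_to_crack(password, guesses_per_second=1e10):
    """Average time for an offline attack at the given rate (half the search space)."""
    return 2 ** entropy_bits(password) / 2 / guesses_per_second


def check_password(password, personal_info=()):
    """Return (ok, reasons). personal_info holds strings such as a name or birthday that
    must not appear anywhere in the password."""
    reasons = []
    lowered = password.lower()
    # Strip the trailing digits/"!" people bolt onto a dictionary word: Password1! -> password
    stripped = lowered.rstrip("0123456789!")
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        reasons.append("common password")
    for item in personal_info:
        if item and item.lower() in lowered:
            reasons.append("contains personal info: " + item)
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    elif len(password) < RECOMMENDED_LENGTH:
        reasons.append("shorter than the recommended %d characters" % RECOMMENDED_LENGTH)
    if sum(char_classes(password).values()) < 3:
        reasons.append("uses fewer than 3 character classes")
    if entropy_bits(password) < MIN_BITS:
        reasons.append("below %d bits of entropy" % MIN_BITS)
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "Desmond1990", "Tr0ub4d&",
                      "correcthorsebatt", "TheR!ghTP@ssW0rdIsWrong"):
        ok, why = check_password(candidate, personal_info=["Desmond"])
        print("%-26s %6.1f bits  %s" % (candidate, entropy_bits(candidate), "OK" if ok else why))
```

Two things worth noticing when you run it: “Password1!” passes every character-class rule and still fails, because the rules were never the point, the dictionary is; and the 16-character lowercase string carries more bits than the 8-character one with all four classes, which is why going longer is the advice that matters most.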

3. Use a unique password for each account

Different sites, separate passwords. Try not to reuse the same ones. The reason: when one site is breached, attackers take the leaked email and password pairs and try them on every other site (credential stuffing), so one reused password turns one breach into many. You could include the site name in your password so that it is specific to that site, but don’t use the same template everywhere either; once someone figures out the pattern from one leaked password, the rest are easy guesses.

It’s tiring to come up with a unique password for each website. Is there a better way?

Yes – Password Manager.

As the name suggests, it manages your passwords in one place, so that you don’t have to remember them. All you need to remember is the master password. Best of all, you can install it on all your devices, so you have access to your passwords at all times.

And my choice – 1Password.

Are there other ways to better protect my account, instead of just using a complex password?

Yes. Though these might not be available on every website, they are methods that help secure your account.

1. Single-Sign On (SSO)

I’m sure you’ve noticed that some websites let you sign up or sign in using Google, Facebook, Twitter, LinkedIn, and so on. Click the button, select your account, and you’re in. This method relies on those big providers to verify your identity (through protocols such as OAuth 2.0 and OpenID Connect): if you are already logged in to that platform in your browser, the provider vouches for you, and the site itself never sees a password. The flip side is that the provider account becomes the key to every site you linked to it, so it needs a strong password and 2FA of its own.

2. 2-Factor Authentication (2FA) / 2-Step Authentication

This is like a second gate. Even after you have entered your password, the system still needs to verify that it is really you trying to log in. It works like the SMS OTP you receive when you make an online purchase.

Options available now are:
– Email: they send a code to your registered email address.
– SMS: what banks usually do. SMS and email codes can be intercepted (SIM swap, mailbox compromise), so they are the weakest of these options, though still far better than nothing.
– Security questions: banks often use these, but an answer a friend can guess or a social media profile reveals is not really a second factor.
– QR code: scanning the code enrolls a shared secret in a 3rd-party app such as Google Authenticator, which then generates a time-based one-time code (TOTP). The code changes every 30 seconds.
– Token device approval: you have to click confirm on a separate device to approve the transaction or login.
– App-based: you need the same company’s app installed on your mobile device. When you initiate a login from your computer, the app prompts you to approve it.

Check out also how to enable 2-step verification for your Google and Microsoft email accounts.
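To show what the QR-code / authenticator-app option does under the hood, here is an added example (not from the original post): the QR code carries a shared secret, and the app and the server each compute the same 6-digit code from that secret and the current 30-second time step using HOTP/TOTP (RFC 4226 / RFC 6238). The verify function is the server side, including the clock-drift window and constant-time comparison. The secret used is the RFC test-vector secret, not a real one; the base32 helper assumes the otpauth:// URI convention authenticator apps use.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, for_time=None, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step). step=30 is why the code
    in the app changes every 30 seconds."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algorithm)


def secret_from_base32(text):
    """The QR code holds an otpauth:// URI whose secret= parameter is base32. Apps also let
    you type it by hand, usually lowercase with spaces, so tidy it up before decoding."""
    text = text.replace(" ", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def verify_totp(secret, code, for_time=None, window=1, step=30, digits=6):
    """Server side: accept the current step and +/- window steps for clock drift, comparing
    in constant time. A real server must also record the last accepted counter and refuse
    the same code a second time (replay), and rate-limit attempts."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


# RFC 4226/6238 test-vector secret (ASCII "12345678901234567890"); never reuse it for real.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))    # 755224 per RFC 4226
    print("TOTP at t=59  :", totp(RFC_SECRET, 59))   # 287082 per RFC 6238 (6 digits)
    print("TOTP now      :", totp(secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")))
```

The practical lesson in the code: the secret, not the 6-digit code, is the thing to protect. Whoever holds the base32 string (or a screenshot of the QR code) can generate every future code, which is why the enrollment screen should be treated like a password.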

3. Don’t share your password

If you really, really, really need to, change it as soon as whatever needed it is done.

Is there any other (unusual) way to protect my account?

Yes. Literally, don’t remember them. How?

On each sign-in form you will have noticed a “Forgotten password?” button or password reset link, normally under or around the password field. Click it and you will normally be prompted for your registered email address.

The idea is this: for sites you don’t access regularly, you don’t need to remember the password at all. Use a random password generator tool (the point is to make it as complex as possible, not to remember it). Keep in mind that this makes your email account the key to all of those sites, which is one more reason to protect the email account itself with a strong password and 2FA.

Or just mash your keyboard into a text file -> reset your password -> log in -> delete the file. (Keyboard mashing is far less random than it feels, so a generator is the better choice.)

When you need to come back to the website 3 months later, repeat the process. It takes 5 minutes; worth spending on your security?

Some other questions about password

Is a phrase a good password?

In plain, simple English words, maybe not. Common phrases, quotes and song lyrics appear all over the web, and cracking tools carry lists of them, so a phrase you already know is predictable no matter how long it is. What makes a passphrase strong is that the words are picked at random rather than forming a sentence you recognise. You can make it harder still by using longer phrases, 32 characters and above, and throwing in special characters in between.
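Added example (not the author’s code) for the random-generator advice above and the phrase question: a generator for random passwords and random-word passphrases using Python’s secrets module, the entropy each actually carries, and the normalisation trick that makes a famous quote a poor passphrase. The word list and the quote list are tiny constructed stand-ins; a real passphrase generator uses a list of several thousand words (the EFF diceware list has 7776).

```python
import math
import re
import secrets
import string

# Constructed stand-in for a real word list. Entropy per word is log2(len(list)),
# so this 32-word list gives only 5 bits per word; a 7776-word list gives about 12.9.
WORDS = ["apple", "banana", "cactus", "dolphin", "engine", "falcon", "garden", "harbor",
         "island", "jacket", "kettle", "lantern", "marble", "needle", "orbit", "pepper",
         "quartz", "rocket", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
         "yogurt", "zebra", "anchor", "bridge", "candle", "desert", "ember", "forest"]

# Constructed stand-in for the quote/lyric/title lists cracking tools ship with,
# stored already normalised (lowercase, letters only).
KNOWN_PHRASES = {"tobeornottobe", "correcthorsebatterystaple", "maytheforcebewithyou", "iloveyou"}

# Letters, digits and the symbol set quoted in the article.
ALPHABET = string.ascii_letters + string.digits + "~!@#$%^&*()_+"


def normalize(phrase):
    """What a cracker does before comparing: drop case, spaces and punctuation, so
    'To be, or not to be!' and 'tobeornottobe' are the same guess."""
    return re.sub(r"[^a-z]", "", phrase.lower())


def is_known_phrase(phrase):
    return normalize(phrase) in KNOWN_PHRASES


def random_password(length=20, alphabet=ALPHABET):
    """Uniformly random characters from the OS CSPRNG (secrets, never random.choice)."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words=6, words=WORDS, separator="-"):
    """Random words joined by a separator: long, typeable, and strong only if the list is big."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def password_bits(length, alphabet=ALPHABET):
    return length * math.log2(len(alphabet))


def passphrase_bits(n_words, words=WORDS):
    """Only the random choice counts. A quote you already know is one entry in a quote list,
    so it carries roughly log2(number of quotes) bits however many characters it has."""
    return n_words * math.log2(len(words))


if __name__ == "__main__":
    print("password   :", random_password(20), "%.1f bits" % password_bits(20))
    print("passphrase :", random_passphrase(6), "%.1f bits (tiny list!)" % passphrase_bits(6))
    print("6 words from a 7776-word list: %.1f bits" % passphrase_bits(6, words=range(7776)))
    print("known phrase?", is_known_phrase("To be, or not to be!"))
```

The numbers make the point of the section concrete: six words from this toy list are worth 30 bits, far too little, while six from a 7776-word list are worth about 77 bits, and a 20-character random password from the article’s symbol set is worth about 125 bits. A quotation scores zero on this scale because it was never chosen at random.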

Where should you write down your password?

Ideally, nowhere.
It should remain proprietary to your brain, as your intellectual property.

Realistically, I’ve seen:
– People saving it in a word doc, excel sheet, txt file, and name the file as…. “Passwords”
– Evernote, Notion – Along with both username and password
– Google Doc and Google Sheets, both in personal and business drives

If you plan to record them, I strongly recommend you use a password manager instead, rather than saving them in files where they sit in plain text.

As we all move further into the digital world, do take more precautions especially when dealing with online accounts.

Thanks for reading so far. Are you managing passwords like the examples I have given above?

More thoughts that I haven’t covered? Leave them in the comment below.

Think I did good work covering the topic above? Buy me a beer.