Jan 14

Should You Do This Before Your Server Gets Hacked?

Security is something we often don’t think about for our websites. However, it is definitely something you should think about and take action on.

Why?

Well, quite simply, if you Earn 1K A Day and your server gets hacked, you’re in a heap of trouble!

Rob Schultz over at Truebluetitan has an interesting article on security. I agree with all of his points except for two.

Specifically, he says the following:

Complex/Strong Password: Do not use something easy to guess like your name or your username. Instead, use a tool like Microsoft’s Password Checker to ensure that your password is strong.

Change Your Password Periodically: You should change your password at least once a year, but if possible you should change it every 3 months. And if your IT systems let you change it to the same password…Don’t. Instead, be proactive and choose a new unique password.

Basically he would want you to use some password like ‘a73nhehpe’ and then change that password every few months.

Yeah, right, like that’s gonna happen. And even if it did, most humans are just not going to remember some crazy ass password like the one above. Especially when you’ve got to change it every few months.

To make matters even worse, I’m sure Rob would tell us that we should not use the same password on multiple sites. Well, that’s fine and dandy if you’ve got something like Roboform, but if you do not, then you’ll end up writing the password down.

Now, as this article points out, I fall on the usability side of the equation while Rob falls on the security side.

What do you think?

G-Man

P.S. Truebluetitan is a good blog you might want to add to your feed reader.

8 Responses

  1. Trophaeum says

    SSH public key authentication, the suhosin patch and module, mod_security, mod_evasive: a lot of holes are easy as hell to plug.

    January 14th, 2008

  2. Rob Schultz says

    Hey there! Thanks for the mention. While I strongly, STRONGLY recommend that you follow the suggestions I listed in my post, I don’t think that you need to make it as difficult to remember as the one you mention in your article. Uppercase and lowercase letters in combination with numbers and/or symbols are plenty adequate. It’s your password, so you should make it something that is easy for you to type in, but still difficult enough for others to guess. Years back, I liked to use something like: asdfJKL:

    It was simple and quick for me to type in and someone watching me type could probably not have guessed it with the speed at which I entered it.

    Also, a former co-worker of mine loved using keepass. It’s worth a look so you don’t have to remember all of those passwords.

    Nice blog….I’ll be back!

    January 15th, 2008

  3. G-Man says

    @Trophaeum - Yeah, every little bit helps!

    @Rob - I see what you’re saying but humans are creatures of habit and like water, they’ll take the easiest route to get someplace.

    So while, in theory, it works to say this is what you should be doing - how many people are really going to do it? Perhaps, rather than trying to enforce a standard that most people won’t keep, we should come up with a better solution.

    I don’t have the URL handy but I think I saw something in the news recently about an open standard where your personal information is stored with some vendor and you can login to websites with it as long as they support it.

    KeePass looks pretty neat. They need to add the ability to enter your information into forms like RoboForm does.

    Thanks for the comments on the blog.

    G-Man

    January 15th, 2008

  4. Rob Schultz says

    G-man, are you referring to OpenID? I’ve been seeing more and more sites switch over to this as well.

    January 16th, 2008

  5. G-Man says

    Yeah, that’s the one! Thanks for the link!

    It’d be interesting to see if someone could develop something for wordpress that would let it use OpenID.

    G-Man

    January 16th, 2008

  6. Rob Schultz says

    What…like this?

    January 16th, 2008

  7. Matthew says

    Found this website (http://johnny.ihackstuff.com/ghdb.php?function=summary&cat=13) which gives you heaps of different Google hacks.

    January 24th, 2008

  8. G-Man says

    Hey, that's a pretty cool site! Thanks for that.

    G-Man

    January 29th, 2008
