1) DO NOT duplicate Passwords on multiple accounts
It is common knowledge that most people do not like having to remember passwords. Some years ago, the people who ‘knew’ told us to use the same password for all our online dealings. “It will make life easier”, they said. And they were right; it did – for a while. Then we went online for shopping, banking and several other purposes and this led to numerous accounts with passwords.
Most people knew at this stage that using the same password was probably not a good idea but a recent survey showed that although they are aware of this fact, 66% still do it.
If your password is compromised on any site, it can be used to log into several accounts, with devastating results. Sometimes, a person’s password-reset is used in this way and their entire digital identity is taken over.
It has been found that some WordPress sites are using the same password for their hosting account, FTP credentials and WordPress Dashboard area. This is extremely dangerous and should be avoided at all costs.
(2) DO use Multi-factor Authentication
Very few enjoy the inconvenience of multi-factor authentication. It’s great to just key in a password and go. As we’ve explained, passwords can be uncovered by various means and for the sake of a couple of minutes, it’s quite simple ‘to be sure, to be sure’ (as we say in Ireland).
There are 5 methods.
1) SOMETHING YOU KNOW: Typically your password or pin code.
2) SOMETHING YOU ARE: This refers to biometrics, such as a fingerprint or retinal scan.
3) SOMEWHERE YOU ARE: Based on your location, where you log in.
4) SOMETHING YOU HAVE: Like an app on your phone that generates a time-based passcode or a token device that generates random numbers.
5) SOMETHING YOU DO: Perhaps swiping a pattern on your phone screen or analysis of your typing behaviour. This is used to determine BOT access.
Multi-factor authentication typically uses two or more of the above, usually Something You Know (such as a password) and Something You Have (perhaps a code to your phone or authenticator app).
We recommend that you enable WordFence’s built-in two-factor authentication. If your password is compromised, this double layer of security will make it far less likely that your site will be illegally accessed.
(3) DO NOT use Passwords That Are Too Short
Short passwords are easier to crack, just as those with low complexity. Generally, the best advice here is to use a minimum of 10 characters. If you use a password manager, use as many characters as you are allowed. Basically, it is best to make compromising your password as difficult as possible.
(4) DO remove Ex-Employee, Developer/Support User Credentials
When you provide access to an employee, contractor or developer, keep a detailed account of the access on an internal document or list. Always ensure this document is kept in a secure place. If their access is removed for any reason, make sure their removals are also recorded on the master list.
Not all terminations are amicable, so always make sure this protocol is adhered to at all times.
(5) DO NOT use Personal Information in Passwords
This is a really common thing to do, as personal details make it easier for many to remember passwords. It’s really easy for someone to find your personal details from social media platforms (children’s names or names of pets or even a postal code area). This again is another reason to use a second authentication factor. Non-personal passwords may be harder to remember but your password manager can make sure they’re readily available to you.
(6) DO NOT use Passwords that are Too Simple or Contain Dictionary Words alone
It makes sense that simple passwords are easy to hack. Making passwords complex is essential and this is easier when characters and not dictionary words are used in their composition (e.g. #$%^&* or numbers). Also using a combination of upper and lower case letters makes it even more difficult again. Hackers will investigate commonly used words, to begin with, so have some fun and keep them out!
(7) DO Regularly Monitor and Audit Passwords
It’s not enough to create passwords and assume all is well. It’s imperative that the systems are monitored and updated/audited regularly. There are several simple, safe ways to do this so there’s no excuse. Many browsers have features that include password analysis and a system to establish if they have been used in an attempted breach of security. Password Managers also have integrated password checkers built into their management platforms. This is another reason I recommend that a Password Manager is used.
(8) BE Aware of Surroundings When Using Passwords
When anyone logs in to a website in a public area over an open WIFI system, their password is transmitted in a way that it can be intercepted and read. So many people do not realize this fact. Many websites use TLS/SSL to encrypt information being sent. However, I still recommend you use a Virtual Private Network (VPN) when logging into sites in public places. This will encrypt all of your data in transit. Another point to remember is being vigilant when you’re logging in. Be aware of who is in your space, looking at your screen. Sometimes it’s that easy. Using a private screen in public is very effective and most importantly, do not forget to log out when you’re finished.
(9) DO NOT Share Passwords
Unless you absolutely have to, make it a habit to NOT share your passwords with anyone. All of these suggestions are critical for your safety. You cannot afford to be casual. If you follow points 1 – 8 and then share your password, you are increasing the risk to your online safety.
There is an alternative, in that you can create a temporary second user account if someone has to work on the site. When the work is complete, No.4 comes into play, where the access has to be removed and the paperwork updated. It sounds complicated but it’s quite simple.
The beauty of WordPress is that it’s possible to create as many separate user accounts as you need and delete them once the access is no longer needed. If several user accounts are needed, when they are removed from the audit list, a new password can be created for extra safety.
(10) DO use a Password Manager
Many people are not aware of the existence of password managers. Some don’t trust them and feel insecure about having all their eggs in one basket.
However, the evidence is clear that all the above points improve security and the best way to keep track of all the passwords is with a password manager. This is because they store your passwords with advanced algorithms. There are several password managers to choose from, each having features that make managing complex passwords easier. Different password managers suit different personal requirements.
Nothing is ever one hundred per cent infallible. These recommendations are about learning to minimize risks in today’s risky online world.
For more information or help with anything WordPress Related contact David Browne – The WP Guy at david@thewpguy.ie
Find out more about David Browne, the WordPress Guy visiting his Profile on WhatsWhat.ie
https://whatswhat.ie/the-wordpress-guy
