Your login information is the key to your hosting account. Much like your car keys, house keys, and ATM PIN, you don’t want your login information stolen. We all know that a strong password is a good idea and that we shouldn’t be writing down logins on post-it notes next to our computer. Those topics have been well covered for many years. We’re going to cover a few of the less obvious, although equally important, aspects of keeping your login information secure.
Login information should always be submitted over SSL (more precisely TLS, its current version; browsers and mail clients often still label the option “SSL”). This is easily confirmed by looking for “https” and the padlock icon in your browser’s URL bar before you type anything into a login form. Extended validation SSL certificates, like the one we use for our main website, portal, and billing system, used to show up green in the web browser as seen below; current browsers no longer give EV certificates a distinct indicator, so “https” and the padlock are what to check.
If you get a certificate warning when browsing a website (like the one below) you should take careful note of it. This could mean that you are not actually visiting the intended site, that someone on the network between you and the site is intercepting the connection, or that the site has been compromised in some manner. Do not click past the warning and enter your password; contact the site owner instead.
For email clients you need to make sure to select the SSL enabled option (usually labelled “SSL/TLS” or “STARTTLS”) for both the incoming (IMAP or POP) and the outgoing (SMTP) server if it isn’t selected by default. Standard FTP over port 21 should not be used, because it sends your username, password, and files in plain text. Instead, use SFTP or SCP. Both of these run over SSH, on port 22 by default, and are not the same thing as “FTPS” (FTP with TLS added), which some clients also offer. Most popular FTP clients have built-in support for both FTP and SFTP, making the switch even easier. The first time you connect with SFTP your client will show the server’s host key fingerprint; compare it with the one your host publishes before accepting it, since a changed fingerprint on a later connection is the SSH equivalent of a certificate warning.
If you use the same password for everything, a single compromise could in turn compromise every login that you have. For example, let us assume that you did use the same password everywhere. Perhaps you are a subscriber to a blog and the blog owner hasn’t kept up with their own site’s security as well as they should have. Attackers have now been able to gain access to their user database and obtain your password. They will now also have your email address, and since you opted to use the same password everywhere, they can log in to your email. From there the compromise snowballs: with control of your mailbox they can request password resets for every other account tied to that address. Attackers automate this, replaying every email and password pair from one breach against other popular services. Whenever feasible and practical, unique passwords should be used, so that a breach at one site is contained to that site.
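The scenario above, worked through in code. This is an added example, not code from the original post or from the hosting company: the breached blog table, the email provider’s user table, the wordlist, the two users and their passwords are all constructed for the illustration. The blog is assumed to have stored unsalted MD5 hashes (a common weakness in older web applications), and the email provider to have stored salted PBKDF2 hashes; the function names are the example’s own.

```python
import hashlib
import hmac
import os

# --- Site A: a blog whose user table stored unsalted MD5 hashes ---
# Constructed breach data: the attacker has dumped this table. The hashes
# are computed here with md5() only so that the sample is self-contained.
BREACHED_BLOG_USERS = {
    "alice@example.com": hashlib.md5(b"Summer2019!").hexdigest(),
    "bob@example.com": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Constructed wordlist; real attacks use lists with hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "Summer2019!", "qwerty",
            "correct horse battery staple"]


def crack_unsalted_md5(dumped, wordlist):
    """Offline dictionary attack on the dump.

    Because the hashes are unsalted, each candidate word is hashed once and
    looked up against every user at the same time, which is why such a dump
    is cracked almost instantly. Returns {email: recovered_password}.
    """
    by_hash = {}
    for email, digest in dumped.items():
        by_hash.setdefault(digest, []).append(email)
    recovered = {}
    for candidate in wordlist:
        digest = hashlib.md5(candidate.encode()).hexdigest()
        for email in by_hash.get(digest, []):
            recovered[email] = candidate
    return recovered


# --- Site B: the email provider, which stores salted PBKDF2 hashes ---
PBKDF2_ROUNDS = 100_000


def make_password_record(password, salt=None):
    """Per-user random salt plus a slow hash: the same wordlist attack would
    have to be repeated per user and cost 100k hash rounds per guess."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(record, password):
    salt, expected = record
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(actual, expected)


# Constructed user table: alice reused her blog password, bob did not.
EMAIL_USERS = {
    "alice@example.com": make_password_record("Summer2019!"),
    "bob@example.com": make_password_record("5p!kjQ-otter-Vane-92"),
}


def credential_stuffing(leaked, target_users, verify=verify_password):
    """Replay every leaked email/password pair against the target site and
    return the accounts that opened, i.e. the users who reused a password."""
    return [email for email, pw in leaked.items()
            if email in target_users and verify(target_users[email], pw)]


def run_demo():
    cracked = crack_unsalted_md5(BREACHED_BLOG_USERS, WORDLIST)
    return credential_stuffing(cracked, EMAIL_USERS)


if __name__ == "__main__":
    print("email accounts taken over via reuse:", run_demo())
```

Note that the email provider’s stronger hashing does not protect alice at all: her password was never attacked there, it simply walked in through the front door. Only a unique password per site stops this.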
After reading the last section you may now be left wondering how you’re supposed to remember all of those passwords. If you are using unique passwords you can easily end up with 20 or more, and memorizing them becomes a hassle at best. This is where you have to come up with a way to securely store them. Post-it notes all over your office are not an option.
The most common solutions involve local storage or remote (cloud) storage. Local storage could be as simple as an encrypted file or spreadsheet, provided the tool really encrypts the contents with a strong cipher rather than merely “password-protecting” the document. Remote storage would often involve the use of a third party service such as LastPass. In either case, you would then only have to remember one password, which would give you access to all of your others. The downside here is that you’ll need to be very careful with that one password because it is now the master key to your online presence: make it long, never reuse it anywhere else, and remember that anyone who obtains both the stored file and the master password has everything. Likewise, if you’ve opted to use a third party service you’ve now trusted them with all of your login information. Even LastPass has had issues in the past.
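A minimal version of the “encrypted file” option, to make concrete what the master password actually does. This is an added example and not code from the original post, from the hosting company, or from any password manager: the file layout, function names and the sample entries are the example’s own. The master password is stretched with PBKDF2 (so a stolen vault file is expensive to brute-force) into an encryption key and a separate MAC key; the entries are then encrypted and authenticated (encrypt-then-MAC), so a wrong master password or a tampered file is rejected before anything is decrypted. The stream cipher is built from HMAC-SHA256 in counter mode purely so the example runs with the Python standard library alone; a real tool should use a vetted authenticated cipher such as AES-GCM from a maintained cryptography library instead.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 200_000
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def _derive_keys(master_password, salt):
    """Stretch the master password into a 32-byte encryption key and a
    32-byte MAC key. The slow KDF is what makes guessing the master password
    against a stolen vault file costly."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream_xor(key, nonce, data):
    """Counter-mode stream cipher using HMAC-SHA256 as the block PRF.
    Illustrative stdlib-only construction; use a vetted AEAD in practice."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        chunk = data[counter * 32:(counter + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal_vault(entries, master_password):
    """Encrypt a {site: password} dict. File layout (assumed by this example):
    salt || nonce || ciphertext || HMAC tag over salt+nonce+ciphertext."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master_password, salt)
    ciphertext = _keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(blob, master_password):
    """Verify the tag first, then decrypt. Raises ValueError on a wrong
    master password or a modified file, without revealing which."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault file too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault file tampered with")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext).decode())


def vault_opens(blob, master_password):
    """True if the vault decrypts and authenticates under this master password."""
    try:
        open_vault(blob, master_password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample entries.
    entries = {"blog": "Summer2019!", "mail": "5p!kjQ-otter-Vane-92"}
    master = "a long master passphrase used nowhere else"
    blob = seal_vault(entries, master)
    with open("vault.bin", "wb") as f:
        f.write(blob)
    with open("vault.bin", "rb") as f:
        print(open_vault(f.read(), master))
```

Two properties of this layout are worth noticing: the salt and nonce are random per save, so sealing the same entries twice yields different files, and the tag is checked before any decryption, so a corrupted or edited file never produces garbled “passwords” that you might then use.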
As more people know your login information the chances of it being compromised increase. Where the system allows it (our control panel, for example, lets you create additional users), give each person their own account with only the access they need rather than sharing yours. If you do need to grant someone temporary access with your own credentials, reset the password as soon as their need for such access ends, and check for any email addresses, SSH keys, or contacts they may have added while they had it.
Secure Your Environment
Securing your own computer is really a whole different topic, and we will be posting another article in the future that goes into a bit more depth on this subject. We’ll also be posting some information on safe web browsing practices that go a step further. Stay safe!