April 5, 2017

Top 10 Tips for Secure Website Passwords


Want to hack a password?

It’s easy.

(If the password owner was not careful)

Here are 10 tips on how to make a password secure and keep it safe.

Brute force attackers run programs readily available for anyone to download and use. These programs send many combinations of characters to try to break into a site through the front door using existing login information. To avoid this, I’m going to show you how to hide your front door and create passwords that are difficult to hack.

Here’s a list of the ten most popular password cracking tools. You can also use these to see how secure your password is.

Many sites are hacked because the passwords are not secure. This means two things:

  1. The password was created without enough consideration.
  2. The password was used in an insecure way and revealed to someone with malicious intent.

Here are some tips to avoid these two situations:

  1. To Keep Passwords Out of the Hands of Would-Be Hackers, Never Send Passwords Over Unencrypted Channels.

    1. If you are logging into a website, make sure the address begins with https, not http.

      https at the beginning of a web address and an icon of a closed lock indicate that the transmission is encrypted. Unencrypted transmissions are open to the public and allow anyone with the knowledge (or anyone with the appropriate computer program) to “listen,” just like tapping a phone line.

    2. Never send passwords by email.

      Email is the least secure protocol on the Internet. Emails pass through many computers on their way to you and are not encrypted. Many people have access to your email. It amazes me how many times Internet hosting services send passwords by email. It is totally insecure.

    3. Make sure that your technical staff is not using insecure FTP.

      FTP stands for File Transfer Protocol and is the way that many web designers upload images and other files to websites. FTP is not usually encrypted. FTP can be encrypted (usually with TLS encryption). Request your web host to require TLS encryption so that insecure FTP connections are blocked.

    4. Make sure your programmers use SSH, not Telnet.

      Telnet allows you to log into a remote computer (such as a webserver) and turn your computer into a terminal of that remote computer. This is a very convenient way for developers to work on websites as it eliminates the need to constantly download, edit, then reupload files. Telnet is not secure since it is not encrypted. SSH (Secure Shell) is the same as Telnet, except that it is encrypted. As with FTP, ask your web host to block Telnet connections and only allow SSH.

  2. Change the Address of Where You Login.

    • Change the URL of your website login page

      For example, every WordPress site has a default address for logging in:


      Change this.

    • Change the port used for secure logons to your web server

      Every protocol mentioned above has a default port. You can think of a port like a lane on the information super-highway. The same way trucks need to use the upper level of the George Washington Bridge between New Jersey and New York, different types of traffic are restricted to certain ports on the Internet. You should ask your web host to change the default ports for secure connections. This reduces the chance of brute force attacks since they do not know where to knock on your door. For example, if you are using SSH, the default port is 22. You can ask your web server administrator to change it to 122 instead. Then to log in, you just need to specify the port:

      ssh charlie@j-town.com -p122
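
The server-side and client-side configuration behind that command, as an added example that is not part of the original post. The file paths are the usual OpenSSH defaults and the host name, user and port 122 are taken from the tip above; the `jtown` alias is an assumed name:

```text
# Server side: /etc/ssh/sshd_config (assumed default path)
# Replace the default port 22 with the one chosen above.
Port 122

# Client side: ~/.ssh/config
# With this stanza, "ssh jtown" is the same as "ssh charlie@j-town.com -p122".
Host jtown
    HostName j-town.com
    User charlie
    Port 122
```

Before restarting sshd, run `sshd -t` to check the file for syntax errors and make sure the firewall allows the new port, or you will lock yourself out. A port scan will still reveal the service on 122, so this cuts down automated noise rather than hiding the server; the login still needs a strong password behind it.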

  3. Never Write Down Your Passwords

    I know it is a pain, but memorize passwords or use a password manager. (Here is a list of recommended free password managers.) You would be surprised how many people hack into sites simply because a written-down password gave them easy access. Keep in mind, today’s trusted confidant may be tomorrow’s disgruntled employee.

  4. Change Your Passwords Often

    You never know who has your passwords or who is trying to get them. The more often you change your passwords, the more likely it is that those who have them can’t use them without your knowledge, and those who are trying to hack them won’t have the time to break your code. The combination of longer passwords changed often is a key to secure passwords, since the longer the password is, the longer it takes to crack.

  5. Never Share Usernames

    Every person who logs into your website should have their own username and password. These should not be shared. It is easy to create a new user and even to become that user without knowing their password.

    For example, the WordPress plugin, User Switching, allows admins to become any user. This is very useful for troubleshooting. In my last blog post, I explained how agencies can manage Facebook accounts using Facebook’s Business Manager, keeping their personal and business activities on Facebook separate without needing to be added as an administrator of their clients’ Facebook pages. This is an extension of the same principle: Do Not Share Accounts.

  6. When creating passwords keep in mind the following:

  7. Longer Passwords are More Secure

    The more characters you have in your password, the more difficult it is to crack. It’s a numbers game: the more characters an attacker has to guess, the longer it takes. A password of 15 characters is significantly more secure than a password of 7 characters.

  8. Do Not Use Dictionary Words or Proper Names in Passwords

    Programs used in brute force attacks use common combinations of characters. The more common the combination of characters you use in your password, the more likely it is that your password will be compromised.

  9. Use Non-Alphanumeric Characters in Your Password

    For the same reason you should not use dictionary words or proper names in passwords, the more unusual the characters you use are, the more difficult it is to crack your code. One of my favorite tricks is to use the space character. Adding *** at the end of your password is an easy way to do this. Using any combination of characters like !@#$%^&*()_-+="':;<,>.?/~` is also good practice.

  10. Use Different Character Sets

    Using a combination of character sets makes it extremely difficult to guess a password. The rules above still apply, though: there are programs that account for foreign-language words, and obviously if someone sees your password (or you give it to them), it does not matter what it is; they have it.
    For example, would you ever guess: Wㅎ(дuրשüן "x9մéф!թتㅛج+

    Another way to use different charactersets is to make words in one characterset, but use the characters of another. For instance, the Hebrew word for peace, “shalom,” is written as שלום. Using the English keyboard, this corresponds to the same keys as akuo. In other words, if you type on a bilingual keyboard, but do not change the language, you have created your own encryption.

    You can have a lot of fun using virtual keyboards in other languages. Give it a try! Type in Korean, Arabic, Russian, Chinese and Sanskrit to make some visually interesting and beautiful passwords!

  11. Use a Password Generator

    You don’t need to break your head trying to come up with secure passwords. The combination of a password generator and a password manager will make your life easy.
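
Tips 7 through 11 above can be turned into a small tool. The script below is an added example and is not code from the original post: it generates a password with Python's `secrets` module (the CSPRNG a password generator should use), then scores any password the way the tips describe, by length, by the character classes and scripts in use, and by whether it contains a dictionary word. The word list, the per-script alphabet size and the guess rate are constructed placeholders chosen for illustration, not measured values.

```python
"""Added example: generate and score passwords along the lines of tips 7-11.
Word list, script alphabet size and guess rate are constructed placeholders."""
import math
import secrets
import string
import unicodedata

# Constructed mini word list standing in for a real cracking dictionary.
COMMON_WORDS = {"password", "shalom", "charlie", "welcome", "qwerty", "letmein"}

# Alphabet size per character class; "space" is a single character.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "space": 1, "symbol": 32}
SCRIPT_CLASS_SIZE = 40  # assumed average alphabet size for a non-Latin script

# Assumed guess rate for an offline attack on a fast hash (illustrative only).
GUESSES_PER_SECOND = 1e10


def character_classes(pw: str) -> set:
    """Return the set of character classes present, e.g. {'lower', 'digit', 'script:HEBREW'}."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch == " ":
            classes.add("space")
        elif ch in string.punctuation:
            classes.add("symbol")
        else:
            # Non-ASCII: bucket by the first word of the Unicode name,
            # which is the script (HANGUL, CYRILLIC, HEBREW, ARABIC, ...).
            classes.add("script:" + unicodedata.name(ch, "OTHER").split()[0])
    return classes


def dictionary_hits(pw: str) -> list:
    """Words from the (constructed) list that appear inside the password, case-insensitively."""
    low = pw.lower()
    return sorted(w for w in COMMON_WORDS if w in low)


def keyspace_bits(pw: str) -> float:
    """Estimate the search space in bits: length * log2(alphabet in use).
    A dictionary word costs an attacker one guess from the word list rather than
    one guess per character, so each hit is counted as a single token."""
    alphabet = sum(CLASS_SIZES.get(c, SCRIPT_CLASS_SIZE) for c in character_classes(pw))
    if alphabet == 0:
        return 0.0
    hits = dictionary_hits(pw)
    effective_len = max(len(pw) - sum(len(w) - 1 for w in hits), 0)
    return effective_len * math.log2(alphabet) + len(hits) * math.log2(len(COMMON_WORDS))


def estimate(pw: str) -> dict:
    """Score a password; crack_seconds is the average time at GUESSES_PER_SECOND."""
    bits = keyspace_bits(pw)
    return {
        "length": len(pw),
        "classes": sorted(character_classes(pw)),
        "dictionary_hits": dictionary_hits(pw),
        "bits": bits,
        "crack_seconds": 2 ** (bits - 1) / GUESSES_PER_SECOND,
    }


def generate_password(length: int = 20) -> str:
    """Generate a password from letters, digits, symbols and spaces using the
    secrets CSPRNG, requiring every ASCII class and no leading/trailing space
    (web forms often trim those)."""
    if length < 8:
        raise ValueError("use at least 8 characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation + " "
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if pw == pw.strip() and {"lower", "upper", "digit", "symbol"} <= character_classes(pw):
            return pw


if __name__ == "__main__":
    for candidate in ["charlie", "chaxlie", "x" * 7, "x" * 15, "שלום", generate_password()]:
        info = estimate(candidate)
        print(f"{candidate!r:28} bits={info['bits']:6.1f} hits={info['dictionary_hits']} "
              f"crack~{info['crack_seconds']:.3g}s")
```

Running it shows the points the tips make: `charlie` scores far below a random 7-letter string because the whole word is one guess from the list, 15 letters score more than twice as many bits as 7, and a short Hebrew word typed as Hebrew gets credit for its script. The estimate is a keyspace bound, not a pattern analysis, so repeated characters or keyboard walks still score high here; a real checker such as a password manager's meter does more.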
