Welcome to the Techeffex Blog

Website Security – Part 4 – Password Protection

We’ve been discussing many aspects of website security over the past few weeks. Some of the issues have been very technical, and the responsibility for dealing with them often rests in the hands of the developer. Password protection, however, is everybody’s responsibility. This week, we discuss passwords as a security issue.

Most of us have accounts on many different sites – everything from online banking, shopping, social media, email and more. Experts tell us that we should not use the same password for all these accounts, because if someone gets the password for one account, it may give them access to many more – and they’re right. However, keeping track of dozens of different passwords is not always practical either. Some users take to keeping a list of passwords somewhere safe, whether on paper or in electronic form. Good – but if you lose that list or someone gets hold of it, you’re in trouble. This article won’t attempt to tell you what you should or shouldn’t do in that regard, but we will discuss the difference between weak and strong passwords, based on how hackers will try to break into your accounts.

Password Complexity
Any password you create should have a high degree of complexity. Many sites will enforce password complexity when you set up an account. Typical requirements include password length and the use of uppercase and lowercase letters, numbers and special characters (!,#,& etc…). What advantage do these measures give? Let’s consider this from a hacker’s point of view:

Let’s say the hacker has already obtained your user name – not always that hard, since often it’s your email address. Using an automated script, he can now try many passwords until he finds one that works. And they do this – a lot. Now let’s say your password consisted of only 2 lowercase letters. With 26 letters in the alphabet, that makes 676 possible combinations. An automated script would blow through that in seconds.

OK – but now let’s say we have 8 lowercase characters. Well, that’s 208,827,064,576 combinations – much better. In fact, even at 1000 combinations per second, it would take more than 8 years to crack. Isn’t that good enough? Well, no. Most people don’t use a totally random set of characters for their password. They will usually use something they can remember. Sometimes it may be the name of a pet, a child, a place or a birthday – something that only they would remember. Seems like a good idea, but hackers are really good at what they do. This is where “social engineering” comes in. A lot of this “personal” information is readily available on the web – Facebook comes to mind. If you look at a person’s Facebook page, you can usually find all of the information mentioned above. A hacker targeting you (and yes, it happens) can get that sort of information from Facebook, Twitter and many other online sources. So a pet’s name used as a password, for example, can often be cracked quite easily. If your dog is named Lassie and that is your password, well, the hacker is in.

So this is where letter case, numbers and special characters come in. By mixing in these additional characters, the likelihood of a hacker guessing your password drops dramatically. Something like laSsie!122 all of a sudden becomes very hard to guess, yet may be easy enough for the user to remember. By using these additional characters, you make it much more difficult for hackers to guess your password.

Hacker Attacks
One of the most common approaches hackers use is to have their netbots troll the internet looking for login pages. When they find one, their automated scripts try a large set of common usernames and passwords. For example, the username “admin” can be found quite often on a website CMS login. Combine that with a set of hundreds of common passwords and maybe they can break in. If not, they simply move on to the next site they find.

The trick is to avoid the common usernames and passwords – instead of “admin”, how about “admin871”, or “admin!24”. Combined with a complex password, these automated attackers will have little chance of breaking in.

Remember, hackers are always out there. There are thousands of these automated attacker scripts constantly trolling the web looking for an opening. It’s a very real threat, and if you’ve ever been hacked, you know how unpleasant it can be. Yet the simple act of adding some additional complexity to your passwords may be all it takes to repel the hackers. If your passwords are too simple, change them now before it’s too late!

Website Security – Part 3 – Securing Applications

Many websites make use of one or more applications. Any code written to provide some particular set of functions can be considered an application. Some applications are custom designed, some are open source (free to the public) and some are commercial (cost money). We will discuss some of the security implications associated with each.

Custom Applications
Many websites make use of custom designed applications to provide some function that may be unique to that website. Even the simplest application can present an opportunity for hackers if proper security measures aren’t taken. Database access and login functions can be particularly vulnerable. Hackers have automated tools that can try many username and password combinations looking for “weak” credentials. A good login system will insist on a minimum complexity for passwords that includes letters, numbers and non-alphanumeric characters.
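The minimum-complexity check this paragraph calls for, together with the keyspace arithmetic the Part 4 post above works through (26 letters, 2 or 8 positions, 1000 guesses per second), as an added example that is not code from the original post. The list of guessable words and the 8-character minimum are constructed assumptions for the example.

```python
import string

# Constructed list of guessable values: common passwords plus the kind of
# personal detail (a pet's name, a birthday) the post says attackers harvest.
GUESSABLE = {"password", "123456", "admin", "lassie", "fluffy", "19850312"}

# Character classes the post's complexity rules talk about, with class sizes.
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "special": (string.punctuation, len(string.punctuation)),  # 32 symbols
}


def classes_present(password):
    """Names of the character classes that actually occur in the password."""
    return {name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)}


def keyspace(alphabet_size, length):
    """Number of candidate passwords a brute-force script must try at most."""
    return alphabet_size ** length          # 26 ** 2 == 676


def crack_years(password, guesses_per_second=1000):
    """Worst-case years to exhaust the keyspace implied by the classes used."""
    size = sum(CLASSES[name][1] for name in classes_present(password))
    seconds = keyspace(size, len(password)) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def check_password(password, min_length=8):
    """Return the reasons a password is weak; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    for name in sorted(set(CLASSES) - classes_present(password)):
        problems.append("no %s character" % name)
    # Exact, case-insensitive match against a guessable word (e.g. the dog's name).
    if password.lower() in GUESSABLE:
        problems.append("matches a common or personal-information word")
    return problems
```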

Databases are vulnerable to different types of attacks, including “SQL Injection” attacks. When a hacker has access to a legitimate HTML form that accesses a database (a login function or contact form, for example), they can enter data that, if not properly guarded against, can give them full access to the database. This is fairly easy to guard against – it’s a matter of not allowing certain characters into a database query – if your developer is aware of the risk.
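The login-form case described above, as an added example that is not code from the original post: a lookup built by string concatenation beside the same lookup done with a parameterised query. The hardened version binds the form input as data rather than filtering characters out of it, which is the defence used here in place of the character blacklist the paragraph mentions. The table, account and salt are constructed for the example.

```python
import hashlib
import sqlite3


def pw_hash(password, salt="constructed-salt"):
    """Store a salted hash, never the clear-text password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_db():
    """Constructed in-memory user table with a single account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", pw_hash("laSsie!122")))
    return db


def login_vulnerable(db, username, password):
    """Form input is pasted straight into the SQL text, so it can rewrite the query."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db, username, password):
    """Parameterised query: the driver binds the values, so quotes stay data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(sql, (username, pw_hash(password))).fetchone()[0] > 0


# A username that closes the quoted value, adds an always-true condition and
# comments out the password check; it is the textbook case the post warns about.
INJECTED_USERNAME = "admin' OR 1=1 --"
```

With `INJECTED_USERNAME` and a wrong password, `login_vulnerable` returns True while `login_safe` returns False, because the safe version looks for a user literally named `admin' OR 1=1 --`.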

Generally speaking, the security of a custom application is only as good as the developer’s knowledge of security issues. If you have security concerns with your site, you should probably hire an experienced coder for your application development.

Open Source Applications & Commercial Applications
One of the great things on the internet is open source applications. “Open Source” means that anyone can grab the code for an application and customize it however they see fit – for free. Open Source software is usually developed by a community of authors and includes varying levels of help and support. These applications can be huge time savers, and what is better than free? Open Source applications include Drupal CMS, WordPress (blogging application), Zen Cart (shopping cart) and more.

The downside to these Open Source apps is that hackers know that they are used on many websites. If they find a vulnerability in one of these applications, they could gain access to any website that uses it. With the help of netbots (software that automatically surfs the web), they can surf the web looking for the app and exploit the vulnerability.

Most Open Source applications are quite secure, but there are no guarantees. The only defense is to follow proper installation procedures and to keep up with application updates. Most applications are updated on a regular basis, often for security reasons. Also, if your developer makes any sort of modification to the app, the same concerns would apply as that for Custom Applications.

Commercial Applications share the same concern as Open Source except that your developer typically can’t modify the application. Again, stay up to date with your application versions. More often than not, the update will contain some security patch.

Website Applications are what bring the web to life and are used on many sites. As a website owner, it is important to understand that there are security issues associated with any application and to discuss these with your developer.

Next Week: Password Security

Website Security – Part 2 – Server Security

Hackers have many different ways to break in to your website. In this week’s article, we discuss some basic server security issues and how they may or may not affect your website depending on your hosting configuration.

Website Hosting

There are 3 main hosting options available to website owners: shared, virtual dedicated and dedicated. We will touch on all 3 from a security point of view.

Shared Hosting
This is the most common hosting option for small and medium sized website owners. The idea is that you share a server with several other website owners. You share hard disk space, RAM, processor time and bandwidth into and out of the server. It’s the most economical approach, with monthly costs sometimes under $5. Providers like Go-Daddy, Network Solutions and the like set up servers and typically provide an interface for the site owner to upload files, manage databases, email and more. As a customer, you have very limited access to the server itself. The hosting provider assumes responsibility for the server security. Bigger names like Go Daddy and Network Solutions and most reputable hosting providers put a lot of time and resource into ensuring that their servers are secure.

The issue with Shared Hosting server security is that if a hacker can get access to the server through another website on your server, your site and data could be compromised. This is one of the inherent risks of shared hosting – your only defense is to make sure your data is backed up on a regular basis. In particular, if your site is database driven (any CMS uses a database), you must ensure that the database gets backed up. Don’t assume the hosting provider does database backups for you – it’s not always the case.

Virtual Dedicated Hosting
Virtual Dedicated Hosting is a cross between shared and dedicated hosting. You share a server with other customers, but the server is configured to dedicate resources to your account. For example, you get a certain amount of RAM – if you don’t use it, nobody else does either.

Virtual Dedicated Hosting has some of the same risks as shared hosting in that another hacked website on the server could spell trouble for your site. What’s more, customers have more access to some server functions, which could lead to more vulnerabilities. A rigorous backup policy is once again the way to go.

Dedicated Hosting
Dedicated Hosting comes in a couple of different flavors – you have the standalone server and cloud computing. From a user’s point of view, it all looks the same. The standalone server is just that – a server sitting in a rack somewhere with your name on it. Lose power and you’re down. Cloud computing provides the same functionality, but uses resources from different servers. Lose power on one server and you just use resources from the others.

Dedicated hosting leaves server management up to the customer. If you know what you’re doing, you can set up your server to be very secure and you don’t run the risk of some other website compromising your security.

The trick is to understand the applications that you are using and what their vulnerabilities are. Also, you want to get very familiar with the log files that the server generates. This gives you some insight into who is accessing your server and what they are trying to do. If you choose to use a dedicated server, server security becomes your problem and it must be taken seriously. If you are not comfortable with this role, you should find a server administrator who is.
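Reading the server’s log files for the kind of activity the Part 4 “Hacker Attacks” section above describes (automated scripts hammering a login page with common username and password pairs), as an added example that is not code from the original posts. It assumes Apache-style access-log lines, a login page at /admin/login that answers 401 on a failed attempt, and a threshold of 5 failures within 60 seconds; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample: one client fails five times in four seconds,
# another fails once and then logs in (302 redirect), a third just browses.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.2"
203.0.113.5 - - [10/Mar/2014:10:00:02 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.2"
203.0.113.5 - - [10/Mar/2014:10:00:03 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.2"
203.0.113.5 - - [10/Mar/2014:10:00:04 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.2"
203.0.113.5 - - [10/Mar/2014:10:00:05 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.2"
198.51.100.7 - - [10/Mar/2014:10:00:10 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:10:00:15 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2014:10:00:20 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_PATH = "/admin/login"   # hypothetical login URL for this example


def parse_line(line):
    """Split one combined-format line into (ip, timestamp, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def failed_logins(log_text):
    """Collect timestamps of failed login POSTs (status 401), grouped by client IP."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH and rec[4] == 401:
            failures[rec[0]].append(rec[1])
    return failures


def flag_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak failures} for clients reaching the threshold in any window."""
    flagged = {}
    for ip, times in failed_logins(log_text).items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```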

Next Week: Securing Applications

Website Security – Part 1

Most of us like to think of our website as a place that good honest users visit to find the latest information, product or service we are offering. Usually, the biggest questions on our minds are:

  • How can I get a better Google ranking?
  • How can I make the site more informative and friendly for visitors?
  • How can I generate more sales?

These are all perfectly valid questions for a website owner. But there is one more that all website owners should consider:

Is my website secure?

We all know hackers are out there, but many people don’t understand the technology that allows them to flourish. In many ways, hackers have the upper hand – they have more time, resources and technical knowledge as to how the internet works and how to exploit it.

Hackers

Hackers come in many forms – ranging from bored kids on a home computer to purveyors of spam and corporate espionage (really). Some hackers simply leave a calling card on your site indicating they have successfully hacked your site. This is like a kid tagging a street sign – annoying, but not much harm. Others are there to ransack your site – destroy databases and delete important documents. Still others don’t want you to know they are there at all – they use your website server for attacks on other servers or sending spam email.

And they are out there – 1000s of them, from all over the world. A recent study suggested a new website is visited by a hacker on average within 17 minutes of going live. Another suggests hackers visit a site every few minutes! If the thought frightens you – good! Hacking incidents are always on the rise and you must protect yourself.

Still, there is hope. In the next series of articles, I will address various aspects of website security. Knowing what to ask your host and/or developer is a good start in protecting your website assets.

Next week: Server Security