Most of us have accounts on many different sites – everything from online banking, shopping, social media, email and more. Experts tell us that we should not use the same password for all these accounts for if someone gets the password for one account, it may allow access to many more – and they’re right. However, keeping track of dozens of different passwords is not always practical either. Some users take to keeping a list of passwords somewhere safe, whether it be a paper or electronic version. Good – but if you lose that or someone gets a hold of it, you’re in trouble. This article won’t attempt to tell you what you should or shouldn’t do in that regard, but we will discuss the difference between weak and strong passwords, based on how hackers will try to break in to your accounts.

Password Complexity
Any password you create should have a high degree of complexity. Many sites will enforce password complexity when you set up an account. Typical requirements include password length and the use of uppercase and lowercase letters, numbers and special characters (!,#,& etc…). What advantage do these measures give? Let’s consider this from a hacker’s point of view:

Let’s say the hacker has already obtained your user name – not always that hard, often it’s your email address. By using an automated script, he can now automatically try may passwords until he finds one that works. And they do this – a lot. Now let’s say your password consisted of only 2 lowercase letters. With 26 letters in the alphabet, that makes 676 possible combinations. An automated script would blow through that in seconds.

OK – but now let’s say we have 8 lowercase characters. Well that’s 208,827,064,576 combinations – much better. In fact, even at 1000 combinations per second, it would take more than 8 years to crack. Isn’t that good enough? Well no. Most people don’t use a totally random set of characters for their password. They will usually use something they can remember. Sometimes it may be the name of a pet, a child, a place or a birthday – something that only they would remember. Seems like a good idea, but hackers are really good at what they do. This is where “social engineering” comes in. A lot of this “personal” information is readily available on the web – Facebook comes to mind. If you look at a person’s Facebook page, you can usually find all of the information mentioned above. A hacker targeting you (and yes, it happens) can get that sort of information from Facebook, Twitter and many other online sources. So using a pet name for a password for example, can often be cracked quite easily. If your dog is names Lassie and that is your password, well, the hacker is in.

So this is where letter case, numbers and special characters come in. By mixing in these additional characters, the likelihood of a hacker guessing your password drops dramatically. Something like laSsie!122 all of the sudden becomes very hard to guess, yet may be easy enough for the user to remember. By using these additional characters, you make it much more difficult for hackers to guess your password.

Hacker Attacks
One of the most common approaches that hackers use is to have their netbots troll the internet looking for log in pages. When they find one, their automated scripts try a large set of common usernames and passwords. For example, the username “admin” could be found quite often on a website CMS function. Combine that with a set of hundreds of common passwords and maybe they can break in. If not, they simply move on to the next site they find.

The trick is to avoid the common usernames and passwords – instead of “admin”, how about “admin871″, or “admin!24″. Combined with a complex password, these automated attackers will have little chance of breaking in.

Remember, hackers are always out there. There are thousands of the automated attacker scripts constantly trolling the web looking for an opening. It’s a very real threat and if you’ve ever been hacked, you know how unpleasant it can be. Yet the simple act of adding some additional complexity to your passwords may be all it takes to repel the hackers. If your passwords are too simple, change them now before it’s too late!

Custom Applications
Many websites make use of custom designed applications to provide some function that may be unique to that website. Even the simplest application can present an opportunity for hackers if proper security measures aren’t taken. Database access and system log in functions can be particularly vulnerable. Hackers have automated tools that can try many combinations of username and passwords looking for “weak” credentials. A good log in system will insist on a minimum complexity for passwords that includes letters, numbers and non-alphanumeric characters.

Databases are vulnerable to different types of attacks including “SQL Injection” attacks. When a hacker has access to a legitimate HTML form that accesses a database (a log in function or contact form for example), they can enter data that if not properly guarded against, can provide the hacker with full access to the database. This is fairly easy to guard against – it’s a matter of not allowing certain characters in a database query – if your developer is aware of the risk.

Generally speaking, the security of a custom application is only as good as the developer’s knowledge of security issues. If you have security concerns with your site, you should probably hire and experienced coder for your application development.

Open Source Applications & Commercial Applications
One of the great things on the internet is open source applications. “Open Source” means that anyone can grab the code for an application and customize however they see fit – for free. Open Source software is usually developed by a community of authors and includes varying levels of help and support. These applications can be huge time savers and what is better than free? Open Source applications include Drupal CMS, WordPress (blogging application), Zen Cart (Shopping cart) and more.

The downside to these Open Source apps is that hackers know that they are used on many websites. If they find a vulnerability in one of these applications, they could gain access to any website that uses it.  With the help of netbots (software that automatically surfs the web), they can surf the web looking for the app and exploit the vulnerability.

Most Open Source applications are quite secure, but there are no guarantees. The only defense is to follow proper installation procedures and to keep up with application updates. Most applications are updated on a regular basis, often for security reasons. Also, if your developer makes any sort of modification to the app, the same concerns would apply as that for Custom Applications.

Commercial Applications share the same concern as Open Source except that your developer typically can’t modify the application. Again, stay up to date  with your application versions. More often than not, the update will contain some security patch.

Website Applications are what bring the web to life and are used on many sites. As a website owner, it is important to understand that there are security issues associated with any application and to discuss these with your developer.

Next Week: Password Security

Website Hosting

There are 3 main hosting options available to website owners: shared, virtual dedicated and dedicated. We will touch on all 3 from a security point of view.

Shared Hosting
This is the most common hosting option for small and medium sized website owners. The idea is that you share a server with several other website owners. You share hard disk space, RAM, processor time and bandwidth into and out of  the server. It’s the most economical approach with monthly costs sometimes under $5. Providers like Go-Daddy, Network Solutions and the like set up servers and typically provide an interface for the site owner to upload files, manage databases, email and more. As a customer, you have very limited access to the server itself. The hosting provider assumes responsibility for the server security. Bigger names like Go Daddy and Network Solutions and most reputable hosting providers put a lot of time and resource into ensuring that their servers are secure.

The issue with Shared Hosting server security is that if a hacker can get access to the server through another website on your server, your site and data could be compromised.  This is one of the inherent risks of shared hosting – your only defense is to make sure your data is backed up on a regular basis. In particular, if your site is database driven (any CMS uses a database), you must ensure that the database gets backed up. Don’t assume the hosting provider does database backups for you – it’s not always the case.

Virtual Dedicated Hosting
Virtual Dedicated Hosting is cross between shared and dedicated hosting. Your share a server wit other customers, but the server is configured to dedicate resources to your account. For example, you get a certain amount of RAM – if you don’t use it, it doesn’t get used.

Virtual Dedicated Hosting has some of the same risks as shared hosting in that another hacked website on the server could spell trouble for your site. What’s more is that the customers have more access to some server functions which could lead to more vulnerabilities. A rigorous backup policy is once again the way to go.

Dedicated Hosting
Dedicated Hosting comes in a couple of different flavors – you have the standalone server and cloud computing. From a users point of view, it all looks the same. The standalone server is just that – a server sitting in a rack somewhere  with your name on it. Lose power and you’re down. Cloud computing provides the same functionality, but uses resources from different servers. Lose power on one server and you just use resources from the others.

Dedicated hosting leaves server management up to the customer. If you know what you’re doing, you can set up your server to be very secure and you don’t run the risk of some other website compromising your security.

The trick is to understand the applications that your are using and what the vulnerabilities are. Also, you want to get very familiar with the log files that the server generates. This gives you some insight into who is accessing your server and what they are trying to do. If you chooses to use a dedicated server, server security becomes your problem and it must be taken seriously. If you are not comfortable with this role, you want to find a server administrator who is.

Next Week: Securing Applications

• How can I get a better Google ranking?
• How can I make the site more informative and friendly for visitors?
• How can I generate more sales?

These are all perfectly valid questions for a website owner. But there is one more that all website owners should consider:

Is my website secure?

We all know hackers are out there, but many people don’t understand the technology that allows them to flourish. In many ways, hackers have the upper hand – they have more time, resources and technical knowledge as to how the internet works and how to exploit it.

Hackers

Hackers come in many forms – ranging from bored kids on a home computer to purveyors of spam and corporate espionage (really). Some hackers simply leave a calling card on your site indicating they have successfully hacked your site. This is like a kid tagging a street sign – annoying, but not much harm. Others are there to ransack your site – destroy databases and delete important documents. Still others don’t want you to know they are there at all – they use your website server for attacks on other servers or sending spam email.

And they are out there -1000s of them. From all over the world.  A recent study suggested a new website is visited by a hacker on average within 17 minutes of going live. Another suggests hackers visit a site every few minutes! If the thought frightens you – good! Hacking incidents are always on the rise and you must protect yourself.

Still, there is hope. In the next series of articles, I will address various aspects of website security. Knowing what to ask your host and/or developer is a good start in protecting your website assets.

Next week: Server Security

We are finding more and more clients who are now asking how the web technologies can benefit their business in other ways in the form of Business Process Automation. Consider the flow of your business:

1. A prospect is interested in your product or service
2. You negotiate a fair price for that product or service
3. You provide the product or service to the client
4. Your business is compensated

Simple enough – but any business owner knows there is plenty of administration that goes on behind the scenes. Appointments and scheduling, inventory control, expenses, labor and on and on. Administration of any business uses a great deal of time and resources, sometimes taking away from the core offering of the business. So why not consider automating some of these administration functions? If you already have a website, you have a place to host custom applications that are accessible from anywhere in the world with internet access. Suppose you want to automate the Appointment Management function for your business – you can have clients request an appointment time from the available time slots shown on a calendar on your site. Once the time is selected, a notification can be sent to one of your employees confirming the time of the appointment. Even a simple function such as this could save many days of labor every year resulting in big savings and profitability for the business.

Of course, this is just one simple example. Take a look at how your business is run and ask yourself if there is function or a task that takes up a lot of time and doesn’t add value to the overall business. With affordable custom programming, automating your business may be much easier than you think. Contact Techeffex today to find out how our custom programming and business solutions can help your bottom line!

• look and feel: graphics and layout of a website including colors, fonts, images, animation and so on
• content: text and images intended for the website visitor to look at
• functionality: includes form processing, navigation bar behavior, e-commerce and many other things that require some sort of programming
• useability: refers to the “user friendliness” of the site from a visitors perspective. This is very important and usually involves the 3 items mentioned above.

So what does this have to do with web designer versus web development? Read on…

Website Designer

A website designer tends to specialize in the “look and feel” part of a website creation. They typically have expertise in graphic design and are proficient with tools such as Photoshop or Adobe Illustrator. This part of a website design is important because it goes a long way in conveying a first impression as well as providing a sense of your branding. A good web designer will understand what your product or service is and what you want to convey to your target audience. A lawyer may wish to provide a sense of professionalism whereas a business providing party entertainment will want a theme that conveys more fun.

The website designer will also have an interest in the content of the site. A good web designer can provide a lot of insight into how best to display content including the use of bullet points, images, font types and so on.

Website Developer

A website developer on the other hand, focuses more on the programming parts of a website such as form processing or e-commerce functions. Website programmers typically use languages such as PHP, Javascript, Jquery, MySQL and more. Much of the functionality a web developer provides may not be visible to a site visitor such as form checking, log in verification and so on but these are often very critical functions. Site security is usually a website developer responsibility and should not be overlooked.

The responsibility of site useability is usually shared between the website designer and website developer. There are elements from both areas that go into the user experience.

OK, So Who Should I Hire?

For most websites, the answer to this question is both. Most modern websites have some programming or database requirements and all need a great look and feel to make a good impression on visitors. The objective of most websites is to convey your message effectively and have visitors come back to the site often. Some individuals are expert website designers but may lack programming experience. Some website developers may have awesome programming skills but may not have a good understanding of how best to convey your theme through color and layout.

To get the best results, you want to find someone who can provide both. Either an individual who is strong in both areas, or a website design company that has experts in both areas. Before hiring a contractor or web design company, make sure they have the necessary expertise in both areas.

We strongly recommend to all of our existing clients to replace their Flash animations with either a static graphic or a Javascript based animation. We won’t add Flash on any new sites at all anymore. RIP Flash…

The standards are available online at https://www.pcisecuritystandards.org/security_standards. There is a lot of information to digest, but it can be summarized as follows: if you store credit card data on your site, you must take extreme measures to protect that data. These measures are usually too expensive or cumbersome to implement for most website owners.

So unless you are a huge corporation with a massive IT budget, the solution is to not store credit card data on your site. Most e-commerce sites can achieve this by having a site visitor fill out the payment form on site and submitting the data via an encrypted connection (SSL) to a Payment Gateway that is PCI compliant. This avoids all the rigors of credit card data storage because you are not storing the data on your site. Once the transaction is complete, there is no trace of the users credit card data on your site. However, you’re not quite off the hook. Your site must be secure enough to keep hackers out since a hacker could get on your site and modify how and where credit card data is sent. A good hacker could modify your payment form to send the data directly to them. There are services that will analyze your site for security flaws and it is money well spent. Penalties for non-compliance in the case of a security breach can be steep. Plus it’s bad for your business reputation.

To completely wash your hands of the PCI DSS concerns, you can use a hosted payment service. In this scenario, a site visitor browses your site and when they are ready to make a purchase, they are taken to the hosted payment site where they enter their credit card data and complete the purchase. When the transaction is complete, they are returned to your site, usually to a “Thank You” page or the like. The down side to this approach is that it tends to cost more and often the hosted pages don’t fit well with your website’s look and feel. Paypal is great example of this – you know when you are on a Paypal payment page. Still, as consumers learn about these security issues, they may come to appreciate being on a secure site when submitting their payment information.

Whatever your situation, the one thing you can’t do is ignore the PCI Standards. It’s bad for business and could cost you thousands of dollars if your site is breached.

A shared server means your website competes with other websites loaded on your server for bandwidth and processor time. Virtual dedicated servers also have many websites on a single server, but each user is guaranteed a certain amount of bandwidth and processor time.

Dedicated hosting refers to a hosting service where the customer leases a server, “dedicated” to their needs. There are no other users on the server so your website (or multiple websites) get full access to all the bandwidth and processor time.

Here are some reasons to consider a dedicated hosting solution:

High Traffic Volume
Although there are many shared hosting offerings that offer unlimited monthly bandwidth, you are still limited by the connection to the server and the number of websites sharing it. A dedicated server gives your site access to all the bandwidth available to that server.

Performance
If your website has high performance requirements, having a dedicated processor for your site might be the way to go.

Remote Storage
In addition to the performance advantages, you get full access to a remote server that can be used as a file server and/or mail server. You can store backup data on the server and run any applications you like.

If you need more than a clunky old shared server solution, consider upgrading to a Dedicated Hosting solution.

When I want information about a company, their products or their services, I go to the company website. The website typically has more information and in some cases, much more information. So what does Facebook offer me to help promote my business? For those who have the time and inclination, you can post news and information on a regular basis to your Facebook site which in turn pops up on  all your “fans” Facebook newsfeeds. Just make sure your postings are interesting or it will backfire – your fans may block your postings or even get a negative impression of your company. If you don’t post on a regular basis, the Facebook page will have little benefit for your business.

So a Facebook page can be a useful component in a larger online marketing strategy, but I’m yet to hear of any great results from anyone I’ve talked to.  I think the good ol’ fashioned website (can’t believe I said that) is still your number one marketing platform.