Web site password security

Password security is one of the primary concerns for a web developer. Whether we're talking about the password of your control panel, your FTP client or your database, the golden rule is always the same: be paranoid. On the web there are no good or bad people, only attackers and defenders. You play defense, and you have to try to foresee the attacker's moves. It's more or less like playing chess.

So do not trust anyone. Anyone, and I mean it. The first person you can't trust is yourself: don't be overconfident and say "Well, surely this is not going to happen to me". Cracks happen. Defacements happen. Nothing is 100% safe. Never. Now let's talk about how to choose a password. There are no good or bad passwords: there are only passwords that take too long to break and passwords that fall in a couple of hours. A strong password is one that makes the attacker give up before the search finishes.

First, don't use words that appear in any dictionary. By "any", I mean every language on this planet, present, past and future. Even if you've found a cool word in Hopi or Esperanto, don't use it. Never. Keep in mind that cracking wordlists also try the usual substitutions ("0" for "o", "3" for "e", "$" for "s"), so a dictionary word in disguise is still a dictionary word. Second, don't use anything related to your everyday life, not even your car's plate number or your driver's licence number. Third, use a mix of numbers, letters and uncommon special characters. Fourth, the password must be long. Although many hosting providers only require a minimum of 8 or 9 characters, use the maximum length available, for example 16 to 32 characters: every extra character multiplies the number of guesses an attacker has to make.
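The four rules above, together with the "too long to break" idea from the previous paragraph, as an added runnable example. This is my own illustration and not code from the original post: the generator draws from the OS random source through Python's secrets module, the checker undoes common leet substitutions before looking for dictionary words and personal tokens, and the brute-force estimate shows why length dominates. The six-word dictionary is a constructed stand-in for a real wordlist, and the 1e10 guesses per second rate is an assumption, not a measurement.

```python
import secrets
import string

# Character classes the generator and checker reason about.
CLASSES = (
    ("lowercase letters", string.ascii_lowercase),
    ("uppercase letters", string.ascii_uppercase),
    ("digits", string.digits),
    ("special characters", string.punctuation),
)
ALPHABET = "".join(cls for _, cls in CLASSES)
MIN_LENGTH = 16

# Constructed stand-in for a real cracking dictionary (assumption: in practice
# you would load a large multi-language wordlist, not these six words).
SAMPLE_DICTIONARY = {"password", "letmein", "welcome", "dragon", "saluton", "esperanto"}

# Common leet substitutions; cracking tools try these, so the checker undoes them.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(text):
    """Lower-case and undo leet substitutions so 'Dr4g0n' is compared as 'dragon'."""
    return text.lower().translate(LEET_MAP)


def generate_password(length=24):
    """Draw a password from the OS CSPRNG (secrets), retrying until every class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for _, cls in CLASSES):
            return candidate


def check_password(password, personal_tokens=(), dictionary=SAMPLE_DICTIONARY):
    """Apply the four rules from the text; returns a list of violations (empty means it passes)."""
    problems = []
    norm = normalise(password)
    # Rule 1: no dictionary words, in any language, even disguised with leet substitutions.
    for word in sorted(dictionary):
        if len(word) >= 4 and word in norm:
            problems.append(f"contains dictionary word '{word}'")
    # Rule 2: nothing from everyday life (plate number, licence number, birth year, ...).
    for token in personal_tokens:
        if normalise(token) in norm:
            problems.append(f"contains personal information '{token}'")
    # Rule 3: a mix of character classes.
    missing = [name for name, cls in CLASSES if not any(c in cls for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # Rule 4: length.
    if len(password) < MIN_LENGTH:
        problems.append(f"only {len(password)} characters, want at least {MIN_LENGTH}")
    return problems


def brute_force_years(password, guesses_per_second=1e10):
    """Worst-case years to exhaust the search space for this length and class mix.

    Assumes the attacker knows which classes are used and nothing else, and an
    assumed rate of 1e10 guesses/s (roughly a GPU rig against a fast, unsalted hash).
    A dictionary word falls far faster than this estimate, which is why rule 1 exists.
    """
    space = sum(len(cls) for _, cls in CLASSES if any(c in cls for c in password))
    guesses = space ** len(password)
    return guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # "AB123CD" stands in for the reader's own plate number (constructed sample).
    for pw in ("Dr4g0n!", "AB123CD-2015", generate_password(24)):
        verdict = check_password(pw, personal_tokens=("AB123CD",))
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}"
              f" (exhaustive search ~{brute_force_years(pw):.3g} years)")
```

The estimate is an upper bound on the attacker's work, not a promise: it only measures what is left once the cheap attacks (wordlists, substitutions, personal data) have been ruled out, which is exactly what the first two rules are for.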

Fifth, always check that your computer and your web server are clean of malware. On the server, if you have full access to the machine and it can sustain the load, install a network IDS (Intrusion Detection System) such as Snort. Before doing so, however, make sure that your configuration files and the server's default files are no longer reachable from the web, and that you've actually changed the default passwords that every piece of web software ships with. For example, on MySQL never leave the root account without a password, and never run your application's database routines as root: create a dedicated user for the application and grant it only the privileges it needs.

Sixth, never save your password in a file; commit it to memory. If you must, write it down once and keep the note somewhere only you can reach. In your FTP client, always use an encrypted connection (FTPS, that is FTP over SSL/TLS, or SFTP), never plain FTP, which sends the password in clear text. Finally, make sure that your operating system and every application on your server (the CMS included) are patched and up to date.

Now we wait for the attacker's next move.
