How a Strong Password Stopped a Password Attack

Strong Passwords Block Password Attacks

A website I run experienced a password attack. This means that someone, either by hand or computer, was repeatedly trying to break into the administrative panel of the site by guessing the password.

Why? Who knows. It may be someone who doesn’t like the company. It may be someone who likes to infect websites with malware. It could be for any number of reasons. But the important thing is that the person or people were unable to break into the website. Why? Because I have a very strong password for this website. And for every part of any website I manage. A strong password is a key defense against a straight-up password attack.

What is Going On?

As it happens, the attack went on for several days. How do I know this? Because I get an alert every time someone tries and fails, or tries and succeeds, to log in to the website. The emails show that someone was trying to log in using both the username “admin” (which does not exist on any site I manage) and the username used to post on the blog. The people trying to break in have been completely unsuccessful. That doesn’t stop them from trying though, and I didn’t wish the attack to continue, so I took additional steps to secure the site.

Failed Login Warning
Email providing failed login information. It includes the username the person tried to use and the IP address of the computer trying to log in.
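
The alert emails described above carry a username and a source IP address, which is enough to separate password guessing from an ordinary typo. The following Python is an added example, not part of the original post or of any alerting plugin; the alert line format, the `blogauthor` account name and the failure threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts; the real alert email format is not shown on the page.
ALERTS = """\
2024-03-01 02:14:07 FAILED user=admin ip=203.0.113.7
2024-03-01 02:14:09 FAILED user=admin ip=203.0.113.7
2024-03-01 02:14:12 FAILED user=blogauthor ip=203.0.113.7
2024-03-02 11:40:55 FAILED user=blogauthor ip=198.51.100.23
2024-03-02 11:41:01 FAILED user=admin ip=198.51.100.23
2024-03-03 09:02:30 FAILED user=blogauthor ip=192.0.2.10
2024-03-03 09:03:02 OK user=blogauthor ip=192.0.2.10
2024-03-04 23:59:41 FAILED user=admin ip=203.0.113.7
"""

LINE = re.compile(r"^(\S+ \S+) (FAILED|OK) user=(\S+) ip=(\S+)$")

def summarize(text, real_users, threshold=3):
    """Group login alerts by source IP and flag the ones that look like guessing."""
    fails = defaultdict(list)   # ip -> [(date, username), ...] for failed attempts
    ok_ips = set()              # IPs that also produced a successful login
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue            # skip anything that is not an alert line
        day = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").date()
        if m.group(2) == "OK":
            ok_ips.add(m.group(4))
        else:
            fails[m.group(4)].append((day, m.group(3)))
    report = {}
    for ip, events in fails.items():
        unknown = sorted({user for _, user in events} - set(real_users))
        days = [day for day, _ in events]
        report[ip] = {
            "failures": len(events),
            "unknown_users": unknown,   # accounts that do not exist, e.g. "admin"
            "days": (max(days) - min(days)).days + 1,
            "suspicious": len(events) >= threshold or bool(unknown),
            "also_succeeded": ip in ok_ips,   # review by hand: typo or break-in?
        }
    return report

if __name__ == "__main__":
    for ip, row in summarize(ALERTS, real_users={"blogauthor"}).items():
        print(ip, row)
```

An address that is both `suspicious` and `also_succeeded` deserves immediate attention, since it means repeated guessing ended in a working login.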

Preventing the Password Attack in the First Place

Fortunately, I had already received permission to move this particular site to cloud proxy for additional protection. This change stopped the password attacks, because with cloud proxy, only people using certain IP addresses may access the site’s login page. Given this, and the risks of password attacks, if you can afford the 10 bucks a month, add cloud proxy to your site and prevent the attack from even getting started in the first place.

Secure both the Web Host and the Administrative Access Page

Make sure you have a strong password for each and every part of your website control. This includes the web host, registrar and any administrative username through which you access your site. Make sure that usernames for people who are allowed to post on your site are strong as well. No one who is able to log in to your site should have a weak password. If you add cloud proxy, make sure Sucuri has a strong password too.

Picking a Good Password

I have noticed that a lot of law firms will use a portion of the firm’s name along with a couple of numbers as a password. Never do this. Such passwords are easily guessed. Your password should be something that makes absolutely no sense as a word and contains a mixture of letters, numbers and special characters. Those numbers, letters and characters should have nothing to do with anyone at the firm. Don’t use your birthday, children’s birthdays, dog’s birthday, you name it. When you make a password completely random, as well as long enough, it becomes almost impossible to guess. If you want to see how hard your password is to guess, check out this site I learned about at ABA Tech Show: I have to admit, I have never used this site to check out my passwords. The idea of typing in a password on some random site on the web freaks me out.
