Sunday, August 8, 2010

Top tips to protect your website passwords

A strong password is 8 to 20 (or more) completely meaningless random upper/lower/numeric/punctuation characters. It must not be, and should not even contain, any real word in any human language dictionary.
If you've never seen an example of a strong password, look at GRC's Ultra High Security Password Generator. The third row on that page ("63 random alpha-numeric characters") contains the types of characters that are usually legal for cPanel passwords, although some cPanel versions allow punctuation characters, too. Pick however many consecutive characters you need from that row.
  • If you create your own passwords, use a random mixture of upper and lower case letters, and digits. Special characters (punctuation, etc.) make the password even stronger if your cPanel allows them.
  • Don't use "clever" leet-speak variations of your name, your website's name, your spouse's name, your pet's name, your favorite sport, song, musical band, or any other real words. No matter how you do it, basing a password on real words makes it less secure than it should be.
  • In some old versions of cPanel, only 8 characters are significant. In that case use all 8 because that is barely enough to be secure.
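As an added example (not code from the original post), here is a small Python policy checker that builds passwords from the cPanel-style character sets described above using a CSPRNG, scores them in bits of entropy, and rejects the real-word and leet-speak constructions the list warns against. The word list and the substitution table are constructed stand-ins for a real dictionary.

```python
import math
import secrets
import string

# Character sets matching the post: cPanel usually accepts letters and digits;
# some versions also accept punctuation.
ALPHANUMERIC = string.ascii_letters + string.digits      # 62 symbols
WITH_PUNCTUATION = ALPHANUMERIC + string.punctuation     # 94 symbols

# Constructed mini dictionary standing in for a real cracking wordlist.
DICTIONARY = {"password", "summer", "admin", "website", "fluffy", "soccer"}

# Common leet-speak substitutions, reversed so "p4ssw0rd" normalizes to "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def generate_password(length=20, alphabet=ALPHANUMERIC):
    """Uniformly random password from the OS CSPRNG (secrets, not random)."""
    if length < 8:
        raise ValueError("the post's minimum is 8 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet):
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def contains_dictionary_word(password, dictionary=DICTIONARY, min_len=4):
    """True if a dictionary word appears plainly or in leet disguise."""
    lowered = password.lower()
    candidates = {lowered, lowered.translate(LEET)}
    return any(w in c for c in candidates for w in dictionary if len(w) >= min_len)


def check_password(password, alphabet=ALPHANUMERIC):
    """Return the list of policy failures; an empty list means it passes."""
    failures = []
    if len(password) < 8:
        failures.append("too short")
    if any(ch not in alphabet for ch in password):
        failures.append("illegal character")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)):
        failures.append("missing case or digit")
    if contains_dictionary_word(password):
        failures.append("dictionary word")
    return failures
```

An 8-character alphanumeric password carries about 47.6 bits of entropy, a 20-character one about 119 bits, which is why the checker treats 8 as the floor rather than the target.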
The #1 threat to your website is internet attackers
There are thousands of them, and they will definitely try to damage your website if they get in. That is why you must use strong passwords that are nearly impossible to figure out. The strength of a password must be the first consideration, top priority.
Write down your strong password so you don't forget it
People sometimes avoid strong passwords because they've heard that passwords should never be written down. That rule was for Defense Department workers who had to worry about Soviet spies rummaging through their desks. You don't have to worry about that. You have to worry about internet hackers. They can't ransack your desk, but they are very, very good at cracking bad passwords!
  • Writing down your strong password is only a trivial security risk.
  • Using a weak password because that's the only kind you can remember is a huge security risk.
Keep your written passwords however safe your particular situation requires.
Give it some thought. If you have mischievous children, don't leave passwords lying around where they can find them. If you have malevolent coworkers, don't leave passwords in your desk drawer at work. If you habitually lose your wallet or purse, don't keep them there, either. Take whatever precautions are reasonable for your situation.
If your environment really does have spies (not necessarily KGB, CIA, or MI6 ones), you can probably write your passwords down in such a way that no one who finds them will know what they are. Make them the first letters of a grocery list, or a personal letter or memo. And if you have a password that you must carry into insecure environments, you probably don't need to remind yourself which account it's for, so don't write that part down.
There is more information about strong passwords at Wikipedia.
A Wired article, Secure Passwords Keep You Safer, describes how a dictionary attack on a password works. It's these automated professionally designed dictionary attacks, which are based on real-world password data and psychological studies of how ordinary people create passwords when they aren't using random ones, that you have to outsmart. 
Keep your UserID secret, too.
Your UserID is the other piece of information someone needs to log in as you. Keep it as secret as possible, too, and don't post it in forum messages, as some people do.
The passwords you use for cPanel, FTP, password protection of folders, database connections, each of your email accounts, and your helpdesk login at your webhost should all be different. Never use a password in more than one login location.
If hackers can get a password from one location (such as an email account), they will test it to see if it will also work somewhere else (such as cPanel, FTP, and even your bank's website, if they know it). This is because so many people use a single password in more than one place. If you use different ones, someone who obtains one of your passwords will only get into one place and will still be locked out of all the others.
Not all your passwords are stored in equally secure locations and formats. Some of them are easier to get than others. Your cPanel password, for example, is normally extremely secure. It is not even stored anywhere in your website files. But if you use the same password for your database connections, it's exposed in plain text in your PHP scripts. If a glitch or misconfiguration on your server causes PHP to stop working, your site could start writing your cPanel password on the pages it sends out. Email account passwords are stored in website files, too. They are encrypted, but someone who gets the files can easily decrypt them offline where it goes much faster. If you use the same password everywhere, it's only as secure as the least secure place where it's stored. 
If you give someone password access temporarily, change the password as soon as their work is finished, no matter how much you trust them. Even if they are trustworthy, their PC could get a virus at some later date, and it could steal your password without them even knowing about it.
