How to use strong authentication for your website

Usually when you log in to your website to start making updates or changes, you’ll just need a username and a password. This is the most basic form of user authentication. Unfortunately, it’s also the weakest form of authentication, especially if your account has full administrative rights on your website. It’s not hard for attackers to launch an attack against your website’s login page and attempt to brute force their way into your site. If you have a simple username and password, there’s a good chance they’ll succeed.

Avoid Obvious Usernames

The first step to avoid being the victim of a brute force attack is to make sure you’re not using an obvious username for the administrator account. The most obvious username of all for the administrator account is “admin”. Almost anything is better than “admin.”

You can use your own name instead of “admin” as the administrator username, but that’s not too hard to figure out if your name exists anywhere on your website.

You can get more creative than that.

How about your email address? That’s usually longer than your name and it contains a symbol, the at sign (@). Just adding one symbol to your username makes it significantly more complex. And most attackers won’t know your email address or bother using it in a brute force attack.

However, your email address is still guessable. So why not add another symbol, or switch it slightly from your regular email address? That will make it long and unguessable. Just make sure you remember whatever you set as your username.

Create Strong Passwords

Creating strong passwords is altogether different from picking a username that isn’t obvious. Everybody agrees that strong passwords are better than weak passwords when it comes to good security. And a lot has been written about the need to create strong passwords. So why am I writing about it here?

The reason is simple: we’re still using weak passwords. Why? Because they’re easier for us to remember and type. We’ve got better things to do than pause to think about what our password is for a particular system or application.

What makes a password weak?

  • Any default password that came with the system or application and was never changed
  • Any word that can be found in a dictionary
  • Anything shorter than 8 characters

Unfortunately, using weak passwords makes it easy for an attacker to guess or brute force their way onto your website, so you definitely shouldn’t be using those.

What makes a password strong? The strongest passwords are very long strings of random letters, numbers, and symbols. The drawback of passwords like these is they are extremely hard for the average person to remember.

There are two important factors to consider when creating strong passwords: length and complexity. Length is self-explanatory, and complexity refers to the variety of different letters, numbers, symbols, and special characters you use when creating a password. The longer and more complex your password is, the stronger it is. However, length is the more important factor. Always try to make longer passwords versus super-complex passwords. Longer passwords are much harder to crack, provided that they aren’t composed of dictionary words or simple number sequences.

If you start thinking in terms of sentences instead of single words, that will turn your passwords into passphrases. Throw in some symbols and special characters and you’ll improve your security significantly.

For example, a passphrase with special characters like:

[D1d U t4ke th3 d0g 2 th3 P4RK?]

is much more secure than using your dog’s name as a password.

Whatever password or passphrase you come up with, just make sure you can remember it without writing it down. If you must write it down, keep it in a safe place where no one else will see it or use a password manager.

If you have a password manager, creating extremely strong passwords becomes much easier. You can define the length and complexity of the password you want and with the click of a button, the software will create it for you.


I’ll go into more detail about password managers in my next ebook, “Information Security for Business Leaders.” But don’t let that stop you from researching and trying one now if you don’t use a password manager already.

Implement Two Factor Authentication

Sadly, even after picking a hard-to-guess username and creating a very strong password, this still isn’t the best security for logging in to your website. If someone were to get their hands on your username and password somehow, they’d have full control of your website.

You need a way to improve your site’s authentication process to better ensure that it’s really you who’s logging in.

That’s where two-factor authentication comes in. Two-factor authentication is stronger security than just passwords or passphrases because it includes not just what you know (the password), but also something you have or something you are.

The something you have is often a code you enter from a device you own. This might be a hardware device like an RSA token that has a digital code which changes every 60 seconds. Or it may be an app on your smartphone with a changing digital code.

In some cases, the “something you have” is your phone. The authentication system of your website can send a text to your phone with a numeric code. Since you’re the only person who has the phone (hopefully), you’re the only one who can enter the code into your website when you log in. That prevents someone else from logging into your website with just your username and password.

If your website is built on WordPress, there are many plugins you can install to enable two-factor authentication. One that I use and recommend is Rublon. The Rublon plugin works with a free smartphone app that scans a code created by the plugin.


Once you scan the code with your smartphone (something you have), you can add the computer you scanned the code from to your list of trusted devices in the Rublon plugin. That way, the next time you log in from that same computer with the same browser, you won’t need to scan a code again. In this case, your trusted computer and browser become the something you have that no one else does: the second factor in addition to your password.

Considering that Rublon is free and relatively easy to set up and use, it’s a pretty painless way to significantly improve the security of your website’s authentication process.

If your website isn’t built on WordPress, you can probably find ways to implement two-factor authentication on whatever platform you’re using. For instance, you can find two-factor authentication modules for Drupal here: https://groups.drupal.org/node/235938.

Lock Out Multiple Failed Login Attempts

Another authentication improvement you might want to consider is locking out multiple failed login attempts. This works much the way it sounds: when someone tries logging in to an account (like the “admin” account) many times unsuccessfully, the account can be temporarily locked out to prevent any further attempts. Of course, this can create a problem for you if you’re using the account that someone is trying to brute force and they lock you out. That’s another reason why you want to pick a non-obvious username for the primary administrator account.

There are various WordPress plugins you can install to enable locking out accounts after multiple failed login attempts such as Brute Force Login Protection and BruteProtect.

You probably don’t need to use both two-factor authentication and account lockouts at the same time; that’s overkill considering an attacker can’t log in without a trusted device if you’re using two-factor authentication. You can probably just use a two-factor authentication plugin like Rublon without an additional account lockout plugin.

The only exception might be if you’re using Jetpack with WordPress, which includes a module called Protect, a form of cloud-based brute force protection. Here’s part of the description for the Protect module:

Jetpack Protect tracks failed login attempts across all installed users of the plugin. If any single IP has too many failed attempts in a short period of time, they are blocked from logging in to any site with this plugin installed.
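The two lockout styles described above differ only in what they count failures against: the plugins lock the account being attacked, while Jetpack Protect blocks the source IP. This added example (not code from any plugin named here) replays a constructed login log through the same temporary-lockout logic keyed both ways, so you can see why a per-account lockout can shut out the legitimate owner while a per-IP block does not. The limit of 5 failures in 5 minutes and the 15-minute lockout are assumed values.

```python
from collections import defaultdict, deque

FAIL_LIMIT = 5     # failures allowed inside WINDOW before locking
WINDOW = 300       # seconds over which failures are counted
LOCKOUT = 900      # seconds a locked key stays locked


class LoginGuard:
    """Temporary lockout after repeated failures, keyed by account or by IP."""

    def __init__(self, limit=FAIL_LIMIT, window=WINDOW, lockout=LOCKOUT):
        self.limit, self.window, self.lockout = limit, window, lockout
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lock expires

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lock expired: start with a clean slate
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True

    def record(self, key, success, now):
        """Return 'locked', 'ok' or 'fail' for one login attempt."""
        if self.is_locked(key, now):
            return "locked"                  # refused even if the password is right
        if success:
            self.failures[key].clear()
            return "ok"
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                      # forget failures older than the window
        if len(q) >= self.limit:
            self.locked_until[key] = now + self.lockout
            return "locked"
        return "fail"


# Constructed sample log: (unix time, username, source IP, password correct?)
EVENTS = [
    (1000, "admin", "203.0.113.7", False), (1001, "admin", "203.0.113.7", False),
    (1002, "j.smith", "198.51.100.5", True), (1003, "admin", "203.0.113.7", False),
    (1004, "admin", "203.0.113.7", False), (1005, "admin", "203.0.113.7", False),
    (1006, "admin", "198.51.100.5", True),   # the real owner, right password
    (1906, "admin", "198.51.100.5", True),   # same owner after the lock expires
]


def replay(events, key_fn):
    guard = LoginGuard()
    return [guard.record(key_fn(e), e[3], e[0]) for e in events]
```

Calling `replay(EVENTS, lambda e: e[1])` (per account) refuses the owner's correct login at t=1006, while `replay(EVENTS, lambda e: e[2])` (per IP) lets it through and blocks only the attacking address.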

When you combine hard-to-guess usernames, strong passwords, and two-factor authentication, you make it almost impossible for an attacker to brute force their way onto your website.

Photo credit: mrdorkesq
