Simple Website Security

posted by Farhan Mirajkar on April 29, 2012

While browsing my RSS reader today, I came across the story of PC Pro editor Barry Collins’ rather unfortunate experiment with Hotmail. Long story short, he attempted to revert to Hotmail after six years of Gmail. And although he was initially impressed, his Hotmail account was compromised and used to send spam. While the article doesn’t directly explain or speculate about how his account was compromised, the final paragraph tells you all you need to know:


He used a seven-character password: all letters, all lowercase. Because it wasn’t random (“part acronym, part proper noun”), it was probably within reach of an educated guess or a wordlist attack. And even a completely random seven-character lowercase password has only 26^7 (about 8 billion) possibilities, a keyspace that an offline brute-force attack against a leaked, fast-hashed password can exhaust in seconds on commodity hardware. Reusing the password on other sites makes things worse in a different way: a breach at any one of those sites exposes it, however strong it is.

There are a lot of misconceptions out there about passwords. The simple truth is that length matters most. Without getting into statistical analysis, rainbow tables, and dictionary attacks, common sense (and XKCD) dictates that a long password is harder to crack and less likely to be guessed: every character added to a random password multiplies an attacker’s work by the size of the alphabet. To that end, nothing beats a long string of completely random characters.

Unfortunately, such strings are incredibly difficult to remember. Fortunately, there are quite a few password management systems out there that can really help. And LastPass is our favorite.

LastPass (which is free, by the way) works by capturing your logon credentials and storing them in an online vault that is encrypted on your own device with a key derived from your master password, so the synchronized copy is useless to anyone without that password. With versions available for all major browsers and platforms (including Windows, Linux, MacOS, iOS, and Android), your passwords can be easily synchronized between devices. You only need to remember one password for LastPass, and it takes care of the rest. The end result? Your online banking password can be “PRe?OEjla-!aCh7e*P” while your Facebook password is “_I-_lAtroe;ou8oe6i”.

And all you need to remember is your LastPass password. An easily memorable password will do just fine, even if it’s not random, provided it is long. Something like “Queen=Linda.2012DowntownNightlife?Coffee!” would be very effective: a dictionary attack on single words gets nowhere with it, because the attacker has to guess a particular sequence of six words plus the numbers and punctuation between them. Bear in mind, though, that a phrase you compose yourself carries less entropy than its length suggests (people pick related words and predictable punctuation), so err on the side of more words rather than fewer. And since this one password now unlocks everything else, it is worth turning on any second-factor login option your password manager offers.
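To put numbers on the comparison made above (a seven-character lowercase password, the 18-character random strings a password manager generates, and a multi-word master passphrase), here is an added example; it is not code from the original post or from LastPass. It computes the keyspace of each style, converts it to time-to-exhaust at two assumed, order-of-magnitude guess rates, and shows how a manager-style generator draws characters and words from a cryptographic random source. The word list is a small constructed stand-in for a real Diceware-style list, and the function names are this example’s own.

```python
import math
import secrets
import string

# Assumed, order-of-magnitude guess rates for illustration (not figures from the post).
GUESSES_PER_SECOND = {
    "online, rate-limited login form": 1e2,
    "offline, one GPU against a fast unsalted hash": 1e10,
}

# 52 letters + 10 digits + 32 punctuation marks = 94 printable ASCII symbols,
# the kind of alphabet a password manager's generator draws from.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list (a Diceware list has 7776 words).
SAMPLE_WORDS = ["queen", "linda", "downtown", "nightlife", "coffee", "harbor",
                "pencil", "orbit", "velvet", "thunder", "maple", "silver"]


def charset_entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count, dictionary_size):
    """Entropy of `word_count` words drawn uniformly from a `dictionary_size`-word list.
    The bound only holds when the words are picked at random, not composed by a person."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate in a keyspace of 2**bits at the given rate."""
    return 2.0 ** bits / guesses_per_second


def random_password(length=18, alphabet=PRINTABLE):
    """Uniform random password from `alphabet`, using the OS CSPRNG (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count=6, words=SAMPLE_WORDS, separator="-"):
    """Diceware-style passphrase: each word chosen independently and uniformly."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def compare_keyspaces():
    """Bits of entropy for the three password styles discussed in the post."""
    return {
        "7 lowercase letters": charset_entropy_bits(7, 26),
        "18 random printable ASCII": charset_entropy_bits(18, len(PRINTABLE)),
        "6 words from a 7776-word list": passphrase_entropy_bits(6, 7776),
    }


if __name__ == "__main__":
    for label, bits in compare_keyspaces().items():
        print(f"{label}: {bits:.1f} bits")
        for scenario, rate in GUESSES_PER_SECOND.items():
            days = seconds_to_exhaust(bits, rate) / 86400
            print(f"    {scenario}: {days:.3g} days to exhaust")
    print("generated password:  ", random_password())
    print("generated passphrase:", random_passphrase())
```

The seven-lowercase case comes out at about 33 bits, which the offline rate exhausts in under a second while the throttled online form needs years; this is why the real danger is a leaked hash, not the login page. The 18-character random string is around 118 bits, and six truly random Diceware words give about 77 bits, far more than any seven-character password but only if the words are chosen by the generator rather than by you.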

So how does this apply to web hosting? Glad you asked!

Even though we take a lot of steps to mitigate security threats, one of the best defenses against password-based attacks is a long password that is unique to each account. A password manager like LastPass will allow you to have one password for our billing system, a different password for cPanel, a different password for each of your webmail accounts, a different password for your CMS (such as WordPress) login, and so on, none of them shared with any other account you hold. Best of all, you won’t have to remember any of them.

All you need to do is remember one password.

LastPass isn’t the only password manager out there. KeePass is a popular choice, as are RoboForm and Password Safe; KeePass and Password Safe keep the encrypted database as a local file rather than in a hosted service, which some people prefer. The choice is yours. While no password manager (including LastPass) is 100% secure, any of them is arguably a lot more secure than using a seven-character non-random lowercase password.
