Top 5 Web Security Tips

Did you know it takes hackers a mere 28 seconds to crack a simple 8-character password? Yikes! Look at the chart below to see how long and how unique your password should be to avoid becoming a hacker's victim.

[Figure: Hacker's Victim (chart of password-cracking time by length and complexity)]

It is critical to you and your company that you protect your passwords. The bad guys count on us being lax in protecting our valuable information. 

“What is website security?” is a common question, and this blog will show that it is much more than having long passwords. It will also provide the best practices for protecting your business and customers.

1: Two-Factor Authentication & Multi-Factor Authentication

Two-factor authentication (2FA) and multi-factor authentication (MFA) are effective methods to secure yourself online. An authentication factor is a piece of evidence the user presents to prove their identity. The process combines several "factors" to confirm that only the correct users are accessing valuable information.

So, in a two-factor authentication process, the user must prove they are genuine using two methods, or factors. Factors range from an initial password to a security question, a secondary device like a phone or laptop, or biometric information like a face scan or fingerprint.

MFA utilizes several methods before allowing access to the desired information, such as a vault of passwords, a document, or a private account.

Setting up 2FA and MFA is often relatively easy. Both Google and Microsoft offer MFA through text messages, push notifications from their authenticator apps, and emails.

The pros of 2FA/MFA are instantly recognizable. It is easy to set up, convenient for the user, grants instantaneous access, and does not require another set of passwords to remember. 

[Figure: Factor Authentication]

Factor authentication has proven most successful when using hardware security keys. These physical devices keep your passkeys on something you carry with you rather than on your computer, so they are better protected against malware.

Unlike a code sent to your phone or email, these devices generate passkeys locally, so no sensitive information (like the one-time passcodes we have all received on our phones) is sent over the Internet. Anything sent over the Internet can be intercepted by criminals.

These devices are easy to use. They plug directly into the USB port of your computer, and once you have generated a code, you can unplug it and return it to safe storage in your home or office. 

The most common issue with these hardware devices is that they can be easily misplaced or lost due to their small size.

In general, 2FA and MFA are not immune to problems. When your phone is the second factor, hackers can take over your SIM card and use their own device to pretend to be you when logging in, giving them access to your information. Phishing sites (websites designed to trick users into providing sensitive information) can also put protected information into the wrong hands. An example is a message that pretends to be from a trusted source and asks for the authentication code for your email account or business passwords.

Always enable notifications of login attempts to keep your website secure. Most apps notify you by default, but double-check when you create an account.

Using push notifications can be effective. You may be familiar with the Google notification from Gmail or YouTube that a device nearby has requested access to your account; this is an example of a 2FA push notification. These notifications are more convenient and are less easily missed than emails that could be sent to spam.

Notifications allow you to track who is attempting to access your information, which can be helpful if you manage a small business with several employees. 2FA and MFA notifications make security accessible without being overwhelming.

2FA and MFA are essential for protecting your website. If all employees are instructed to use MFA to access business-related content, the website is safer from data breaches and hacks.

2: Password Storing Services

Password storing services, or password managers, are services that encrypt and protect passwords. They are essential to securing your website and its information. 1Password is a leading provider in this space. Managers like 1Password have several layers of protection. They first require two passkeys: your chosen password and a computer-generated key. The password vault can only be opened with both pieces of information.

1Password also allows you to access passwords remotely. Because the manager delivers them directly, users avoid the problem discussed earlier with MFA, where a one-time passcode is transmitted over text or email.

Accessing your passwords through the manager means they are not sent over a network where hackers could "read" them. Password managers can also label specific vaults to organize them into what all employees can access and what is available only to administrators.

Most password storage services offer some form of 1Password's Watchtower service. These tools flag passwords that are reused or weak, as well as passwords that have appeared in recent data breaches.

Password managers make it easy for coworkers to share passwords securely. All users need a master key and a one-time computer-generated code to get in, so unwanted access is nearly impossible.

Most managers charge for their services. However, Bitwarden is free and provides similar services without the bells and whistles of the paid managers. 

Also, collaboration within a business can be tricky because it goes against the service’s purpose, which is to protect your passwords. As a result, the login process can be lengthy and require another user (like the administrator) to verify others’ access. These are the necessary costs of website protection.

3: Make Complex Passwords

Passwords are the best-known form of website security, but securing your website and its contents takes a strong password. Passwords with unusual characters and symbols are typically considered strong, but the complication is that computer-generated passwords are often gibberish.

Despite being unguessable, they are also seemingly impossible to remember. Using a password manager can solve this problem, but the master password must be memorable. Here are 3 tricks to make solid master passwords: 

1) Take the first letter of your favorite movie line, piece of poetry, or book title. For example, from The Wizard of Oz (1939): “Toto, I have a feeling we are not in Kansas anymore” could be turned into a password: T,IhafwaniKa(1939). This password would be completely unguessable but incredibly easy to recall if you were a fan of the film. The parentheses and the date of the movie at the end increase the password’s security.

2) Generate random words using memorable passphrases. To do this, create a string of unrelated words to make a longer passkey. Some websites can even create random word threads for you. Taking words from each randomly generated set can help make your password even more secure. I used the word “FORT” as a mnemonic because I want my information protected like a fortress. Using this word, I created four random words and a number to make up my password, separated by dashes: Frog-Ordinance-Ring-Toast-13. According to a free password strength checker, this passkey would take trillions of years to crack, yet it is not too difficult to memorize.

[Figure: Password Strength]

3) Passwords are more challenging to guess as they increase in length. For example, if 4 is your lucky number, end your password with 4 of the same symbol, like a period or an apostrophe. Avoid exclamation points, as they are often the most-used ending to a password.
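To show what the Watchtower-style checks from tip 2 and the strength claims in tip 3 actually compute, here is an added example (not code from the original post, 1Password, Bitwarden or any strength checker). It estimates password strength two ways: the character-set model that simple checkers use, which is what makes a 28-character passphrase score in the trillions of years, and a conservative model that assumes the attacker knows the "four words plus a number" pattern. It then audits a small constructed vault for weak, reused and breached passwords, using a k-anonymity range lookup in which only the first five characters of the password's hash leave the client. The guessing rate (1e10 per second), the 50-bit "weak" threshold, the 7,776-word list size and the breach corpus are all assumptions made for the example.

```python
import hashlib
import math
import string
from collections import Counter

# Character classes a brute-force attacker has to cover, with the sizes assumed here.
CHAR_CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, based on which classes the password uses."""
    size = sum(count for members, count in CHAR_CLASSES if any(ch in members for ch in password))
    return max(size, 1)


def charset_bits(password: str) -> float:
    """Entropy if the attacker must try every character combination (what simple checkers compute)."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(words: int, wordlist_size: int = 7776, extra_digits: int = 0) -> float:
    """Conservative entropy when the attacker knows the 'N words plus a number' pattern."""
    return words * math.log2(wordlist_size) + extra_digits * math.log2(10)


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to exhaust the search space at an assumed offline guessing rate (1e10/s is an assumption)."""
    return 2 ** bits / guesses_per_second


# Constructed stand-in for a breach corpus: SHA-1 hashes of passwords known to have leaked.
BREACH_CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper() for p in ["password", "letmein", "123456"]}


def breached_suffixes(prefix: str):
    """Server side of a k-anonymity range lookup: every hash suffix sharing the 5-character prefix."""
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """Client side: only the 5-character hash prefix is sent; the actual match happens locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breached_suffixes(digest[:5])


WEAK_BITS = 50.0  # assumed threshold below which a password is flagged as weak


def audit_vault(entries):
    """Flag each vault entry the way a Watchtower-style check would: weak, breached, reused."""
    uses = Counter(e["password"] for e in entries)
    findings = {}
    for e in entries:
        pw = e["password"]
        flags = []
        if charset_bits(pw) < WEAK_BITS:
            flags.append("weak")
        if is_breached(pw):
            flags.append("breached")
        if uses[pw] > 1:
            flags.append("reused")
        findings[e["site"]] = flags
    return findings


# Constructed sample vault; the article's passphrase is deliberately reused on two sites.
SAMPLE_VAULT = [
    {"site": "mail", "password": "password"},
    {"site": "bank", "password": "Frog-Ordinance-Ring-Toast-13"},
    {"site": "shop", "password": "Frog-Ordinance-Ring-Toast-13"},
    {"site": "forum", "password": "letmein"},
]

if __name__ == "__main__":
    for pw in ["password", "Frog-Ordinance-Ring-Toast-13"]:
        bits = charset_bits(pw)
        print(f"{pw}: {bits:.1f} bits by character set, about {crack_seconds(bits):.3g} s to exhaust")
    print(f"4 words + 2 digits with the pattern known: {passphrase_bits(4, extra_digits=2):.1f} bits")
    for site, flags in audit_vault(SAMPLE_VAULT).items():
        print(f"{site}: {', '.join(flags) or 'ok'}")
```

The two strength numbers for the passphrase differ by more than a hundred bits. Both are honest answers to different questions: the character-set figure is the cost of an attacker who knows nothing, while the word-list figure is the floor once the construction is public, which is why the article's advice to add your own number and separators still matters. The vault audit is the part worth automating: reuse is invisible from inside a single login form, and the breach check is the one test a strong-looking password can still fail.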

4: Never Share Passwords Over Email or Text

After tips 1-3, it is clear why this would be dangerous. Sending sensitive information over the Internet exposes it to people who can steal your data. If you exposed the master password for your password manager, somebody could access all of your accounts.

Similarly, if you leave your passwords in texts and emails, a data breach of that information could allow your passwords to be shared for profit. Data can be leaked and shared without your knowledge, which is another reason to have a password manager to oversee your passwords.

Only use a password-storing utility to share passwords. If you are sharing with coworkers, do it in person or through a password manager. Do not put sensitive or valuable information in email, Slack, or any other communication platform. These messages are unencrypted and can be stored on third-party servers indefinitely.

When in the office or at home, make sure you have a private Wi-Fi connection. Public Wi-Fi connections can be accessed by bad actors, and sending passwords over public Wi-Fi is dangerous. When conducting business in an airport, coffee shop, or hotel, use a private connection or a virtual private network (VPN).

It is possible to set up fake Wi-Fi networks that appear to be authentic. Do not trust a Wi-Fi name just because it is the name of the cafe you are sitting in. These names can be faked, allowing whoever runs the network to scan your device for stored passwords.

As mentioned earlier, SIM cards can be duplicated to read others’ text messages. It is recommended to avoid texting passwords. Instead, call the person or meet them in person if possible.

5: Do Not Open Suspicious or Unwarranted Files

Harmful files are becoming harder to detect because they can come in an email, a text, or even on a website you believe is legitimate. If a file is unexpected, do not open it. 

[Figure: Scam email]

The first sign of a suspicious file is its generic nature. If the email does not address you directly, it likely is not from a trusted source. If a message uses your name but does not explain its connection to you, it could be pulling your information from another source, like a college alumni database.

To avoid malware attacks, use a free antivirus tool that automatically scans any downloaded document before you open it, so you know it carries no malware. Antivirus extensions on your computer can also help guard against data breaches.

It is important to acknowledge that some viruses, once opened, send damaging files to all your contacts with you as the sender. Nothing would be worse for a businessperson's reputation than an email from them containing a computer virus. Keep yourself and your business partners safe by using an antivirus tool to scan documents before opening them.

Never rely solely on the domain (i.e., the part after the ‘@’ symbol) in an email address. Email addresses can be faked to give senders improper credibility. Even addresses from your own company, university, or local government can be spoofed. Unless you know the sender directly or have verified their identity, be cautious opening their files or providing sensitive information online.
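The domain in the From: line proves nothing on its own, but the receiving mail server does record whether the message's authentication checks passed, and that record can be checked against the From: domain. The example below is added here and is not from the original post; it applies the alignment idea behind DMARC to the Authentication-Results header: treat a sender as verified only when SPF or DKIM passed for the same domain shown in From:. The two messages are constructed samples, and the header format follows RFC 8601's usual "method=result domain=..." layout. In practice only the Authentication-Results header stamped by your own mail server should be trusted, since anything added upstream could have been written by the sender.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not real mail). Both claim to come from example.com.
LEGIT_MESSAGE = """\
From: Alice <alice@example.com>
To: bob@example.net
Subject: Q3 invoices
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Attached are the invoices we discussed.
"""

SPOOFED_MESSAGE = """\
From: Alice <alice@example.com>
To: bob@example.net
Subject: Urgent: password reset
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.example.org; dkim=none

Please send me the MFA code for the shared mailbox.
"""

AUTH_RESULT = re.compile(r"\s*(spf|dkim|dmarc)=(\w+)(?:\s+(?:header\.d|smtp\.mailfrom)=(\S+))?")


def parse_auth_results(msg):
    """Map each method (spf/dkim/dmarc) to (result, domain it was evaluated for)."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for clause in header.split(";")[1:]:  # the first field is the server id, not a result
        m = AUTH_RESULT.match(clause)
        if m:
            results[m.group(1)] = (m.group(2).lower(), (m.group(3) or "").lower())
    return results


def from_domain(msg) -> str:
    """The domain the recipient actually sees in their mail client."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_sender(raw_message: str) -> str:
    """'aligned' only when SPF or DKIM passed for the very domain shown in From:; otherwise 'unverified'."""
    msg = email.message_from_string(raw_message)
    shown = from_domain(msg)
    results = parse_auth_results(msg)
    for method in ("dkim", "spf"):
        result, authenticated_domain = results.get(method, ("none", ""))
        if result == "pass" and authenticated_domain == shown:
            return "aligned"
    return "unverified"


if __name__ == "__main__":
    for label, raw in [("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)]:
        print(f"{label}: {assess_sender(raw)}")
```

The comparison on the domain, not just on "pass", is the important part: a sender can easily get SPF to pass for a domain they own, so a pass for some other domain tells you nothing about the address displayed to the reader. An "unverified" result is a reason to confirm with the person through another channel before opening their files, exactly as the paragraph above advises.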

Time to Keep Your Website Safe!

So, how do you secure a website? It starts with diligence and precaution. Security for your website starts with safeguarding your account using 2FA and MFA. After that, you must secure your passwords. Make them both unguessable yet memorable. 

Designing mnemonics or other tools to remember more complex passwords is helpful. Complex does not have to mean impossible to remember. The previous example of FORT as a way to remember “Frog-Ordinance-Ring-Toast-13” sticks in the mind after only reading it a few times.

Finally, be diligent when accessing files on the Internet. Sources can mask their true identity, but we at Proof Digital hope this blog highlighted the common threats online and how people give them valuable information.

Though external website security is crucial, it does not have to be complicated. Protecting your website requires only a few steps and some daily mindfulness when operating online.

These web security tips help protect your information, your business, and its clients.

When it comes to our personal information, we must value it as much as the bad guys do, which starts with taking the steps outlined in this blog. It is not impossible to decrease your website’s vulnerability. With these steps, you can secure your website better than ever!

Reach out to Proof Digital to learn more about keeping your website safe. We can give you one less thing to worry about in this ever-advancing world of technology.
