We encourage you to follow the instructions below as a matter of urgency if you have not already done so, and to incorporate these tasks into a weekly proactive routine of site maintenance to ensure the integrity and security of your site is maintained.
KEEP YOUR SOFTWARE AND SCRIPTS UPDATED TO THEIR LATEST STABLE VERSIONS AT ALL TIMES
Ensure all software and scripts are kept up to date. If you are running any software such as Mambo, Joomla!, phpBB, Simpleboard, PHP-Nuke etc. (indeed <strong>any PHP script at all</strong>) then it is imperative that you proactively take any steps to patch your site to the latest secure version. Over time some of these scripts become vulnerable and open your site to hacking attacks.
Locate the developer website for your software and locate any information regarding updates, and proceed to upgrade your software according to the instructions provided.
Passwords
Use at least eight characters, the more characters the better really, but most people will find anything more than about 15 characters difficult to remember.
Use a random mixture of characters, upper and lower case, numbers, punctuation, spaces and symbols.
Don't use a word found in a dictionary, English or foreign.
Never use the same password twice.
Things to avoid
- Don't just add a single digit or symbol before or after a word. e.g. "apple1"
- Don't double up a single word. e.g. "appleapple"
- Don't simply reverse a word. e.g. "elppa"
- Don't just remove the vowels. e.g. "ppl"
- Key sequences that can easily be repeated. e.g. "qwerty","asdf" etc.
- Don't just garble letters, e.g. converting e to 3, L or i to 1, o to 0. as in "z3r0-10v3"
Tips
Choose a password that you can remember so that you don't need to keep looking it up, this reduces the chance of somebody discovering where you have written it down.
Choose a password that you can type quickly, this reduces the chance of somebody discovering your password by looking over your shoulder.
We encourage you to follow the instructions below as a matter of urgency if you have not already done so, and to incorporate these tasks into a weekly proactive routine of site maintenance to ensure the integrity and security of your site is maintained.
Bad passwords
Don't use passwords based on personal information such as: name, nickname, birthdate, wife's name, pet's name, friends name, home town, phone number, social security number, car registration number, address etc. This includes using just part of your name, or part of your birthdate.
Don't use passwords based on things located near you. Passwords such as "computer", "monitor", "keyboard", "telephone", "printer", etc. are useless.
Don't ever be tempted to use one of those oh so common passwords that are easy to remember but offer no security at all. e.g. "password", "letmein".
Never use a password based on your username, account name, computer name or email address.
Bad examples
"fred8" - Based on the users name, also too short.
"christine" - The name of the users girlfriend, easy to guess
"kciredref" - The users name backwords
"indescribable" - Listed in a dictionary
"iNdesCribaBle" - Just adding random capitalisation doesn't make it safe.
"gandalf" - Listed in word lists
"zeolite" - Listed in a geological dictionary
"qwertyuiop" - Listed in word lists
"merde!" - Listed in a foreign language dictionary
How would a hacker get hold of my password?
There are four main techniques hackers can use to get hold of your password:
Steal it. That means looking over your should when you type it, or finding the paper where you wrote it down. This is probably the most common way passwords are compromised, thus it's very important that if you do write your password down you keep the paper extremely safe. Also remember not to type in your password when somebody could be watching.
Guess it. It's amazing how many people use a password based on information that can easily be guessed. Psychologists say that most men use 4 letter obscenities as passwords and most women use the names of their boyfriends, husbands or children.
A brute force attack. This is where every possible combination of letters, numbers and symbols in an attempt to guess the password. While this is an extremely labour intensive task, with modern fast processors and software tools this method is not to be underestimated. A Pentium 100 PC might typically be able to try 200,000 combinations every second this would mean that a 6 character password containing just upper and lower case characters could be guessed in only 27½ hours.
A dictionary attack. A more intelligent method than the brute force attack described above is the dictionary attack. This is where the combinations tried are first chosen from words available in a dictionary. Software tools are readily available that can try every word in a dictionary or word list or both until your password is found. Dictionaries with hundreds of thousands of words, as well as specialist, technical and foreign language dictionaries are available, as are lists of thousands of words that are often used as passwords such as "qwerty", "abcdef" etc.
Further notes
Please note that you may have components or extra modules in your software (e.g. Forums, Shopping Carts etc.) that may also need patching. Please visit the developer website for each individual script and ensure you take steps to patch and update these also.
SIGN UP TO ANNOUNCEMENT LISTS FOR ANY SOFTWARE YOU ARE USING TO BE KEPT UPDATED WITH SECURITY NOTICES
It is imperative that you are kept informed about security updates for your software and can take proactive measures when an update is released.
For example, ensure your register AND subscribe to those that apply from the following:
Zen Cart announcements at http://www.zen-cart.com/forum/forumdisplay.php?f=2
Joomla! announcements at http://forum.joomla.org/index.php?board=8.0
Mambo announcements at http://forum.mamboserver.com/forumdisplay.php?f=13
osCommerce mailing list at http://two.pairlist.net/mailman/listinfo/osc-announce
If you are using any other package then likewise, locate the forum on the website of the devloper of that script, and register and subscribe to the announcements forum.
