Your password is too short. Now it needs to include a number. Don’t forget to add a special character.
Passwords are frustrating to most people on the Internet. Balancing between something strong enough to keep you from getting hacked and easy enough to remember is tough.
Why are strong passwords important, and how can you keep track of them? Let’s look at some best practices to keep your accounts safe.
I’m always surprised how most folks treat access to their email. “So what if they get my email password? It’s just my email.” That’s a phrase I seem to run across every time I discuss password security.
The truth of it is, if someone looking to do damage to you gains access to your email, they own you. Every account you have sends the password reset to your email. So, if a bad guy gains access to your email, they have access to your bank, credit card, and any number of other accounts.
Since your email gets tied to so many other accounts, your email password should be among the strongest you have and should never be reused anywhere else.
Speaking of reusing passwords…
Brute force is one of the more common methods bad actors use when trying to steal credentials. Brute force involves guessing passwords randomly as fast as the system will allow in hopes of guessing correctly.
Most well-built websites will see someone attempting to brute force guess a password and will make efforts to stop them; usually, this is as simple as not letting them try for a short time. But, if you have an account on just one poorly coded website, it might not prevent someone from eventually guessing your password using brute force.
Having one account compromised is bad enough. If you reuse your password, having one compromised account means all your accounts are compromised.
You might think that using a combination of some pseudo-personal information makes your password easy for you to remember. And you would be right. But it also makes your password far easier to guess.
If you are on social media, your birthday, your phone number, and the names of your spouse, children, and pets are trivial to find. However, even if you are not on social media, this information is still relatively easy to find.
Some people even use their social security number as a password, but the truth is, your SSN isn’t nearly as confidential as you think it is. Your social security number has likely already been part of a data breach, but if not, someone guessing your SSN-based password gives them both your password and your social security number.
Whenever there is a data breach that includes passwords, I’m always amazed by how many people use very common passwords.
You might think you’re clever setting your password to ‘qwerty,’ but that’s been one of the top 10 most common passwords since we began using passwords. The same goes if your password is ‘123456,’ ‘password,’ or ‘princess.’
So, if you find your password on a list of most common passwords, it’s time to change it. If you use one of these passwords and someone tries to guess your password, they will try these first, and it’ll take far less than a second for them to run through the whole list.
If you look at the most commonly used passwords above, you’ll notice that many of them are straight out of the dictionary. With just under half a million words in the English language, you might be left with the impression that an obscure word would make a good password.
But computers are quite fast, and if you give them a list (for instance, the dictionary), they can click through all the words in it pretty quickly. At thousands of guesses every second, cranking through the dictionary takes only minutes.
Much like the brute force attack, this is one of the more common ways someone will try to guess your password. It’s (not so creatively) called a Dictionary attack.
A longer password is usually more difficult to guess than a shorter one, even when the shorter one is more complex, because the total number of combinations multiplies with every character you add.
If you have a super complex, 6-character password (complete with uppercase, lowercase, numbers, and symbols), someone intent on guessing your password can try every combination in well under a day.
However, a 16-character, lowercase-only password would take several thousand millennia to guess every possible combination.
Even though that 16-character, lowercase-only password is incredibly hard to guess, adding extra complexity to the password makes it virtually impossible.
I say “virtually” because it is still possible that someone gets lucky and guesses your password on the first attempt. But to guess it within a few years would take some winning-the-lottery-multiple-times-in-a-row luck.
If we add uppercase letters, numbers, and symbols to the 16-character password, we go from several thousand millennia to several million millennia to guess every combination.
The best password is one you can’t remember yourself. A genuinely random, 16-character password that includes upper- and lowercase letters, numbers, and special characters is incredibly hard to guess.
Don’t trust yourself to randomly pick your password because we’re all human and will fall into bad habits like selecting predictable patterns. Instead, you’ll be better off using a generator like passwords-generator.org.
They also have a nice feature that will not use similar characters (“Is that a zero or a capital O?”) or ambiguous characters (“Was that a curly brace or a square brace?”). This relieves the frustration of figuring out whether that character is a “1” or a lowercase “L” and doesn’t make your password significantly easier to guess.
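To put numbers on the last few paragraphs, here is an added example (not from the original post) that computes the keyspace and time-to-exhaust for the password shapes discussed above, generates a random password with Python’s CSPRNG, and measures how many bits dropping look-alike characters actually costs. The attacker rate of one billion guesses per second, the use of string.punctuation as “symbols”, and the sets of look-alike and ambiguous characters are all assumptions, not figures from the post or from passwords-generator.org.

```python
import math
import secrets
import string

# The four character classes the post counts; "symbols" is taken to be Python's
# string.punctuation (32 characters), an assumption about what the post meant.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

# Look-alike and ambiguous characters a generator may leave out; these sets are an
# assumption, not the list passwords-generator.org actually uses.
SIMILAR = set("0O1lI|")
AMBIGUOUS = set("{}[]()<>/\\'\"`~,;:.")

# Assumed attacker speed of one billion guesses per second (the post gives no rate).
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet(*classes: str, exclude: set = frozenset()) -> str:
    """Join the named character classes, dropping anything in `exclude`."""
    chars = "".join(CLASSES[c] for c in classes)
    return "".join(ch for ch in chars if ch not in exclude)


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of `length` characters drawn from `alphabet_size` symbols.
    Every extra character multiplies this by the alphabet size, which is why
    length matters more than mixing in a few symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace; one extra bit doubles the attacker's work."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every combination at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def generate_password(length: int = 16, exclude_lookalikes: bool = True) -> str:
    """Draw each character uniformly from the full alphabet with the CSPRNG in
    `secrets`, optionally leaving out the look-alike and ambiguous characters."""
    exclude = SIMILAR | AMBIGUOUS if exclude_lookalikes else set()
    chars = alphabet("lower", "upper", "digits", "symbols", exclude=exclude)
    return "".join(secrets.choice(chars) for _ in range(length))


def lookalike_cost_bits(length: int = 16) -> float:
    """Bits of entropy lost at this length by dropping the look-alike characters.
    With 94 characters trimmed to 70, the loss is a handful of bits out of ~105."""
    full = len(alphabet("lower", "upper", "digits", "symbols"))
    trimmed = len(alphabet("lower", "upper", "digits", "symbols",
                           exclude=SIMILAR | AMBIGUOUS))
    return entropy_bits(full, length) - entropy_bits(trimmed, length)


if __name__ == "__main__":
    full = len(alphabet("lower", "upper", "digits", "symbols"))
    for label, size, length in [("6 chars, all classes", full, 6),
                                ("16 chars, lowercase only", 26, 16),
                                ("16 chars, all classes", full, 16)]:
        print(f"{label:26} {entropy_bits(size, length):6.1f} bits, "
              f"{years_to_exhaust(size, length):.3g} years to try every combination")
    print("sample password:", generate_password())
    print(f"dropping look-alikes costs {lookalike_cost_bits():.1f} bits "
          f"of about {entropy_bits(full, 16):.0f}")
```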
I can almost hear you ask, “If I can’t remember my password, how will I ever remember my password?” The answer is that you should…
So, now you have genuinely random passwords unique to every one of your accounts, and you can’t remember any of them. So, how are you ever going to know your password?
You can use a password manager. There are several outstanding password managers out there. LastPass and Dashlane both have “free for personal use” accounts likely to be all you ever need. Another is 1Password, which doesn’t have a free tier but is still competitively priced compared to the others’ paid versions.
Another option is the good, old-fashioned pen and paper. There’s nothing wrong with keeping all of your passwords in a notebook. (Address books work well, where you can put “Facebook” on the F page where you can easily find it later.) Just be sure to keep your password book in a safe place.
One method to stay away from is storing your passwords in a file on your computer. All it takes is a quick bit of malware, and every one of those once-secure passwords is compromised.
Looking to set up your email on your Android phone? This tutorial will walk you through the process.
First thing, if you haven’t already, download K-9 Mail from the Google Play Store.
1) Once K-9 Mail installs, use the icon to open it up, and you should see a screen that looks like this, on which you can select “Next”.
2) On the next screen, enter your full email address and password, and select “Next”.
3) Select “IMAP”.
4) The settings on this screen should fill in automatically, but if they don’t, fill in:
Then select “Next”.
4a) If presented with this screen, select “Accept Key”.
5) The settings on this screen should fill in automatically, but if they don’t, fill in:
Then select “Next”.
5a) If presented with this screen, select “Accept Key”.
6) The settings on the following screen should all be correct, unless you tend to have a lot of email. If that’s the case, you can change the “Number of messages to display” to a higher number.
7) Finally, retype your email address in the first field, and your name in the second field. Note: The name you type in the second field will be used on emails you send.
One of my favorite things about WordPress is how extendable it is. As I’m writing, there are currently 43,739 plugins available in the official directory, and, if you can’t find what you’re looking for there, you can always make it yourself. So, what plugins do we think are must-haves? Here’s our pick of 10 of them.
No self-hosted WordPress installation is complete without Jetpack, which brings all sorts of WordPress.com features to your personal blog or company website. You can build custom contact forms, display your portfolio, keep track of your site’s stats, and automatically connect to the most popular social media sites. And that’s just a few of the 35 or so features Jetpack has to offer.
When they say ‘All In One,’ they really mean it. AIOSEOP is the Swiss Army Knife of SEO plugins, and allows you to manage individual posts, pages, and even custom post types. It also lets you verify your site with Google’s Webmaster Tools and Bing’s Webmaster Central, add the Google Analytics code to your header, and even build XML sitemaps for submission to search engines.
So, if you feel confused by all of the options the All In One SEO Pack has to offer, then Yoast SEO is the plugin for you. While the first focuses on those who already have a good grasp of Search Engine Optimization, Yoast is much more friendly to those still learning about SEO, and includes a powerful page analysis tool to help you write better content, and make your site more friendly to search engines.
It isn’t a secret that WordPress is frequently targeted by people wanting to do bad things; that’s what happens when you’re the most widely used content management system. While there are many security plugins out there, Wordfence is our choice, because it’s powerful and, once configured, will take care of most issues before you even get the chance to check on them.
There are almost as many backup plugins as there are opinions on which WordPress backup plugin is the best. Our choice is BackWPUp, because it’s easy to configure (even for those not that technically inclined), and it can store your backups on remote FTP servers or Dropbox, send them to you via email, and much more.
Another great plugin by the folks that brought you WordPress in the first place. Akismet helps keep your blog spam free by running any new comments through their servers, and automatically marking the spammy ones as spam. It requires an API key, but for personal blogs, it’s free, provided you have fewer than 50,000 comment attempts a month. For a professional account, the cost starts at just $5.
One of the drawbacks of using WordPress is that serving the complicated PHP files takes more time (and more server resources) than a static HTML file. WP Super Cache takes some load off of your server by building a static HTML file for the dynamic PHP pages. Once a period of time of your choosing passes, the static page will be dropped and refreshed. It’s a good compromise between static and dynamic.
It happens to the best of databases: over time, they gather extra lines of information that will never be useful again, causing them to slow down bit by bit. WP-Optimize takes that less-than-perfect database and cleans it back up again, improving performance, reducing space, and keeping WordPress generally happy.
Posts and pages sometimes come and go, leaving search engines guessing as to where to go when they can’t find something. Safe Redirect Manager gives them a bit of direction, in case you move, or completely remove, anything from your website.
OK, WordPress Importer isn’t something we keep installed on all of our WordPress sites, but it’s one of those that, when you need it, you really need it. It allows you to take a WordPress export file, and pull all of the posts, pages, categories, tags, and media files (or basically anything you need) into a new WordPress installation. Great for when you need a sandbox to test out theme or plugin development.
Well, there you have it: our 10 must-have WordPress plugins. What plugins do you find the most useful?
In the world of the Internet, computers don’t really have names. They have IP addresses, like 184.108.40.206 or 2001:4860:4860::8888. The problem with that is, people have a hard time remembering numbers, but we’re really good at remembering names. The solution is the Domain Name System, or DNS. DNS takes a domain name, like 10twebdesign.com, and resolves (translates) it to an IP address, such as 220.127.116.11.
So, what really happens when you type 10twebdesign.com into your web browser and press enter?
First things first, your web browser might already know where 10twebdesign.com is located, because you may have visited it recently. If you have, your browser will cache (remember) the information for a certain period of time, so it doesn’t have to keep looking it up if you visit several different pages in a row. But the first time you visit a 10twebdesign.com page, your web browser has no idea where 10twebdesign.com is, so it starts the process of trying to find out.
So your web browser tells your operating system, “I need to know where 10twebdesign.com is.” It’s possible that your OS already knows, and will just tell your browser, but chances are, it doesn’t know either. What it does know is the address of a preferred DNS server, which is usually owned by your Internet service provider and assigned automatically. So, your operating system heads out to your DNS server to find out where 10twebdesign.com is located.
Your DNS server handles requests from basically everyone in your area who uses the same Internet Service Provider that you do, so it’s quite possible that it already knows where 10twebdesign.com is and can answer straightaway. Still, let’s assume no one has looked it up recently enough, and the DNS server needs to find out, too.
Your DNS server will now start working backwards; it needs to find out who manages the ‘.com’ domain names. Chances are, it already knows the answer to that, because someone else has recently looked up some other .com domain name, and it would have cached the information, but for the sake of this article, let’s say it doesn’t know and needs to find out.
Your DNS server now resorts to asking a root name server, of which there are only 13 in the world. These servers, named with the letters A – M, are located all over the world and are owned by many different organizations, including NASA, the University of Maryland, and the U.S. Army Research Lab, just to name a few. Everybody knows where these 13 root servers are, so they can always fall back on them when everything else fails. Your DNS server tells one of the roots, “Hey, I need to know who manages .com addresses,” and the root server responds, “It’s Verisign.”
Your DNS server now caches that answer, so that next time someone looks up a .com domain name, it won’t need to bother the root servers; after all, they are pretty busy, and it makes more sense to just remember and go directly to Verisign. It then heads over and asks the Verisign server, “Can you tell me who knows where 10twebdesign.com is?” The Verisign server responds with “They are registered through this domain registrar.”
So, your DNS server now heads over to the domain registrar, and says, “I need to know the name servers (NS) of 10twebdesign.com.” The registrar responds with one of two or more servers that know where 10twebdesign.com is actually located.
At last, we know who to ask. Your DNS server now makes direct contact with one of 10twebdesign.com’s NS servers, and asks, “Where is 10twebdesign.com located?” Our NS server replies, “It is located at 18.104.22.168, and it has a TTL of 14,400 seconds.” Your DNS server takes this information, and caches it so that the next time someone looks up 10twebdesign.com, it can just tell it the answer of 22.214.171.124, and save a whole bunch of work.
The only issue with this is that it’s possible that 10twebdesign.com might move at some time in the future. That’s where the TTL, or Time To Live, comes in. So, for the next 14,400 seconds, or four hours, you can find 10twebdesign.com at 126.96.36.199. After that, it might change. So, when your DNS server caches the information for 10twebdesign.com, it sets it to expire after the number of seconds specified in the TTL; once it expires in your DNS server’s cache, it will have to look up the information again.
Last, but not least, your DNS server returns the address of 10twebdesign.com to your operating system (that caches the information for the same length of time), and your OS passes the information along to your web browser (which also caches the information), so that it can look up the website hosted there.
The most amazing thing is that, if everything happens as quickly as it should, all of this happens in about a tenth of a second. Now that’s fast.
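The walk described above, as an added simulation that is not part of the original post: a small caching resolver starts at the root, follows referrals down to the authoritative server, remembers each delegation so later lookups skip the root, and honours the record’s TTL before asking again. The zone data, server names and 192.0.2.x addresses are constructed placeholders (only the 14,400-second TTL comes from the post), and delegations are cached without their own expiry, a simplification.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed delegation data standing in for the servers the post walks through.
# IP addresses come from the documentation range 192.0.2.0/24 and are placeholders;
# server names are illustrative only. The A record carries the post's 14,400-second TTL.
ZONES = {
    ".": {"server": "a.root-servers.net", "delegations": ["com"]},
    "com": {"server": "a.gtld-servers.net (Verisign)",
            "delegations": ["10twebdesign.com", "example.com"]},
    "10twebdesign.com": {"server": "ns1.example-host.net",
                         "records": {"10twebdesign.com": ("192.0.2.10", 14400)}},
    "example.com": {"server": "ns1.example.com",
                    "records": {"example.com": ("192.0.2.20", 300)}},
}


def ask(zone: str, name: str, log: list) -> tuple:
    """One simulated query to the server for `zone`: returns ('referral', child_zone)
    when that server only knows who to ask next, or ('answer', ip, ttl) when it is
    authoritative for `name`."""
    data = ZONES[zone]
    log.append((data["server"], name))
    if name in data.get("records", {}):
        ip, ttl = data["records"][name]
        return ("answer", ip, ttl)
    for child in data.get("delegations", []):
        if name == child or name.endswith("." + child):
            return ("referral", child)
    raise LookupError(f"{data['server']} has no delegation or record for {name}")


class ManualClock:
    """Clock the caller advances by hand, so TTL expiry can be exercised offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


@dataclass
class CachingResolver:
    """The ISP resolver of the post: starts at the deepest delegation it already knows,
    walks root -> TLD -> authoritative server, and caches the answer until its TTL expires."""
    clock: Callable[[], float] = time.time
    cache: dict = field(default_factory=dict)                 # name -> (ip, expires_at)
    known_zones: set = field(default_factory=lambda: {"."})   # everyone knows the roots
    query_log: list = field(default_factory=list)             # (server, question) per query

    def resolve(self, name: str) -> str:
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:       # still within the TTL: no queries at all
            return hit[0]
        zone = self._closest_known_zone(name)
        while True:
            result = ask(zone, name, self.query_log)
            if result[0] == "answer":
                _, ip, ttl = result
                self.cache[name] = (ip, now + ttl)  # expire after the TTL, as the post says
                return ip
            zone = result[1]
            self.known_zones.add(zone)             # remember the delegation; skip the root next time

    def _closest_known_zone(self, name: str) -> str:
        candidates = [z for z in self.known_zones
                      if z == "." or name == z or name.endswith("." + z)]
        return max(candidates, key=len)            # longest matching suffix wins


if __name__ == "__main__":
    clock = ManualClock()
    resolver = CachingResolver(clock=clock)
    print(resolver.resolve("10twebdesign.com"), resolver.query_log)   # three queries
    clock.now = 14399
    print(resolver.resolve("10twebdesign.com"), len(resolver.query_log))  # cache hit, still 3
    clock.now = 14400
    print(resolver.resolve("10twebdesign.com"), len(resolver.query_log))  # TTL expired, asks again
```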
It’s a pretty good day when you see something you created featured in the local news:
The Belmont County Sheriff’s Office is unveiling the county’s ‘Most Wanted’ list.
Sheriff Dave Lucas implemented a new feature on their website – a place where you can easily find who’s most wanted.
“Just go to belmontsheriff.com. Go over to the information tab, and you’ll find the wanted,” Lucas said. “And you’ll see a list of wanted people you’re looking for, and we’ll keep adding to that.”
The Wanted List is powered by a WordPress plug-in created by 10T Web Design specifically for the Belmont County Sheriff’s Office. It allows officers to add pictures and basic information for people on their wanted list directly to their website, without the need to know anything about designing web pages.
It is one of several plug-ins we’ve created for their website, which we also design and help manage. Others allow them to list properties for their monthly Sheriff Sales and help to keep the people of Belmont County aware of the winter road conditions, both of which are managed by members of their staff.
Looking forward to continuing to work with the Belmont County Sheriff’s Office, who have been a client of 10T Web Design almost since we came into being.
Every time a company announces that they are going to stop supporting a piece of software, folks start asking me if they should upgrade. It happened with Windows XP, it happened with Internet Explorer 7, and now it’s happening with Internet Explorer 8-10.
OK, so, every time Microsoft announces they are going to stop supporting a piece of software, folks start asking me if they should upgrade. I’m not trying to be unfair to Microsoft here; at a certain point, you have to stop supporting your software, because continuing to maintain it takes away resources you could be using to create the next product.
Microsoft will stop supporting Internet Explorer versions 8, 9, and 10 on January 12th, 2016, and, let’s face it, if you are still running a web browser that was originally released when Oasis was still together, it’s time for you to upgrade.
Well, the most important reason to upgrade is that Microsoft will no longer be releasing updates to the outdated browsers. While that might not sound horrible, any time a security vulnerability or bug is discovered in a program, an update is required to fix it. So, after the software is no longer supported, no one is fixing issues that could allow people with bad intentions to run nefarious code on your computer.
Another important reason to upgrade is that old browsers can make websites difficult or impossible to use. We simply don’t design web pages the same way in 2016 that we did in 2009. Many frameworks (like Foundation) don’t even work in IE8, so you might not even be able to use the website you are trying to use.
Finally, maybe the best reason to upgrade, is that Internet Explorer 11 is a pretty good browser. It isn’t my personal browser of choice, but it’s far better than any other version that Microsoft has ever released. Give it a chance.
It’s what I always hear from folks that say they can’t upgrade their version of Internet Explorer. Because the new version will be incompatible with some web application that they have to use, they are stuck with IE8. Or, (the horror) IE7.
I won’t get into all the reasons that I think this is an awful reason not to upgrade your browser, but I will say that if the web application being used requires a web browser that no longer has security support, then the web application is likely to have security issues as well.
If you find yourself caught in this trap, I highly recommend finding out exactly which applications you are using that require the outdated web browser, and then only using that web browser for those applications. For everything else, give Firefox, Chrome, or any other up-to-date web browser a try. Both are easy to download and set up, and will at least provide you with the updated security that an unsupported version of Internet Explorer won’t.
Beyond “Compatibility Issues,” there is also the possibility that your computer doesn’t have the recommended resources for running IE 11. But those requirements are fairly low; if your computer doesn’t have the resources that Internet Explorer requires, it’s pretty likely that Windows has ground to a halt already.
Go ahead. Upgrade. Your computer will thank you.
There is a new security vulnerability in the wild: Venom. For those of you that remember Heartbleed, this one is even more frightening:
“Heartbleed lets an adversary look through the window of a house and gather information based on what they see,” said Geffner, using an analogy. “Venom allows a person to break in to a house, but also every other house in the neighborhood as well.”
I have verified that 10T Web Design’s server has already been patched and is no longer vulnerable to Venom; however, this is a widespread issue. If you are concerned that your server is vulnerable, just contact me with the name of your hosting company, and I’ll be happy to find out for you at no cost, even if you are not currently a client.
Happy Security Sunday! I found this article the other day on Network World, pointing out studies on the dreaded ‘password strength indicators’ that many websites use to nudge folks into using stronger passwords (and generally annoy most everyone).
“Overall, password strength gateways are inconsistent, with some allowing all letters and others requiring different character sets to gain approval, the researchers found. That sends a mixed message to online users accessing many different websites.”
I agree with the article that the overall intention of the strength indicators is good, but for some the execution falls short, and there are significantly easier ways to keep your passwords secure.
I’ve long been a supporter of password managers such as KeePassX (available for Windows, Mac, and Linux; free) as one of the best ways to keep your online accounts secure. A 20-character string of random letters, numbers and symbols is incredibly difficult to break, and password managers allow you to generate and keep track of them. In addition:
Easy to install, free, and super secure. If you haven’t, give it a try.
With the folks over at WordPress getting ready to release the latest and greatest version, I’ve been taking it for a test drive to check out some of the new features.
There has been a lot of arguing back and forth about Focus Mode, but, personally, the improvement on ‘Distraction Free Writing’ is my favorite feature in the new release. I love distraction free in WordPress, but find it cumbersome to keep turning on and off. Now, you can set it to activate and deactivate automatically whenever you start typing or move the mouse. No need to turn it on and off.
Another nice new feature is the ‘Visual’ image mode. For new users, one of the least intuitive tasks to complete in WordPress was getting your images aligned the way you wanted them. With Visual Mode, clicking on an image will provide you with a floating menu that allows you to quickly change where the image is positioned in the post. You can also open up an edit dialog to change the image’s size, too. I thought that the previous method of aligning images was fine, and wasn’t initially excited when I heard about this change, but after having tried it out, I have to admit it’s handy.
One of the great things about WordPress is how many different languages it’s been translated into, but it’s always been a pain to install language packs. With WordPress 4.1, language packs can be installed directly from the settings page; all you need is the proper write permissions (which, chances are, you have), and installing a new language is a breeze.
Developers will find some new fun stuff, too, including improvements to the Query classes; the updates allow for nested queries based on date, metadata, or taxonomy. For example, if you had posts with ‘author’ and ‘genre’ metadata assigned to them, the following would grab all Horror by Stephen King and Tragedy by William Shakespeare:
    $query = new WP_Query( array(
        'meta_query' => array(
            'relation' => 'OR',
            // Stephen King AND Horror
            array(
                'relation' => 'AND',
                array( 'key' => 'author', 'value' => 'Stephen King' ),
                array( 'key' => 'genre',  'value' => 'Horror' ),
            ),
            // William Shakespeare AND Tragedy
            array(
                'relation' => 'AND',
                array( 'key' => 'author', 'value' => 'William Shakespeare' ),
                array( 'key' => 'genre',  'value' => 'Tragedy' ),
            ),
        ),
    ) );
Also worth mentioning is the release of the latest default theme, Twenty Fifteen. It is a blog-first design, featuring Google’s Noto Serif font, which displays nicely with a variety of language and devices. Very nice and clean; screenshots can be found here.
And that’s about it. Overall, a nice release, but no doubt some will find more use for the changes than others. I especially like that there are good improvements for both new users and seasoned developers. The 4.1 release candidate was released on the 11th; WordPress 4.1 is expected to ship on Tuesday, December 16th.
There is one thing I don’t love about Twitter: It is really easy for someone to impersonate you, and there are just way too many accounts for Twitter to self-police.
So what do you do if, like me, you find out that someone is pretending to be your business?
First things first, you have to find out if someone is impersonating you. Use the Twitter search tool to do this:
If your business is the only ‘you’ there, you are in good shape; it doesn’t seem that anyone is impersonating you. If there are multiple ‘yous’ there, make note of their Twitter handles (e.g. @10TWebDesign), as you’ll need them later.
OK, I know what you are thinking: They are pretending to be me, of course there are rules being broken!
Unfortunately, it isn’t that simple.
If the offending account doesn’t fall into these categories, you have a good chance of getting the account deactivated, especially if they are using your profile and header images.
Time to make the Head Twitter-birds aware of the copycat account. Twitter handles all impersonation complaints using this impersonation complaint form on their support pages. Some tips to make sure your complaint gets approved:
Give the good folks at Twitter time to work. Just because you filed the complaint at 8:32 AM doesn’t mean that the offending account will be down before your morning coffee break. Give it a few days, maybe a week. If you still haven’t heard back from them, shoot a tweet over to @Support and (politely) tell them that you had filed an impersonation complaint and ask (politely) if they have an update.
It’s a good idea to check every month or two just to see if anyone is pretending to be you. Hopefully you won’t find anyone. If you do, feel honored that you are being impersonated, follow these instructions, and you should have no problems. If you have any questions, just drop me a line.