Website security can be a difficult topic to get clear, actionable information on. It seems like security standards change all the time, leaving one to feel that it is just up to chance whether your data gets compromised. We sat down with security experts Steve Bentley and Alex Merk to give you a comprehensive Q&A session on website security.
Password Security
Q: What makes a password weak vs. strong — and why does it matter?
Steve: Weak passwords are usually short, easy to guess, or reused across different accounts, stuff like “123456” or “yourdog’sname2020.” Strong passwords, on the other hand, are long, random, and totally unique. Think of it like this: a weak password is like using the same key for your house, car, and office, and then leaving that key under the welcome mat.
Q: What are leaked password lists and how can I make sure I’m not on them?
Steve: Leaked password lists are huge collections of usernames and passwords that get stolen in data breaches and then shared or sold online. Hackers use these lists to try logging in to other accounts (because let’s be honest, most people reuse passwords). You can check if your info’s been leaked at haveibeenpwned.com; it’s free and only takes a second. If you’re on there, don’t panic: just change your password and turn on two-factor authentication where you can.
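The two checks behind Steve's answers above, as an added example that is not part of the original Q&A: a weak-password assessment (short, guessable because it appears in a leaked list, or low-entropy) and a breach lookup in the shape of Have I Been Pwned's Pwned Passwords "range" API, where only the first five hex characters of the password's SHA-1 leave your machine and the rest is matched locally. The leaked-password set and the range-response body are constructed for an offline run; the endpoint URL is the real one, but nothing here performs a network request.

```python
"""Added example, not from the original Q&A: weak-password checks and a
k-anonymity breach lookup in the shape of the Have I Been Pwned range API.
The leaked-password set and the range response below are constructed samples."""
import hashlib
import math
import re

# Constructed stand-in for a leaked-password list (real dumps hold millions of entries).
LEAKED_PASSWORDS = {"123456", "password", "qwerty", "letmein", "yourdogsname2020"}

# Real endpoint shape of the Pwned Passwords range API: the path is a 5-hex-char prefix.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def estimate_entropy_bits(password: str) -> float:
    """Rough upper bound on entropy: length * log2(size of the character pool used)."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII punctuation and symbols
    return len(password) * math.log2(pool) if pool else 0.0


def assess_password(password: str, leaked=LEAKED_PASSWORDS) -> dict:
    """Return a verdict plus every reason the password counts as weak (thresholds are assumptions)."""
    reasons = []
    if password.lower() in leaked:
        reasons.append("appears in a leaked-password list")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    bits = estimate_entropy_bits(password)
    if bits < 60:
        reasons.append(f"estimated entropy {bits:.1f} bits is below 60")
    return {"strong": not reasons, "entropy_bits": round(bits, 1), "reasons": reasons}


def split_sha1_for_range(password: str):
    """SHA-1 the password, then split into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """The URL a client would fetch; note that only the hash prefix appears in it."""
    if not re.fullmatch(r"[0-9A-F]{5}", prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return RANGE_API + prefix


def count_in_range_response(suffix: str, response_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return how often our suffix was seen (0 = not in the list)."""
    for line in response_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def is_breached(password: str, response_body: str) -> bool:
    """Match the locally kept suffix against the parsed range response."""
    _prefix, suffix = split_sha1_for_range(password)
    return count_in_range_response(suffix, response_body) > 0


# Constructed range response: made-up suffixes plus the genuine suffix for "password".
_, _PW_SUFFIX = split_sha1_for_range("password")
SAMPLE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    f"{_PW_SUFFIX}:12345\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2\n"
)

if __name__ == "__main__":
    for pw in ["123456", "password", "correct-horse-Battery-staple-42"]:
        print(pw, assess_password(pw))
    prefix, suffix = split_sha1_for_range("password")
    print("would fetch:", range_url(prefix))
    print("times seen in constructed response:", count_in_range_response(suffix, SAMPLE_RANGE_RESPONSE))
```

The entropy estimate and the 12-character / 60-bit thresholds are illustrative assumptions, not a standard; the leaked-list check is the one that matters most, because a long password that is already in a breach dump is still weak. To run the lookup for real you would fetch `range_url(prefix)` over HTTPS and pass the response body to `count_in_range_response`, never sending the full password or its full hash anywhere.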
Q: How do password managers work, and which ones are worth trying?
Steve: Password managers are super handy. They keep all your logins in one secure place, so you only need to remember one strong master password. They can even generate strong ones for you and fill them in automatically; no more “forgot password” loops. A few solid ones to check out are Bitwarden (great free option), LastPass, and 1Password. We use them every day and honestly couldn’t go back.
Phishing
Q: How can I spot a phishing attempt?
Alex: Phishing attacks are getting more and more sophisticated. The boom in AI has made phishing a much more accessible attack vector than it was previously; bad actors are able to generate very legitimate-seeming messages with little effort. There are ways to identify a phishing attempt:
- Is the message unprompted? For example, if you have not used a service before, it’s unlikely they would reach out to you.
- Are there uncharacteristic spelling mistakes or grammatical errors?
- Can you reach out to the service and ask them to verify the correspondence? If not, it is probably a phishing attempt.
Q: What should I do if I accidentally click a phishing link?
Alex: If you do happen to click on a phishing link, don’t panic. Phishing attacks are named such because they are fishing for information. If you do click on a phishing link, you can take the following steps:
- Do not enter ANY information on the site. This includes clicking around, typing in text boxes, etc.
- Do not permit any browser services. This could include sharing your location, browsing data, or accepting downloads.
- Close the window/tab.
- Clear your browser stored information, such as cache, cookies, local and session storage, etc.
Q: How can I train myself and my team to avoid phishing?
Alex: Learning to identify phishing attempts is a valuable skill in the era of accessible AI tools. Phishing attacks will become more commonplace and sophisticated, so learning to identify phishing early will help you stay educated on what to look for. By using some of the above strategies for identifying phishing attempts, as well as practicing safe habits if you do click on a phishing link, you will have better digital health.
Below are some extra resources that provide more details about what phishing is, how to spot it, and how to prevent yourself and your team from being a victim.
Steve added that one of his favorite resources for learning to spot phishing is Google’s Phishing Quiz. It gives real-world examples and helps you practice recognizing red flags in a safe environment.
General Website Security
Q: What’s one simple thing every business can do to improve website security?
Steve: Keep your website updated. Seriously, it’s one of the easiest, most effective things you can do. Whether it’s your website platform (like WordPress), plugins, or your server software, keeping everything up to date closes the holes hackers love to sneak through. Automatic updates are a great way to do this: set it and forget it. Your future self will thank you.
Q: What’s a common website security myth that needs busting?
Steve: “Small businesses aren’t targeted.”
Totally false. In fact, according to the Small Business Administration, small and mid-sized businesses are disproportionately targeted because hackers know they’re less likely to have strong defenses. You don’t need to be a big brand to end up on someone’s hit list. Good security is just smart business, no matter your size.
Q: What’s something you wish more people knew about staying safe online?
Alex: I wish more people practiced better password health. Any account you own is a treasure trove of information. It could contain basic information like your name, address, and contact information; saved billing information for payment processors; or, in more extreme (and increasingly common) circumstances, your health data. Using the above strategies is one of the easiest, and strongest, things you can do to protect yourself online.
We’re here to help make sure your website is as secure as it can be. Our clients receive 24/7 security support.
