Joseph Magnotti

October 26, 2011

We’ve all done it.  Using our favorite pet, our name, birthday or other simple password.  It’s foolish and, if you’re building lots of properties online, downright dangerous.  This is especially true if you share passwords with business partners, employees, or (gulp!) outsourcers.

I’m not going to go into basic password strategy here as it’s a bit outside the scope.  Just as a reminder though, passwords should be at least 10 characters long and should not be a common word from the dictionary or something easy to guess by knowing you (e.g. the sugary syrup treat you love).

They should use a combination of uppercase/lowercase letters, numbers, and special characters (no not the crazy European ones, just the ones over the number keys).  If you’re curious, check this out to find out how long it might take to crack your password!  (Don’t use a similar password to any actual password you use…just in case!)

There are two types of password strategies you can use to keep your passwords secure.  It really depends on the situation you are in.  They can be used in combination to great effectiveness.  Done properly, it will be nearly impossible for a hacker to guess or crack your password.  That means no favorite candies either!

Shared Accounts

OK, I really hate the idea of a shared account but they are sometimes unavoidable.   Especially when you have a crew working on your sites, there are just some resources you have to share.  For instance, your Fiverr account.  Or perhaps Copyscape.  I really do wish services like this would provide for sub accounts, with more limited control, especially since most of their customers are using them not only from multiple systems, but with different people.

Still, feature requests go unanswered and shared accounts are the only way to use these resources.  The simple approach is to keep two kinds of password: secure and unsecure.  Unsecure passwords are for shared accounts and should never be used for banking, personal, or any sensitive information.  Think of your unsecure passwords as a lock many people have a key to, while your secure passwords are for you and you alone!  Never share them with anyone!

Individual Accounts

My preferred method of access is individual accounts, each with their own password.  Take WordPress for instance.  You can create different accounts, all with varying levels of access depending on the features and functionality users need to access.  However, having one password across multiple sites is dangerous.  I know what you’re thinking — Joe, how can I remember a new password for every site?  The secret, my friends, is in the code.

Yes, you can use a code to have a different password for each site.  A formula, based on the domain name, that allows you to have a unique password for each and every site.  Let me give you an example using AdSenseFlippers.com.

  • First off, vowels can be replaced by special characters or numbers, as in @ds3ns3fl!pp3rs
  • The TLD (or the part of the domain after the dot) can be brought in front of the password and capitalized, as in [email protected]!pp3rs
  • A unique identifier can be used to start off the password based on the end of the domain name, as in [email protected]!pp3rs (in this case I took the last letter of the domain name, “s”, and used it three times to start off the password with its number and symbol replacement)
  • Finally the password can be truncated to 10 characters, as in [email protected]
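
The four steps above as a Python sketch, added here as an illustration and not the author's own code. Only the a, e and i replacements come from the post; the o and u replacements, the digit-and-symbol rule for the identifier and the sample domain list are assumptions. It also groups domains that end up with the same password, because with a three-character identifier and a three-letter TLD, truncating to 10 characters keeps only four characters of the domain name.

```python
# Added illustration of the domain-based formula; not the author's code.
# From the post: a->@, e->3, i->!. Assumed: o->0, u->^ and the identifier rule.
VOWELS = {"a": "@", "e": "3", "i": "!", "o": "0", "u": "^"}
SHIFTED = ")!@#$%^&*("  # symbols over the number keys 0-9 on a US keyboard


def identifier(last):
    """Last character of the name plus an assumed digit and symbol for it."""
    # Assumption: digit = alphabet position mod 10; symbol = shifted key of that digit.
    digit = int(last) if last.isdigit() else (ord(last) - ord("a") + 1) % 10
    return f"{last}{digit}{SHIFTED[digit]}"


def formula_password(domain, length=10):
    """Apply the four steps to a bare domain such as 'adsenseflippers.com'."""
    name, _, tld = domain.lower().partition(".")
    if not name or not tld:
        raise ValueError(f"expected name.tld, got {domain!r}")
    body = "".join(VOWELS.get(c, c) for c in name)    # step 1: vowel replacement
    full = identifier(name[-1]) + tld.upper() + body  # steps 3 and 2: prefixes
    return full[:length]                              # step 4: truncate


def collisions(domains, length=10):
    """Group domains that the formula maps to the same password."""
    seen = {}
    for d in domains:
        seen.setdefault(formula_password(d, length), []).append(d)
    return {pw: ds for pw, ds in seen.items() if len(ds) > 1}


# Constructed sample list; only the first domain appears in the post.
SAMPLE = ["adsenseflippers.com", "adsensenotes.com", "example.com", "example.org"]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d:22} {formula_password(d)}  (full: {formula_password(d, None)})")
    print("collisions at 10 chars:", collisions(SAMPLE))
    print("collisions untruncated:", collisions(SAMPLE, None))
```

Running the collision check over your own list of domains shows whether the truncation length in your formula is long enough to keep every password unique.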

This formula can be varied greatly to fit your needs.  Be creative.  Have some fun with it.  Perhaps you could use a set of your favorite fictional characters (or ex-girlfriends/boyfriends) based on the first letter of the domain. You could also introduce some real randomness to your passwords based on month for passwords you change often.

Now if you share accounts, you could have one unsecure formula you share with others so those sites do not have the same password.  Then you can have one internal formula you use for your own accounts that you do not share.  Should one password be cracked, the formula would be difficult to crack and only one site would be compromised.

This might seem overly complicated, but once you have your own formula it becomes extremely easy to come up with a secure and unique password that you can’t forget.  I highly suggest this method for banking sites and email as those usually contain very sensitive information.

What about you?  How do you secure your sites and passwords?

Editor’s note: Just in case you’re wondering why you should have an individual secure password for each site, take a look at these password recovery speeds from some real frightening evaluations of how long it takes to crack easy passwords.


Discussion
  1. Barton Bright says:

    Ok. I have been guilty of very lazy password security and just as the AdSense sites are starting to make some money I’ve been hacked across about a dozen sites including my best earner. Attacks have come from a variety of countries, IPs and AdSense publisher codes.

    I’ve managed to take back control of all the sites except the best earner. I use CTR Theme for most of the sites and in the case of the best earner whenever I put in my codes it just defaults back to the hacker’s codes. “ca-pub-1450741504046658” I hope you roast in hell whoever you are. I will find you!

    I’ve deleted all previous users and made sure that no usernames are ‘admin’ anymore. I’m using very long randomly generated passwords.

    I’ve put in a plugin called Login Lock that notifies me of failed login attempts and blocks access to that user for a period of time.

    I was wondering what else you guys do in setting up the WordPress sites to protect yourself?

    Cheers
    Paul

    • We use Login Lockdown on all the sites to protect against brute force attacks.

      Sounds like the hacker installed some sort of script. Try exporting the DB and installing on a clean version of WordPress on a new hosting account. That should do the trick.

      • Barton Bright says:

        Thanks. I think I’ll crash and burn that hosting account completely. Thinking about going to a HostGator reseller account so that I can give each WP install its own cPanel so outsourcers don’t gain backdoor access to all the sites at once. I found a couple of domains where only one or 2 ad blocks had been changed so I was still showing some views and clicks.

        It’s no good building sites to have your profits stolen from you.

  2. Bitriot says:

    It is worth mentioning that a password like TREEHOUSE ZEBRA FORTY SKYSCRAPER

    is a million times more secure than a hard to remember password with lots of numbers and special characters. When people try to break into password secured properties, they use a method that will run through every character. The goal is to have MORE characters, not trick characters.

  3. Casey Dennison says:

    Indeed. I am so guilty of this and I’m glad you guys wrote up a post on it. If I’m going to be getting serious with building niche sites I need to start treating it like a business and take the right safety procedures!

    • Don’t beat yourself up too much, we all do it! I still have some legacy accounts with easy passwords. But yes, as you create more and more sites you have to follow a good set of security parameters to ensure safety.

  4. lasspass.com and I use a combination of names and numbers that no one person could know I’d use!

    However both my ex working wives together could maybe work it out :-) but that’s not going to happen :-)

    Seriously, 3 sets of numbers and 4 sets of words in various combinations is enough for nobody else to be able to work it out.

    I hold them all in lasspass so I don’t have to work it out for each site visit.

    regards

    • I think you mean Last Pass, right? Again, great software, but we should all get away from password managers. One password to crack them all? It’s scary especially if you have your email in there. A potential hacker could not only steal your niches, he could become you!

      Plus reset all the passwords associated with that email address. Yikes!

      • Steve Wyman says:

        Hi Joe, yes indeed I did! lastpass.com

        I have no issue with your idea, but by using a very complex password structure for my LastPass login and using automatic random passwords for sites I have a pretty good system to deal with 100+ logins.

        Your ideas are solid and work well.

        regards

        And oops, not only did I have the wrong name, I did not put my name in the user field... not intended. Apologies.

        • No problem Steve. Question though, if you are using random passwords that you do not know and something happens to Last Pass (i.e. they get hacked, go out of business, or just have an outage), how will you recover your password without resetting it?

          • SteveWyman says:

            Hi,

            Pretty much all sites have a password recovery system, so it’s the same process if you have a brain or computer system.

            It’s worth saying I use a system as I decided as a young person that I did not want to clutter my limited recall ability with too many thoughts :-) I have way too many as it is.

            On a separate note, are we going to see part two of linkbuilding strategy soon :-)

          • Was just reading through the comments here Joe. I also use LastPass and they have a way to export all your stored passwords as a CV. I do it every week or so so that if anything happened I have everything on my hard drive. That being said, your system is probably a lot more secure.

          • Interesting. Perhaps my system is overkill. I will look into LastPass soon.

          • That should read export as a CSV.

      • Casey Dennison says:

        I have never used a password manager but I was thinking about how someone could easily just hack into those types of websites and gain access to everything. Or what if for some reason they just lost their whole database and then what? Not good..

  5. Chris says:

    I just use 1password. Works on Mac, Win, Dropbox & iPhone

    • Good software, but I am still very leery of password managers as they are inherently NOT secure. If someone cracks your password manager password, they have access to all your sites. What a nightmare!

      • Chris says:

        That might be true. However, for the hundreds of passwords that I create for myself and my clients, I could not think of another option that is more safe while applicable.

        Of course, you should not put your master password into your wallet…
