It may be hard to believe, but even in 2016, brute force attacks remain one of the most common attack vectors on the web.
While it’s impossible to guarantee 100% security against brute force attempts, you can get pretty close by using strong passwords, serving login pages over HTTPS (with strong, modern cipher suites), using two-factor authentication, limiting failed login attempts (and banning the IPs behind them), adding a CAPTCHA field to login pages, using a firewall to filter malicious traffic, and so on.
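One way to implement the "limit failed login attempts and ban the offending IP" measure from that list, as an added example that is not part of the original post: a sliding-window failure counter run over a constructed auth log. The log line format, the documentation-range IPs and the "five failures in five minutes" policy are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (not from the original post); the line format is an assumption.
# 203.0.113.7 fails five times in eleven seconds; 198.51.100.4 fails twice, >5 minutes apart.
SAMPLE_LOG = """\
2016-09-01T10:00:01 ip=203.0.113.7 user=admin result=FAIL
2016-09-01T10:00:03 ip=203.0.113.7 user=admin result=FAIL
2016-09-01T10:00:05 ip=198.51.100.4 user=alice result=OK
2016-09-01T10:00:06 ip=203.0.113.7 user=root result=FAIL
2016-09-01T10:00:09 ip=203.0.113.7 user=editor result=FAIL
2016-09-01T10:00:12 ip=203.0.113.7 user=admin result=FAIL
2016-09-01T10:00:14 ip=203.0.113.7 user=admin result=FAIL
2016-09-01T10:02:30 ip=198.51.100.4 user=alice result=FAIL
2016-09-01T10:07:45 ip=198.51.100.4 user=alice result=FAIL
2016-09-01T10:08:00 ip=198.51.100.4 user=alice result=OK
"""

WINDOW_SECONDS = 300   # assumed policy: five failures within five minutes triggers a ban
MAX_FAILURES = 5

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=\S+ result=(?P<result>OK|FAIL)$")

def banned_ips(log_text, window=WINDOW_SECONDS, max_failures=MAX_FAILURES):
    """Return {ip: timestamp} for every IP that reached max_failures FAILs inside a
    sliding window of `window` seconds, keyed to the attempt that triggered the ban."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip lines that do not parse rather than guessing
        ip = m.group("ip")
        if ip in bans or m.group("result") != "FAIL":
            continue            # successes are not counted, so they cannot launder failures
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        recent = failures[ip]
        recent.append(ts)
        while recent and (ts - recent[0]).total_seconds() > window:
            recent.popleft()    # drop failures that have aged out of the window
        if len(recent) >= max_failures:
            bans[ip] = m.group("ts")
    return bans


if __name__ == "__main__":
    for ip, when in banned_ips(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when})")
```

Because the window slides, a slow trickle of failures from 198.51.100.4 never accumulates, while the burst from 203.0.113.7 trips the ban on its fifth attempt.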
We all know how important strong passwords are. In an experiment reported by Ars Technica, a team of hackers was able to crack 90% of a list of 16,449 passwords, all of which were 16-character, cryptographically hashed passwords, in less than one hour. But security experts are also adamant that site owners change their passwords regularly. Not long ago I believed this was unnecessary, but the recent Dropbox data breach has changed my mind.
No amount of planning can prepare you for the first time your site goes down. Whether it gets hacked, a server crashes, or you just get a blank white screen and have no idea why, your first website disaster will send you into panic mode. Guaranteed. This is when you appreciate having a disaster protocol in place, or a web company that’ll help you get back up and running.
There are a million ways a site can break, but there are solutions to all of them. (Or most of them.) Salty Key uses rigorous security measures and real-time backups to counter any disasters that may happen. While we can’t defend against everything, we have a fallback plan in case everything else fails.
We’re also very strict about who gets login access to our site, which leads us to our security tip of the day: limiting who has access to your site can make the difference in avoiding a disaster. It sounds obvious, but consider this finding from PricewaterhouseCoopers (now PwC):