Free Range Passwords: Bad Idea

keyringWe all know the recommendations about your online passwords -- the crazier and more full of random numbers and uppercase letters, the better. We hear all the time about the best ways to choose a password -- and if we're not feeling up to the task of creating a good one, there are even web sites out there to help us:

Now, once we have this fabulous, super-secure password, we feel pretty good about the safety of whatever we're protecting. Who would ever figure out that the password for the administrative back end of our web site is Hjj2b65Q?

Can anyone else see the problem with that last question? I'll give you a hint: the problem word is between the words "that" and "password." It's the word "the." There should never be just one password for your web site -- or, if you can help it, for anything associated with your business. Today, I'd like to talk about password best practices for passwords on your web site content management system. Many of them can apply to other office systems like your voicemail, customer management, accounting, etc.

 Be the Big Boss of Your Web Site

bigbossEven if you never intend to be the person to make daily changes to your web site, you should have the highest level administrative access to your site. That means that when your web developer sets up your site at first, take the time to learn how to log in and create, edit, and delete other users accounts using a login and password that you never intend to share with anyone else.

Never. Really, absolutely never.

You want there to be an account there that no one besides you can ever see. Here is the nightmare scenario that keeps me up at night on my clients' behalf:

Joanna the administrative assistant has been adding new articles to the web site for a year. She's done a great job, but she hasn't shown up to work for three days, leaving my client in the lurch. My client calls to find out what's going on, and Joanna is unapologetic. My client immediately fires her. 

Several hours later, I open my web browser to find my client's site covered with digital grafiti. The home page has a photo of my client holding a bottle of cheap wine and standing on a table at last year's holiday dinner, and the caption is -- how do we say this? -- even more unflattering. This needs fixing right away. Now what?

Here are the password setups you could have for your web site, in order from best to least desirable to resolve that scenario above.

Your password security level

Your staff's password security level

What you can do in the scenario above

Highest, with the most privileges No one has as many privileges as you In the course of five minutes, delete your staff's password and login entirely, undo the changes she made, and change the passwords of all remaining staff until your next staff meeting and discussion.
Highest, with the most privileges The same level of privilege as you. If Joanna is shrewd and vindictive, she may have logged in with her high security privileges and changed your password and/or the passwords of the rest of the staff. Now you can't log in, and you can't disable her login. Now you can begin the arduous process of calling your web hosting company, proving that you are the site owner, and seeing if they can change the logins for you. If they can't, you'll have to have them take down the site entirely until you can get something less damaging up. You'll need to call your web developer and get him or her working on undoing all this damage -- all of this taking place while your site is down.

If Joanna isn't vindictive, then you can follow the steps in the first row above.
Medium or low, just enough privileges to make minor changes -- you never have to work on the site anyway. Higher than yours Panic. You'll have to make phone calls frantically -- to your hosting company to shut down the site, to your web developer to get started recreating it, and maybe to your insurance company if this creates a loss of business, and to your attorney, and, if you're really flipping out, to your spiritual advisor.

 Maintain Control of Your Online Data

panic sign from me make it as clear as possible: the password to your web site's back end is exactly like the keys to your storefront. You would never give an employee keys to places for which you don't have keys, and you would certainly never give that employee the only set of keys you have. Even if your employee is the person who opens and closes the store, and you only ever come at 10am, you still want to have the ability to be there whenever you want. You shouldn't be any more relaxed about access to your web site. Part of the procedure that you go through whenever an employee leaves is to get his/her keys and company property like laptops & cell phones. Included in that process should be changing the passwords to any of the online systems to which that employee had access. This includes:

  • Your web site
  • Your social media accounts -- Facebook, Twitter, Pinterest, etc.
  • Your general email inboxes (This email address is being protected from spambots. You need JavaScript enabled to view it. , This email address is being protected from spambots. You need JavaScript enabled to view it. , etc.)
  • Your online purchasing accounts (Amazon, UPS, etc.)
  • Your professional association memberships with online subscriptions

In all likelihood, you don't have a "Joanna" who is going to wreak havoc on your site if you fire her, but what if you do? Or what if your amazing assistant is trapped out of town, or seriously ill, or otherwise unavailable/disinclined to help? Having the keys and passwords is good business practice.

Don't let Joanna keep you -- or me! -- up at night. Come up with some good practices to keep your online security tidy. If you're not sure what the security levels on your web site are, or who has what access, This email address is being protected from spambots. You need JavaScript enabled to view it. . I can help you look at what you have and see if your setup keeps you protected. Do you have a good set of procedures around this in your office? Shout out to us about it on Facebook or Twitter -- we'd love to hear how you're handling it.

tell someone about this:
FaceBook  Twitter