Password Protection Best Practices
Save Yourself Headache and Heartbreak
It’s fairly common sense to try to hide your passwords – why else would websites themselves censor them behind those little dots? Every time a company or site has a breach in personal data, everyone scrambles to change their password to ensure the protection of their account. We keep these crucial words hidden and secret, guarded against prying eyes.
Except for when we don’t. Often, people are willing to give up these keys to the kingdom if the right situation presents itself. Maybe a friend or family member needs access to your account. Maybe the person asking is a web developer or a marketing consultant who needs access to your website. It can be all too easy to assume the best and rely on their trustworthiness. It’s faster to just hand the password over. One of our clients learned the dangers of this the hard way…
A Mr. WPress Client’s Story
One of our clients, we’ll call her “Jane” for this story, needed help fixing some bugs and other issues on her website. Before she had even heard of us, she reached out to a different developer for assistance. In order to resolve the issues, the developers said they needed access to her GoDaddy account. Not an unreasonable request from a web developer, and thinking they seemed trustworthy, she gave them access to her own, sole user account.
The work was completed, and Jane paid the developers with a check. They didn’t accept the payment. She tried with a cashier’s check instead. They didn’t accept that payment either. The developers demanded cash, and when Jane said she had already provided payment, the developers suddenly turned on her.
With the access to the site that Jane provided them, the developers changed her password so she couldn’t get back in, and then transferred the domain into their own names. Since they had access to her email accounts through GoDaddy, they were able to see when the transfer request emails came in and approve them. They locked Jane out of all the company email accounts, shut down her site with a message about a “lack of payment,” and when Jane involved the police the developers were able to claim they owned the domain because of the previous transfer of ownership.
GoDaddy has some resources for combating this type of scenario. But with their new control over the domain, the developers could potentially transfer the domain to another registrar, which would be completely out of GoDaddy’s jurisdiction. Jane came to Mr. WPress, and we’re doing what we can to help resolve the situation, but Jane is in a pretty tough spot when all is said and done.
Update: Unfortunately, GoDaddy didn’t end up helping as much as we’d hoped. Jane eventually got through to a supervisor, who said they wouldn’t be able to address her issue for an estimated 18 days because of their backlog. This is ample time to transfer the stolen domain away from GoDaddy, so by the time the registrar is finally able to help Jane, it will likely be moot. Due to the bad actor’s thoroughness, Jane essentially can’t run her business. Her only recourse is to go to court, which she is pursuing, but this course comes with its own delays and difficulties. We wish Jane the best in getting her domain back, and stand ready to help if she needs to rebuild her online presence.
How to Avoid Disasters
It’s a tricky situation, because the developers likely did need access to Jane’s account to complete their fixes. And if you’re not versed in web security, it can be easy to make a misstep with terrible consequences. At Mr. WPress, we hold ourselves to high security standards. We take all the steps necessary to avoid taking direct possession of sensitive information such as passwords. But not all developers are so forthright, or want to take the time to go through these crucial steps.
Familiarize yourself with the options below so you can take the security into your own hands:
- NEVER give unilateral access to your website, hosting account, or domain registrar to ANYBODY. At the barest level of assurance, you can at least create a separate account for the party in question. That account should not have any permissions regarding account access or the management of other user accounts, either. There’s still plenty a bad actor could do with this permission, but at least they won’t be able to lock you out and tie your hands behind your back.
- Use LastPass to share access without providing actual credentials. LastPass’s sharing capabilities allow you to hide the password itself from the recipient, even though they can use it to access an account. Combined with the above item about keeping them out of user settings, this lets you keep the actual password from them permanently. If something starts going wrong, you can revoke their access through LastPass and render them powerless.
- Have an explicit scope of work, and arrange payment details ahead of time. This can range in formality. You may have saved email threads, or a full-fledged contract signed by both parties. But having something in writing can protect you later down the line if either side starts to deviate from the initial agreement or take any shady actions. Don’t let it come down to your word against theirs.
- Don’t bend these rules! No matter how trustworthy or professional they might seem, you never know what could cause them to turn on you. Even if the party in question themselves don’t betray your trust, you never know if they’re hiring a third party to help them, storing the credentials unsafely, or any other kind of risky behavior that may never come to light except in the worst-case scenario. For every time you send your actual password out into the world, there’s one more chance for disaster.
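For the “separate account with no user-management permissions” advice above, here is what that looks like on a WordPress site. This is an added example, not Mr. WPress’s own code or anything from the story: it assumes a role slug of contractor, a capability denylist of our own choosing, and that the file lives in wp-content/mu-plugins/ so it loads on every request. The registrar and hosting-account side of the advice has no code equivalent; there, the separate-user and LastPass-sharing steps are the whole mitigation.

```php
<?php
/**
 * Added example (not Mr. WPress code): a WordPress mu-plugin that gives an
 * outside developer a working account without user-management power.
 * Assumptions: the role slug "contractor", the capability denylist below, and
 * that this file is dropped into wp-content/mu-plugins/ on the site.
 */

// Capabilities that let a user take over the site's accounts rather than just
// edit its content. Chosen for this example; adjust to your own risk tolerance.
const MRW_EXAMPLE_LOCKOUT_CAPS = [
    'edit_users', 'create_users', 'delete_users', 'promote_users',
    'remove_users', 'list_users',
    'manage_options',                                      // can change the admin email and other settings
    'edit_plugins', 'install_plugins', 'activate_plugins', // a plugin can do anything, including adding admins
    'edit_themes',                                         // theme PHP runs with full site privileges
];

/**
 * Create the "contractor" role: every capability of the built-in Editor role
 * minus anything on the lockout list. Safe to call on every load; add_role()
 * returns null and changes nothing if the role already exists.
 */
function mrw_example_register_contractor_role() {
    $editor = get_role('editor');
    if (!$editor) {
        return;
    }
    $caps = $editor->capabilities;
    foreach (MRW_EXAMPLE_LOCKOUT_CAPS as $cap) {
        unset($caps[$cap]); // defensive: Editor lacks most of these already
    }
    add_role('contractor', 'Contractor (no account management)', $caps);
}
add_action('init', 'mrw_example_register_contractor_role');

/**
 * Audit helper: return the lockout-relevant capabilities a user actually holds.
 * Run it against the account you hand out; an empty array means that account
 * cannot lock you out through user or settings management.
 */
function mrw_example_lockout_caps_for(int $user_id): array {
    $held = [];
    foreach (MRW_EXAMPLE_LOCKOUT_CAPS as $cap) {
        if (user_can($user_id, $cap)) {
            $held[] = $cap;
        }
    }
    return $held;
}

/**
 * Offboarding: when the engagement ends, demote every contractor account to
 * the read-only Subscriber role instead of deleting it, so content they
 * authored stays attributed and nothing is lost. Returns the number demoted.
 */
function mrw_example_revoke_contractors(): int {
    $count = 0;
    foreach (get_users(['role' => 'contractor']) as $user) {
        $user->set_role('subscriber');
        $count++;
    }
    return $count;
}

// Constructed WP-CLI usage once the file is in place (user name, e-mail and
// ID are placeholders):
//   wp user create dev-acme dev@example.invalid --role=contractor
//   wp eval 'print_r(mrw_example_lockout_caps_for(123));'   // expect an empty Array
//   wp eval 'echo mrw_example_revoke_contractors();'        // at the end of the engagement
```

The audit function is the part worth keeping around: roles drift as plugins grant capabilities, so re-run it before each engagement rather than trusting the role name alone. Pair it with sharing the login through LastPass so the contractor never sees the password, and the two list items above are covered.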
The Mr. WPress Approach
We do our best to guarantee security, and it’s not based on our own clout or our word. We do it by ensuring we don’t have the chance to compromise your site’s security in the first place. We recommend LastPass to all of our clients, and use it to its full extent in all possible situations. We tend to avoid formal contracts, but we keep detailed email logs of all agreements and updates. And we refuse to take unilateral access to any account of any kind that doesn’t belong to us. We don’t just hope for the best when it comes to website security; we prevent the circumstances that tempt disasters from happening in the first place.
Have questions about security, or maybe another web project you need help with? Don’t hesitate to reach out to us for a free quote! We’re always happy to help.