Posts Tagged Yahoo

Why good password practices are no longer optional — Part 1

This is the first part in a two-part series on password security practices and storage. Be sure to read part two as well, if you haven't already!

If you — like many people — are in the habit of using simple passwords, or even the same password over multiple sites, you’re setting yourself up for disaster.

Let me briefly explain: a simple password is much easier for an attacker to brute-force, or simply guess from a list of common passwords, and then use to get into your account. Always use the strongest password a given website supports: as long as it allows, and mixing lower- and upper-case letters, numbers, and special characters, because every extra character and every extra character class multiplies the number of guesses an attacker has to make.

If you're already using strong passwords, good for you. However, if you're using that same password, or a variation of it, on multiple sites, you're undercutting its security. If one website you use it on is compromised and that password is revealed or released, every other website where you use it is effectively compromised as well.

One example of this disaster is the RockYou breach. In January 2010, Imperva released its analysis of the passwords exposed when RockYou.com was compromised and some 32 million accounts were leaked. The analysis listed the top ten most used passwords, and because so many people reuse passwords, countless accounts on other sites that used a password from that list were potentially compromised too. The list was later expanded to the 25 most often used passwords, as reported on Yahoo Finance.
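To make the brute-force, wordlist and reuse points above concrete, here is a small Python example added for this page; it is not code from the original post, from Imperva, or from any real password checker. It infers which character classes a password uses, sizes the keyspace an exhaustive search would have to cover, checks the password against a wordlist first (the way a real cracker does), and lists which other accounts fall when one site leaks a reused password. The wordlist is a constructed handful of typical breach entries, the attacker speed of 10 billion guesses per second and the weak/moderate/strong thresholds are my assumptions, and the time estimate is an upper bound: real attacks use dictionaries and mangling rules rather than pure brute force, so the estimate overstates the strength of anything that resembles a word.

```python
import string

# Constructed sample of the kind of entries found in breach-derived wordlists
# (illustrative only; this is not the Imperva/RockYou list itself).
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "1234567", "rockyou", "12345678", "abc123",
}

# Assumed attacker speed: 10 billion guesses per second, roughly one GPU rig
# against a fast unsalted hash. This is an assumption; adjust to your threat model.
DEFAULT_GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the smallest pool of standard character classes that covers every
    character in the password. An attacker who knows which classes appear must
    try charset_size ** len(password) combinations in the worst case."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    known = string.ascii_letters + string.digits + string.punctuation
    if any(c not in known for c in password):
        size += 32  # rough allowance for space / non-ASCII characters (assumption)
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over the inferred classes must cover."""
    return charset_size(password) ** len(password)


def worst_case_seconds(password: str,
                       guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> float:
    """Time to exhaust the keyspace; the expected time to hit is half of this."""
    return keyspace(password) / guesses_per_second


def assess(password: str,
           guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> str:
    """Classify a password in the order an attacker tries things: wordlist first,
    then brute force. Thresholds (one day, ten years) are assumptions."""
    if password.lower() in COMMON_PASSWORDS:
        return "cracked instantly: appears in a common-password list"
    seconds = worst_case_seconds(password, guesses_per_second)
    if seconds < 24 * 3600:
        return "weak: brute-forceable in under a day"
    if seconds < 10 * 365 * 24 * 3600:
        return "moderate: brute-forceable within a decade"
    return "strong: brute force is impractical at this guess rate"


def exposure_from_breach(credentials: dict, breached_site: str) -> list:
    """Given {site: password} and the site that was breached, return every other
    site whose password the attacker now knows. Reuse is what makes this non-empty."""
    leaked = credentials[breached_site]
    return sorted(site for site, pw in credentials.items()
                  if pw == leaked and site != breached_site)


if __name__ == "__main__":
    for pw in ("123456", "abcdefgh", "abcdefghijkl", "Tr0ub4dor&3"):
        print(f"{pw!r:16} classes={charset_size(pw):3d} -> {assess(pw)}")
    # Constructed example vault: the same password reused on three sites.
    vault = {
        "rockyou.example": "princess",
        "mail.example": "princess",
        "bank.example": "princess",
        "forum.example": "something-else",
    }
    print("also exposed:", exposure_from_breach(vault, "rockyou.example"))
```

Run it directly to see the verdicts: a twelve-letter lowercase password only reaches "moderate" at this guess rate, while the same length with all four classes is out of reach, and a breach of one site in the constructed vault hands the attacker two more accounts at once.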

Another example of this disaster waiting to happen is a phishing attack. This type of social engineering attack starts with a convincing-looking email that leads you to a website where you are asked to "log in" or provide some other account details. The site you are directed to looks like the real one but is a fake, designed to capture your account information. Once the site has it, the attacker can use it to log in to the real site, seize control of your account (changing the email address, password, and security questions), and then try those same credentials on other sites. Again, if you are using the same password on multiple sites, the attacker now has access to all of them.

Think you can identify a phishing email? Take a few minutes and take the SonicWALL Phishing IQ Test now. I got 100% on this test; feel free to post your score in the comments below! You can also try the OpenDNS phishing quiz. I scored 14 out of 14 on the OpenDNS quiz. Feel free to post your scores and feedback in the comments below.

The implications are almost limitless if an attacker manages to take control of your email account: once that happens they can issue password reset requests on other sites and start taking control of those as well. For that reason, protecting your email account should always be first and foremost. Google, for one, agrees, and offers users 2-factor authentication, which means a stolen or guessed password alone is no longer enough to log in. If you have a Google (Gmail) or Google Apps account, I recommend you go and set this up immediately. It only takes about 15 minutes.

Do you have any other password security practices that you would recommend? Do you have a story to share about an account being compromised? Do you have anything to share that I didn’t cover above? Please feel free to share in the comments below! Also — check back for part two of this article, coming soon!


Bad robots

On a VPS, bandwidth is limited and usually metered. One of the things you have to watch for is bots, crawlers, and scrapers coming along and consuming your bandwidth while lifting your content.

Some of these bots are good and helpful, like the Google, Yahoo, and Bing crawlers. They index your site so it will appear in the search engines. Others, like the Yandex bot, crawl and index your pages for a Russian search engine. If you have an English-only site targeting US visitors, you might want to consider blocking the Yandex bot.

In my searches I also came across the Dotbot, which seems to crawl your pages just to get your response codes. I’m not sure what they do with the data, but in my opinion it’s better to block them.

So how do you block these bots? The Robots Exclusion Protocol defines a file called robots.txt, placed at the top of your DocumentRoot, containing directives for bots to follow. For example, if your domain is example.com, your robots.txt must be at the following URL:

http://example.com/robots.txt

The robots.txt directives tell bots which paths they may crawl and which they may not. Well-behaved web robots fetch this file before crawling your site and obey the directives in it. Directives are grouped by the bot's User-agent token (the field is spelled User-agent, not UserAgent, and is matched case-insensitively against the bot's User-Agent string); the paths are matched as prefixes. A couple of examples:

Block the Dotbot robot from crawling any pages:

User-agent: dotbot
Disallow: /

Block all robots from crawling anything under the /foo/ directory:

User-agent: *
Disallow: /foo/

The Google Webmaster Tools has an excellent tool for checking your robots.txt file. You can find instructions on how to access it here. Google account required.
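Google's checker needs an account and a live site. As an added example, not part of the original post or of any crawler's code, here is an offline robots.txt checker in Python that implements the matching rules well-behaved crawlers follow: directives are grouped by User-agent, the group whose token best matches the crawler wins (falling back to the * group), and within a group the longest matching path prefix decides, with Allow beating Disallow on a tie. The sample robots.txt (the two examples above plus an Allow line) and the crawler User-Agent strings are constructed for the demo; wildcard paths (* and $) are a vendor extension and are deliberately left out.

```python
from typing import List, Optional, Tuple


class Group:
    """One record of a robots.txt file: the agents it names and their rules."""

    def __init__(self) -> None:
        self.agents: List[str] = []               # lower-cased User-agent tokens
        self.rules: List[Tuple[bool, str]] = []   # (is_allow, path_prefix)


def parse_robots(text: str) -> List[Group]:
    """Split robots.txt into groups. Consecutive User-agent lines share a group;
    a User-agent line that follows a rule starts a new one. Comments (#) and
    fields this demo does not model (Sitemap, Crawl-delay, ...) are skipped."""
    groups: List[Group] = []
    current: Optional[Group] = None
    previous_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field_name, _, value = line.partition(":")
        field_name, value = field_name.strip().lower(), value.strip()
        if field_name == "user-agent":
            if current is None or not previous_was_agent:
                current = Group()
                groups.append(current)
            current.agents.append(value.lower())
            previous_was_agent = True
        elif field_name in ("allow", "disallow") and current is not None:
            current.rules.append((field_name == "allow", value))
            previous_was_agent = False
        else:
            previous_was_agent = False
    return groups


def select_group(groups: List[Group], user_agent: str) -> Optional[Group]:
    """Pick the group for a crawler: the longest named token that occurs
    (case-insensitively) in its User-Agent string wins; otherwise the '*' group."""
    ua = user_agent.lower()
    best: Optional[Group] = None
    best_len = 0
    for group in groups:
        for token in group.agents:
            if token != "*" and token in ua and len(token) > best_len:
                best, best_len = group, len(token)
    if best is not None:
        return best
    return next((g for g in groups if "*" in g.agents), None)


def can_fetch(robots_txt: str, user_agent: str, path: str) -> bool:
    """Decide whether a well-behaved crawler may fetch `path`. Rules are prefix
    matches on the URL path (case-sensitive); the longest matching rule wins and
    on a tie Allow beats Disallow. No matching group means everything is allowed."""
    group = select_group(parse_robots(robots_txt), user_agent)
    if group is None:
        return True
    allowed, best_len = True, -1
    for is_allow, prefix in group.rules:
        if prefix == "":
            continue  # "Disallow:" with an empty value blocks nothing
        if path.startswith(prefix) and (
            len(prefix) > best_len or (len(prefix) == best_len and is_allow)
        ):
            allowed, best_len = is_allow, len(prefix)
    return allowed


# Constructed sample robots.txt: the two examples from the post plus an Allow.
ROBOTS_TXT = """\
# Block the Dotbot robot from crawling any pages
User-agent: dotbot
Disallow: /

# Everyone else: keep out of /foo/, except its public part
User-agent: *
Disallow: /foo/
Allow: /foo/public/
"""

if __name__ == "__main__":
    # Constructed crawler/path pairs for the demo.
    checks = [
        ("Mozilla/5.0 (compatible; DotBot/1.1)", "/index.html"),
        ("Mozilla/5.0 (compatible; Googlebot/2.1)", "/index.html"),
        ("Mozilla/5.0 (compatible; Googlebot/2.1)", "/foo/secret.html"),
        ("Mozilla/5.0 (compatible; Googlebot/2.1)", "/foo/public/page.html"),
    ]
    for ua, path in checks:
        verdict = "allow" if can_fetch(ROBOTS_TXT, ua, path) else "DISALLOW"
        print(f"{ua:42} {path:24} -> {verdict}")
```

Run it directly to see the verdict for each pair. Two things worth noticing: Disallow: /foo/ matches /foo/secret.html and everything beneath it, while the longer Allow: /foo/public/ carves out an exception; and the checker only tells you what a bot that reads the file should do, nothing about what it will actually do.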

However, not all bots obey (or even read) the robots.txt file, and the file itself is public: anything you Disallow is advertised to every visitor, so never use it to hide a sensitive path. It is a courtesy request to crawlers, not access control. Bots that ignore it need special treatment in the .htaccess file, which I'll describe in another post.


Ten things to do first when creating a new website

Alright, so you’ve got your CMS (website software) installed and set up, and you’re looking at your new front page.

Now what?

Here are my suggestions for the first ten things to do to get your website "off the ground", as it were. Do them roughly in this order: each one gives the best results once the ones before it are done.

1. Edit your front page

This should go without saying. Change the default content to something a little personal talking about you and your new site. State what it’s about, but don’t go overboard with the keywords or ads. A new site is a new site, but a new site rife with “keywords” and ads will scream “stay away!”

Don’t worry about themes at this point, unless you have something specific in mind. The search engines won’t care what kind of theme you use and they’ll re-index as things change. There will be plenty of time for theming later.

2. Get an XML Sitemap plugin

XML sitemaps are sitemaps designed specifically for search engines, so they can crawl your site quickly and completely. They list every page, whether or not it is linked from another page, along with each page's last modification date. Even better, most XML Sitemap plugins will automatically "ping" (notify) the search engines when you create or update a page. A must-have for fast indexing.

3. Get your webmaster accounts

Google, Yahoo, and Bing offer webmaster tools for site owners to submit, verify, and specify XML sitemaps for their sites. Once you complete this step, search engines will usually begin crawling your site within a day.

Make sure to complete the verification steps at each site.

Here are the direct links: Google Webmaster Tools, Yahoo Site Explorer, Bing Webmaster Center

4. Get a good stats system

Server logs aren't a good indicator of site traffic unless you're getting fewer than a handful of hits a day. Once you start getting some traffic, you're going to want to see which pages are popular and with which visitors. Inbound search terms will also show you what you're doing right, so you can keep focusing on what matters.

I recommend Clicky. The stats are real-time and it’s free for one site.

5. Get some inbound links

Chances are you have at least one friend with a website. Ask them to put up a link to yours. This is good for two things: traffic and search engine ranking.

Visitors to the other site may see a link to yours and click on it, and search engines will see the link from the other site to yours and “follow” it to yours, helping your search ranking.

Of course, it helps if the sites are on the same topic as yours.

6. Make it your own

Start playing with the theme, layout, and color options. Make it your space and your style. Darker themes tend to suit personal sites, lighter themes more professional ones. If you are an artist (painted or drawn art, music, etc.), use colorful backgrounds that show off your skills; if you create something, show some style.

7. Start adding real content

Nothing is going to turn away visitors faster than the words "Coming Soon" or "Under Construction." Post something, if only a few paragraphs. Talk about yourself, the reason and aim for your site, and what you're working on. Link to your user profile on some social networking sites, put up pictures. Above all, make sure it's original content! Users know when you steal from other websites, and it will immediately discredit you.

8. Make yourself available

Add a contact form, your email address, a Skype or Google Voice button if you have them. If a viewer wants to get in touch with you, they should be able to. If you’re a business, your address and/or telephone number are also a must.

9. Add interaction

Add a comment box or guestbook. Let visitors comment (even if it’s negative). You may learn something. Respond to the comments to show you are involved and that you care.

10. Update often!

A web site is not a set-it-and-forget-it kind of thing. Look at your site regularly and add new content, update out-of-date content, and play around with the layout. Out-of-date content is a turn-off for most web visitors. No one wants to spend time reading a post that is obsolete or out-of-date. Keep it fresh and keep it coming.

Have experience launching a website or any advice to share? Did you try these tips? Did they work for you? Have something to add? Please share it in the comments!
