One of my most common debates with clients is “Do I really need a password that complicated?”
In a way I get it. When you’re unfamiliar with hacking, you might wonder why anyone would actively go out of their way to hack your website, so it seems like a silly thing to focus on. One thing I’ve always been very strict about with every website I work with is the enforcement of passwords that resemble a cat walking across a keyboard. Conversely, I also get why people who work in IT or cybersecurity hear this and want to smack themselves with a keyboard until there are key imprints on their foreheads.
A lot of people still put convenience over downloading a password manager. That’s fair enough. It seems like one more thing to deal with in an endless list of things to deal with as a business owner, manager or whatever your role is. Especially if you haven’t had any problems thus far that you’re aware of. Emphasis on that last part; hacks certainly don’t need to be as visible as the one we’re talking about for the purposes of this article. If anything, a backdoor into your system can be even more insidious as data is quietly stolen, but that’s a conversation for another time.
Business and media news outlet Fast Company was the victim of a targeted cyberattack on September 25. This wasn’t a botnet crawling thousands of websites looking for weak points or an outdated WordPress installation; this was an active hacker. The initial attack breached the content management system and defaced Fast Company’s website with obscene messages. Similar profane messages were sent to Apple News followers. As a result, Fast Company made what was undoubtedly the difficult decision to take the entire website offline, and offline it would remain for eight days.
During those eight days I can’t even imagine the amount of revenue that was lost, not to mention traffic or just overall brand visibility. Most business owners don’t have a website on the scale or scope of Fast Company, but even if having your website down for eight days doesn’t directly affect your bottom line, it costs leads, phone calls and E-mail inquiries.
More importantly, the method allegedly used to breach Fast Company could happen to any small business because nobody is immune to human error.
According to BleepingComputer, the hacker who claimed credit for the breach cited weak passwords as the vulnerability:
The threat actor claims they were able to breach Fast Company after they discovered a WordPress instance used by the company for their website.
This WordPress instance was allegedly secured using HTTP basic authentication that was bypassed. The threat actor then says they gained access to the WordPress CMS using a very easy default password that was used on “dozens” of accounts.
BleepingComputer emphasizes that they have no way to verify this independently, but it would not be unusual for Fast Company to use WordPress. Many major media organizations use WordPress, including TechCrunch, The Next Web, Time Magazine, and Wired.
Furthermore, there’s a lot of precedent for this being the cause of an attack. In 2021 alone Ticketmaster, GoDaddy, Microsoft and the Law Department of New York City were all hacked with weak passwords. The NYC Law Department in particular had massive amounts of confidential data compromised all because of a single employee’s stolen E-mail account password.
In case I haven’t made my point clear enough, this should be more than enough evidence that, despite any perceived inconvenience, password managers will save you both headaches and very real money. If nothing else, you won’t have to worry about hunt-and-pecking on a keyboard for that ridiculous password your IT person wisely generated for you. Just remember that the complicated password has a purpose. It’s meant to protect you – it’s not deliberately designed to annoy you. Plus, with a password manager you’ll be able to use that complex password and never have to worry about constantly re-entering it.
Cybersecurity is not a new phenomenon anymore and any of these password-guessing breaches can absolutely happen to any site with a weak password. So download a manager and put the issue to rest.