Thoughts on WordPress Security

My new venture (Selldash) lets you do e-commerce and subscription commerce on top of WordPress, using Kubernetes to manage the underlying infrastructure. But WordPress hosting and providing a super-fast website is only half the story. The other side of the coin is security. This includes securing WordPress, securing our cloud infrastructure, managing access to server-side assets, providing fine-grained access to customers, securing passwords, etc.

What is Selldash? Selldash is an e-commerce engine built on top of Kubernetes and WordPress. Sell physical goods, digital assets, or even a content subscription. All you need is a domain and Selldash takes care of the rest. Get started with a FREE trial (no credit card needed).

I will be posting a series of articles on this topic, but let’s first start with password security since that is often the weakest link especially if you are not following best practices. As you might have heard in the news, the Colonial Pipeline ransomware attack is suspected to have been triggered by a single password that was compromised and leaked on the dark web.

Are you storing passwords in plain text?

Often, small businesses (and the IT service providers who support them) find themselves using password storage techniques that seem like the easiest, most effective ways to manage credentials… but are these methods secure?

The short answer is no. More often than not, the password storage techniques used by organizations are not secure. We’ve seen it all: passwords in Word documents, passwords in spreadsheets, passwords in business management platforms, and the dreaded passwords stored in browsers. Keeping credentials in these locations can essentially defeat the purpose of having passwords on your accounts, if you’re using passwords alone. It only takes one stolen password or one wrong click for a “bad guy” to find the keys to the kingdom—and then they can steal anything, because there’s nothing standing in their way.

The solution? A secure password manager. Read on below to see our recommendations.

How to evaluate a commercial password manager?

There are many options for password management, so it’s helpful to determine what features are important to your organization when weighing your options. A few key security-related questions to consider are:

  • Where is the database stored? (e.g. in the cloud, locally on the user’s device, or another location)
  • How are passwords unlocked / accessed? Is there a master credential to gate access?
  • How is the database protected? (e.g. is it encrypted? How is access authenticated?)
  • What is the cloud sync security model? Are all channels encrypted end to end?
  • If your team is exchanging passwords, what is the security model around that?

A few of the top password managers on the market today include:

LastPass encrypts password databases with AES-256 bit encryption and also offers multi-factor authentication (MFA) as a login option to access the database. LastPass offers a mobile app in addition to the desktop password manager, so passwords can be accessed on the go.

This is a non-commercial password manager that offers robust security, multiple user support, and secure password generation for users free of cost. While it doesn’t offer native device syncing as a feature, it’s possible to store the database file in a shared location or on a removable storage device for access across multiple devices.

Dashlane is a modern password manager that offers syncing between devices, autofill passwords, and even customized data breach alerts. The password database is stored in Dashlane’s cloud storage. Basic password management is free for single users, but the premium subscription runs a few dollars per month.

Multi-factor Authentication

What happens if someone figures out your password? Well, in a case where you have multi-factor authentication (MFA) enabled, it’s not quite game over yet. Your MFA is your last line of defense.

MFA, sometimes referred to as two-factor authentication or 2FA, is an option that requires you to present two pieces of evidence – or credentials – when logging in to an account to prove that you are the account owner. Many websites now offer this option in the format of a 4- or 6-digit code sent to the account owner’s email or mobile number. There are also authenticator apps like Google Authenticator that allow you to scan a QR code when setting up MFA and no longer have to wait to receive a text—the 6-digit codes are all stored in the authenticator app and refresh every minute.

MFA is a great option for added security because it means that if someone knows your password, they still can’t get into the account (as long as they don’t also have access to your phone or your email). While MFA can sometimes seem like a tedious extra step, you should consider enabling it on all business accounts that you can. Remember, what’s easier for you is also easier for the bad guys. MFA is usually an effective solution against a “script kiddie” or novice hacker.

Use an open-source password manager

While the commercial password managers listed above are all viable candidates, at Selldash we are paranoid about security and subscribe to a “zero trust” security model. This means we put greater trust in software we can freely inspect and verify, i.e. open-source software as opposed to closed-source alternatives. Therefore, we recommend BitWarden as our preferred password manager as of June 2021. It is free, open-source, and has a security model that is thoroughly peer-reviewed. You should expect nothing less from your security software.

You can inspect the code for yourself here – BitWarden

Disable cloud-sync of production passwords

Since your passwords should never leave the company-issued laptop, disable cloud sync of any production credentials. This provides an added layer of security since you are no longer dependent on the cloud security model of your preferred password manager. This of course makes it a little inconvenient for your team to share credentials, but that problem is easily solved by using software like Signal – an open-source messaging protocol that is end-to-end encrypted. The slight overhead of exchanging credentials over Signal is fully worth it, given the risk of cloud-stored passwords leaking inadvertently or, worse, being deliberately compromised.

Conclusion

I hope the information above points you in the right direction for password managers and password security. Our preferred combination is BitWarden (with cloud sync disabled) with Signal for credential sharing. We will have a comprehensive article on cloud infrastructure security and WordPress security uploaded soon. But none of that matters if your passwords are hacked or compromised. So pay attention to password security best practices – your business future and customer trust might very well depend on it.