Most browsers display a secure icon (e.g. padlock) in the address bar when they are using a secure connection to a web-site, and the site's address will begin with https rather than http.

Problem

When users log on to a web-site using an insecure connection, their username/password can be intercepted by hackers. Modern browsers may warn users when they are about to send a password over an insecure connection.

Hackers will try to guess usernames/passwords to gain entry to your site. Hackers use automated systems that keep trying until they have gained access; base-camp hosted sites have recorded 35,000 such attempts over a 50-hour period.

Once a hacker has a username/password, they can gain access to the site. Hackers will also try this username/password combination speculatively on other web-sites.

Solution

1. Use a strong and unique password

Strong passwords are less likely to be guessed by hackers. Include punctuation, numbers, upper-case and lower-case letters. A password such as {1/8/1990@13street] is perfectly acceptable.

Users should ensure they do not use their site editing password for anything else. Once a hacker obtains a username/password (either by guessing or interception), they will try it on other sites (e.g. banks) and sell the details on to other hackers.

2. Use a secure connection when editing the site

In general, base-camp hosted sites do not have a security certificate. This means users cannot connect to the site securely, and information passing between the site and the user can be intercepted by a hacker.

A security certificate can be added to any base-camp site, which will enable users to connect securely to the site. This stops hackers intercepting a user's log-in details. This will cost (not a lot); please ask Richard for details.

Remember, hackers could still gain access to the site if they guess the username/password, even if the site is secure.

3. Use 2 factor authentication

2 factor authentication requires users to have another device as well as a password to log in. If a hacker guesses or intercepts a username/password, they still cannot log in to the site without the second device.

There are 2 options available:

  1. Install Google Authenticator on a smartphone or similar device (the phone becomes the second device)
  2. Purchase a Yubikey (a small USB device)

Read more about this method of log-in here.

Email

Users are recommended to collect email using the secure server; the settings to use are described in Email help.