Most browsers display a secure icon (e.g. a padlock) in the address bar when they are using a secure connection to a website, and the site's address will begin with https rather than http.

Problem

When users log in to a website over an insecure connection, their username / password can be intercepted by hackers. Modern browsers may warn users when they are about to send a password over an insecure connection.

Hackers will try to guess usernames / passwords to gain entry to your site. They use automated systems that keep trying until they have gained access; base-camp hosted sites have recorded 35,000 such attempts over a 50-hour period.

Once a hacker has a username / password, they can gain access to the site. Hackers will also try this username / password combination speculatively on other websites.

Solution

1. Use a strong and unique password

Strong passwords are less likely to be guessed by hackers. Include punctuation, numbers, upper-case and lower-case letters. A password such as {1/8/1990@13street] is perfectly acceptable.

Users should not use their site-editing password for anything else. Once a hacker obtains a username / password (either by guessing or by interception), they will try it on other sites (e.g. banks) and sell the details on to other hackers.

2. Use a secure connection when editing the site

base-camp hosted sites have a security certificate installed. This means users can connect to the site securely, and information passing between the site and the user cannot be intercepted by a hacker.

If necessary, an additional security certificate can be added to any base-camp site. There is a charge for this (not a lot); please ask Richard for details.

Remember, this secure connection only prevents hackers from intercepting a password. Hackers can still gain access to the site if they guess the username / password.

3. Use multi-factor authentication

Multi-factor authentication requires users both to have a device and to know a password in order to log in. If a hacker guesses or intercepts a username / password, they still cannot log in to the site without the second device.

There are a few options available:

  • Install Google Authenticator on a smartphone, etc. (the phone becomes the required device)
  • Purchase a YubiKey (a small USB device)
  • Install a passkey on your device (your PC, etc. becomes the required device)

Read more about this method of logging in here.

4. Use a passkey instead of a password

Web Authentication (WebAuthn for short) allows a user to log in to a site securely without using a password. The passkey is stored on your device. You still need to provide your username. It is extremely resistant to the problems with passwords listed above.

Read more about this.

Email

Users are recommended to collect email using the secure server. The settings to use are those described in Email help.