

Security is Your Responsibility Too


As agencies, we often receive and hold our clients' credentials for all sorts of sites (email-automation application, FTP servers, hosting accounts, social media accounts, and more), but do you protect those credentials adequately, from the way you receive them to the way you share them internally? I bet not.

Agencies are rarely able to focus on the solitary task of architecting email campaigns; a good multi-touch campaign will have social media, press announcements, landing pages, web pages, microsites, shopping cart pages, and more. If that is a typical effort, we must gather, store, access, share, update, change, and protect our clients' user names and passwords for:

  • Twitter
  • Facebook
  • LinkedIn
  • Email-automation application
  • Press-syndication application
  • FTP
  • Host provider
  • cPanel
  • WordPress administration
  • Plug-in administration
  • PayPal
  • Google Analytics

Some of these are extremely sensitive sites representing great potential financial exposure to the client. Yet it's common for the client to email their login credentials without a second thought.
We need to invest in education, internally and externally.

I asked a client today for their PayPal credentials so we could configure their payment gateway and requested the user name by email and the password by text to my phone. I received both the user name and password in the same email and the password was — I kid you not — her first name. I wrote back and asked her to log in immediately, change the password to something VERY hard, and resend via TEXT. I explained the financial-loss risk associated with emailing passwords to sites such as this, which has direct access to the company’s bank accounts.

She texted me the new password a few minutes later. Her first name followed by 1234. What’s worse, it’s the same password she was using at all of the company and her personal social-media accounts, the company hosting account, and the company main email.

I could only sigh, log in, and change the password myself, which I did, and then I texted it to the business owner.

In a conversation about this with my 30-year-old son (yes, a gamer/hacker), he pointed out to me this is an issue of semantics. My client’s understanding of a difficult password and my understanding differed (substantially), and thus when I requested a difficult password, she believed adding 1234 created sufficient security.

Many hackers make no attempt to guess passwords. They take the easy route of harvesting your password from someone else's breach and then trying it everywhere else. Think back to recent news when Adobe's servers were hacked and tens of millions of email addresses were stolen together with their passwords, encrypted so weakly that many were recovered. If your client is (or you are) using that same email address and password for other accounts, then the people who attacked Adobe may well now have access to your bank account, your credit cards, and so much more.

When we ask our clients for their credentials and do not enable them to provide them to us securely, and then compound the problem by forwarding those insecure emails to our team, we increase the risk to and potential losses of our clients.
Here are some ideas for helping your clients protect themselves:

  1. Texting passwords
    As I pointed out earlier, sending the user name by email and the password by text is a useful split: an attacker then has to compromise two channels, not one. Neither email nor SMS is encrypted end to end, and as we've learned from Target, Adobe, Snapchat, and others, nothing is failsafe, but though you cannot prevent every hack or interception, you can certainly throw in a few roadblocks to make it more difficult. It's akin to parking your car after dark under the street light.
  2. Pattern and unique-to-site passwords
    Many people reuse one password simply because remembering many logins is hard. Several years ago I read a good blog post on creating passwords; it is the method we still use today and one we teach our clients. It yields a different password for every account and website, which limits the damage if someone does break into one of your accounts or lifts your credentials from a poorly secured server. Shared here:
    Choose a fixed length you will use for all passwords. Many sites today require at least eight characters, so let's go a bit higher (the example below works out to eleven):
    11
    Take the first seven letters of the site name you are logging in to. For this example, we'll use SpiderTrainers.com:
    spidert
    Now choose two positions you will always capitalize. I'll go with the fifth and seventh:
    spidErT
    Replace one character with a numeral of your choice. Don't be obvious, such as using the numeral 1 for the letter i; be unique. I'll replace the second character with 9 in every password from here on.
    s9idErT
    Open with two characters from the shifted number row of your keyboard, for instance %^.
    %^s9idErT
    Close with two more characters from the shifted number row, such as #@.
    %^s9idErT#@
    Together these steps give a password that differs for every account yet is easy to remember once the pattern is habit. The catch is that the pattern, not the password, is now the secret: anyone who sees one of these passwords alongside the site it was used on can read the rule off it and derive the others. Treat one leak as a leak of all of them and change the pattern.
    If a site's rules reject the pattern (for example, the password must start with a letter), keep a plan B variant and use that.
  3. Create a phrase
    Instead of the pattern trick, use the phrase trick and take the first letter (or leading characters) of each word. For instance, "I think Amazon.com is a wonderful 1st Rate site!" becomes:
    ItA.comiaw1stRs!
  4. Long passwords
    Most sites built today require your password to be at least eight characters, but the longer the better. If you use the pattern trick above and you're visiting Q.com, have a plan C: add a word, such as engine, to any site name too short to supply the seven base characters.
  5. No names
    Don’t use your name, your pet’s name, your child’s name, or your spouse’s name in your password. If you participate in social media, everyone on Facebook knows you have a boxer named Oscar.
  6. Character
    Passwords are ideal when they use at least one uppercase letter, one lowercase letter, one numeral, and one symbol, as we did in our pattern password above. Some sites or applications limit your use of special characters, but for the most part you can use: ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /
  7. Lie
    Many sites today add a second check to the password: a security question. If the site asks for your mother's maiden name, lie and use JimmyChoo; her maiden name is likely another bit of information easily found on the web. If it asks for your first pet, say giraffe. Your first car: roller skates. Keep a record of the made-up answers, since you will not remember them, and guard it like a password.
  8. Store it, if you must
    If you must store passwords, for yourself and your clients, store them in documents that are not labeled or named password, and store them separately from the user names. Bear in mind that an unremarkable file name is a thin defence for a plain-text file: keep the document in an encrypted container or a password manager, so that a lost laptop or an over-shared drive does not hand over every client at once.
  9. Change it often
    Just about the time you get comfortable with your pattern (assuming you use the tip above), change the pattern and notify the client. By text, of course. Change it sooner if anyone who knew it leaves the agency or the client's company, or if a site holding one of the passwords reports a breach.
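An added example, my code rather than anything from the original post: the pattern rule from tip 2 written out in Python, followed by a function that does what an attacker holding a breach dump would do, take one leaked pattern password together with the site it was used on, read the rule back out of it, and apply that rule to any other site. The parameter defaults reproduce the walk-through above; the helper names, the use of engine as the padding word for short site names, and the PayPal example are assumptions.

```python
import re
import secrets
import string

# Assumed parameters reproducing the walk-through: seven letters of the site
# name, padded with the page's plan C word when the name is too short.
CORE_LEN = 7
FILLER = "engine"


def site_letters(site):
    """Letters of the site name before the first dot, lower-cased, padded if short."""
    base = re.sub(r"[^a-z]", "", site.lower().split(".")[0])
    if len(base) < CORE_LEN:
        base += FILLER
    return base[:CORE_LEN]


def pattern_password(site, prefix="%^", suffix="#@", caps=(4, 6), digit_pos=1, digit="9"):
    """Apply the pattern rule: prefix + altered site letters + suffix.

    caps are zero-based indices, so (4, 6) capitalises the fifth and seventh letters.
    """
    chars = list(site_letters(site))
    for i in caps:
        chars[i] = chars[i].upper()
    chars[digit_pos] = digit
    return prefix + "".join(chars) + suffix


def recover_pattern(leaked, known_site, prefix_len=2, suffix_len=2):
    """Read the rule back out of one leaked password and the site it belonged to.

    A breach dump already tells the attacker which site each password came from,
    so comparing the password with that site's letters is all the analysis needed.
    """
    core = leaked[prefix_len:len(leaked) - suffix_len]
    base = site_letters(known_site)
    if len(core) != len(base):
        raise ValueError("password does not fit the assumed pattern length")
    caps = tuple(
        i for i, (c, b) in enumerate(zip(core, base))
        if c.isalpha() and c != b and c.lower() == b
    )
    digits = [(i, c) for i, c in enumerate(core) if c.isdigit()]
    if len(digits) != 1:
        raise ValueError("expected exactly one substituted digit")
    digit_pos, digit = digits[0]
    return {
        "prefix": leaked[:prefix_len],
        "suffix": leaked[len(leaked) - suffix_len:],
        "caps": caps,
        "digit_pos": digit_pos,
        "digit": digit,
    }


def random_password(length=16, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """The alternative: a password with no rule to recover, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    leaked = pattern_password("SpiderTrainers.com")       # %^s9idErT#@, as on the page
    rule = recover_pattern(leaked, "SpiderTrainers.com")  # one leak yields the whole rule
    print("derived PayPal password:", pattern_password("paypal.com", **rule))
    print("independent random password:", random_password())
```

Running it prints the PayPal password derived purely from the SpiderTrainers one, which is the point of the caveat in tip 2: the site-name trick is a single secret spread across every account. The random_password function shows the alternative that no leak generalises from; it costs a password manager to remember, which is where tip 8 comes in.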