< back

This information may prove more important than you will ever know!!!


Eventually many of you will progress to paying for your own domain name and a decent hosted web site other than a "free" web site. While passwords are used for accessing even free web sites, once you become a webmaster of a truly independent web site security issues become even more of a responsibility.

When creating / changing passwords for what ever reasons dealing with web sites - ie FTP access (uploading files), server controlled password access to private directories, CGI program administrative forms, even your PC e-mail client for accessing your e-mail - there are some very simple rules you should FORCE your self to adhere to.

A) Do NOT use real words
B) use a mix of alphanumeric letters (0-9,a-z)
C) use a mixture of upper and lower case alpha characters (a-z,A-Z)
D) use at least 8 characters

Hackers and other mischief makers (lowlifes) mostly gain access to a web site by chance. That is,
1) they have access to thousands of common words that humans seem to use often.
2) they have ready access to PC programs which in a very short space of time will test thousands of character combinations with above common words.
3) web sites alone often provide clues to some words and combinations they can try - ie your families names, any repeated use of phrases or pet slogans and slang, pet (real) names, family birth dates, pet names of family and possessions like cars etc, words used in email addresses, and so forth.

Much of that mentioned in 3 can often unwittingly be found easily in texts on ones web site!

There are web sites created by high level hackers turned good guys? who make considerable money hired to intentionally attempt a site/server break in, mainly for the corporate world. Their lessons are applicable to all. They often list some extremely stupid passwords used by even so called well trained IT specialists, and most surprising to the layman (sorry, layperson) are some chance overheard clues obtained in bars and clubs which lead them (the hacker) to a path of investigation. Even explicitly described passwords on paper in wallets or handbags have brought a few corporate sites down.

So, the rule is simple, follow the above rules when creating passwords that YOU HAVE TO notarise AND keep secure, NOT ones that are simply easy to remember (and when noting them do not include "such and such password = ????" identifying what for where, at least leave that up to your own memory).

Other Info
There are some more dangerous situations where hackers **play with various forms from a web site or SSI web pages (page names with special extensions where a string of info can be passed to a server side CGI program by the URL) which may indicate a "hole" or weakness in a server side CGI program in the cgi-bin leading to the access of data files and other problems.

**Another issue with CGI forms and an ability to remotely "play" with them...
Some of the forms on this site may cause errors if using so called PC Firewall programs on your PC and have wrongly switched off "referrers" and "agents" as if that protects your highly confidential information - which it doesn't - it has NOTHING to do with it.

Likewise the badly designed use of default set-up "cache" in NS 4 can make a server side CGI program suspicious too.

Doing so the server and or server side CGI program has every right to consider YOU a risk at the very first level of security checking (not 100% infallible same does give some protection against above mentioned "playing" with remote copies of forms).

And, doing so as a web surfer may sound like fun!

Yet as a webmaster it is serious and you should ignore all complaints attempting to get you to "open" the server more than it already may be.

I know of webmasters who should know better now ignoring the checks just to keep a few extra visitors because of these new fangled Firewalls and Netscape 4 - AND ignoring the widespread panic all over the web in the mid '90s because of such a weakness on thousands of sites using particular CGI programs - and that was accidental.

Other hackers write simple "robot" programs which can search, index, and copy every available file on your site!! If any of those found files include passwords or client details or client CCard numbers or any other sensitive info then guess whose integrity and trust go out the window (Search engines are sophisticated "robot" programs BUT with mostly GOOD manners).

The last comments are alone good reason why if obtaining your own domain/real hosted website you should go for the more secure yet cheaper, most popular (over 50% of all), Unix type hosted site. Setup/management of server protected password blocked directories are very efficient (so long as decent passwords are used!) and can block robots too.

A site like dtp-aus.com often attracts such attention and signs of above show in various logs I have access to or create by my own programs. But just because you only have a simple family site to start with don't think you are immune.

Primary concern of hackers is to gain access to / do damage to servers. Your site content may not be of interest but just may be a simple conduit for more sinister purposes.

As a webmaster, especially but not only with a proper hosted domain site on someone elses networked computers, you have responsibilities. You could become a weak link in the network.

< back

Over 120 pages: All major topics divided into Classrooms
Free Backgrounds & Buttons! DTP and HTML "My First Page" HTML lessons
Tutorial Text Search Perl CGI Scripts Typography & Layout
4 pages of Links Visitors Book Perl Scripts Forum n/a
Free Links page Feedback Form Q/A contact Forum

pages Designed & Published - Ron F Woolley
e-mail 1997 '98. Last Revised:  Friday, 31 October 2003 22:04