Dreamhosts, Passwords and Security

Dreamhost, who do/did host a number of Miva Merchant stores, recently announced that some 3500 FTP passwords were leaked. Ouch!

And speaking of passwords, we get to see a lot of, er, interesting ones. Although many banks and other sites have instituted frustrating login systems, forcing you to change your password frequently, use a mix of numbers, letters and mixed case, remember a bunch of security questions and the like, there is a good middle ground for your own site and store passwords. Don’t use any of the most obvious passwords, your sitename for both the login and password, and, if you’re generating a password for temporary use, don’t use “temp” “support” or, one of the best that I’ve seen–login: “help”, password: “me”. Personally, I don’t like the auto-generated OpenUI passwords either, as they have the same format, only changing a few digits. And, of course, regardless of the quality of your password, you shouldn’t be storing credit card numbers on the server. A defaced site can be fixed, losing your customers’ card numbers cannot.