DRH Internet Inc.
Website hosting technical support library
Choosing a good password

It is your responsibility to choose a good password to keep your site and our servers secure. Not only does a good password secure your site, it prevents someone from using your account as a springboard to attack other machines.

An insecure password is one that can be easily guessed. Someone with malicious intent may run a program which will try hundreds of thousands of possible passwords trying to gain access to your account. Your goal is to come up with a password that no one will guess.

Password guessing can be done two ways. First, there are automated programs that take dictionary words (and permutations of dictionary words) and try them against your account. You would be surprised how easy it can be to try every word in the dictionary against an account. Second, there are automated programs that generate possible passwords based on permutations of personal information such as your street address, names of pets, your username, etc.

Here are some techniques and rules to help you choose a good password:

  • Never choose a password that is a single word, like "sheep".
  • Never choose a password shorter than six characters.
  • Always add some numbers into all of your passwords.
  • Always vary the case of the letters in your passwords.
  • If possible, choose a password without any embedded dictionary words. A way to do this is to make the letters a mnemonic for a phrase that you can easily remember. Or, embed two separate words in your password.
  • Do not use any personal information such as your middle name or a name of a pet in a password.
  • Make your password reasonably long -- the longer the better. Say, eight characters and up.

Here are examples of good passwords which are easy to remember and the reasoning behind them. (DO NOT use any of these as your ACTUAL password!)

  • beorn23BEAR - good because "beorn" (a character from the book The Hobbit) is not likely to be in the dictionary, there are two digits, and one of the words is in uppercase
  • iutlotSHOTL - mnemonic for "i used to live on the second house on the left" which is easy enough to remember. This is not going to be in anyone's dictionary!
  • foolASSOc192iate - notice how this is two words, "fool" and "associate" with two numbers inserted in the middle of a word, and the "asso" in "associate" in uppercase.
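The rules above, applied mechanically, as an added example (this is not DRH Internet's own tooling, and the WORDS list is a constructed stand-in for a real system dictionary). It checks the three sample passwords above; note that the mnemonic sample contains no digits, so the "always add some numbers" rule flags it.

```python
"""Password policy checker for the rules listed on this page.

Added example; not the hosting provider's code.  WORDS is a small
constructed dictionary standing in for a real word list such as
/usr/share/dict/words.  The `personal` parameter is this example's own
way of passing in the user's personal information (username, pet names).
"""

# Constructed stand-in for a system dictionary.
WORDS = {"sheep", "fool", "associate", "bear", "house", "left", "second",
         "password", "summer", "dog", "cat"}

MIN_LENGTH = 6          # "never choose a password shorter than six characters"
RECOMMENDED_LENGTH = 8  # "say, eight characters and up"


def check_password(pw, personal=()):
    """Return the list of rules the password breaks; [] means it passes."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    elif len(pw) < RECOMMENDED_LENGTH:
        problems.append("shorter than the recommended %d characters"
                        % RECOMMENDED_LENGTH)
    if low in WORDS:
        problems.append("is a single dictionary word")
    if not any(c.isdigit() for c in pw):
        problems.append("contains no digits")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("does not mix upper and lower case")
    for item in personal:
        item = item.lower()
        # Names and addresses can be short; anything of 3+ chars counts.
        if len(item) >= 3 and item in low:
            problems.append("contains personal information %r" % item)
    return problems


def embedded_words(pw, min_len=4):
    """Dictionary words hidden inside the password (advisory only: the page
    says to avoid them 'if possible', and its own examples contain some)."""
    low = pw.lower()
    return {w for w in WORDS if len(w) >= min_len and w in low}
```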

Password security

The first and most important tip of password security: never tell your password to anyone. Let me say that again: Never tell your password to anyone.

Okay, now the reasoning.

Social Engineering

The easiest way for someone to gain access to your account is to use a technique called "social engineering." Basically, a cracker contacts you claiming to be from our company and needing your password to fix or do something on your account. The simple truth is that we will never need to ask you for your password.

You would be shocked how easy "social engineering" is. Crackers have simply called users at Fortune 500 companies and asked them for their passwords, and used their accounts to gain access to other parts of the system.

Don't fall prey: don't give your password to anyone claiming to need to know it.

Password Sharing

When you give someone the password to your web hosting account you are, in effect, giving them the power to access the account even after you change the password. Think about that for a moment. This means that to give someone your password, you need to completely, absolutely and unequivocally trust them.

You may ask "well, if I change my password then they don't have access anymore, right?". Sure, they don't have access by directly logging in with your username and password, but it is reasonably easy for a knowledgeable technical person to install a backdoor in your account to allow them access in the future without a password.

Is giving your password to someone else in your company who needs to work on your website okay? Sure. Is giving your password to a friend on the Internet who is going to help you get some program working for you a good idea? Most likely not.

How to change your password

If you know your password and you need to change it, use one of the two below methods. If you have lost your password, then please contact technical support and we can assign you a new password.

Use the web control panel

You can change your password using the web control panel. This is the recommended way because it is easier than Telnet for most people.

Here is the step by step:

  1. Go to "admin.your-domain-name.com". Of course, replace "your-domain-name.com" with the actual domain name of your account.

  2. Enter your username and password at the "Please enter your username and password" screen to log into the web control panel.

  3. Now that you are logged in, click on the "Change Passwd" link on the left bar in the "Admin" section.

  4. Enter your old password again, enter your new password, then enter your new password again to verify it. Then click on the "OK" button.

  5. Read the resulting screen to verify that your password was really changed. Sometimes the underlying password management layer will return a warning message such as "BAD PASSWORD: it is based on a dictionary word" or "BAD PASSWORD: it's WAY too short". Please take heed of these warnings.

  6. Log out of the web control panel, using the "logout" link on the left side bar under the "exit" heading.

Use the UNIX passwd command through telnet

This method is slightly harder to use because it requires you to log into your account using Telnet, which not everyone will know how to do. If you do not know how to do this, use the web control panel method above.

  1. Log into your account using Telnet or SSH.

  2. Run the "passwd" command.

  3. Enter your old password when prompted, then your new password twice when prompted.