Skip to main content
Home

Main navigation

  • Services
  • Accessibility
  • Partner Program
  • Blog
    • All Blog Posts
    • Ask Freelock
    • Dev Corner
    • Sustainable/Open Business
    • Off Topic
    • Newsletters
  • About
    • About Freelock
    • Meet the Team
    • Portfolio
    • Client Feedback
    • Typical Hosting Options
    • Invoice Payment
    • Advent 2025 - 24 days of accessibility
  • More ...
    • Topics
      • Reach
      • Engagement
      • Delivery
      • Security
      • Performance
      • Usability
    • Analytics
    • Support and Improvements
      • Drupal Development
      • WordPress
      • Migration

Smarter Password Management

The problem with weak passwords

Your dog's name. Your anniversary. Your childrens' initials, birthday, or birth weight. Your favorite hobby, or the name of your boat. Which one do you use for your password? Network Administrators and hackers know that most people choose passwords like these to protect anything from logging into web-based bulletin boards to buying things online.

Why does it matter? Identity theft. Corporate espionage. Loss of your data, or digital photos. Do you want to risk these things? In many cases, a weak password is all that separates your data from any bad guy who chooses to impersonate you online, or worse.

In this edition:

  • Smarter Password Management
    • The problem with weak passwords
    • The problem with strong passwords
    • Do I always need a strong password?
    • Assess your risks
    • More password help
  • Freelock News
  • Open Source News

I don't like to use fear to motivate people, but practicing safe password management is as important as locking your house when you leave. Only whenever you're connected to the Internet, it's like having a house in the worst neighborhood in the biggest city around--if you don't put a good lock on the door, you will get broken into. Even if you're home.

The problem with strong passwords

If you work at a large company, they may not allow you to have a simple password based on any word you can find in a dictionary. E-Commerce sites that have good security require passwords at least 8 characters long. They group the characters you type into four groups: capital letters, lowercase letters, numbers, and symbols, and then require you to have at least three out of the four groups represented in your password. And then they make you change your password every two or three months. This type of password is called a strong password.

The problem is that you soon end up with many more passwords than you can possibly keep track of. You either forget your new password, requiring the administrator to reset it for you, or start writing them down. Far too many people have their current passwords scribbled on a yellow sticky note attached to their monitor where anyone can see it.

With weak passwords, all an attacker needs to do is go through your trash, or engage you in innocent conversation. With strong passwords, all he needs to do is visit your office. In either case, the attacker is engaging in a type of attack called Social Engineering, which is the easiest way to break into a system.

Do I always need a strong password?

No. Strong passwords provide far more protection against different types of attacks, especially those considered Brute Force attacks. An example is something called a Dictionary Attack, where the attacker takes a list of words, sometimes an entire dictionary, and uses a special cracking program to try each one on your account. The dictionary used includes common animal and people names.

Many systems defeat these types of attacks by locking you out after a few failed attempts. But the real consideration is what an attacker can do once they break into any particular system.

Assess your risks

There are low risk, and high risk computer systems. To avoid having 30 different passwords to remember, you can group together systems that have the same level of risk, and reuse your passwords. Many security experts would argue that this approach reduces security, but let's be realistic here--if you don't remember the password for a particular system, and then type in all of your "standard" passwords to try to log into it, you may have just compromised all systems that use any of those passwords.

There are many ways of grouping systems, but here's what I recommend:

  1. Low Risk Systems. If you never give your credit card, drivers license, social security number, or other sensitive information to a web site, you probably don't need to use a strong password. Sites like the New York Times, online bulletin boards, all the myriad of places that ask you to create an account before allowing you to post. Use a throw-away, easy-to-remember password. The worst an attacker could do is impersonate you on a web site, a mild form of harrassment, but nothing more serious than that.

    Recognize that any time you type a password into a system that doesn't immediately take you to an encrypted site, your password could get intercepted by all kinds of unknown people. Look for the lock or key icon in your browser's status bar, and "https" in the web address. If these things don't appear, or there's a warning, don't trust the site. Use a weak password, and consider it public. As long as you trust a site as being legitimate, I consider it fine to reuse the same weak password for all of these types of sites.
  2. Medium Risk Systems. You might not agree, but I consider credit card information to be medium risk. To purchase things using a credit card at all, you have to take some risk--the waiter at the restaurant could copy your card when taking your payment, somebody could eavesdrop on your cordless phone when you give the number to the pizza delivery place, or somebody could look over your shoulder in line at a store.

    Credit Card companies provide you with protection here--you're only liable for the first $50 of any mis-use of your credit card. For many credit cards, the bank takes full risk for online payments. You have to report charges you did not make in writing within 60 days, and these guarantees don't apply to debit cards, but overall loss of your credit card amounts to a bigger hassle but not devastation to your identity. So I recommend grouping all web sites you use a credit card for into a "medium risk" group. If you give a web site a credit card, you're already trusting them to not make bogus charges--you can probably trust them to not try to use your strong password on other sites.

    Some cautions here:
    • Never send a credit card number, or any more sensitive information, through an email system that is not encrypted. If your email system is encrypted, you'll know it--you have to do quite a bit on both the sending and receiving end, so assume your mail is completely insecure, because it is.
    • Always make sure the web site is encrypted before typing in your password. Look for the lock or key icon in your browser window. In Firefox, the address bar (where you type the web address) will turn yellow if it's properly encrypted.
    • Never use a public computer to make web transactions. Even if the web site is encrypted, there could be snooping software installed on the computer that could get your user account and password as you type it. Only conduct sensitive transactions on computers you trust--and get the spyware off first!
    • Just because a web site is encrypted, doesn't mean your data is protected. Many smaller companies have not invested in proper security to protect your password and credit card information. If in doubt, look for a security statement, or ask! If your business would like to properly secure customer data, contact Freelock Computing and let's talk!
  3. High Risk Systems. Any system that contains your social security number, drivers license number, or other financial account numbers should be considered high risk. Systems that contain sensitive business information should be protected with a strong password, and if they're connected to the Internet, that password should be changed frequently.

    For the most part, this means treating your laptop or workstation as a high-risk system--use a different password to log into it than you use for e-commerce or general use.

In most cases, you can get by with three passwords, using them on the appropriate level of system: a weak password for general, low risk systems; a strong password for e-commerce and medium risk systems, and a different strong password for any computer you use that has business or sensitive information on it. In some cases, this isn't enough--if you have critical systems that contain personally identifiable customer data, or administrative access on customer machines, you may need to manage dozens of passwords.

As a general rule, never give your password to anyone, especially not a password you use in other medium- or high-risk systems. If you're getting help from somebody who administers service for you, they will be able to set your password to something else without knowing your password.

More Password Help

Next month we'll take a look at how to come up with strong passwords you can remember, and secure ways of keeping track of passwords, if you need to remember more than three.

Freelock News

Our business is growing in exciting ways at Freelock Computing:

  • We had a day sponsorship for KUOW, a Seattle-area National Public Radio Station, air on November 4.
  • I have accepted a position on the board of directors of Freelance Seattle.
  • I am on a committee to pick a panel of speakers and questions for an Open Source Software dinner program to be held by the MIT Enterprise Forum of the North West next February.
  • We are working on creating a standard menu of technology services for small and growing businesses, to help you lower costs or increase the opportunities you can manage in your business.

Visit us regularly to see our new services!

Topic

  • Authentication - Multi-Factor Auth, Single Sign-on

Add new comment

The content of this field is kept private and will not be shown publicly.
About text formats

Filtered HTML

  • Web page addresses and email addresses turn into links automatically.
  • Allowed HTML tags: <a href hreflang> <em> <strong> <blockquote cite> <cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h1> <h2 id> <h3 id> <h4 id> <h5 id> <p> <br> <img src alt height width>
  • Lines and paragraphs break automatically.

Drupal Canvas — Block HTML (locked)

  • Allowed HTML tags: <strong> <em> <u> <a href> <p> <br> <ul> <ol> <li>

Drupal Canvas — Inline HTML (locked)

  • Allowed HTML tags: <strong> <em> <u> <a href>

Recent Rants

workshop board of old-school woodworking tools
🕑Jun 12, 2026 🖋John Locke 💬0

Against Inevitability

What Freelock is for, and what we're against
sustainable business icon
Sustainable/Open Business
fragmented data, multiple, coding agents, directory structure, context markers, documentation
🕑Jun 02, 2026 🖋John Locke 💬0

"Argo-nizing" Our Platform for AI Development

How grouping related repos into a single parent directory made AI coding assistants significantly more useful
dev corner icon
Dev Corner
Website management, Drupal, WordPress, security, automation, configuration management.
🕑May 28, 2026 🖋John Locke 💬0

Every Night, Argo Watches

While your site is running, things change. A content editor tweaks a configuration setting. A security vulnerability surfaces in a dependency. A production fix gets applied directly instead of going through the normal release process.

sustainable business icon
Sustainable/Open Business
Website security, data breaches, ransomware attacks, recovery solutions, cybersecurity practices
🕑May 19, 2026 🖋John Locke 💬0

Your Website Will Be Attacked. Here's How We Make Sure You Survive It.

The question used to be whether your website would face a serious security threat. That question has been answered. The question now is whether you'll be ready when it happens — and whether you can recover cleanly when something gets through.
sustainable business icon
Sustainable/Open Business
AI vulnerabilities, security incidents, resilience, Drupal WordPress, cybersecurity
🕑May 18, 2026 🖋John Locke 💬0

The Rules Have Changed: Security in the Age of AI-Assisted Attacks

Security is getting dramatically harder and more expensive. AI is simultaneously driving an explosion in vulnerability discovery and weaponizing the exploits that follow. The question for every organization with anything online is no longer whether to invest in resilience — it's whether that investment is already in place before the next incident arrives.
dev corner icon
Dev Corner
performance race track wrenches tuning speed obstacles
🕑May 06, 2026 🖋John Locke 💬0

When Your WordPress Site Launches Into a Performance Crisis

A real-world post-mortem on 15 performance issues we fixed in 4 days — and what every WordPress site owner should know before going live.
dev corner icon
Dev Corner
a web page with cards that show a similar theme
🕑Apr 21, 2026 🖋John Locke 💬0

When Views meets Drupal Canvas -- getting dynamic content into your Canvas page

From early days, "views" has been the killer feature of Drupal. Views is a powerful querying tool built into Drupal that allows dynamic lists and displays of content to be created without writing custom code.

dev corner icon
Dev Corner
website security, bot attacks, managed hosting, AI analysis, custom defense, Cloudflare protection
🕑Apr 15, 2026 🖋John Locke 💬0

Ask Freelock: Why Is My Site Still Getting Hammered by Bots — Even on a Major Hosting Platform?

We recently heard from a former client who had moved their site to a major managed hosting platform, hoping for more stability and better protection.

ask freelock icon
Ask Freelock
"Fragile Code House vs Fortress" - Split image: Left side shows a house of cards or glass structure (representing vibe-coded apps), right side shows a stone fortress or brick wall (representing battle-tested open source) - Conveys the contrast bet
🕑Nov 20, 2025 🖋John Locke 💬0

Vibe-coding versus Open Source - Security over the long haul

Vibe-coding is all the rage today. Who needs a developer when you can get an AI to develop an application for you? There are scads of application development tools now that promise to create that app you always wanted -- and surprisingly, these often work!

sustainable business icon
Sustainable/Open Business
Drupal, Flake, NixOS, development, Docker, PHP, environment, testing, local, site, containers
🕑Sep 22, 2025 🖋John Locke 💬0

Use Drupal Flake for PHPUnit testing

Drupal Flake is a new way of doing local Drupal development (running a self-contained Drupal site on your desktop or laptop).

dev corner icon
Dev Corner

Footer

  • Contact
    • +1 206.577.0540
    • Sitemap
  • Freelock Blog
    • Ask Freelock
    • Dev Corner
    • Newsletters
    • Sustainable/Open Business
    • Topics
  • Services
    • Website Maintenance
  • About Us
    • Our Team
    • Client Feedback
    • Portfolio
  • Policies
    • Acceptable Use Policy
    • Copyright Infringement Policy
    • AI Use Policy
    • Privacy Policy
    • Security Statement
    • Standard Contract Terms

Contact

We are located in beautiful Seattle, WA.

 Freelock LLC
 PO Box 9625
 Seattle, WA 98109

User Menu

Social media

  • BlueSky
  • GitHub
  • LinkedIn
  • Mastodon
  • YouTube

1995-2026 Freelock LLC. Neonbyte theme by Dripyard.