how we stop hackers from getting into your municipal site

Preventing Hackers from Logging Into Your Site

In the last several weeks we have had many people call up or send in support requests saying they were locked out of their website. I wanted to address this issue and give you ways in which we’ve improved it. We want to make it a easy for you to login while still preventing hackers and other unauthorized individuals from logging into your website.

First of all, I know it can be frustrating when you try to log into your site and you cannot get access. It slows down the process of you posting an agenda or some other news/notice on your municipal site.

We have several layers of security built into your site to help prevent unauthorized access. One layer of security is tracking the number of attempts that a wrong username or password is used to log into your site. After all, if we did not put a limit on the number of incorrect login attempts, this would open up the door for a “Brute Force” login.

You can watch the video here:

What is a Brute Force Attack?

According to a definition by Techopedia, it is when a trial-and-error method is used to obtain access. Automate software can be used to generate a large number of consecutive guesses for a username and password when attempting to login to a website. This is why it’s so important to have a complex alphanumeric password in order to prevent hackers from logging in. A brute force attack will simply start using a large list of common passwords in order to gain access and them attempt to use words from the dictionary.

How We Help Prevent Successful Brute Force Attacks

Our security rules that were in effect up to mid-March 2018

At Town Web, all TownCMS v5 websites have a security layer which can help prevent a brute force attack from becoming successful. We do this by limiting the number of unsuccessful login attempts. Up until mid-March 2018, we limited the number of unsuccessful login attempts to just three times.

If somebody (authorized or unauthorized) attempted to log into your website three times with the incorrect password, they would be blocked from logging in again for another 60 minutes. This 60 minute “cool down” period was set in order to allow an authorized person from attempting to login again after a set period instead of being permanently blocked. Based on the tickets we received, the 60 minute period was too long of a time period for somebody to wait in order to gain access to their site.

How we’ve changed our policy from mid-March 2018

My team and I had a meeting about what we could do in order to improve the login experience. Our goals was the decrease the number of support tickets that we would get when “good” people were trying to login with “bad” password. We also wanted to make sure that any “bad” people (like hackers), who used “bad” passwords would still be blocked when trying automated brute force attempts to gain access. This is what we came up with:

  1. We increased the number of login attempts from just three to 20. We think that 20 consecutive and unsuccessful login attempts should be more than enough for somebody to try and enter their password correctly.
  2. When somebody does enter their password incorrectly too many times, we decreased the lock-out period from 60 minutes to just five minutes. This way if you forgot your password and tried to log into your website unsuccessfully 20 consecutive times, you will be blocked from logging in again for five minutes before you can attempt another 20 logins.

So far in the last week or so since this change was soft-launched to all TownCMS v5 customers, we’ve seen a dramatic decrease in the number of support tickets from clerks who said they were locked out. We will continue to monitor and make sure that indeed this improves things for all clerks while still maintaining a high level of security to prevent unauthorized logins.

What if you forgot your password?

Click the “Forgot Password?” Link

If you forget your password and if you’re on TownCMS v5, there are two main ways you can login. Firstly, you can just click on the “Forget Password?” link in your login screen. In doing so you’ll be required to enter your email address, which will send you a link for your to reset it to something else.

This method is the most secure method because then only you will know what your password is. Nobody on the Town Web team will even know it, and it won’t be stored anywhere else (like in your email inbox), which could be insecure.

did you forget your password?

Request us to Reset Your Password

You can of course always ask us to reset your password. We don’t actually have a way to view what your old password was, but we can replace it with a new password. We will typically reset your new password to something that is alphanumeric and which has symbols and characters in it to prevent somebody from guessing it easily in a brute force attack.

Creating (and Remembering!) a Secure Password

Here is great article on Buffer about how to create a secure password and remember it in order to prevent hackers from guessing your password. You can also use a password management service that helps you both create secure passwords and log into websites easily. One software that I personally use and pay for is called LastPass.

With LastPass I have a long and complex Master Password, which is set up using 2 Factor Authentication (2FA). This means that I need to have my cell phone with me or a separate dongle in order to double-verify my login whenever I enter my Master Password. And once I’m logged in via the Master Password, I’m able to quickly generate and save complex passwords for new sites I log into and can easily log back into them without needing to remember what the password is.

It works as a Chrome extension on my browser and gives me the convenience I need without the hassle of having to remember dozens (or hundreds!) of different usernames and passwords for all the websites I log into.

This also means that I can easily have different and separate passwords for all websites. If there is ever the case that one website is compromised and all the passwords and usernames are released, it won’t be a username/password combination that could be used, thus preventing hackers from gaining access to any other site.