Post Date: Thursday, April 10, 2014, 1:00 PM
Are Your Passwords So Weak Any Intruder Can View Your Private Website?
Electronic communication has transformed the way clubs connect with members. One unfortunate consequence of this shift in communication mediums is the rise in identity theft, and insecure passwords are often the weak link. In this video and article, Clubessential CEO Dr. William D. Ivers discusses ways that your club and website vendor can protect passwords to minimize exposure to identity theft.

Security Series Issue 2. This is the second of a series of articles on IT security in the club industry that will be published in coming months by Dr. William D. Ivers, CEO of Clubessential. Article 1 covered the importance of securing private club documents.
Avoid Exposing Members to Identity Theft

How many of you re-use the same password, or simple variations of the same password, on many accounts, including your bank accounts? If you do, you are like the vast majority of your members. The significance of this is that the passwords themselves are probably the most valuable information stored on your websites – maybe even more valuable than credit card numbers.

Passwords must be protected. Encrypt them. Don’t let anyone, even club staff members, see the passwords. Ask your website vendor to encrypt your website’s passwords. Your staff will resist at first because they will no longer be able to look up a forgotten password for a member and some members will complain. Tell your staff that if a member forgets, simply reset the member’s password and allow them to make up their own replacement. These are minor inconveniences compared to dealing with a member whose bank account was emptied because your website exposed their password. Check right now: can your staff see members’ passwords? If they can, you risk exposing your members’ bank accounts!

Once you have your passwords encrypted you will have taken a huge step toward improving security because no thief will be able to walk off with your most valuable information: the actual passwords your members use for all kinds of accounts.
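The article says “encrypt”; the way a vendor normally meets that requirement is to store a salted, slow one-way hash, so that neither staff nor a thief who copies the table can recover the password, and a forgotten password is handled by a reset rather than a lookup. The following is an added illustration, not Clubessential’s code; the member table, usernames and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory member table: username -> (salt, derived hash).
# Only these two values are ever stored; the password itself is not.
ITERATIONS = 200_000          # assumed work factor; tune to the server's CPU budget
_members: dict[str, tuple[bytes, bytes]] = {}


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation (PBKDF2-HMAC-SHA256); not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the clear-text password is discarded."""
    salt = os.urandom(16)
    _members[username] = (salt, _derive(password, salt))


def verify_password(username: str, password: str) -> bool:
    """Re-derive from the candidate and compare in constant time.
    Unknown usernames still pay the derivation cost so timing does not reveal
    which accounts exist. Comparison is byte-exact, hence case-sensitive."""
    salt, stored = _members.get(username, (bytes(16), bytes(32)))
    match = hmac.compare_digest(_derive(password, salt), stored)
    return match and username in _members


def reset_password(username: str) -> str:
    """The staff workflow the article recommends: nobody can look up a forgotten
    password, so staff issue a random temporary one and the member replaces it
    with set_password() at next sign-in."""
    temporary = secrets.token_urlsafe(9)
    set_password(username, temporary)
    return temporary


def stored_record(username: str) -> tuple[bytes, bytes]:
    """What a staff member, or a thief who copies the table, actually sees."""
    return _members[username]
```

The check the article asks you to make right now, in code form: `stored_record()` returns nothing a person could read as the member’s password.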

Don’t Allow Obvious Passwords

Until recently, Clubessential did not perform any checks to make sure its clients were not using silly passwords like “password” or “admin” that were easy for hackers to guess. Once we were alerted to this problem, we implemented a filtering system to prevent the use of such passwords – had we not used the filter, hundreds of weak passwords would have been in use by our clients’ administrators (not just members!). We were astonished. Such passwords are an open invitation for a hacker to use a “dictionary attack”, where they attempt to sign in using a whole list of obvious passwords. We were glad we had introduced the filter. Other website vendors can easily do the same thing, so make sure to ask for this security feature.

What's at Stake

You may think it unlikely that some hacker located on the other side of the world would bother to perform a dictionary attack against your little website, but the facts show otherwise. Your membership is an attractive target. We monitor the number of attacks against the 1,000 websites we host and frequently detect attempts to use dictionary attacks. Most attacks do not succeed, but the threat is real. In one case we detected a successful attack where a password was compromised. Our logs showed that the knowledge of this password spread among the hacker community all over the world. Within a couple of minutes people were trying to log in from China and Malaysia!

So now imagine that you have a special account set up for the convenience of your staff that has the username of “admin” and a password of “test.” Suppose some guy from China breaks in (it would take less than a minute for them to break that combination, using dictionary attack programs available on hacker sites for free). What might happen? First, the cracked password would probably be posted on a hacker site just for amusement, and subsequently there would be a whole list of hackers from around the world signing in as administrators to your website. Some might post some malicious content (imagine explaining that to the Board). Others would try to export your roster, including the names and addresses and children’s names of a whole list of wealthy Americans (and a list of these wealthy members’ favorite passwords if you have not encrypted them). Others would try to introduce code into your website that would capture credit card or bank account numbers and then post them for sale. If your website is hosted on a local server that also houses your accounting system, they might try to introduce code that could compromise your entire accounting system.

Given these possible scenarios, it is obviously a good idea to protect from dictionary attacks by asking your vendor to install a password filter that blocks the use of vulnerable passwords and also denies access after repeated failed attempts. These steps are easy to take but often overlooked.

Other Password Protection Steps

After you have taken the two most important steps: 1) Encrypting passwords and 2) Preventing dictionary attacks, there are a number of other smaller steps you can take to improve password selection, resulting in better security:

   — Ask administrators to change their passwords every six months or so. Your members won’t be willing to do this, so don’t bother asking them.
   — Make sure you have a procedure to delete old staff accounts – we frequently find accounts for people who have not been on the staff for years – but they can still sign in as administrators!
   — Don’t let anyone replicate their username as their password.
   — Distinguish between upper and lower case.
   — For each password, require at least one number and a length of 7 characters.

Your website vendor can build these or similar rules into their logic so enforcing the rules does not become an administrative burden for your staff.
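The obvious-password filter from the “Don’t Allow Obvious Passwords” section, the lockout after repeated failed attempts from “What’s at Stake”, and the selection rules listed above, combined into one added example (illustrative code, not the vendor’s). The deny-list is a constructed sample and the lockout threshold of five attempts is an assumption; a real filter would load a much longer list. The credential check is a byte-exact comparison, which is what “distinguish between upper and lower case” means in practice.

```python
import re
from collections import defaultdict
from typing import Callable

# Constructed sample of the kind of obvious passwords the article describes.
OBVIOUS_PASSWORDS = {"password", "admin", "test", "123456", "welcome", "letmein"}
MIN_LENGTH = 7                # rule from the article: at least 7 characters
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold


def password_problems(username: str, password: str) -> list[str]:
    """Return every rule a candidate password breaks; an empty list means accepted."""
    problems = []
    if password.lower() in OBVIOUS_PASSWORDS:
        problems.append("password is on the obvious-password list")
    if password.lower() == username.lower():
        problems.append("password must not be the username")
    if len(password) < MIN_LENGTH:
        problems.append(f"password must be at least {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("password must contain at least one number")
    return problems


class LoginGuard:
    """Counts failed sign-ins per account and denies access once the limit is hit,
    which is what stops a dictionary attack from trying its whole list."""

    def __init__(self, check_credentials: Callable[[str, str], bool],
                 max_failed: int = MAX_FAILED_ATTEMPTS):
        self._check = check_credentials      # case-sensitive credential check
        self._max_failed = max_failed
        self._failed: dict[str, int] = defaultdict(int)

    def is_locked(self, username: str) -> bool:
        return self._failed[username] >= self._max_failed

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied', or 'locked'; a locked account is refused
        before the password is even checked."""
        if self.is_locked(username):
            return "locked"
        if self._check(username, password):
            self._failed[username] = 0       # a good sign-in clears the counter
            return "ok"
        self._failed[username] += 1
        return "locked" if self.is_locked(username) else "denied"
```

A locked account stays locked until an administrator clears it (or a timer you add expires), which is the "denies access after repeated failed attempts" step the article asks vendors to provide.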

In Conclusion

Cybercrime can make a poor but bright teenager from any country in the world fabulously rich. It costs little to get started and retribution is a world away. Is it any wonder cybercrime is growing fast? The club industry has been slow to react. This article discusses the basic steps needed to create adequate passwords, and the even more important need to protect the passwords themselves by encrypting them. These steps are easy to take (most of the work is done by the website vendor) and might avert a major disaster. I’m reminded of the quote from my favorite author, Benjamin Franklin:

“For the want of a nail the shoe was lost,
For the want of a shoe the horse was lost,
For the want of a horse the rider was lost,
For the want of a rider the battle was lost,
For the want of a battle the kingdom was lost,
And all for the want of a horseshoe-nail.”

Authored by:

Dr. Ivers has over 40 years experience in the software industry, 15 years of which have been in the private club industry.

© 2013 Clubessential, LLC