| A customer's e-hwVPS had a compromised user account that was used to send spam around 4AM Pacific time on February 20, 2018. By 5:21AM, a disgruntled recipient attacked their e-hwVPS with a Distributed Denial of Service (DDoS) attack that caused a network outage. The e-hwVPS has been suspended and service restored at 5:30AM. We've asked the customer to move to another hosting company.
They had been educated on the finer details of password security on two prior occasions within the last 60 days. The most recent prior incident was only one week ago. They had been warned on that occasion that further incidents which caused network outages would result in permanent account suspension.
Please, take this as a lesson to exercise good password security. As we preach continuously to several repeat offenders, good password security consists of the following:
- *Do* use at least 10 characters that are a mix of upper case letters, lower case letters, numbers, and symbols. More is better.
- *Don't* use any names or words in any language.
- *Don't* reuse the password with any other account of any kind, anywhere.
- *Do* ensure your computer is free of keyloggers, malware, and viruses. Macs aren't immune. Get an up to date virus/malware scanner from a reputable source such as Microsoft Security Essentials (included in Windows 8 and up), McAfee, or Norton, keep it updated, and use it regularly.
- *Never* enter any password into a link you clicked on in an email or in a form contained directly in the email. Many passwords are stolen in this manner using fake emails referred to as "Phishing".
- *Always* verify that you're using HTTPS indicated by a padlock in the URL bar of your browser when entering a password on a web site.
- *Do* use modern encryption standards for email, ftp, web, and WiFi.
- *Never* use your password over an unencrypted protocol using an unencrypted WiFi connection.
- *Avoid* using hotel WiFi, airport WiFi, other public WiFi hotspots, or mobile hotspot, when possible. If you do have to use any of those, you *must* use modern encrypted protocols for email, ftp, and web access.
- *Do* use password management software such as Dashlane or KeePass. You'll likely never remember a truly secure password, so use software that can remember it for you.
- *Avoid* using your web browser's built in password remember feature. These are frequently targeted by hackers as ready made password lists for them to steal. All it takes is one rogue ad or rogue content syndication on an otherwise legitimate web site run from a browser with a security flaw for this built-in password list to be compromised.
- *Remember*, hackers and spammers don't care about you. They only care about gaining access to as many accounts as possible to do whatever nefarious activity they can using your account. Don't be one of the countless people who unwittingly further the degradation of the Internet's utility by being lazy with your password.
- *Do* ensure your password is unique among billions of other passwords in use on the Internet. One way to avoid duplicating someone else's password is to use more characters. When considering whether a password is unique or not, ask yourself "What is the chance that one of the billions of passwords used on the Internet is just like mine?" Remember, there are billions of people accessing the Internet and more passwords are compromised every day. Each compromised password gets added to lists that hackers use to scan accounts during what are known as "dictionary" attacks using those known passwords and variations on them. With ever increasing network speeds and computing power available, if even one of those compromised passwords or their variants is the same as yours, you're toast even if *you* did everything right. It's like a reverse lottery: if you win this lottery, you lose. Don't be a loser. Use a genuinely unique password.