Here’s another reminder for webmasters and server admins that you need to carefully protect your FTP login credentials because people are trying hard to steal them.

Last week SC Magazine wrote about a website containing over 100,000 stolen FTP login credentials. Network security and management firm Blue Coat discovered the sensitive files, which contained username and password combinations for FTP servers located around the globe.

The really scary part of this story is that most of the compromised passwords were deemed “reasonably strong”, according to Chris Larsen, a security researcher at Blue Coat. The breach wasn’t the result of weak passwords that were easily hacked or guessed. The credentials were stolen by an attacker who used sophisticated tools to get machine or network access, and then watched for the credentials.

“The discovery, however, does provide an opportunity to remind webmasters that their FTP credentials should be protected and treated with as much care as banking credentials.  Try to only use them from computers that are known to be secure.  The bad guys want your login.”

Here are a few password tips to keep in mind:

  • Always use strong passwords.  Here’s a nice primer on how to create strong passwords.
  • Don’t use the same password for all your online accounts. Sure, it’s easier, but the flip side is that if your password is hacked for one account, then the password you use for your other accounts is compromised as well.
  • Change the passwords for sensitive accounts at least every couple of months. That way, even if your account has been compromised, you’ve limited how long it stays that way.
  • Never leave a Post-it note with your secret passwords stuck to your wall or on your desk.