Email passwords matter

Weak email passwords can punch a big hole in your security.

Ever forget your password for an important website? Maybe even for the WordPress or Drupal site that contains your CRM?

Fortunately, both WordPress and Drupal (and most other website platforms) offer a way to recover your password by email.

You just click the “Forgot my password” link, and it will send you an email with a special link you can use to set a new password.

Now you’re back in. Yay!

Can you see a potential security flaw in this design?

It’s this:

  • If a slimy criminal can guess your email password, they can log in and read all your emails.

  • If they want to get into your CRM, all they need is to click “Forgot my password”, then check your emails, and now they’ve got a link that will let them into your site.

Bada-bing, bada-boom.

Here’s the thing:

You are (hopefully) enforcing some password strength requirements for staff users on the website that contains your CRM.

But are you also insisting that your team members use strong passwords (or 2-factor authentication) on their email accounts?

All the best,

P.S. This flaw is also one reason for the rising use of 2-factor authentication at the website level — something else you should probably also consider.
