Target Marketing

The Secret to Marketing Success

Tag: Password

Security Is Your Responsibility Too

As agencies, we often receive and hold our clients’ credentials for all sorts of sites—email automation applications, FTP servers, hosting accounts, social media accounts and more—but do you give your clients adequate protection, including in how you receive those credentials and how you share them internally? I bet not.

Agencies are rarely able to focus on the solitary task of architecting email campaigns; a good multitouch campaign will have social media, press announcements, landing pages, web pages, microsites, shopping cart pages and more. If that is a typical effort, we must gather, store, access, share, update, change and protect our client user names and passwords for:

  • Twitter
  • Facebook
  • LinkedIn
  • Email-automation application
  • Press-syndication application
  • FTP
  • Host provider
  • cPanel
  • WordPress administration
  • Plug-in administration
  • PayPal
  • Google Analytics

Some of these are extremely sensitive sites representing great financial exposure to the client. Yet it’s common for clients to email their login credentials without so much as a second thought.

We need to invest in education—internally and externally.

I asked a client today for their PayPal credentials so we could configure their payment gateway and requested the user name by email and the password by text to my phone. I received both the user name and password in the same email and the password was—I kid you not—her first name. I wrote back and asked her to log in immediately, change the password to something VERY hard, and resend via TEXT. I explained the financial risk associated with emailing passwords to sites such as this, which has direct access to the company’s bank accounts.

She texted me the new password a few minutes later. Her first name followed by 1234. What’s worse, it’s the same password she was using at all of the company and her personal social media accounts, the company hosting account and the company’s main email.

I could only sigh, log in and change the password myself, which I did, and then texted it to the business owner.

In a conversation about this with my 30-year-old son (yes, a gamer/hacker), he pointed out to me this is an issue of semantics. My client’s understanding of a difficult password and my understanding differed (substantially). Thus when I requested a difficult password, she believed adding 1234 created sufficient security.

Many hackers make no attempt to guess passwords. They go the easy route of grabbing your password during a security breach. Think back to recent news when Adobe servers were hacked and millions of email addresses and matching passwords were stolen. If your client is (or you are) using that same email address and password for accessing other accounts, then the hackers who attacked Adobe may well now have access to your bank account, your credit cards, and so much more.

When we ask our clients for their credentials and do not enable them to provide these to us securely—and compound the problem by forwarding those unsecured emails to our team—we increase the risk to, and the potential losses of, our clients.

Here are some ideas for helping your clients protect themselves:

Texting Passwords
As I pointed out earlier, sending the user name via email and the password via text is helpful. As we’ve learned from Target, Adobe, Snapchat and others, nothing is failsafe. Though you cannot prevent hacking or interception, you can certainly throw in a few roadblocks to make it more difficult. It’s akin to parking your car after dark under the street light.

Pattern and Unique-to-site Passwords
Many people use the same password simply because it’s so difficult to remember multiple logins. Several years ago, I read a great blog for creating passwords—it’s one we still use today, and one we teach our clients. It provides for a different password for every account and website, and gives an extra layer of security, even if someone does manage to hack one of your accounts or access your credentials from an unsecured server. Shared here:

Choose the number of characters you will use for all passwords. Many sites today have a minimum of eight characters, so let’s go a bit higher: 10.

Grab the first six letters from the account you are accessing. For this example, we’ll use SpiderTrainers.com: spidert.

Now, choose two letters you will always capitalize. I’ll go with the fourth and sixth: spidErT.

Replace one character with the numeral of your choice. Don’t be obvious such as using numeral “1” for “I”—be unique. I’ll replace the second character with the numeral 9 for every password from here forward: s9idErT.

Choose two starter characters from the shift-numerals of your keyboard, for instance, “%^”: %^s9idErT.

Close it with two more characters from the shift-numerals of your keyboard, such as “#@”: %^s9idErT#@.

So, altogether, we have created a difficult password because it will be different for every account we have, but one that is easy for us to remember after we’ve become accustomed to our own pattern.

In the event a site has rules your pattern breaks, such as requiring the password to start with a letter, have a plan B password and use that.

Create a Phrase
Instead of the pattern trick, use the phrase trick and choose letters from the beginning of each word. For instance, “I think Amazon.com is a wonderful 1st Rate site!” results in: ItA.comiaw1strs!

Long Passwords
Most sites built today require your password to be at least eight characters, but the longer the better. If you use the pattern trick above, and you’re visiting Q.com, have a plan C. Add a word, such as engine, to any site too short to produce the base six characters.

No Names
Don’t use your name, your pet’s name, your child’s name, or your spouse’s name in your password. If you participate in social media, everyone on Facebook knows you have a boxer named Oscar.

Character
Passwords are ideal when you use at least one uppercase letter, lowercase letter, numeral and symbol, as we did in our pattern password above. Some sites or applications limit your use of special characters, but for the most part you can use: ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] | : ; " ' < > , . ? /.
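
The rules under Long Passwords, No Names and Character, plus the one-password-per-site rule, written as an explicit check so that “difficult” means the same thing to the client and the agency. This is an added example, not part of the original article; the 10-character minimum follows the article's own target, and the function names, the sample accounts and the name "Dana" are constructed for illustration.

```python
import string

MIN_LENGTH = 10  # the article's target; it notes many sites only require 8


def password_problems(password, names=()):
    """Return the article rules this password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "numeral": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems += [f"no {label}" for label, present in classes.items() if not present]
    lowered = password.lower()
    # "No Names": reject the owner's, pet's, child's or spouse's name anywhere.
    if any(name and name.lower() in lowered for name in names):
        problems.append("contains a personal name")
    return problems


def audit(credentials, names=()):
    """credentials: {account: password}. Returns {account: [problems]}."""
    accounts_by_password = {}
    for account, password in credentials.items():
        accounts_by_password.setdefault(password, []).append(account)
    report = {}
    for account, password in credentials.items():
        problems = password_problems(password, names)
        others = [a for a in accounts_by_password[password] if a != account]
        if others:  # same password on more than one account
            problems.append("reused on " + ", ".join(sorted(others)))
        if problems:
            report[account] = problems
    return report


# Constructed sample: a first name plus 1234 reused on two accounts, and the
# pattern password the article builds for SpiderTrainers.com.
SAMPLE = {
    "PayPal": "Dana1234",
    "Hosting": "Dana1234",
    "SpiderTrainers.com": "%^s9idErT#@",
}

if __name__ == "__main__":
    for account, problems in audit(SAMPLE, names=["Dana"]).items():
        print(f"{account}: {'; '.join(problems)}")
```
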

Lie
Many sites today use two-point verification: a password and a response to a question. If the site is asking you for your mother’s maiden name, lie and use JimmyChoo. Your mother’s maiden name is likely another bit of information pretty easily found on the web. If the site asks for your first pet, say giraffe. Your first car: roller skates.

Store It, If You Must
If you must store passwords, for yourself and your clients, store them in documents that are not labeled as or named “password,” and store them separately from the user names.

Change It Often
Just about the time you get comfortable with your pattern (assuming you use the tip above), change the pattern and notify the client. By text, of course.

Author: Cyndie Shaffstall. Posted on June 30, 2014. Categories: Data Security, E-mail.

Who Put the Techno Geeks in Charge?

Sometime in the last 10 years, we’ve allowed technology folks to make marketing decisions. And, not surprisingly, the fallout has been customer and prospect frustration with the brand.

Take account passwords, for example. How many times have you been:

  1. Forced to register on a website before you can simply “take a look around”?
  2. Required to set up a user name and password, only to receive error message after error message because you didn’t follow the setup protocol (which, by the way, was never revealed to you until after you tried to set up your account)?
  3. Placed items in your cart, completed the check-out process only to get a message that there is already an account with your email address (and been forced to spend an hour trying to find the password or reset the password so you can complete your purchase)?

Marketing in the digital age is hard enough. You need to build a website and then spend a lot of time and money figuring out ways to drive traffic to it—so why are the technology folks making it so damn hard to do business on the site?

You may be reading this thinking that it’s not always the techno geeks’ fault, and you’d be right. There are plenty of unsophisticated marketing types out there who make bad customer experience decisions, and shame on them too.

But if any of my recent experiences are an indication, the technology folks are equally, if not more, guilty of building sites without consulting the marketing team on many of the key strategic decisions that will affect user experience.

Most recently, I was working with a client on a landing page that was supporting an acquisition email. The B-to-B email effort was designed to drive prospects to download free content. We spent hours poring over prospect list selection. We spent countless hours discussing whether the content should be “locked” or “unlocked,” carefully weighing the pros and cons of each option. We carefully considered email subject lines, headlines, image selection and the call-to-action. We argued over the most effective title for our content piece, and carefully designed the front cover and rest of the research paper for optimum interest.

When all that work was complete, we turned it over to the technology team to implement: HTML code the email and landing page, and put all the tools in place for a positive user experience.

After we thought we had tested every possible aspect of prospect behavior, we blasted the email and waited … and waited … and waited.

Our email open rate was above the norm—and the click-through rate better than we had forecasted. But the take rate (number of prospects downloading the paper) was minuscule. What happened?

It seems nobody gave the business rules to the technology guy building the landing page … and he took it upon himself not to ask. Knowing that the purpose of the campaign was to drive prospects into the sales funnel, he took it upon himself to make sure the site rejected anybody who tried to register and download if their email address was already in the prospecting database. After all, in his mind, we were looking for new prospects … right?

Considering that more than 75 percent of those we were blasting were from our house file of past inquirers, you can easily see the problem.

You could say the communications between marketing and IT were lacking, and you’d be right. But the IT guy knew he needed to make business rules and yet he thought he was in charge of those—and it never occurred to him to ask anyone else—and it never occurred to the marketing manager that she’d need to fill in the IT guy with all the strategies and tactics she was utilizing in her campaign.

And while we’re on the topic, which IT guy decided that user passwords needed to be so damn complicated? Security professionals tell us to create a different password for every site (yeah, right) and the likelihood of my remembering each site password is remote, at best. But honestly, a simple site that does NOT collect my credit card information does NOT need me to create a 16-character password that consists of at least two alphas, three numerics and four symbols! Isn’t it enough for me to use my cat’s name and zip code if I don’t care if someone breaks into my account?

Author: Carolyn Goodman. Posted on March 14, 2014. Categories: B-to-B, E-Commerce, Marketing and Sales, Web Design.