Stories are breaking on sites like Fstoppers and Brandsmash about private Boudoir photos that appeared on a creepy voyeur forum. It’s hard to imagine a more humiliating nightmare for a photographer or their clients.
Photos came from several sites, including SmugMug, and we paid extreme attention over the last two days to how it happened. We tried to take some comfort in observing that in every instance, it came down to passwords that were guessable in just a few tries.
The question for us was what could we do that we weren’t already? Over the past year, we’ve done considerable work around this problem, but yesterday we decided to expose some of the alerts our systems generate to our customers.
When our systems see several password attempts on a gallery or folder, they now send an email to the owner of the SmugMug site. It identifies the gallery, gives the first few characters of each password attempt with asterisks for the rest (bou***), and adds info like time of day and geographic location the request may be coming from.
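The alert described above can be sketched as follows; this is an added example, not SmugMug's code. The threshold, time window, masking rule, gallery names and events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                    # assumed meaning of "several" attempts
WINDOW = timedelta(minutes=10)   # assumed look-back window

def mask(attempt, visible=3):
    """Keep a short prefix, as in "bou***"; never more than half the guess."""
    return attempt[:min(visible, len(attempt) // 2)] + "***"

class GuessMonitor:
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)  # gallery -> (time, masked guess, location)

    def record_failure(self, gallery, when, attempt, location):
        """Record one failed unlock; return alert text once the threshold is hit."""
        q = self.recent[gallery]
        # Mask before storing: a near-miss guess is almost the real password.
        q.append((when, mask(attempt), location))
        while when - q[0][0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        lines = [f"{t:%Y-%m-%d %H:%M} UTC  {m}  from {loc}" for t, m, loc in q]
        q.clear()                             # next alert needs a fresh burst
        return f"Password attempts on gallery '{gallery}':\n" + "\n".join(lines)

# Constructed sample events: (gallery, time, guess, approximate location).
T0 = datetime(2014, 1, 1, 2, 0)
SAMPLE = [
    ("Family Reunion", T0, "GRANDMA0", "Example City, US"),   # caps-lock slip
    ("Client Session", T0 + timedelta(minutes=1), "boudoir", "Unknown region"),
    ("Client Session", T0 + timedelta(minutes=2), "boudoir1", "Unknown region"),
    ("Client Session", T0 + timedelta(minutes=3), "Boudoir2014", "Unknown region"),
]

def run_sample():
    monitor = GuessMonitor()
    alerts = (monitor.record_failure(*event) for event in SAMPLE)
    return [a for a in alerts if a]

if __name__ == "__main__":
    print("\n\n".join(run_sample()))
```

The fixed `***` suffix hides the length of each guess, and capping the visible prefix at half the attempt keeps a short mistyped password from appearing in full in the email.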
Today our Support Heroes are receiving thank-yous from people whose family members couldn’t get in because they left the caps lock key on or forgot some aspect of the password (“it’s a cap O (oh), not a 0 (zero)”).
And we read two help tickets from photographers who discovered that their boudoir galleries had password guessers. Fortunately, they had long passwords that were too hard to guess, but they are still making changes like removing the word Boudoir from the title, and making the gallery Unlisted so only people who obtain the link can know of its existence.
One of the security upgrades that came with New SmugMug is that we don’t store passwords in a form that could leak in any way, including a systems breach, a bug, or a disgruntled employee. We use an industrial-grade cryptographic hash function.
The breaking stories are about Boudoir photos, but we host incredibly sensitive photos (all cloud services do) of unannounced products and even, we remember, photos of an upcoming TIME Person of the Year.
1. Set a good gallery password before uploading photos!
2. Set galleries and folders to Unlisted. Unlisted means no one can see them unless they have somehow been given a link. They cannot guess the link because it has a random string added to its URL. The combination of strong password + Unlisted is extremely secure.
You can learn more about how to protect your SmugMug galleries here.
We hope this helps, and thanks for being part of the SmugMug family!
Chris & Don MacAskill
No matter what you shoot, we’re pretty sure that all photographers need a little privacy every now and then. So whether you’re looking for a safe photo-home for an exclusive (reclusive) client or just for your mom, look no further than SmugMug. We’ve got a number of safeguards that can be mixed and matched to create the perfect bouquet of privacy.
Your Options, in a Nutshell
1) Unlisted Galleries. Often called “private” galleries, these galleries aren’t visible on your website to anyone but logged-in you. The only way fans can see one is if you give them a direct link.
2) Gallery Passwords. Provide a password and nobody can open it until they enter it right. You won’t be asked for it when you’re logged in to your account, because we know it’s you. Unsure? Look for the teeny yellow lock icon next to the gallery’s name.
3) Hello World! and Hello Smuggers! These toggles ensure that your stuff does or does not show up in web searches. “World” = Google, Bing, etc. “Smuggers” = SmugMug search. Set this site-wide from your Account Settings, or on a gallery-by-gallery basis via Gallery Settings.
Then, Take It Further With…
4) Hide Photo. Like unlisted galleries, but for individual photos. You can check the box under any image or video in your gallery to hide it, and only you, the gallery owner, will ever know it’s there.
5) Hide Owner. This gallery setting makes your URL generic. It doesn’t mean that your gallery isn’t visible, but it does remove your customizations and your nickname from the link so that viewers can’t trace it back to you. If you want, you can add a gallery password and/or make your gallery unlisted, too, when you use this feature.
6) Sharegroups. Share multiple unlisted galleries with one link using Sharegroups! These are amazingly useful for guiding friends, clients and family to specific galleries from your latest shoot, without having to worry about them being seen by the public eye. And better yet, they won’t get lost. You can put passwords on the galleries in your Sharegroups, if you wish, but you can also set a master password to let your viewers unlock them all at once.
7) Events. These are Sharegroups on steroids, available only on Business-level SmugMug accounts. You create Events with additional flashy features (slideshows, user registration, etc) and add galleries, give special people (e.g. clients) their own unique viewing link, and the ability to tag their favorite photos. Together, it makes browsing and buying photos a breeze.
8) Site-Wide Passwords. Not for the faint of heart! Lock your whole site from the top down. Anybody visiting links to your galleries will have to enter the correct password before they can see a thing. Even your homepage.
The Privacy Ripple Effect
- Lockdown doesn’t mean your images can’t be shared. Anyone who can view the gallery can still click Share or post a link to Facebook. Please think about whether or not you want your friends’ friends passing your links (and potentially viewing passwords) around. Feeling queasy? You can hide the Share button from your viewers by toggling Easy Sharing to “No” in your Gallery Settings.
- Keywords and searchability take a hit. This is a no-brainer to some, but we still sometimes get asked by photographers why their fans can’t find hidden photos via their site’s search box. In short: Only you as the logged-in site owner can search for (and find) images in unlisted and passworded galleries.
- Photos can’t be collected from unlisted and passworded galleries, unless it’s by you. As the logged-in owner you’ll always be able to collect your own photos, but guests won’t see the orange Collect button if the gallery is protected in any way. If the photo is collected from an unlisted gallery then your visitors won’t see a link back to the original. Photos collected from public, passworded galleries will be visible, but fans will need to enter the viewing password when they follow the link to see more.
- Feature a photo to make your locked gallery’s thumbnail pretty. We won’t display any part of the gallery when your gallery is protected with a password, and this includes thumbnails of the images within. But you can always swap the generic thumbnail for any image in that gallery — just use the gallery Tools button > This Photo > Feature.
- Unlisted and Passworded galleries
- Hello World! and Hello Smuggers!
- Everything about your Account Settings
- All about Gallery Settings
- How to hide individual photos
- Sharing multiple unlisted galleries: Sharegroups!
- Events, Favorites and how they work for Pros
- Site-wide passwords, and making your whole website private
- Keywords and searchability on SmugMug
- Collecting Photos, or putting photos in multiple galleries at once
- How to choose the thumbnail for your gallery
Update March 27, 2012:
You spent all weekend at the local soccer match shooting thousands of photos. When you got home you made sure to download, edit and upload them all right away. Parents are expecting photos! So you immediately shared the link, anticipating a slew of gushing order emails. Finally you drift asleep, thinking about the hundreds of successful dollars you’ll see in the morning.
But you get nothing.
If this sounds familiar, today’s your lucky day. We’ll talk about four painful symptoms that may indicate that something’s seriously wrong with your business.
1) No Sales. Zip. Zilch. Nada.
Did you forget to enable buying in your gallery? If you’re hearing crickets from the peanut gallery, this could be the case. When it’s off, your viewers have no way to add items to the shopping cart, even though they’re still able to browse photos. They probably think that you don’t intend to sell your photos at all.
HOW TO FIX IT: Visit your Gallery Settings and be sure that you’ve got Printing enabled. (It’s towards the bottom.) To be extra sure you did it right, take a minute to log out of SmugMug and browse your site like a customer.
2) No Download Sales: You Can’t Sell What You Give Away
Are clients emailing you every 5 minutes for their photos, but once you share them you don’t hear a peep? This could mean you’ve enabled your Originals. Don’t do this if you’re trying to make money! With Originals on, any visitor can easily download a full-res version of the image for free. It’s fab for friends and family. Bad for business.
HOW TO FIX IT: Open up your Gallery Settings and scroll down to “Security & Privacy.” Make sure a size other than Originals is selected there. You can go as small as Medium if you’re feeling saucy, but remember that people won’t be able to enjoy screen-filling photo goodness that way, and our data shows going too small will harm your sales. X3Large + Watermarking (see #4) is probably your best bet.
3) No Profits on Print Sales
You’ve received an order, yay! But there’s no profit. Uh oh. This means you haven’t properly set up your pricing and clients are buying your photos at-cost. If you’re reading this post, chances are that’s not exactly what you had in mind.
HOW TO FIX IT: Hit up this tutorial that guides you on setting up your pricing using Pricelists. You can set the amount of profit you earn (recommended) or set your final price that’s shown in the cart. Not sure how much to charge? Just don’t go too low. Here’s why.
4) Surprise! Your Pics Pop Up on Facebook
You’re browsing social sites and to your dismay, you find your photos in your stream being shared by your clients without your credit… or your permission. How did they get there?
HOW TO FIX IT: Make your (water)mark! Look here to see how to turn your logo or name into a transparent image and slap it on your display copies. Any legally-purchased downloads or prints will be clean and clear unless you set a Printmark, too. While you’re at it, enable Right-Click Protection and use the Easy Customizer to type easy buying instructions into the custom pop-up message.
Now we hope that you’re better-prepared to take on the next few gigs and start setting your sales on fire. Stay tuned for even more tips, tricks and best practices to help you have your best year in the biz.
Today we’re kicking off a new series of posts aimed to help you get the most out of your SmugMug account. Whether you’re new to the family or are one of our most loyal fans, we hope you’ll pick up a handy tip or two in this series!
Privacy Controls When You Want Them
Lots of you love to share full-res files with friends and family, but free ‘n easy may not always float your boat. If that sounds like you, check out these awesome image protection features bundled with your account.
- Disable originals – Stop access to seeing and downloading your full-res photos.
- Site-wide password – Lock it down so only certain folks can see your site.
- Gallery privacy – Protect your galleries or hide them from view.
- Disable external linking – Stops your photo from appearing on blogs and forums.
- Stop search engines – Keep your site out of search results.
- Turn off printing – Removes the Buy button from your gallery.
For Power Users:
- All the above features
- Right-click protection – Foil image theft with a customizable popup message.
- All the above features
- Watermarking – Put your name and logo on all your display copies.
Image Protection Strategies
- Remember that Right-Click Protection is just a deterrent and using that alone won’t stop image theft. Instead, we recommend you use a combination of the above features to get the best results. Example: Disable originals, turn on Right-Click Protection and apply a watermark with your link on it.
- If your photos have shown up on sites like Facebook without your permission, this can be a great thing! In case you missed it, check out this recent post from guest blogger Andy Marcus about how image sharing (combined with watermarking) helps his business get ahead. When fans share your watermarked pics, you snag more clients.
- If you’re managing your files with a program such as Lightroom, Aperture or Bridge, it’s a good idea to put your name and copyright information into the metadata so all of your info stays together.
- They can pay for your photos! Pros: Consider creating a default Pricelist so that any sales you make earn you a profit.
- Lastly, if you don’t want folks using the Share feature you can always disable that in your Gallery Settings. As the logged-in owner you’ll always see and be able to use that button, but they won’t. Win-win.
For quick reference, just bookmark this page. It lists the easiest ways to make sure your images are as safe as you want them to be.
Keep your eyes peeled for more tips to help you get the most from your ‘Mug!