While it's old news that passwords provide the most important layer of protection for your various business-related accounts (emailing, accounting, online banking, PayPal, to name but a few), many small business owners still fail to pay proper attention to crucial details when creating passwords for their confidential accounts.
Working at a privacy company allows me to talk to and gain insight into the privacy practices of small business customers and I'm often shocked to find out what rudimentary mistakes they make when it comes to safeguarding their accounts.
Let the robots do it
When I asked them why they used the weak passwords they did, the most common answer I got was: "Because they're easy to remember!" While this thinking may sound logical, it is neither practical, nor secure!
First of all, modern browsers can save and remember complex passwords for you. You must have come across this feature (and I'm sure you have been using it) anytime you entered a new password, or signed up for a service. In such scenarios, your browser asks you instantly: "Do you want (browser name) to remember your password for this site?" And then there are the "Remember me", or "Keep me signed-in" features to further enhance your convenience. Let's say you have 30 different accounts across the web, for emailing, finances, shopping, social networking, etc. It'd be humanly impossible to know all those passwords by heart (unless, of course, you use the same password across all accounts!) so browsers can save you from that hassle.
Secondly, password managers can not only remember, but also create complex, unique and super-secure passwords for each and every account you use. The only password you need to remember (or have at hand) is the master password, also called the access key (which also needs to be very strong, of course), that protects all the other saved passwords. But other than that, logging in to dozens of sites becomes effortless and secure using a password manager. To increase your protection against keylogger software, password managers often include a virtual keyboard that lets you enter the characters of your passwords by clicking the keys of the virtual keyboard, instead of typing them on the physical keyboard.
Old school still rocks
Having said that, it is still important that you note down your passwords as soon as you create them to have a "backup file" should you need it. I recommend you take an ordinary notebook (not a digital one!) and copy your passwords there. Make sure you store that notebook in a secure place. (Bruce Schneier actually suggests storing your password list in your wallet!) You may also store your passwords on your computer, but only if you encrypt them first. Storing your passwords on your computer in plain text format is an invitation to be hacked. Just imagine if your laptop or tablet gets stolen or lost: the thief, or the one who finds it, can just open your Excel chart called "Account info", or "Passwords" and access your accounts without having to crack your passwords first!
Fighting supercomputers and social media exposure
There are two important reasons why it has become easy for cybercriminals to crack weak passwords.
For one thing, hackers use powerful computers that can process millions of character combinations per minute! This practice is called a brute-force attack, which basically tries every single combination against your password, based on some preliminary information hackers gain about your password. Since we are talking pure mathematics here, your password strength boils down to two basic features: length and complexity. That's why you need to pay attention to these details when creating passwords.
Secondly, Google and social media services offer cybercriminals more than enough personal details about you to increase their chances of successfully resetting your passwords, pretending they are you. Let's say they look you up on Google, Facebook, Twitter and LinkedIn to gather important data about you. Besides your company, or personal email, they can find out about your DOB, birth place, details about your family members and friends, the list of schools you went to, your favorite movies, cars, bands, info about your hobbies, etc.; details you have most probably used as answers to password-reset security questions when signing up for various services.
With a bit more digging, hackers can also find the alternate email addresses you most probably used as recovery addresses when creating passwords for your accounts. They can then access major email, or financial services on the web, enter your email address and ask the service to reset your password. They'll be taken to a page where they can start playing with the details they know about you: in order to reset your password, some services ask for your recovery email address, some want to know your favorite band's name and so on. The point is that, in this day and age, unauthorized parties can easily find these details about you on the web.
There are two important best practices for increasing your privacy in this regard: First, when asked for a recovery (alternate) email address during a sign-up process, make sure you give an email address that's not public. This way you can prevent hackers from being able to mine it from the web. Secondly, when asked to provide answers for security questions, go for some really irrelevant, or silly answers (and write them down so that you have them when you need them). For instance, if your Facebook page reveals that your favorite band is "The Beatles", make sure the answer you give to the question "What's your favorite band?" is really off topic, for instance, "Pumpkin pie".
And now let's take a look at 5 mistakes you should avoid when creating confidential business passwords.
Make sure your passwords don't have any of the deficiencies listed below!
1 Too short
Simply put, the shorter your password is, the less secure it is. The plain reason is that each character you add to your password multiplies the number of possibilities that have to be tried to crack it. Let me give you an example:
If your password were "12345678", it would require the attacker to try 556 possibilities whereas if it were "123456781234" that would increase the number to 165 000.
However, up to 8 characters, computers do a pretty amazing job when it comes to breaking your security string, even if it's fairly complex. That's why it's highly recommended to go for at least 12 characters, but getting into the habit of creating passwords 14-16 characters long is even better. Cracking a complex password of 14-16 characters could take decades even for hackers using supercomputers.
2 Too easy to guess
I think this is the easiest mistake to make when it comes to coming up with passwords. Believe it or not, "password", "123456" and "admin" still make it to the International Top 10 on the list of passwords people use. No doubt, they are easy to remember and require little effort to "create", but please, don't ever use them!
Then there are passwords built from your name, DOB, company name, spouse's, or child's name, part of your mobile number (or combinations of the aforementioned) and other similar details hackers can easily associate with you.
Numeric, or common sequences also make bad passwords. Using "qwerty", "abcdefg", or "1234" can quickly open the doors of your accounts to cyber threats.
Dictionary words won't help your privacy either. Hackers can easily check hundreds of thousands of entries in a very short time.
If you would like to avoid this trap, you need to say goodbye to banality and say hello to the advice given in Tip 3.
3 Not complex enough
Even though "127873580283647" doesn't sound like the easiest password to guess, it still doesn't mean it is a secure one. Why? Because it isn't complex at all. It only contains numeric characters which makes it easy for hackers to crack it. Even though the number of possible combinations is a quadrillion, it could be cracked within a day! However, as soon as you throw in just a couple of symbols, the whole picture changes:
The password "12!787358^0283647" would take decades to crack, because it would require the hacker to try 59 quintillion possibilities (59 000 000 000 000 000 000)!
That's why it is recommended that you use a combination of the characters below to achieve strong passwords:
- Lowercase alphabetic characters
- Uppercase alphabetic characters
- Numeric characters
Here is an example of a pretty strong, complex password: 2$tH9o:pn^68*eqV
Many services try to help you create a strong password when signing up by showing, on a scale, how strong the string of characters you enter is.
4 Already in use
Another common mistake many people make is using the same password across multiple accounts. The real problem with this practice is that if a hacker manages to crack your password, he can access (and will try to access!) all your other accounts where you used the same password. Just imagine: by cracking your Gmail account, he then can access your online banking, social networking, or PayPal account! Therefore, never ever reuse passwords, however tempting it may feel to.
5 Not protected with two-step authentication
To protect users' confidential accounts with an extra layer of security, many services now offer the option of "2-step verification". It basically involves the use of a second "password", a security code sent to your mobile number. This means that even if a hacker manages to steal your primary password, they won't be able to access your account because it is still locked with the security code. Unless they gain access to that code (which is highly unlikely), they would be granted no access to your account even if they have your primary password.
While it may feel like a bit of a drag to have to enter an extra password at each login, that small inconvenience is really worth it. And actually, you may even ask the service provider not to ask for the security code on a particular computer, only if your account is accessed from another, unrecognized device.
Here is a very useful list of important services that offer you 2-step verification, including Facebook, Google, Amazon, Bank Of America, Dropbox, PayPal, etc.
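Mistakes 1 to 4 above can be checked mechanically before a password is accepted. The following Python sketch is an added example, not code from East-Tec or any product mentioned here; the function names, the four-character sequence window and the three-class threshold are assumptions, and the word list contains only the weak passwords this article names.

```python
# Weak passwords and sequences named in the article; extend with a real list.
COMMON = {"password", "123456", "admin", "qwerty", "abcdefg", "1234"}
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12    # the article's recommended minimum
MIN_CLASSES = 3    # assumption: the article gives no exact threshold


def char_classes(pw):
    """Return the character classes (lower/upper/digit/symbol) used in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive keys of a known sequence,
    typed forwards or backwards (e.g. "1234", "ytrewq")."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def audit(pw, personal=(), in_use=()):
    """Return which of the article's mistakes 1-4 the password commits.
    personal: details tied to the owner; in_use: passwords of other accounts."""
    low = pw.lower()
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too short")
    if (low in COMMON or has_sequence(pw)
            or any(len(p) >= 3 and p.lower() in low for p in personal)):
        findings.append("too easy to guess")
    if len(char_classes(pw)) < MIN_CLASSES:
        findings.append("not complex enough")
    if pw in in_use:
        findings.append("already in use")
    return findings
```

An empty result only means none of these four mistakes was detected; mistake 5 concerns the account's settings and cannot be read from the password itself.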
Ensuring your password privacy is a crucial security step to better safeguarding your business against cyber-criminals, identity thieves and laptop thieves. If you get into the habit of creating complex passwords 14-16 characters long, following the tips I've shared with you (avoiding reuse!!), and opt for 2-step verification where possible, your password privacy will significantly increase. And even though the headline of my post suggests that the tips are for creating passwords for accounts you are about to sign up for, it's never too late to change your already existing, weak passwords.
About the author: Adam Csorghe is the communications manager and a customer adviser at East-Tec, a privacy software company and he enjoys writing about privacy security topics.