In the course of my 20-year career, the one thing I’ve seen again and again is that people have terrible passwords.
We often use the same one again and again.
I get it. We are in a hurry, we just want to create the account and move on.
Others keep the same one for years at a time.
Password Security: Too Important to Ignore
It’s so easy to forget the last time you changed a password. With over 100 passwords, I let software remember and change mine.
And yet, managing your passwords needs to be a top priority – especially for small businesses. I put it right up there with another non-sexy business essential: security patches. It’s an important component of your overall data security.
Is it a pain? Yes.
Is it essential? Absolutely.
Most small businesses and nonprofits can’t recover quickly from a data breach or a hack. Businesses usually can’t afford to be down for a few hours, days, or weeks.
Few things are more devastating to a small business than losing its credibility – particularly considering its smaller customer base and limited resources. Nothing breaks customer trust like having to tell your customers their data was passed along to cyber criminals. Or, telling your customers that a hacker wiped everything out and they need to provide their information again.
Data Breaches: A Real Problem
Unfortunately, data breaches are here to stay. So far in 2016, there have been 657 known data breaches exposing over 26.8 million records (Source: ID Theft Center). It’s estimated that 30,000 websites are hacked every day, which threatens not only business data but also customer information.
If your credit card company mysteriously sends you a new card or you receive an email from a company urging you to change your password (e.g., Dropbox), chances are your information is among the millions of records released into the public domain – with or without your knowledge.
For a small business, having your website or domain hacked, losing customer list(s) to a data breach, or a social media hack with forced follows and spam posts present nightmarish scenarios.
Although the technical issues may be cleared up in hours, it could take months to recover lost revenue, and some small businesses never recover at all.
Although there are many steps to comprehensively protecting your confidential and sensitive information, understanding the importance of password security management is a significant and manageable step every organization can take.
Here are a few proactive things you can do to learn the importance of password security & boost your protection:
#1 Take a look at your passwords
“It takes only 10 minutes to crack a lowercase password that is 6 characters long” (Hosting Tribunal).
Make it your goal to frustrate criminals. Every password should:
- include upper and lower case letters, numbers, and a special character (e.g., !, #, ?);
- be at least 10 characters long (preferably 15 characters);
- not be easy to guess (e.g., don’t use your account username, birthday, or address); and
- be changed at least every 6 months, and immediately whenever you have reason to think it was exposed (a breach notice from the service, or someone who knew it has left the business).
Cybercriminals are looking for the easy mark. A recent survey found 67% of millennials use passwords like “password”, “1234”, or their username or birthday (all big no-no’s).
There are plenty of easy targets out there. Don’t be an easy mark.
Cyber criminals use automated tools to crack passwords, and they take every username and password leaked in one breach and try it on other sites (known as credential stuffing). If you use the same one for multiple accounts, it’s like leaving your keys on the front porch. Maybe no one will unlock the front door, empty all of your belongings into the back of your car and drive off … but I’m guessing you don’t leave your keys on the front porch. With passwords, the stakes are higher because your digital front porch is globally accessible.
One of my favorite articles (I can’t believe I just said that out loud) is called How a Password Changed My Life.
It puts a new spin on things. The author created passwords connected to personal goals and mantras that helped him quit smoking and save money for a trip to Thailand. It sounds funny, but some passwords are typed in several times a day and if you’re saying it to yourself as you type it, those goals become your reality. When it’s time to update, you pick a new goal.
Another approach would be if you have a hobby or interest that could generate several unique ideas. For example, a movie buff might know that Samuel L. Jackson has 165 acting credits. Each password could be the name of a film, the year, and a special character. Boom. Done.
Because we all tend to use the same patterns when creating passwords, and cracking tools are built around exactly those patterns (a wordlist of names and titles plus rules that append a year and a symbol), the most secure protection is a long, random password generated and remembered by software. This is the method I use.
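To put numbers on the cracking quote and the checklist above, here is an added example in Python (not part of the original post): it computes the search space for a given alphabet and length, checks a password against the list above, and generates a random password with the `secrets` module. The rate of one billion guesses per second is an assumption, representative of a GPU attacking a fast unsalted hash; at that rate a 6-character lowercase password is exhausted in well under a second, so the quoted 10 minutes corresponds to roughly half a million guesses per second. The function and variable names are mine.

```python
"""Added example (not from the original post): keyspace arithmetic for the
cracking quote, a check for the password checklist, and a CSPRNG generator."""
import math
import secrets
import string

# Assumption: one billion guesses per second, the order of magnitude a GPU
# reaches against a fast unsalted hash. Slow salted hashes (bcrypt, scrypt,
# Argon2) reduce this by several orders of magnitude.
GUESSES_PER_SECOND = 1_000_000_000

SPECIALS = string.punctuation  # the 32 printable ASCII symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random from that space."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for a full search at the assumed guess rate."""
    return keyspace(alphabet_size, length) / rate


def charset_size(password: str) -> int:
    """Alphabet an attacker must search, inferred from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SPECIALS for c in password):
        size += len(SPECIALS)
    return size


def meets_policy(password: str, username: str = "",
                 forbidden: tuple = (), min_length: int = 10) -> bool:
    """The checklist from the post: mixed case, a digit, a special character,
    at least min_length characters, and no guessable string (username,
    birthday, address) embedded in it. `forbidden` carries the caller's own
    list of such strings; the comparison is case-insensitive."""
    lowered = password.lower()
    guessable = [s.lower() for s in (username, *forbidden) if s]
    return (
        len(password) >= min_length
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SPECIALS for c in password)
        and not any(s in lowered for s in guessable)
    )


def generate_password(length: int = 15) -> str:
    """Uniformly random password over all 94 printable characters, drawn from
    the OS CSPRNG via `secrets` (never the `random` module). Resample until
    every class is present so the result also passes meets_policy()."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    for size, length, label in [(26, 6, "lowercase, 6 chars"),
                                (94, 10, "all classes, 10 chars"),
                                (94, 15, "all classes, 15 chars")]:
        print(f"{label:>22}: {entropy_bits(size, length):5.1f} bits, "
              f"{seconds_to_exhaust(size, length):.3g} s to exhaust")
    print("example random password:", generate_password())
```

Note that `charset_size` and `meets_policy` only measure what a human-chosen password looks like, not how it was chosen; "Pulp Fiction 1994!" passes the checklist yet falls quickly to a wordlist-plus-rules attack, which is why `generate_password` draws every character from the CSPRNG instead.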
#2 Who has access?
Unfortunately, your small business data is only as secure as its weakest link.
Who has access to your most important assets including finances, customer data, website(s), etc.? There are several possible vulnerabilities to consider:
- Former employees
- Tax preparers
- Web developers
- Shared web hosting – multiple users logging into the same web server
- Social media managers
- Shared folders/files on Google Drive, Microsoft OneDrive, iCloud, Dropbox, etc.
Changing your personal passwords may not be enough. You might find after some careful reflection that a lot of people have access to your small business information. It’s likely that you’ll need to create a plan of action to ensure as few people as possible have access to your sensitive business information.
#3 Managing Your Information: Learn the Importance of Password Security
I’m an example of a provider that has access to small business information and accounts. I create websites that require me to have an administrator role for the websites I support. I also manage client webmaster tools and analytics that are connected to Google and Bing (Microsoft) accounts.
Every client should be asking me how I am protecting their information. You should ask your providers too.
I use a password manager to encrypt, store, and create secure passwords for my clients, my business, and my personal accounts. It costs me about $12/year, syncs on all of my devices, and I’ve enabled two-factor authentication, which means I approve or deny each login into this software.
You aren’t fooling anybody if you have your computer password written on a post-it note hidden under your keyboard.
I’ve seen that “trick” dozens of times. If you have your passwords written down on a piece of paper and “hidden” somewhere, it’s easy to lose (and for others to find).
Password managers are encrypted databases that hold all of your websites, usernames, passwords, and secure notes. The data is encrypted on your own device before it is synced to the provider’s server, and your password “vault” is unlocked with a master password – the only password you will need to remember.
A good password manager not only stores your passwords but also creates reports to review the strength of your passwords, and generates random secure passwords. I use LastPass because it works seamlessly with mobile and desktop applications. LastPass offers a free version. The reporting feature helps you review duplicate/weak/old passwords, potentially compromised accounts, and overall strength.
While you learn the importance of password security, I recommend checking out a couple of the top-rated managers (e.g., LastPass, Dashlane, Sticky Password) – look for ease of use and whether it includes the features you need (e.g., sharing, mobile integration, desktop applications, password strength reports, management for businesses with employees, service providers, etc.). Go with an established, well-respected provider that does not store your master password – you should be the only person with access to it.
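The property in the last paragraph – that nobody but you, not even the provider, holds the master password – comes from how the vault key is derived. This added example (not the post’s, and not any vendor’s code) sketches the usual design using only Python’s standard library: the master password is stretched with PBKDF2 on the client into a vault key, a one-way login token derived from that key is all the server ever sees, and the vault is encrypted before it leaves the device. The iteration counts, the account identifier as salt, and the HMAC-in-counter-mode stream cipher (a dependency-free stand-in for AES-256-GCM) are all assumptions of this example, as are the names.

```python
"""Added example, not the post's or any vendor's code: the master password and the vault key never leave the client."""
import hashlib
import hmac
import os

# Assumptions: 600k client-side PBKDF2-HMAC-SHA256 iterations (OWASP's current
# minimum) and 100k server-side rounds over the login token.
CLIENT_ITERATIONS = 600_000
SERVER_ITERATIONS = 100_000


def derive_vault_key(master_password, account_id, iterations=CLIENT_ITERATIONS):
    """Client side; the account id is the salt, so a reused master password still yields distinct keys."""
    salt = account_id.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def derive_login_token(vault_key):
    """Client side, one-way: the server sees this value, never the vault key."""
    return hmac.new(vault_key, b"login-token", hashlib.sha256).digest()


def _subkeys(vault_key):
    return (hmac.new(vault_key, b"encryption", hashlib.sha256).digest(),
            hmac.new(vault_key, b"authentication", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in stream cipher so the example
    # needs no third-party package; production code would use AES-256-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key, plaintext):
    """Encrypt-then-MAC under a fresh random nonce."""
    enc, mac = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def decrypt_vault(vault_key, blob):
    """Tag check first: a wrong key or a modified blob is rejected outright."""
    enc, mac = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong master password or vault tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class VaultServer:
    """What the provider keeps: a salted hash of the login token plus opaque ciphertext."""

    def __init__(self):
        self.accounts = {}

    def register(self, account_id, login_token, blob):
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", login_token, salt, SERVER_ITERATIONS)
        self.accounts[account_id] = {"salt": salt, "verifier": verifier, "vault": blob}

    def login(self, account_id, login_token):
        rec = self.accounts.get(account_id)
        if rec is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", login_token, rec["salt"], SERVER_ITERATIONS)
        return hmac.compare_digest(candidate, rec["verifier"])

    def fetch_vault(self, account_id, login_token):
        return self.accounts[account_id]["vault"] if self.login(account_id, login_token) else None


def run_scenario(iterations=CLIENT_ITERATIONS):
    """Constructed walk-through: register, fetch the vault back, then try a wrong master password."""
    server = VaultServer()
    account, master = "owner@example.com", "correct horse battery staple"
    key = derive_vault_key(master, account, iterations)
    token = derive_login_token(key)
    vault = b"bank.example: alice / Xk9#qLm2$vPw7\nhost.example: admin / 7Tz!rQ4wNb@e"
    server.register(account, token, encrypt_vault(key, vault))
    blob = server.fetch_vault(account, token)
    wrong_key = derive_vault_key("Correct Horse Battery Staple", account, iterations)
    try:
        decrypt_vault(wrong_key, blob)
        wrong_password_decrypts = True
    except ValueError:
        wrong_password_decrypts = False
    return {
        "login_ok": server.login(account, token),
        "wrong_login_ok": server.login(account, derive_login_token(wrong_key)),
        "roundtrip": decrypt_vault(key, blob) == vault,
        "wrong_password_decrypts": wrong_password_decrypts,
        "ciphertext_hides_plaintext": b"alice" not in blob and master.encode() not in blob,
    }
```

The point to check when evaluating a provider is the split shown here: everything stored server-side (the salted verifier and the ciphertext) is useless without the vault key, and the vault key exists only on your devices. That is also why a forgotten master password cannot be “reset” by support the way an ordinary website password can.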
I wish I could say there aren’t any bad guys out there that want to steal your information. I hope this post helps you to take action. Ask questions, take control of who has access to your information, and find a method to manage your passwords.
It’s your information – protect it.