How to Protect Your Business From Password Hacking
The keys to your confidential business data shouldn’t be left to chance
7 July 2016 | Risk Management
Password hacking is often overlooked by small businesses, yet the risks are real, and potential damage to the business could be catastrophic. Setting a few rules and procedures in place can reduce risks considerably, for little effort.
Data breaches of well-known internet or retail brands seem to occur with monotonous regularity, and give rise to most of the news headlines about password security. Security specialists give two main messages at these times: (1) no system is absolutely safe from hacking, and (2) a lot of people have weak passwords like “password”, “12345”, and “batman”. Research has shown that work passwords tend to be just as poor as personal ones, and often worse.
Just like the weather, the security of external services is beyond your control. You can’t change the likelihood of a data breach, but you can and should plan for it accordingly. It is sensible to assume that every online service, and indeed the systems of any other supplier or customer, is at risk of hacking.
In contrast, the security of user passwords is within the control of users. On the whole, a large number of us simply do not do enough to reduce the risk of password breaches. A recent prominent example was that of Facebook chief Mark Zuckerberg, who had several social media accounts hacked as he had used the same weak password for each – ‘dadada’ – and not changed it in several years.
Small businesses – password best practices
Small businesses are particularly vulnerable to password hacking as they are a potential target for deliberate commercial fraud. The business impact of a security breach can be quite devastating, yet unlike larger companies, small businesses do not have the benefit of an IT department to impose systems security on the organisation. This usually falls to the owner to manage.
So, what should small businesses do about security of online business services?
Simply put, elevate the importance of password controls in your business, and aim for best practice. Security industry advice on good password practices is well documented. The key recommendations are:
- Use strong passwords. Avoid dictionary words, personal details (family or pet names, birthdates), your username, adjacent characters on your keyboard (qwerty, 123456). Strings of random letters, numbers, and characters are more secure.
- Bigger is better. Longer passwords are harder to crack as the combinations increase exponentially for every extra character. Phrases or sentences (referred to as ‘passphrases’) are very useful for creating lengthy passwords.
- Never use the same password on different services. A breach on one site could reveal your password, which can then be used in a matter of minutes to access other services. An exception may be sites which don’t matter, such as news services. Best practice in your business is to stick with, well, best practice.
- Change passwords periodically, and don’t re-use old ones. Some services require this, but many don’t. Even annual changes will reduce risks (Mark Zuckerberg’s password was taken from a breach that occurred three years earlier).
- Don’t keep digital lists of passwords. Spreadsheets and text files are very easy to crack, whether accessed remotely or locally. If you must record login details, use password hints only, not the passwords themselves.
- Use two-factor authentication (where available). Also referred to as multi-factor authentication, MFA, or 2FA, this is routinely used by banks, and is increasingly offered by other online services. 2FA usually requires a combination of a password together with a temporary number generated on a mobile phone, USB stick, or other device issued by the provider.
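As an added illustration of the rules above (example code, not part of the original article), a small Python policy checker: it rejects the weak patterns the list names (common passwords, personal details, the username, adjacent keyboard characters) and scores length with a keyspace calculation, which shows why each extra character multiplies the work of a guessing attack. The deny-list, the 12-character minimum and the 60-bit threshold are constructed assumptions, not figures from the article.

```python
import math
import re

# Constructed deny-list standing in for a real breached-password corpus;
# the entries are the weak examples named in the article.
COMMON_PASSWORDS = {"password", "12345", "123456", "batman", "qwerty", "dadada"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 12        # assumed policy minimum; the article sets no number
MIN_ENTROPY_BITS = 60  # assumed threshold
# (regex, alphabet size) for each character class a password may draw from
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))

def charset_size(pw: str) -> int:
    """Size of the alphabet the password visibly draws from."""
    return sum(n for pattern, n in CLASSES if re.search(pattern, pw))

def entropy_bits(pw: str) -> float:
    """Upper-bound entropy log2(charset ** length): every extra character
    multiplies the keyspace, so length dominates. A password with structure
    (repeats, dictionary words) is weaker than this bound suggests."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0

def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if the password contains `run` adjacent keys, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False

def check_password(pw: str, username: str = "", personal: tuple = ()) -> list:
    """Return the policy rules the password breaks (empty list == accepted)."""
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if low in COMMON_PASSWORDS:
        problems.append("common password")
    if username and username.lower() in low:
        problems.append("contains username")
    if any(p.lower() in low for p in personal if p):
        problems.append("contains personal detail")
    if has_keyboard_run(pw):
        problems.append("keyboard sequence")
    if entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append("low entropy")
    return problems
```

In a real deployment the deny-list would be a full breached-password corpus, and the entropy bound is only a sanity check on length and variety, not proof of strength.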
Passwords for teams
Where staff have access to online services of any kind (including business email) this opens up more scope for human error or worse. Some additional precautions are advised to mitigate these risks:
- Establish a formal written policy for passwords. Discuss the procedures and the reasons for them with new starters and existing staff. Remind your team from time to time to stop standards from slipping.
- Set up password access for all portable devices. These include mobile phones, tablets, and laptops issued by the business, as well as privately owned devices used for work.
- Each user should have their own login credentials where possible. A separate user account should be set up for each person to access services, rather than sharing one account among staff.
- Shared computers should have separate user accounts. This extends to other shared devices – shared accounts can inadvertently allow login and password sharing.
- Have a leaver procedure. When staff leave, it is essential to close or lock the business online accounts which they were using. If a staff member leaves suddenly this can be more difficult. Where a notice period is available, digital account management should be an important part of the handover procedure.
- Use a central password management system. This is a feature of some Password Manager services; it strengthens security policies, simplifies starter/leaver management, and helps deal swiftly with any digital security issues.
How to remember 2M!z4n*gVpD34ngf$;4S
If random strings of characters, regular password changes, and no recording allowed seem an impossibility, you are not alone. Having robust password practices requires good management and the right tools. Fortunately some excellent tools have been developed to help you with this digital burden.
- Online Password Managers. These cloud-based services will securely store passwords as well as notes and other information, in an encrypted form. They also will generate random passwords for you, automatically log you in to services, and help with form-filling. Some services will also bulk-change your passwords for you, making periodic changes much easier. These services use a master password which is not stored anywhere, so it is essential that you set one you will remember.
- Browser-based password storage. Most web browsers have integrated password tools. Whilst these are convenient (and free!), they have definite drawbacks. The passwords are stored in an unencrypted form for starters. This means a hacker could potentially access any passwords stored there. Firefox has an additional level of security with a master password, but lacks many features of Password Manager services. Like all browser password tools, it is only useful when using that browser (often on a specific machine). Apple Keychain has similar limitations, and is designed for 100% Apple device users.
- Password desktop software. Similar to Password Manager services, but stored on your local machine or device. These tools are less flexible than Password Managers as they work only on the machine or device that they are installed on. They use encryption and a master password, so they are more secure than browser-based password tools.
- Paper lists. Spreadsheets and text files are definite no-no’s, but an external hacker has no way of accessing a handwritten password list. The experts recommend recording password clues, not passwords themselves, and keeping your list/notebook/sticky note out of sight at all times.
Supplier data breach! What to do?
If an online service reports that they have been hacked (or you read about it in the media), log in and change your passwords immediately. For good measure, apply a belts-and-braces approach and update passwords to all critical services. If you are using an online Password Manager service, use the bulk password changing feature if this is available. This will generate strong passwords and record the new details for you automatically.
Remember that passwords are the keys to some of your business’s most valuable assets. Treat them with the respect they deserve.