Passwords let you into your vital business systems and devices. Like the access cards for your building, they are the keys to your front door. Lose them and you are locked out, unable to serve your customers and losing money.
But how many do you need? How secure are they? Let’s look at why passwords matter so much for your business, and what you can do to better protect them and yourself. Passwords and their management sit right on the front line of cybersecurity.
Let’s start with the basics: uniqueness. Be honest. Nobody can remember a different password for every system or device they use, so how many of you reading this use the same password for some, or even all, of the systems and platforms you log into every day? This is very risky behaviour. If your Facebook password is the same as your Google password and your Facebook account is compromised, attackers will automatically try that same email address and password against Google and every other popular service (this is known as credential stuffing), so the chances are your Google account gets taken over too. And please don’t write passwords on post-it notes stuck to your laptop screen either. Store them securely, in a password manager, which also removes the need to remember them at all.
Definitely never use the same password for your recovery email (a backup Gmail address, for example) as for the account it protects, or you will find that when suspicious activity is reported to you, the attacker can reset your password before you can. Our tip: never use the same password twice anywhere. Then, if any one of these systems is compromised, you don’t need to reset all your online passwords, just the one that has actually been breached.
Now ask yourself: when did you last change your passwords? Again, the most common answers are ‘never’ or ‘hardly ever’. If a service you use every day, such as Twitter, LinkedIn or Facebook, has suffered a breach and you haven’t changed that password since, your credentials (your username and password) may already be out there, available to anyone willing to buy confirmed account details, usually on the dark web. This is big business. You can check whether an email address of yours appears in known public breaches with the free Have I Been Pwned service (haveibeenpwned.com).
This is because all of these major platforms have had public breaches (the hacks you hear about in the news). More concerning are the breaches nobody hears about, because the company itself has not yet detected them. This happens regularly, and the stolen data often surfaces months or years later. You must therefore take responsibility for your own security: change a password immediately when a service you use announces a breach, and don’t leave the same one in place indefinitely.
IT departments used to think that forcing users to change passwords every 30 days was best practice. It isn’t viewed that way anymore, because most users simply add a sequential number to the end of the old password each month, which makes the pattern easy to guess. Current guidance from NIST and the UK’s NCSC goes further and says not to force routine changes at all: change a password when there is evidence it has been compromised, and focus on uniqueness and length instead. For a small business with no breach monitoring in place, we think a brand new password every 6 to 9 months is a sensible middle ground.
Finally, let’s look at the actual strength of your password. Unbelievably, still today the most common passwords in the world are things like ‘password’, ‘admin’ and ‘password1234’. All of these are on every attacker’s word list and are broken in seconds using what are known as brute-force and dictionary attacks: computers, often rented cloud servers, try your username with thousands or millions of likely passwords, either directly against a login page or, far faster, against a stolen database of password hashes. Make yourself more secure by looking at both length and variety. A 6-digit password such as a birthdate has only a million possibilities and falls in a fraction of a second to raw computing power alone, but a 13-character password mixing capitals, lower case, numbers and symbols has a search space many trillions of times larger and would keep the same hardware busy for years, provided it isn’t just a dictionary word with a number bolted on. Criminals renting cloud computing power therefore go after the weak accounts first; they offer a greater return on the computing time invested. So make yourself harder to crack. The UK’s NCSC recommends three random words (add some numbers if the service insists) as a memorable way to get a long, unique password.
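To put numbers on the comparison above, here is an added worked example (our illustration, not code from the original article) that computes the search space, the equivalent bits of entropy and the time to exhaust it for the password classes discussed: a word-list entry, a 6-digit birthdate, a 13-character mixed password and three random words. The guess rates are assumptions: roughly 10^10 guesses per second models an attacker cracking stolen, fast-hashed (MD5/SHA-1) passwords on a GPU rig, and 10^4 per second models a site that stores passwords with a slow hash such as bcrypt. The word list, the 7776-word dictionary size and the sample passwords are constructed for the example.

```python
import math
import string

# Assumed attacker speeds (guesses per second). Offline cracking of a stolen
# database of fast, unsalted hashes on a GPU rig versus a database protected
# by a slow hash (bcrypt/argon2). Online guessing against a rate-limited login
# page is slower still, so these are pessimistic cases.
FAST_HASH_RATE = 10 ** 10
SLOW_HASH_RATE = 10 ** 4

# Constructed stand-in for an attacker's word list. Real lists hold millions
# of entries; the point is that anything on the list costs one guess.
COMMON_PASSWORDS = {"password", "admin", "password1234", "123456", "qwerty"}

# Constructed dictionary size for the "three random words" model (the Diceware
# list size). A larger vocabulary or a fourth word adds bits.
WORDLIST_SIZE = 7776


def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must cover to enumerate every
    password of this shape (lower, upper, digits, printable ASCII symbols)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def search_space(password: str) -> int:
    """Guesses needed to exhaust the class; a word-list hit is a single guess,
    so length and mixed case buy nothing for 'Password1234'."""
    if password.lower() in COMMON_PASSWORDS:
        return 1
    return alphabet_size(password) ** len(password)


def three_random_words_space(words: int = 3, digits: int = 0,
                             wordlist_size: int = WORDLIST_SIZE) -> int:
    """Search space for `words` random dictionary words plus `digits` digits,
    assuming the attacker knows the scheme and the word list."""
    return wordlist_size ** words * 10 ** digits


def entropy_bits(space: int) -> float:
    return math.log2(space)


def seconds_to_exhaust(space: int, rate: int) -> float:
    return space / rate


def human_duration(seconds: float) -> str:
    """Coarse, readable time scale for a report."""
    year = 365.25 * 24 * 3600
    if seconds < 1:
        return "under a second"
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:,.0f} years"


def report(label: str, space: int) -> str:
    """One line: bits of entropy and time to exhaust at both assumed rates."""
    fast = human_duration(seconds_to_exhaust(space, FAST_HASH_RATE))
    slow = human_duration(seconds_to_exhaust(space, SLOW_HASH_RATE))
    return f"{label:<34} {entropy_bits(space):5.1f} bits  fast hash: {fast:<16} slow hash: {slow}"


if __name__ == "__main__":
    # Constructed sample passwords for each class mentioned in the text.
    print(report("'password1234' (on the word list)", search_space("password1234")))
    print(report("6-digit birthdate '010190'", search_space("010190")))
    print(report("13 mixed chars 'kQ7#mZ2!pL9$v'", search_space("kQ7#mZ2!pL9$v")))
    print(report("three random words + 2 digits", three_random_words_space(3, 2)))
    print(report("four random words", three_random_words_space(4)))
```

The two rate columns make the practical point: you do not control how a website stores your password, so against a site with weak hashing only length saves you, while three random words are comfortable against a properly protected database and against online guessing. Run it with your own candidate shapes (not your real passwords) to see where they land.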
But password strength only gets you so far. What you really need is ‘two-factor authentication’, or 2FA for short. 2FA means you need two things to get into an account: something you know (your password) and something you have (a physical key, or a one-time code generated on your phone or sent to it by text). Our recommendation is to switch it on wherever an account offers it; it is there for your protection. We understand that some users don’t fully grasp how these devices work, and people are wary of change. Some options are free, such as the Google Authenticator app, which generates a fresh six-digit code every 30 seconds; others are small physical devices you buy and keep with your house and car keys, such as Yubico’s YubiKey. Text-message codes are better than nothing, but codes from an app are better, and a hardware key that checks the website’s identity is better still, because a fake login page cannot trick it into handing over a code. All of these protect your accounts even if the password itself leaks, which means your business is better protected. So use them.
In conclusion, if you would like advice on password management in your business, or want to know how to roll out, configure and set up 2FA, get in touch; we’d be happy to help and advise. Call us today on 01978 345247 or email us at firstname.lastname@example.org