IT Strategies for Your Business: Passwords
Password security is crucial for any small business. Most staff members will often create passwords that mimic their personal logins at home. While that may be helpful to remember logins by keeping things simple and similar, it can often lead to sensitive information being accessed by someone with bad intentions.
In this blog, we will discuss how to make sure your staff uses the proper strategies to make a strong password, the best time to reset a password, multifactor authentication, password managers, and ways to train employees to avoid being manipulated into giving up their passwords to hackers.
Did you know that nearly 3 million people still use the password ‘123456’? This password can be cracked in less than a second and has been exposed nearly 24 million times! It is important to make sure your staff knows the importance of strong passwords. For starters, it is best to avoid using dictionary words, a simple run of numbers, or a string of adjacent keys (think of passwords like “password”, “qwerty”, or “123456”). Also, please be sure to inform your team that repetitive or sequential characters like “AAAA” or “123abc” are not secure enough.
Staff members should know to never reuse passwords across multiple accounts. Ideally, there should be a unique password for each account, and these passwords need to be lengthy; anywhere between 12 and 16 characters should do. A secure password should include numbers, symbols, and both upper- and lower-case characters.
Another commonly used method is the Sentence Method. The concept is to think of a random sentence and transform it into a password. For example, a staff member could take the sentence “Woohoo! The Packers won the Super Bowl!” and create the password “WOO!TPwontSB”. This password is 12 characters long; although it does not include a number, it does include a symbol, and it is not so complex that a user could not remember it.
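The rules above can be turned into a small, auditable policy check so that weak choices are rejected at the point a password is set. The following is an added example, not code from the original post: it flags short passwords, too few character classes, repeated characters, keyboard or alphabet sequences, and common words, and it includes a random generator of the kind a password manager offers. The thresholds, the keyboard rows and the tiny wordlist are assumptions for the demo; a real deployment would check against a breached-password list.

```python
"""Password policy checker plus a CSPRNG-backed generator (added example)."""
import re
import secrets
import string

MIN_LENGTH = 12          # the post recommends 12 to 16 characters
MIN_CLASSES = 3          # of: lower, upper, digit, symbol (the sentence-method example has 3)
SEQ_LEN = 3              # flag any run of 3+ characters taken from a known sequence

# Constructed mini wordlist for the demo; use a breach corpus in production.
COMMON_WORDS = {"password", "welcome", "letmein", "packers", "monkey", "dragon"}

# Keyboard rows and ordered alphabets, forward and reversed ("qwerty", "123", "cba").
_SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
              string.ascii_lowercase, string.digits]
_SEQUENCES += [s[::-1] for s in _SEQUENCES]

_REPEAT = re.compile(r"(.)\1{2,}")   # the same character three or more times in a row


def _contains_sequence(pw: str) -> bool:
    """True if any SEQ_LEN-character window of pw is a slice of a known sequence."""
    low = pw.lower()
    for i in range(len(low) - SEQ_LEN + 1):
        chunk = low[i:i + SEQ_LEN]
        if any(chunk in seq for seq in _SEQUENCES):
            return True
    return False


def _class_count(pw: str) -> int:
    """How many of the four character classes appear in pw."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in pw) for t in tests)


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"too short: {len(pw)} < {MIN_LENGTH}")
    if _class_count(pw) < MIN_CLASSES:
        issues.append(f"needs at least {MIN_CLASSES} of lower/upper/digit/symbol")
    if _REPEAT.search(pw):
        issues.append("repeated character run (e.g. 'AAAA')")
    if _contains_sequence(pw):
        issues.append("keyboard or alphabet sequence (e.g. 'qwerty', '123')")
    if any(w in pw.lower() for w in COMMON_WORDS):
        issues.append("contains a common dictionary word")
    return issues


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


def generate_password(length: int = 16) -> str:
    """Draw from a CSPRNG and retry until the candidate passes the same policy."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_acceptable(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["123456", "password", "AAAAbbbb1!", "WOO!TPwontSB", generate_password()]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Running it shows the post's bad examples failing for the stated reasons and the sentence-method password “WOO!TPwontSB” passing. The sequence check is deliberately strict (three characters), which is the right trade-off for a policy gate but will occasionally reject a harmless word; raise `SEQ_LEN` if that becomes a complaint.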
At some point, it may be important to enforce a password reset policy. Most network administrators set passwords to expire every 90 days. Be mindful that some staff members may find it difficult to remember a new password that often. It could also cause your team to get a little careless about how secure they make their passwords going forward, especially if they are required to keep changing them. However, if you do not have a network administrator on staff, or your team takes longer to adapt to IT-related changes, a regular password change could be the better option.
In some cases, a strong password may not be enough. The information your staff handles may be incredibly sensitive and could need an extra layer of security. This is where multi-factor authentication comes in. In addition to a password, a staff member may also need something biometric (fingerprint, eye scan, etc.), a random PIN, or a physical token. So even if a hacker were to gain access to a password, they still cannot log in without that second code or fingerprint.
For example, if you were to go with a PIN code, multi-factor authentication is generally free to set up with mobile apps. Staff members can install Microsoft or Google Authenticator (available on iOS and Android) from the app store on their smartphones. If you would prefer not to use a phone, hardware tokens like a YubiKey can be used to generate PIN codes. Whatever method you choose, it is highly recommended that multi-factor authentication be used as often as possible.
Maybe you would prefer staff members just use one password to access all their logins. While this may seem unsafe at first, there are a few secure options out there. This is where password managers come in. Rather than having your staff type in a password for each login, they would only need to remember a single “master” password.
A password manager will store all unique passwords in an encrypted database, allow a user to organize them into folders, and even include a random password generator so the user is guaranteed to use the most secure password possible. Also, team members may need to share passwords to access information. Password managers allow this without having the staff member send the password via text or email.
The most common way a hacker may get hold of your staff’s passwords is through phishing and social engineering. They could send someone on your staff a phishing email telling them that something is wrong with their company card. It will most likely include a link that redirects to a phony website. From there, the hackers will just sit by and wait until the user logs in, then grab the card information.
Another example: a hacker may call an employee, claiming to be from Microsoft and explaining that they found the employee’s account was compromised. They will explain that the only way to fix this issue is to give them the login info so they can verify where the “compromise” is.
The best way to deal with these incredibly simple, yet common, attacks is to inform your staff about them. They should know to never click on a random link in an email they are unsure of. If they think there is a legitimate issue with their company card, for example, they should log in to the bank’s website in a separate tab or call the bank directly to verify. Your team should also know that Microsoft, Apple, or any tech support will never call asking for login information if there is a legitimate threat. They should hang up the phone immediately!
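User training is the first line, but the "link to a phony website" pattern described above also leaves a machine-checkable trace: the visible link text says one domain while the `href` points at another, the host is not one the business actually uses, or the page is plain `http`. The following is an added example, not code from the original post, of a mail-filter heuristic that flags such links so they can be quarantined or tagged before anyone clicks. The sample email, the allowlist and the "last two labels" notion of a registrable domain are all constructed for the demo; a production filter would use a proper public-suffix list.

```python
"""Flag phishing-style links in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside visible link text, e.g. "bank.example.com/login".
_DOMAINISH = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]{2,})+)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Naive registrable domain: last two labels (demo assumption, not a public-suffix lookup)."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html: str, trusted_domains: set) -> list:
    """Return [(href, [reasons...])] for every link that trips at least one check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        if registrable(host) not in trusted_domains:
            reasons.append(f"host {host!r} is not on the allowlist")
        shown = _DOMAINISH.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"visible text {shown.group(1)!r} does not match link host {host!r}")
        if parsed.scheme != "https":
            reasons.append("link is not https")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: one lookalike link dressed up as the bank, one genuine link.
SAMPLE_EMAIL = """
<p>There is a problem with your company card. Verify it at
<a href="http://bank-example-secure.com/login">https://bank.example.com/login</a></p>
<p><a href="https://bank.example.com/statements">View statements</a></p>
"""
TRUSTED = {"example.com"}   # constructed allowlist of domains the business actually uses

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, TRUSTED):
        print(href)
        for r in reasons:
            print("  -", r)
```

On the sample, only the first link is reported, with all three reasons; the genuine statements link passes. Feeding the same function the HTML of a training phishing email is a quick way to show staff what "the link does not go where it says" looks like in practice.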
To keep your data as secure as possible, please implement a solid password policy with your team, and be sure to reiterate it as often as possible. Make sure the policy has guidelines for password length, letters, numbers, and symbols. If you want to implement a password reset policy, be sure to make the time frame manageable for you and your staff.
If password sharing is crucial to your team, a password manager may be the best way to keep your logins safe when transferring them from staff member to staff member. Use multi-factor authentication as often as you can. Last but most importantly, keep your staff informed about the easy ways hackers try to steal password information from people. This is the easiest way for users to get hacked and for sensitive data or company funds to be stolen.