One of the things that is still amazing in this day and age, where data security breaches are common knowledge even among the most non-technical people, is what terrible choices people make in choosing passwords. In a survey of the most commonly used passwords of 2015, guess what was #1? If you guessed the word "password," you're wrong - that was #2. Number one was 123456.
Most of us know about creating strong passwords. They should be long - more than 8 characters; they should have a combination of upper and lower case characters, special characters and numbers. We know this, yet we still get it wrong. In striving to come up with something we can easily remember (so we don't just put the password on a sticky note and post it on our monitor!), we take something we know, like our kids' names. Being the very clever people we are, we swap the letter O with a zero and the letter E with the number 3 (no one will ever think of that!). Oh, don't forget! We still need a special character, so we slap an exclamation point on the end and come up with something like B0bbyB3cky!
The problem with this is that password cracking tools can easily break passwords that use the common substitutions people rely on to make a password easy to remember. If someone is targeting the firm, thanks to social media it is not hard to find out personal information about employees. This information can be fed into software that will then try all the combinations of the personal information that can be scavenged about them. This makes even stronger passwords vulnerable to being compromised.
Another common mistake is using the same password repeatedly. Once the bad guys get your password, they now have access to all of your accounts. A study of online users showed that 55% of people used the same password for most, if not all of their accounts. So what is the solution?
One thing to do is to use a password manager. A password manager is a program that can securely store all your passwords. Most have the ability to create unique, complex passwords for all the applications and websites you use. You in turn only have to remember the master password. I use a program called LastPass. I find the interface is intuitive and it integrates with most, if not all, of the applications I use. It now offers two-factor authentication, which I will get to in a moment. Other password managers that are available include RoboForm, DashLane, and 1Password.
A different password strategy is using a passphrase instead of a password. The benefits of a passphrase are that it is much harder to crack and much easier to remember. An example of a passphrase strategy that I like to use is picking a sentence or a quote at random from a particular book I like, for example: Mastering the right people doing the right things right Page #17.
This is the opening sentence from chapter two of the book Mastering the Rockefeller Habits by Verne Harnish, a great read for anyone in business if you aren't familiar with it. You might have noticed I also added the page number in the book to the passphrase, which gives me my numeric and special character requirements. One of the reasons that a passphrase is more secure than a password is that in most operating systems, once a password gets beyond 14 characters the system has to split it into two parts to store it. This renders most password cracking tools ineffective. Currently all mainstream operating systems support passphrases.
Finally, if your firm is dealing with highly sensitive data, you might consider two-factor authentication. Two-factor authentication requires the user to have two pieces of information, something they know, their password, and something they have, a security token. The security token will generate a one-time password when activated that is good for approximately 1 minute. The user must enter both values (the two factors) to authenticate. If they only have one they cannot get into the system. With two-factor authentication a hacker would not only need to have your password, but your device that generates the one-time password. The odds of that occurring are pretty slim.
In the past, two-factor authentication was usually too complicated and expensive for small businesses. It also required you to carry a "fob" or device that generated the one-time password. Now there are very affordable options for businesses, and the one-time password can be generated by an application that runs on most smartphones. LastPass, which I mentioned earlier, now offers two-factor authentication with a premium subscription, which is only $12.00 per year. It will not protect your internal systems, but it will protect your password database and most web-based logins and applications, which to me is well worth the cost.