Simple guide to password security for your business

Digital technology and the use of the Internet have increased efficiencies and revolutionised the way most businesses work. However, this also exposes you to the risk of cyber theft and security breaches every time someone in your business goes online.

The techniques online criminals use advance constantly – keeping pace with technological developments – and include sophisticated programs to work out passwords used to protect company and personal data. To a cyber criminal, a weak password is the cyber equivalent of a cat burglar turning the handle of your front door and finding it unlocked. It’s an invitation to help themselves to your data.

This article explains how to minimise risk to your business by choosing strong passwords and avoiding the common pitfalls of poor password security.

How simple passwords are broken

There are two main ways your passwords can be compromised: through automated ‘dictionary’ or random generator programs, or by unknowingly disclosing the password.

A dictionary program contains lists of words, phrases or number combinations commonly used in passwords, like ‘abc123’ or ‘ilovemydog’. Other methods use a random word or number generator to try to guess the correct password. By using both methods, cyber criminals are able to test thousands of potential matches each day.

Unknowingly disclosing a password to attackers is generally the most common way password security is compromised. This involves an individual or group soliciting the password from an unsuspecting user. Often, the attacker will claim to be from your company’s Internet Service Provider (ISP) or IT department. These threats can be minimised by establishing a clear password policy for your workplace.

Things to avoid

Follow these simple suggestions to start minimising risk straight away.

Try not to use only letters or only numbers in your passwords – use a combination of both. This makes your password more difficult for cyber criminals to guess.

Resist the urge to use names of family members, friends, pets or other options that people might be able to work out from Facebook posts or from chatting to friends. Likewise, using important numbers such as phone numbers or birth dates is risky as any personal information is likely to be used against you in the event the password is cracked. Remember those bot programs? They can also check for number patterns, using standard date of birth formats (DD/MM/YY, for example) to run through every possible combination.

Using the same word as your log-in, or a similar word, for your password is one of the most common ways cyber criminals gain entry to networks – despite being so easy to avoid.

Try not to duplicate passwords – using the same password for multiple sites or networks could be a disaster for your business if it is compromised. You could even try separating your online activities with two sets of email addresses and passwords – one professional, one personal – so you know whatever you do online socially won’t impact you or your employer professionally.

Get into the habit of never disclosing a password over the phone or by email to anyone, regardless of their relationship to you. For example, if someone in your business urgently needs to view a file, try and send it through email or print it off rather than handing over your password.

Choosing strong, easy-to-remember passwords

The best passwords are easy to remember but difficult to guess. Substituting numbers or symbols for letters is a common way of trying to make a password more secure, such as writing ‘p@5sw0rd’ instead of ‘password’. However, this kind of substitution is becoming easier to detect thanks to the growing sophistication of bot programs. For this reason, it is best to mix lower-case and capital letters to make a password more secure.

Until recently, the minimum safe length for a password was estimated to be eight characters, but research now points to 12 characters as the new minimum. In 2010, researchers from the Georgia Tech Research Institute (GTRI) found that the processing power of modern graphics cards could allow a hacker to crack an eight-character password in just two hours, while a 12-character password would potentially take thousands of hours. The perfect password, according to GTRI, would be an entire sentence.
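To see why moving from eight to 12 characters, and leaning on length rather than ‘p@5sw0rd’-style substitution, makes such a difference, here is an added worked example in Python. It is not code from this guide or from GTRI: the character-set sizes are the standard printable-ASCII counts, and the guess rate of one billion per second is an assumed round figure for illustration rather than the GTRI measurement, so the absolute times are only indicative while the ratios between them hold at any rate.

```python
# Added example, not code from the guide or from GTRI: how the number of
# possible passwords grows with length, compared with letter substitution.

# Standard printable-ASCII character-set sizes.
CHARSETS = {
    "lower-case letters": 26,
    "mixed-case letters": 52,
    "letters and digits": 62,
    "printable ASCII": 95,
}

# Assumption for illustration only: one billion guesses per second. The real
# figure depends on the hardware and on how the passwords are stored.
ASSUMED_GUESSES_PER_SECOND = 10**9

# Constructed substitution table: each letter may stay as itself or become
# one of the listed replacements (the 'p@5sw0rd' trick).
LEET_ALTERNATIVES = {"a": ["@", "4"], "e": ["3"], "i": ["1", "!"],
                     "o": ["0"], "s": ["$", "5"], "t": ["7"]}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of that shape at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate


def length_growth_factor(charset_size: int, short_len: int, long_len: int) -> int:
    """How many times larger the search becomes when the password grows."""
    return charset_size ** (long_len - short_len)


def substitution_variants(word: str, alternatives=LEET_ALTERNATIVES) -> int:
    """Extra guesses a dictionary program needs to cover every substituted
    spelling of one word: the product over its letters of (1 + replacements)."""
    total = 1
    for c in word.lower():
        total *= 1 + len(alternatives.get(c, []))
    return total


def human_duration(seconds: float) -> str:
    """Express a duration in the largest convenient unit for a report."""
    for unit, size in (("years", 365 * 24 * 3600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        for length in (8, 12):
            print(f"{name:>20}, {length} chars: {keyspace(size, length):>28,} "
                  f"passwords, up to {human_duration(seconds_to_exhaust(size, length))}")
    print("8 -> 12 printable characters multiplies the search by",
          f"{length_growth_factor(95, 8, 12):,}")
    print("'password' with every substitution costs a dictionary program only",
          substitution_variants("password"), "guesses")
```

Four extra printable characters multiply the search space by 95 to the fourth power, over 81 million, whereas covering every ‘@’, ‘5’ and ‘0’ spelling of ‘password’ costs a dictionary program a few dozen extra guesses. That is the whole argument for length over substitution in two numbers.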

Remember, the best passwords contain lower and uppercase letters as well as characters, numbers or even symbols. Be careful which symbols you use – some might not be available on foreign keyboards if you travel.

It is best practice to use two or three words together instead of single words. The more random these are, the harder the password is to crack.

To help you remember difficult passwords, log in and out a few times to get a feel for where the keys are located. Try to resist keeping a written copy of the password in your wallet, or worse, at your computer. It might sound strange but often passwords are written down and hidden under mouse pads, keyboards or even stuck to monitors.

Consider using password management software if you are dealing with multiple passwords. Password management software stores encrypted passwords either online or on your computer and can securely enter passwords for you. There are multiple password management programs to suit various requirements that you can download for free or for a small cost.

Remember to change your passwords often

Regularly changing passwords can be a pain – especially when juggling multiple passwords – but it is a habit worth getting into. Most software providers recommend changing passwords every 30 to 90 days to prevent any security issues.

Ask your network administrator to set up your business’s computers so that your employees are required to change passwords at set intervals. This is easy to do and develops good habits.

Change passwords immediately if you suspect a password has been compromised or observed by someone else; there is no harm in being cautious.

Don’t re-use a previous password – it is easier to guess. Don’t use easy-to-guess password sequences such as mysecretpassword1, mysecretpassword2, and so on.
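The rules in ‘Things to avoid’, ‘Choosing strong, easy-to-remember passwords’ and this section can be turned into a check that runs before a new password is accepted, so that the dictionary words, substitutions, personal details and incremented sequences the guide warns about are caught at the point of choice. The following Python is an added example, not the guide's own code or any vendor's product: the wordlist, the substitution table, the date pattern, the user name and the sample passwords and personal details are all constructed here for illustration, and a real deployment would swap the tiny wordlist for a full one.

```python
# Added example, not from the guide: vet a candidate password against the
# guide's rules before accepting it. All data below is constructed.
import re

MIN_LENGTH = 12  # the guide's revised minimum

# Constructed stand-in for the wordlist a 'dictionary' program carries.
COMMON_WORDS = {"password", "abc123", "ilovemydog", "letmein",
                "qwerty", "welcome", "secret"}

# Undo the usual symbol-for-letter swaps so 'p@5sw0rd' is seen as 'password'.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Six or eight digits, optionally separated, as in DD/MM/YY or DDMMYYYY.
DATE_RE = re.compile(r"(?<!\d)\d{2}[/.\-]?\d{2}[/.\-]?(?:\d{4}|\d{2})(?!\d)")


def normalise(text: str) -> str:
    """Lower-case and reverse common substitutions, for comparison only."""
    return text.lower().translate(LEET_MAP)


COMMON_NORMALISED = {normalise(w) for w in COMMON_WORDS}


def contains_term(pw: str, term: str) -> bool:
    """Does the password embed a personal term (name, pet, phone, birth date)?"""
    pw_l, term_l = pw.lower(), term.lower()
    digits = re.sub(r"\D", "", term_l)  # '12/04/85' -> '120485'
    return (term_l in pw_l
            or normalise(term_l) in normalise(pw_l)
            or (len(digits) >= 4 and digits in pw_l))


def is_trivial_variant(old: str, new: str) -> bool:
    """Same password, or the old one with its trailing counter bumped
    (mysecretpassword1 -> mysecretpassword2) or letters swapped for symbols."""
    def stem(s: str) -> str:
        return re.sub(r"\d+$", "", s)
    return normalise(stem(old)) == normalise(stem(new))


def check_password(pw: str, username: str = "", previous=(), personal_terms=()):
    """Return the list of guide rules the candidate breaks; [] means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("length")
    if pw.isalpha() or pw.isdigit():
        problems.append("single_class")       # only letters or only numbers
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("case_mix")           # no mix of lower and upper case
    if username and normalise(username) in normalise(pw):
        problems.append("login_name")         # log-in name or a close variant
    if any(contains_term(pw, t) for t in personal_terms):
        problems.append("personal")           # family, pets, phone, birth date
    core = re.sub(r"[^a-z0-9]", "", normalise(pw))
    if core in COMMON_NORMALISED or any(w in core for w in COMMON_NORMALISED
                                        if len(w) >= 6):
        problems.append("dictionary")         # wordlist hit, substitutions undone
    if DATE_RE.search(pw):
        problems.append("date")               # DD/MM/YY-style number pattern
    if any(is_trivial_variant(old, pw) for old in previous):
        problems.append("history")            # re-used or incremented password
    return problems


if __name__ == "__main__":
    # Constructed user: log-in 'jsmith', pet 'Rex', birthday 12/04/85,
    # previous password 'mysecretpassword1'.
    for cand in ("p@5sw0rd", "mysecretpassword2", "Rex120485xyz",
                 "coffee-Tram-ladder-42"):
        verdict = check_password(cand, "jsmith", ["mysecretpassword1"],
                                 ["Rex", "12/04/85"])
        print(f"{cand:<24} {'OK' if not verdict else ', '.join(verdict)}")
```

The normalisation step is what defeats the ‘p@5sw0rd’ trick from the previous section: the candidate is compared to the wordlist after its symbols are mapped back to letters, exactly as a modern bot program would. The history check strips a trailing counter before comparing, so ‘mysecretpassword2’ following ‘mysecretpassword1’ is rejected as a re-use rather than accepted as a change.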

Consider a basic password policy for employees

Even if your business has only a handful of computer users, having a clear password policy and providing training and security updates are good ways of keeping IT security top-of-mind with your employees.

Teach your employees how to choose secure passwords and about the importance of password security to minimise your risks. A password policy details the importance of password security to your business and provides some standards for using passwords in the workplace.

Download this free Password policy template to draw up your password policy. Consider making a password policy part of the induction process for new employees or part of a wider policy for computer usage in your business.


This information is provided by Business.govt.nz

Last updated 7 November 2011