Implementing Password Security

June 7, 2013 in Cyber Attacks, Small Business

It seems like every few months another blogger or security maven laments the passing of the password, a security tool that has supposedly outlived its usefulness and should now be replaced with something more suited to the times, more effective, more secure.

And while the password might be on life support, it is not quite gone. Which means you still have to take it very seriously, because in most cases it is the only protection an account has.

And you should also accept that if the password is mortally wounded, it might be partly your fault. We know, from hard evidence, that passwords have been weakened by their own owners.

And we know this because of another major security problem: data breaches. Thanks to hundreds of breaches that have exposed millions of personal records and passwords, we now know exactly what kinds of passwords people choose.

For example, a company called SplashData analyzed millions of stolen passwords that were posted online in 2012 by the very attackers who stole them, and the news is as bad as it is predictable.

So without further ado, and no smirks please, here are the top five most common passwords on that list:

1. password

2. 123456

3. 12345678

4. abc123

5. qwerty

That’s right. The most common password in use today is “password.” And the news doesn’t get any better the further down the list you get. Coming in at #16 is the unbelievably-hard-to-crack “123123,” and rounding out the top 25 is the cryptically genius – wait for it – “password1.”

I ask you: do we really think hackers are that stupid, or do they think we are? And who’s right? I have a feeling I know the answer, but I’ve chastised you enough.

So until you no longer need passwords, here are some essential tips every business owner needs to follow in order to get the best out of them.

  • Before all else, have a password policy. It’s not complex. It just lays out what your password rules are: how passwords are created and by whom, how long and random they must be, how they must be protected (never shared, never emailed, never stored in a plain file), when they must be changed (at a minimum, promptly whenever there is any sign of compromise), and what the procedure is for revoking an employee’s or contractor’s password when that person no longer works for you.
  • Share that policy with every employee or contractor who has access to your computers, networks, bank accounts and so on. Make sure they read and understand the policy and practice it daily, and make sure they understand that there will be consequences if they ignore it. Which means you must already have explained the consequences to them and got their agreement.
  • Focus on your most important passwords. Which ones those are depends on your business, but the list should include website administration, network and computer access, online bank accounts, and email (since email is where every other account’s password reset lands). The more important an account is, the longer and more random its password should be, and the more quickly it should be changed if anything suggests it has leaked.

And if you or your employees have a tough time remembering all those long and complex passwords, here’s an idea: start thinking about passphrases instead. A passphrase does all the things a good password should do. It can include all the mixed-case letters, digits and symbols you need, it can easily run to 12 characters or more without being hard to remember, and you can create several of them without worrying about forgetting them.

Here’s how a passphrase works:

  • First step – think of a phrase that describes something about you and your life, that’s easy for you to remember but that a hacker would have a very hard time knowing or guessing.

– For example, the phrase could be something like “I graduated from Notre Dame University on June 1st 2002.”

  • Step two – take the first letter of every word in that phrase, keeping each letter’s upper or lower case, and keep any numbers (including things like “1st”) whole.

– That would give you the following password: “IgfNDUoJ1st2002”. That’s a solid 15 characters and includes upper and lower case letters and numbers. Changing the leading “I” to the symbol “!” adds a fourth character class, but don’t count on that substitution for much: swapping single letters for look-alike symbols is a standard rule in password-cracking tools. The strength comes from the length and from the phrase being something nobody else would guess.
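The two steps above, plus the kind of check a written password policy would apply to the result, as an added example that is not part of the original post: it derives the password from the phrase exactly as described, then rejects candidates that are too short, lack character variety, or match a common password even after undoing the usual letter-for-symbol substitutions. The blocklist is constructed here from a handful of entries on the SplashData list quoted in the article; a real deployment would use a full breached-password list.

```python
import re

# Constructed blocklist: the top five from the list above plus a few other
# entries from the same 2012 SplashData list. A real policy check would load
# a much larger breached-password list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "abc123", "qwerty",
    "monkey", "letmein", "123123", "password1",
}

# Substitutions that cracking rule sets undo routinely, so the blocklist check
# must undo them too: "P@ssw0rd!" is still "password".
LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "l", "!": "i",
    "3": "e", "4": "a", "5": "s", "7": "t",
})

MIN_LENGTH = 12          # assumed policy value
MIN_CLASSES = 3          # assumed policy value: lower, upper, digit, symbol


def passphrase_to_password(phrase, replace_leading_i=True):
    """Apply the article's two steps: first character of each word, case kept,
    numeric tokens (such as "1st" or "2002") kept whole. Optionally swap a
    leading "I" for "!" as the article suggests."""
    parts = []
    for token in phrase.split():
        token = token.strip(".,;:!?\"'()")   # drop punctuation glued to words
        if not token:
            continue
        parts.append(token if token[0].isdigit() else token[0])
    password = "".join(parts)
    if replace_leading_i and password.startswith("I"):
        password = "!" + password[1:]
    return password


def normalize(password):
    """Reduce a candidate to the base word an attacker's rules would try:
    lowercase, strip trailing digits/symbols, undo leet substitutions."""
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    return s.translate(LEET_MAP)


def check_password(password):
    """Return a list of policy problems; an empty list means the password
    passes the length, variety and blocklist checks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")

    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a common password (after undoing simple substitutions)")
    return problems


if __name__ == "__main__":
    phrase = "I graduated from Notre Dame University on June 1st 2002."
    for candidate in (passphrase_to_password(phrase, replace_leading_i=False),
                      passphrase_to_password(phrase),
                      "password1", "P@ssw0rd!", "123456"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note that the blocklist check is what catches the entries on the list above; “Password1” satisfies a naive three-character-class rule and still fails here because it normalizes to “password”.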

Unless the attacker knows the phrase, a 15-character string like this appears in no wordlist and is far beyond practical brute force against a properly hashed password. It is the phrase being personal and unguessable, not the letter-picking trick, that does the work. Even someone who knows you would have little way of knowing which phrase you chose.

And if you have trouble remembering the phrase, you can still write the phrase itself down (not the derived password) and keep it somewhere in your home, because there is very little risk of an attacker finding it there and recognizing it as a password; a password manager is a better place for it than a file on a shared computer. You can use the same method to protect other accounts, but use a different, unrelated phrase for each important account rather than themed variations (high school graduation instead of college, your kids’ graduations, and so on): if one of those is exposed in a breach, the pattern hands an attacker a very good guess at the rest.

In addition to using strong passwords, it is important to use a website scanner and web application firewall (WAF) to further protect against cybercrime. SiteLock assists more than 6 million websites with these types of solutions; to find out more, call 855.378.6200.
