When it comes to IT security, small businesses are in a tight spot.
They’re almost always heavily dependent on computers but they are not large enough to have dedicated IT staff; everyone is busy doing their day job (and probably a few other jobs as well) and the responsibility is simply handed to the least non-technical person.
In those circumstances, knowing what to do, what’s important and where to start with computer security can be very difficult and the first casualty is usually the company’s passwords.
Despite the rise of biometrics and two-factor authentication, almost everything we do on our computers is still secured using passwords, so getting them right is vitally important.
I’ve compiled a list of four common password mistakes that I see when working with small companies. If you can avoid them then you’ll have put your security on a stronger footing.
Anti-virus – you need it but it’s not enough
OK, I just said this article is about passwords but I think it’s important to start with a word about anti-virus.
Whatever the state of security awareness in a very small business, the chances are that there’s one thing everybody will agree on: that they need to run anti-virus. That consensus can have a chilling effect on other aspects of computer security, because to a lot of people anti-virus is computer security and once it’s installed, security is complete.
Unfortunately installing anti-virus is the second step, not the last.
The first step is choosing which anti-virus. There are many on the market but there are probably only three or four worth having: ESET, Kaspersky, Trend and Sophos. If you want to know why, search our blog for “I know I am safe, because I haven’t been told I’m not”.
You need to ensure that all of your devices (PCs, Macs, tablets, Microsoft servers, Linux servers and phones) are running anti-virus and that it is updating successfully.
And then you need to read on…
Fear of forgetting leads to awful passwords
One of the reasons people use weak passwords, and then weaken them further by sharing them and using them over and over, is because they’re afraid of forgetting them. (I once had a customer who wrote his Windows password on his computer monitor because he was afraid he’d forget it. His password consisted of two letters; his initials).
To overcome the fear of forgetting your passwords you’ll need a place you can keep them safe and always find them. It doesn’t matter much where it is – it might be an application on your computer such as KeePass, a website like LastPass, a leather-bound book or even your own memory – what matters is:
- You know where it is
- You can control who has access to it
- It is the only place your passwords are kept
- It can store hundreds of unique, strong passwords
Once you have decided how you are going to store your passwords, put the ones you can remember into your safe place. Gather up any notes, files and post-its where you’ve written your passwords down and copy them over too.
When all of your passwords have been transferred to your safe place, remove all traces of them from anywhere other than your secure location. Clean your passwords off whiteboards (or computer monitors), delete them from computer files and shred or burn any pages or post-its where you wrote them down.
By creating a safe place to store your passwords you’ll free yourself to choose complex passwords that you couldn’t otherwise remember.
Which is what we’ll do next…
Passwords are easier to crack than you think
When we talk about strong passwords we mean passwords that a powerful computer will have difficulty guessing. This isn’t the movies and we’re not defending ourselves against elite hackers whose second guess is always supernaturally lucky. Your passwords are at risk from computer programs that can guess thousands of passwords a second and are able to understand some of the tricks you use to make passwords more obscure.
A short while ago we were given some old computers by a small business. As an experiment, and with the previous owner’s permission, we booted one of the computers using a password auditing tool. Running on the defunct company’s own old hardware, the software guessed the admin password for the first machine in under ten seconds.
The password was an eight letter word (the company name) with a zero in place of an ‘o’ to make it difficult to crack.
The computer, it turns out, was the machine holding the company accounts. Using dictionary words and paying lip service to security with a few numbers or odd characters where there should be letters simply isn’t enough.
Use 14 characters or more and switch as arbitrarily as you can between UPPER, lower, d1g1t5 and //@ckies.
If you’re wondering how you’d ever create a password like that, I suggest you use a random password generator. Now that you control access to your passwords and have made sure they’re all good and strong, it’s time to stop sharing them.
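As an added illustration (not code from the article), the Python below puts rough numbers on the cracking argument above and generates passwords to the article’s 14-character rule. The guess rate, word-list size and number of letter-for-digit variants are assumptions labelled in the code, not figures from the article.

```python
import math
import secrets
import string

# Assumptions, not figures from the article: "thousands of guesses a second"
# taken as 5,000/s; a 100,000-entry list of words and company names; eight
# leet-style variants per word (o->0, a->@, i->1, ...).
GUESSES_PER_SECOND = 5_000
WORD_LIST_SIZE = 100_000
LEET_VARIANTS_PER_WORD = 8
# The four classes the article asks for: UPPER, lower, digits, symbols (94 total).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def keyspace_leet_word() -> int:
    """Guesses to exhaust 'dictionary word with a digit swapped for a letter'."""
    return WORD_LIST_SIZE * LEET_VARIANTS_PER_WORD

def keyspace_random(length: int, alphabet: str = ALPHABET) -> int:
    """Guesses to exhaust every string of `length` symbols from `alphabet`."""
    return len(alphabet) ** length

def entropy_bits(keyspace: int) -> float:
    """Keyspace size in bits (log2 of the number of guesses)."""
    return math.log2(keyspace)

def seconds_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for the attacker to try every candidate."""
    return keyspace / rate

def has_all_classes(password: str) -> bool:
    """True if upper, lower, digit and punctuation all appear."""
    return (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

def is_strong(password: str, min_length: int = 14) -> bool:
    """The article's rule: 14+ characters mixing all four character classes."""
    return len(password) >= min_length and has_all_classes(password)

def generate_password(length: int = 14) -> str:
    """Random password from the OS CSPRNG, retried until all classes appear."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate

if __name__ == "__main__":
    leet, rnd = keyspace_leet_word(), keyspace_random(14)
    print(f"leet word: {entropy_bits(leet):.1f} bits, exhausted in {seconds_to_exhaust(leet):.0f} s")
    print(f"random 14: {entropy_bits(rnd):.1f} bits, exhausted in {seconds_to_exhaust(rnd):.3g} s")
```

Under these assumptions the substituted company name falls in under three minutes of worst-case guessing, while the random 14-character password has over 90 bits of keyspace.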
Your password isn’t secure if you give it away
When I work with a small business they have to give me access to one or more of their systems.
I am staggered at how often I’m simply handed a long list of admin passwords (often for systems I don’t even need access to) that are shared by everyone at the company.
Account sharing like this is a really bad idea, not least because:
- If something bad happens you can’t tell who did it.
- It makes you more vulnerable to social engineering.
- It makes changing passwords too painful to bother with.
- Everyone with a password can cause maximum damage.
- You don’t know who else has your passwords.
One of the reasons that people in organisations share passwords amongst themselves and with outsiders is because it’s incredibly convenient. Keeping usernames and passwords secret is a bit like taking daily backups – it’s a small inconvenience that will save you a big inconvenience some time in the future.
Unfortunately you’ll just have to bite the bullet; there is no real alternative. Yes, it’s a little more inconvenient to make sure everyone has their own username, but it’s no different from limiting access to your front door keys. Every person who needs access to a particular system should have their own account with a unique password and the lowest workable access level.
What’s the risk?
How do you feel when you are told that the bank, credit card company or online retailer has given away your details? These companies spend £millions making sure they are secure, but people cleverer than them break their systems. You are smaller and probably have no real security. It may be that you only have a few credit card details unknowingly held on your computers, so the reward is much lower, but breaking in is so much easier. JUST THINK ABOUT IT, AS THE BIG COMPANIES GET HARDER THEN YOU WILL BE THE NEXT EASY TARGET. It’s time to get smarter before you become poorer, as the card companies are already refusing to pay out when the password was easy.