Don’t Leave Your Digital Keys Under the Mat

Written by Jim Taylor on Wednesday, January 6th 2016 — Categories: Security

While your company may not face compliance fines under regulations like HIPAA if you’re breached, the fact remains that data security is vital knowledge for your employees. The Target and Home Depot breaches cost those large corporations millions of dollars, but even small companies can come shuddering to a halt if they suffer a breach. Some basic training and password security can help you avoid losing access to the data and systems that keep your business running.

Read on to see the biggest password mistakes we see regularly, plus some tips on crafting (and remembering) strong, unique passwords.

[Image: password strength comic, from XKCD]

Common Password Mistakes

Ok, ok—pretty much everyone knows not to use “password” as his or her password (or at least, you’d think they do—studies regularly find that the most common passwords are things like “123456” or “abc123”). But even if you include capital and lowercase letters, plus a number or a special character, chances are your password is easy to crack. Here are some of the biggest password mistakes we see people make regularly.

Using information that is close to your heart

Don’t use the name of a relative or anything else closely related to yourself. If the information is easy to discover, it’s easy to guess. This goes for your security questions, too—you don’t need to tell the truth for them. Chances are a hacker can find out your childhood address or even your first car and use that information to reset your password.

Using a simple word or keyboard order

Don’t simply use a word or type keys in the order they appear on your keyboard (like “qwerty” or “ghjkl”). These are very easy to crack with a “dictionary attack”, a supremely common cracking technique. However, a string of words or even a complete sentence with capitalization, spaces, and punctuation makes a great password.

Common substitutions for letters are also easy to guess, so just replacing the “A” in Amy123 to get @my123 isn’t going to add much security at all.

Reusing the same password

Yeah, it’s a bit of a hassle to remember a dozen passwords, but keeping the same code for your e-mail, bank, and Facebook means that if someone gains access to one account, they gain access to them all.

Writing down your password and keeping it near your computer

You made a complex password—it’s long, it has a mix of upper and lowercase letters, and you threw in some special characters. Great! Now you can’t remember it. So you (understandably) wrote it down, along with your other dozen passwords, and stuck it under the keyboard. Bad move. It’s OK to write it down, but keep it elsewhere, write down hints instead of the actual password, or better yet, try out a password manager tool.


How to Craft a Strong Password—and Remember It

Now that you know what not to do, here’s how you can create a password that is strong but still memorable, plus some other tips for password safety.

Use a password manager

Password managers help you create strong passwords and then encrypt and store your login credentials for various applications and websites, so the only password you need to remember is your login to the password manager itself. Make sure your password manager password is strong.

Make it long without resorting to random characters

Use a minimum of eight characters as well as a mix of character types. While a random string of characters does create a much stronger password, without a password manager it’s going to be pretty hard to recall 7*wUitNf$AnR! every time you need to log in to Outlook. Instead, try spelling a phrase creatively, like “tAke_mE2-uR_LeADr”.


Or to make it even easier to remember, just type a sentence! Including spaces, if they are allowed by the website or application, actually increases security. You can also substitute underscores and dashes for the spaces. A sentence or silly nonsensical phrase like “I-fell-asleep-beneath-the-flowers.” or “mountaindewslurpingcats” can actually be harder to crack than a shorter password, even with uppercase letters, numbers, or special characters.


Take advantage of two-factor authentication

If it is available, make sure to enable multi-factor or two-factor authentication. Many bank sites include this method, which adds a second step beyond just your password, like a security phrase or image.


If you know other employees, your teammates, your subordinates, or even your relatives are using insecure passwords or storing them in plain sight, go ahead and be a nag about it. You could save them personal trouble, and you could save your company the hassle, expense, and reputation hit of a security breach.

Jim Taylor, Systems Engineer, Green House Data