Hands up if you love passwords. No? But if you want to keep your business safe, passwords matter. The problem is that it’s hard to remember even just one or two, let alone dozens or more. It’s no surprise therefore that when choosing passwords people tend to pick a sequence of characters that’s easy to come up with and easy to recall. Even if you feel confident your staff are too savvy to pick anything too obvious, you might well be mistaken. Human thought processes can be rather more predictable than we’d like to think.
The result is a problem for business owners and managers, who face a constant battle in keeping data and systems safe. According to the Verizon 2014 Data Breach Investigations Report, two-thirds of breaches exploit weak or stolen passwords. And any vulnerability can pose a threat, whether the password concerned is internal or whether it’s for any one of the hundreds of online accounts your staff may subscribe to.
Here’s our list of 9 common bad password habits that put businesses at risk – followed by tips on what you can do to protect your own business.
1. Using easy-to-guess words
We see all of these regularly:
Any look familiar?
Note that not all hacking comes from anonymous outsiders. What if a member of staff wanted to access files they don’t have authority to see – confidential HR information, perhaps? Passwords containing personal references such as a favourite team or children’s names will be the first thing they try.
2. Telling other people a personal password
It’s very tempting to pass personal passwords to others. The individual concerned will of course trust the person they tell – but passwords can very easily become common knowledge if there’s a culture of sharing. And even when there’s no immediate malicious intent, the more people who know a password, the higher the risk.
3. Writing passwords on post-it notes and sticking them on the PC
Yes, it happens.
4. Using sequential numbers
Sequential numbers are easier to remember and therefore more common – which means hackers look for them. One survey of 10 million passwords found that one in a hundred contained the numbers 123.
5. Using numbers that are easy to think of
The same survey found that after 123, the next most common three-digit number blocks are 666, 777 and 007. The three most common two-digit blocks are 69, 11 and 12. And even with longer strings, people tend to go for something familiar. Pi – 3141592654 – is not an uncommon choice for ten-digit passwords.
6. Using digits relating to recent years
People often go for children’s birth years, or their own. There’s a spike in the use of 1987 – are there more 28-year-olds using the internet than any other age?
7. Using no numbers at all
One survey found that 42% of passwords contained no digits at all, making them far easier to hack.
8. Using sequences from the number pad on a keyboard
Sequences such as 8520 are easy to choose – and easy to guess.
9. Using the same password for multiple sign-ins
Despite increasing awareness of the dangers, far too many people still stick to the simple tactic of a single password. Or, perhaps, one password for ‘trivial’ accounts and one for more significant ones where payment details are stored. It’s quite possible you could have staff using the same log-in details for Amazon, eBay and Facebook as they do to access your business network. This means that if any one of their personal accounts gets compromised, your business could be next.
What can you do?
As long as you’re relying on staff to make up their own passwords or to remember multiple ones, your business won’t be secure. It’s just not possible for people to think up strong, unique passwords for every single account they have and to remember them.
The best solution is to use password management software, so staff no longer have to create and remember multiple passwords. This type of software generates a single strong umbrella password that gives each user access to all the individual password-protected accounts they choose to link to.
If you run a Windows server, a good way to protect access to your network is to configure a password policy that requires a mix of upper- and lower-case letters, numbers and special characters – and forces people to change their password at set intervals. Passwords that contain the log-in name, or that reuse a previous password, aren’t allowed.
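To make the nine habits above and the policy rules just described concrete, here is a small Python checker, added as an example for this article (it is not code from the original post or from any particular product). It flags sequential digits, numeric-keypad runs, the common three-digit blocks and recent years named above, missing digits, the upper/lower/digit/special mix, the log-in name appearing in the password, reuse of a previous password, and caller-supplied personal references such as a team or children’s names. The minimum length of 12, the 1940 lower bound for “recent” years, the demo salt and the sample passwords are all constructed assumptions for the example.

```python
"""Password-habit checker for the nine habits and policy rules on this page
(constructed example; values below are assumptions, not from the article)."""
import hashlib
import re
from datetime import date

MIN_LENGTH = 12                            # assumed: the article sets no length
EARLIEST_YEAR = 1940                       # assumed lower bound for "recent" years
HISTORY_SALT = b"constructed-demo-salt"    # real systems use a random per-user salt

# Three-digit blocks the article reports as the most common.
COMMON_DIGIT_BLOCKS = ("123", "666", "777", "007")

# Straight lines on a numeric keypad: rows, columns, diagonals, and the 852
# column continued down to 0, which covers the article's "8520" example.
_KEYPAD_LINES = ("789", "456", "123", "741", "852", "963", "753", "951", "8520")
KEYPAD_RUNS = set()
for _line in _KEYPAD_LINES:
    for _s in (_line, _line[::-1]):        # both directions count
        for _i in range(len(_s) - 2):
            KEYPAD_RUNS.add(_s[_i:_i + 3])


def has_sequential_digits(pw, run=3):
    """True if pw has `run` consecutive ascending or descending digits (123, 987)."""
    digits = [int(c) if c.isdigit() else None for c in pw]
    for i in range(len(digits) - run + 1):
        window = digits[i:i + run]
        if None in window:                 # a letter breaks the run
            continue
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keypad_run(pw):
    """True if three adjacent characters trace a line on the numeric keypad."""
    return any(r in pw for r in KEYPAD_RUNS)


def has_recent_year(pw, earliest=EARLIEST_YEAR, latest=None):
    """True if pw contains a stand-alone four-digit number in [earliest, latest]."""
    latest = latest or date.today().year
    years = re.findall(r"(?<!\d)\d{4}(?!\d)", pw)
    return any(earliest <= int(y) <= latest for y in years)


def history_hash(pw):
    """Hash kept in the password-history store, so old passwords are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), HISTORY_SALT, 100_000).hex()


def check_password(pw, login, previous_hashes=(), personal_terms=()):
    """Return a list of findings; an empty list means the password passes.

    personal_terms: guessable references for this user (team, children's names).
    previous_hashes: history_hash() values of the user's earlier passwords.
    """
    findings = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if not all(classes):
        findings.append("must mix upper-case, lower-case, digits and special characters")
    if login.lower() in low:
        findings.append("contains the login name")
    if history_hash(pw) in previous_hashes:
        findings.append("matches a previous password")
    for term in personal_terms:
        if term.lower() in low:
            findings.append("contains the personal reference '%s'" % term)
    if not any(c.isdigit() for c in pw):
        findings.append("contains no digits")
    if has_sequential_digits(pw):
        findings.append("contains sequential digits")
    if has_keypad_run(pw):
        findings.append("contains a numeric-keypad sequence")
    if any(b in pw for b in COMMON_DIGIT_BLOCKS):
        findings.append("contains a common digit block")
    if has_recent_year(pw):
        findings.append("contains a recent year")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords for a constructed user "jsmith".
    for candidate in ("Summer2023!", "Liverpool1987x", "pass8520", "Tq9#vLm2!rXw5p"):
        result = check_password(candidate, "jsmith", personal_terms=["Liverpool"])
        print(candidate, "->", result or "OK")
```

The checker only sees one system’s password, so it cannot detect habit 9 (the same password reused across other sites); that is exactly the gap a password manager closes, since it generates a different password for every account.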
It’s also important to keep a close eye on how files are organised. Make sure information is accessible only to those who need it, by setting up relevant access privileges for each individual member of staff. This removes both the need and the temptation to share passwords.
If you’d like advice on making your business systems and data safer, give us a call on 0161 359 3689 or email us at [email protected]. We’re always happy to meet up for a no-obligation conversation.