Imagine leaving your house every day with the garage door open and the front door unlocked.
“It’s no big deal,” you might say. “I live in a safe enough neighborhood. Besides, I don’t have anything worth enough for a thief to bother trying to steal it.”
If that sounds preposterous, it should. Yet millions of businesses and individuals do this every day, with their online security.
Passwords are the bane of many an office worker. You need a lot of them. Some require mandatory, frequent changes. Most force you to include numbers and unpronounceable symbols, increasing the difficulty of memorizing them.
Ironically, the difficulty of creating and remembering a password is what makes them such a liability when it comes to online security.
“Attackers don’t hack in… they log in,” writes cybersecurity expert Monti Knode at Security Magazine. “In a recent operation, we found one password was in use by 152 accounts, ~20% of the enterprise.”
Easy as 123456
The hassle of remembering passwords prompts many such lax security practices: password sharing, writing passwords down in plain view, and using incredibly weak, easily-guessed passwords.
Take a look at some of the most-used passwords of 2020, as compiled by NordPass:
- 123456
- password
- 111111
- qwerty
- abc123
- password1
It sounds ridiculous, like setting your luggage lock combination to 12345, but the passwords above will give you unfettered access to millions of accounts worldwide. All you have to do is guess which ones, and literal armies of hackers and their billions of bots are doing that right now, as you read this.
Is anyone in your company using a weak password? The odds are not in your favor. Even complex special character requirements don’t always have the intended effect of enhanced security, because they’re harder to remember.
Data scientist and webcomic artist Randall Munroe illustrates it this way:
Here are three of the most-common password mistakes made by business personnel, as compiled by LastPass:
1. Using the same or similar passwords across multiple accounts
Think of all the different password-protected apps, programs, and portals your company uses every day: logging in to your PC; accessing email; checking financial accounts; utilizing industry-specific software; your website back-end; and so on.
According to a LastPass survey, 44% of respondents admitted using the same password on more than one account, or slight variations of the same password.
This is great news if you’re a hacker, because once you’ve successfully cracked one password, odds are you might be able to access even more accounts with minimal effort.
Solution: mandate unique passwords for all accounts / all staff. If you don’t have enterprise-wide password management, encourage your teams to conduct password self-audits and make changes where needed.
2. Keeping the same password and never changing it
LastPass says more than half (53%) of those surveyed don’t change passwords regularly – even after hearing about a data breach in the news.
Data breaches and leaks are a fact of life in today’s connected society. Whenever a hacker or collective successfully gains access to a list of unencrypted data, that information is quickly sold and distributed on the dark web. It’s a near-certainty that some of your personal information – including passwords – is floating around out there.
Solution: immediately change passwords after a breach, and change all passwords periodically. We can’t emphasize this enough: whenever you receive notice of a data breach by a client, vendor, or service provider, it is essential that you and your staff change all passwords associated with the affected account. Otherwise, you may be making life much easier for online thieves.
3. Assuming hackers won’t target your data
If you run a small business, you might think hackers wouldn’t bother going after you. Surely they have bigger fish to fry, right?
Sadly, this is not the case. Hackers are much less discriminating than you might think!
First of all, there are at least millions – if not tens of millions – of hackers worldwide, with nothing better to do than look for easy money.
If anything, they stand to gain more from a relatively easy attack on a small business than a long and challenging phishing expedition against a major company.
The most obvious target would be your bank account. Beyond that, there’s your customer data, which could lead to more attacks (and perhaps liability on your part).
Perhaps the most vulnerable and public-facing of all your systems is your website, which we’ll safely assume is password-protected on the back end.
If a disgruntled former employee, angry customer, competitor, or bad actor tried to guess your website back-end password, would they succeed?
The possibilities of what can go wrong if the keys to your website fall into the wrong hands are limitless, and all of them could cost you dearly.
Solution: use a password manager for all your accounts, and require staff to do the same. This is an elegant way to address all of the above problems, while increasing security at all levels of your business.
LastPass is a popular choice, as it has a free option as well as robust premium tiers that allow easy shared access to single-user accounts. Many browsers also include built-in password managers. Both LastPass and browser options include a strong password generator, which creates a string of characters that is impossible to guess and highly resistant to brute-force attacks.
With the increased use of two-factor authentication and biometrics, passwords may soon be a thing of the past. Until then, keep password security at the top of your priorities list, and don’t use Shave-and-a-Haircut for the secret knock if you run a speakeasy.