Password do’s and don’ts for small businesses


When it comes to passwords, here are a few do’s, don’ts, and best practice recommendations to keep your information and your business systems secure.

According to Statistica, an eight-character lowercase-letters-only password can be cracked instantly by a computer. An eight-character password containing at least one uppercase letter, plus a number and a symbol, will take a computer eight hours to crack. A 12-character password with at least one uppercase letter, plus a number and a symbol, however, will take a computer 34,000 years to crack. It’s remarkable what a difference four extra characters make.

Whilst you may be thinking the longer the password the better, Microsoft advises that extremely long passwords can actually decrease the security of an organisation because users might be more likely to write down their passwords to avoid forgetting them.

The best advice for creating a unique password is to develop a passphrase. What’s a passphrase? A passphrase is a creative and somewhat nonsensical sentence such as “We ate a $98 pie” or “We need >80 roses”, which, when typed out, gives you a 14-character password that ticks all the boxes: uppercase, lowercase, symbol and numbers. Think of a phrase that, if somebody heard you say it out loud, would make them look at you strangely.

If you’re struggling to think of a passphrase, Google’s recommendations are: a lyric from a song or poem; a meaningful quote from a movie or speech; a passage from a book; a series of words that are meaningful to you; or an abbreviation such as making a password from the first letter of each word in a sentence. However, remember to include uppercase and lowercase letters, at least one number and one symbol.

A few things not to do when it comes to passwords: don’t write them down, don’t store them on your computer or phone, and don’t share your passwords via email or text message. Even storing or recording passwords in a document, spreadsheet or plain-text note on your laptop isn’t secure. These are simple don’ts when it comes to cyber security, yet they’re breaches we see constantly.

When running a small business, you often need to share passwords and give access to multiple contractors or staff members. When this is required, I recommend using a password-sharing platform or access management solution such as Sticky Password or LastPass. Password-sharing platforms are useful when you only have a single login or licence to a program or platform: the password is stored in the sharing platform and you share only the platform link, not the password itself. These platforms are also password managers, so you can use them to store all your different passwords, and all you have to remember is the one password that logs you into the management system.

This brings me to another ‘don’t’ when it comes to passwords. Don’t use the same password for all of your accounts, especially when your email address is also your account name. One of the potential impacts of password reuse is a credential stuffing attack, in which credentials leaked from one breach are replayed in automated login attempts against other systems, using the known pairs of email addresses (as usernames) and their corresponding passwords.
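Credential stuffing leaves a recognisable trace in authentication logs: one source trying many different usernames, most of them failing. The following is an added example (not from the original article) that flags that pattern over a constructed sample log; the log format, field names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample auth log (not from the article): "<time> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2024-01-01T09:00:01 203.0.113.10 alice@example.com FAIL
2024-01-01T09:00:02 203.0.113.10 bob@example.com FAIL
2024-01-01T09:00:03 203.0.113.10 carol@example.com FAIL
2024-01-01T09:00:04 203.0.113.10 dave@example.com SUCCESS
2024-01-01T09:00:05 203.0.113.10 erin@example.com FAIL
2024-01-01T09:05:00 198.51.100.7 alice@example.com FAIL
2024-01-01T09:05:30 198.51.100.7 alice@example.com FAIL
2024-01-01T09:06:00 198.51.100.7 alice@example.com SUCCESS
"""

def parse_auth_log(text):
    """Parse lines into (time, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append((parts[0], parts[1], parts[2], parts[3].upper()))
    return events

def find_credential_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs trying many distinct usernames with a high failure rate.
    One user retrying their own password is not flagged; a source replaying leaked
    email/password pairs across many accounts is. Returns {ip: summary}."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "ok": set()})
    for _time, ip, user, result in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        if result == "SUCCESS":
            rec["ok"].add(user)        # accounts whose reused password worked: reset these
        else:
            rec["fails"] += 1
    flagged = {}
    for ip, rec in per_ip.items():
        fail_ratio = rec["fails"] / rec["attempts"]
        if len(rec["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(rec["users"]),
                           "fail_ratio": round(fail_ratio, 2),
                           "compromised": sorted(rec["ok"])}
    return flagged

if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)   # 203.0.113.10 flagged; 198.51.100.7 is one user retrying
```

The `compromised` list is the actionable output: those are the accounts where a reused password actually worked and should be reset, with 2FA enabled.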

My final ‘do’ is to implement two-factor authentication (2FA) wherever possible. 2FA helps to verify a user’s identity by requiring multiple methods of authentication. In this case, a user must have another identifier before access to a resource can be given. This identifier could be a one-time code usually from a text message, a time-based code on an app, or a biometric test like a fingerprint or facial recognition.

As hackers become ever more sophisticated and efficient, make sure you’re following best practice when it comes to protecting your information and systems.