In the last few weeks, I’ve seen a flurry of activity online about weak passwords, the top silly passwords from 2016 and all sorts of advice about how to keep your identity safe online. I recently attended an event focused on “cyber security” and was amazed at the number of small businesses who’d fallen victim to some kind of attack (typically ransomware). In this post, I’ll cover my top 5 password security tips to help you and your business stay protected.
5. Pick a good password
I say good rather than strong because when people think of strong they default to difficult-to-remember and that leads to people doing silly things like writing their password down somewhere. A good password is one that’s easy for you to remember, distinct from other passwords, difficult for attackers to guess and one that you won’t feel the need to write down.
There are some great online guides around that talk about how to make a good password from the BBC’s guide on using your favourite song lyric, to how to generate a super secure passphrase with a simple six-sided dice.
4. Never write your password down
It might seem obvious, but if you need to write your password down you really need to go back to #5 and pick a good password. Offices are littered with sticky notes containing usernames and passwords, Word documents on servers with everyone in the company’s details, etc. It might seem convenient to have them all written down somewhere “just in case”, but it’s a huge security risk and something many auditors pick up on immediately.
You might be thinking that an attacker wouldn’t have access to your desk or the file in your shared drive, so how would they be able to use that information?
Physical access is one thing, but if you have your password stored on your computer and you fall victim to a malware attack, or your credentials are phished, etc., those files can be compromised and could lead to your digital assailant getting access to more of your data than they’d otherwise get.
3. Tell nobody. Mum’s the word.
Nobody ever needs to know your password. Not even your best friend. If you’re ever asked for it, alarm bells should ring and you should always decline and ask for more information about why the person is asking.
IT administrators do not need your password to conduct their tasks – they can achieve what they need with the tools they have as administrators. Likewise, service providers such as your bank, favourite online shopping website, or social network never need your password. If you receive any kind of email, phone call, letter or any request to provide details of your PIN or password then always err on the side of caution and say nothing.
If, as a small business, you need to be able to access another colleague’s data (such as their email) then utilise the features of the technology to enable this, rather than sharing usernames and passwords. For example, Microsoft Exchange (or Exchange Online through Office 365) allows you to delegate access and create shared mailboxes so that users can have common access, such as in the case of an assistant managing the mailbox of their director. Also, Microsoft Azure AD allows you to provide access to SaaS applications (such as the company Twitter account) without needing to share passwords. It’s secure, safe, and simple.
2. Turn on multi-factor authentication (where possible)
Many services now support what’s known as “multi-factor authentication”, or “two-factor authentication”. Simply, this means something in addition to your username and password. It’s usually a code generated by an app on your smartphone, or sent to you by text message, to ensure that it’s definitely you accessing your account. The benefit is that even if someone steals your password, in theory they still won’t be able to sign in, because they can’t generate the unique code known only to you that’s needed to complete any attempt to sign in.
Facebook, Twitter, Microsoft, Google, Apple and many, many other service providers support these features and it is highly recommended that you enable them. With the rise of fingerprint readers on smartphones it’s even easier to approve log-in requests – you just need to swipe your phone and you’re in!
1. Consign “I forgot my password” to the history books
Often the number one request into IT helpdesks is to reset a forgotten password. Even if the other four points above have been followed, we’re only human and we forget things. Having been the guy responsible for resetting passwords for people in the past, I can tell you that being able to give people the power to reset their own password is like a week of Christmas Days all at once.
Self-service password reset tools, such as those offered by Microsoft’s Azure AD Premium service, allow users to set some challenge questions (such as your mother’s maiden name, city you were born in, etc.) that they can answer at any time in order to regain access to their accounts. There’s no need to phone anyone, or write anything down, and it works any time of the day or night. All you need is access to the Internet through a web browser, and the answers to your questions, of course!