8 steps to improve Password Security and Why it is Important

It seems you can hardly listen to the news without hearing about a new hacking attack that has damaged a major business, hurt its customers, and disrupted life for all involved.  Target, Neiman Marcus, The UPS Store, Sony, and eBay are just a few of the high-profile businesses that have been hit by devastating hacking attacks in the last year.  Lest you think that only large businesses are in danger from this type of crime, it was recently reported by the NY Times that a group of Russian hackers had stolen the login credentials of over two billion (yes, billion) users from business websites of all sizes.  These attacks take a punishing toll on the businesses that suffer them.  Target’s sales dropped 46% compared to the same period the prior year once news of the hacking attack became public.

With this in mind, Smartflex will be launching a monthly column called “Security for Small Business” to help our clients make sense of what is going on.  More importantly, we will give practical, usable steps you can take to keep yourself, your business and your clients safe.  We will be handling one topic per month, without jargon and with straightforward measures that can be taken to keep your business from becoming the next victim.

This month’s topic:  8 steps to improve Password Security

Think of online security as a chain, with each security measure, such as a firewall or anti-virus software, as a link in that chain.  When one link fails the entire chain is broken and the users who were being protected are left vulnerable.  Often the weakest link is the one most within our control: our passwords.  Passwords are the keys to the digital doors we lock to protect things in the electronic world; they have become our first line of defense in the digital age.  If our passwords are weak or someone else gets them, our defense is gone.

Here are the eight key steps to follow with your passwords.  If you have the time, keep reading, because after the list we’ll explain why each point is important.  At the end of this article we will discuss ways to make sticking to good password hygiene easier.


  1. Never use the same password for more than one site or application.
  2. Never share your password with anyone.  If someone else needs access to one of your accounts, find out how to set them up with their own login credentials.
  3. If someone asks for your password, do not give it to them, ever, even if they claim to be from a technical support group.
  4. Passwords should be a minimum of eight characters; longer is better.
  5. Using multiple character sets (uppercase, lowercase, numbers, symbols) is better than using only one character set.
  6. Do not use details that are easily linked to you, such as your birth date or children’s or pets’ names, in your passwords.
  7. If you ever suspect one of your passwords has been compromised, change it immediately.
  8. Change all your passwords on a regular basis: yearly at a minimum, more often for highly sensitive and frequently used passwords.


If you follow the above advice, you’ve already reduced the likelihood that one of your accounts will be hacked by over ninety percent.  Moreover, if one account is hacked, you have minimized the damage a hacker can do to you and your business.  In a corporate environment these guidelines would be enforced by the IT department.  Since small business owners have to be their own IT departments, it’s worth understanding why each of these is so important, so with that, on to the why.  If you don’t have time, feel free to read the following section later, or skip it entirely.  The steps above work whether you understand them or not, so long as you follow them.


Never use the same password for more than one site or application.  We list this step first because it may be the single most important thing you can do to protect yourself.  The danger posed by the Russian hacking ring mentioned at the beginning of this article isn’t just that they have the passwords to specific sites, but rather the danger created by people’s tendency to recycle passwords.  If, for example, the hackers stole the login credentials of someone who was using a message board, and that person used the same credentials for their online banking or to manage their e-commerce site, you can see how dangerous the situation becomes.  If every site you use has a unique, strong password, the amount of damage a hacker can do is contained to that one site.

Of course, remembering a raft of passwords is more work than most people want to go through, particularly if those passwords change on a regular basis!  There are a number of things that can be done to make this easier, which we will discuss later in this article.  The plain fact is, however, that to keep yourself and your business safe you will need to put in some extra effort.  Then again, if your business was managing apartment buildings, you would expect (and be expected) to change the locks on an apartment door after a tenant moves out to ensure the safety and security of the next tenant.  This wouldn’t be an extra burden; it would simply be a cost of doing business.  Similarly, in the modern world, password security is just a cost of doing business.


Never share your password with anyone.  This might seem self-evident, but it is one of the most commonly ignored rules of password security.  To wit, Edward Snowden was able to “hack” the National Security Agency from the inside and is now releasing classified documents only because a very large number of people within the NSA simply gave him their login credentials when he asked for them.  Regardless of what you think of Snowden, the point is clear: no one is immune from making such an easily avoided security blunder.

If an employee needs access to a certain website or application, set them up with their own login credentials.  If you are unsure how to do this, check the FAQ on the website or the documentation of the application you are using.  In the modern world, it is rare that you will have no choice other than to give someone else your own login credentials.  If all else fails, Google “how to set up multiple users in X,” where X is the site or application you are using.  You may also be able to contact the tech support of the company whose service you are trying to set the user up on.  You may spend a little time learning how to do this the first time you try it, so bookmark the web page that showed you how for easy reference in the future.


If someone asks for your password, do not give it to them.  A corollary to the last rule: if you wouldn’t give your password to a trusted employee, do not give it to a total stranger either.  Currently, one of the fastest growing scams is fraud artists calling businesses, stating they are from the business’s bank and asking for the login credentials for their online banking for some contrived reason.  Alternatively the fraudsters might state they are from PayPal, Amazon, or eBay.

Similarly, never respond to an email asking for your password or login credentials, regardless of how legitimate the email looks.  If you do get an email asking you to change your password, never follow a link in the email.  Type the web address you know to be correct into your browser’s address bar directly, and follow the instructions on the site to change the password from there.  Hackers frequently set up fake websites that act as doppelgangers of a legitimate business you may deal with.  The sole purpose of these sites is to steal your login credentials.  Fortunately, this ploy is easily thwarted by simply never following links in an unsolicited email.


Passwords should be at least eight characters long, and longer is better.  One common way hackers break into electronic accounts is through “brute force.”  This is when hackers have no prior knowledge of the person or business they are trying to victimize, but are taking advantage of the fact that the server they are trying to log into allows an unlimited number of retries without freezing the account and imposes no delay between attempts.  Without getting into too many technical details, a 7 character password made up of only lowercase letters would be 100% guaranteed to be broken in less than ten days.  The hackers would be able to run through every possible password that exists in that time using nothing more than a single, none-too-powerful desktop computer.  Lengthen the password by just one more letter, even keeping only lowercase letters, and the time it takes to brute force the password jumps to 257 days.  In reality it would take much less time to brute force a password, so please do not use a password this simple.  This example just illustrates the maximum possible time before a password could be broken.


All else being equal, using multiple character sets is better.  Again, this is primarily for protection against brute force attacks.  The reason brute force attacks get a lot of attention is that they are common and all too often successful.  Going back to our seven character password, if we use both uppercase and lowercase letters, the time to guarantee breaking the password jumps from ten days to just about three and a half years.  Throw in numbers?  Eleven years, 223 days.  Feeling really feisty, and want to use some symbols and punctuation too?  Now the time gets to be a daunting 228 years.  In reality there are a number of things that a determined hacker can do to reduce these times substantially.  Be that as it may, this illustrates just how easy it is to make a criminal hacker’s life difficult and keep your own data safe.
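To make the arithmetic behind the figures in the two preceding sections concrete, here is an added example (not code from the original article or from Smartflex) that computes the number of possible passwords and the worst-case time to try them all for each length and character set discussed above.  The guess rate is an assumption chosen so that seven lowercase letters take exactly ten days, and the throttled variant assumes a hypothetical server that allows only five login attempts per fifteen minutes, the kind of limit the brute force section notes is absent from a vulnerable server.

```python
# Added example: keyspace and worst-case brute-force time for the password
# lengths and character sets the article walks through. Not code from the
# original article; the guess rate and lockout policy are assumptions.
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

SECONDS_PER_DAY = 86_400

# Character sets in the order the article introduces them
CHARSETS = {
    "lowercase": ascii_lowercase,                                      # 26
    "upper+lower": ascii_lowercase + ascii_uppercase,                  # 52
    "upper+lower+digits": ascii_lowercase + ascii_uppercase + digits,  # 62
    "with symbols": ascii_lowercase + ascii_uppercase + digits + punctuation,  # 94
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaust_days(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: days to try every password at a constant, unthrottled rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_DAY


# Assumed rate for "a single, none-too-powerful desktop": chosen so that seven
# lowercase letters take exactly ten days, matching the article's figure.
ASSUMED_RATE = keyspace(26, 7) / (10 * SECONDS_PER_DAY)   # about 9,300 guesses/s


def rate_limited_days(alphabet_size: int, length: int,
                      attempts_per_window: int, window_seconds: int) -> float:
    """Worst case when the server caps login attempts per time window, the
    defence the article notes is missing in the pure brute-force scenario."""
    windows = keyspace(alphabet_size, length) / attempts_per_window
    return windows * window_seconds / SECONDS_PER_DAY


if __name__ == "__main__":
    for name, chars in CHARSETS.items():
        days = exhaust_days(len(chars), 7, ASSUMED_RATE)
        print(f"7 chars, {name:<19}: {days:>12,.1f} days ({days / 365.25:,.1f} years)")
    print(f"8 chars, lowercase   : {exhaust_days(26, 8, ASSUMED_RATE):,.1f} days")
    # Hypothetical lockout policy: 5 attempts per 15 minutes, 7 lowercase letters
    print(f"7 lowercase, throttled: {rate_limited_days(26, 7, 5, 900):,.0f} days")
```

The symbol count Python’s `punctuation` gives (32) differs slightly from whatever the article assumed, so the last row lands near, not exactly on, its 228 years; the lockout row shows why attempt limiting matters far more than any of the character-set changes.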


Do not use details that are easily linked to you in your passwords, such as your birth date or the names of children or pets.  Though brute force attacks are the most common, they are not the only attack that hackers use, and they are far from the most effective.  Much more effective is the social engineering attack.  The way this is typically carried out is that a hacker finds the name of a key person in a business and then spends a little time doing research.

Typically the hackers will gather all the details they can that are publicly available on social media such as Facebook, Google+, LinkedIn, Twitter, and anywhere else they can find them.  Additionally, the hacker will find out where a business does its banking, and whether it has accounts elsewhere such as PayPal, eBay, Etsy, or others.  Once the hacker has some background information on their target, they will begin attempting to guess the target’s passwords to these sites using variations of key information like children’s and pets’ names, birth dates and other likely seeds for passwords.  This approach substantially increases the likelihood of their attack being successful.  The best approach is to simply not use any information that can be linked to you as part of a password.


If you ever suspect one of your passwords has been compromised, change it immediately.  Be aware of signals that something is amiss.  Changing a password doesn’t take long, but the consequences of failing to can be devastating.  Did you attempt to log into your online banking and find access had been frozen due to too many login attempts?  Did you get an unexpected email from a website you use asking you to change your password or notifying you of an attempted password change?  If something seems off, change your password.  There really is no downside to changing a password, and it may save you a world of trouble.


Change all your passwords on a regular basis: yearly at a minimum, more often for highly sensitive and frequently used passwords.  There is a good reason corporate IT departments force users to change their passwords at least once every three months: moving targets are harder to hit.  The longer a password stays the same, the more chances a hacker has to attempt to break it.  Every time the password changes, the time it takes to break the password is essentially reset.


Making it easier

Hopefully by now everyone agrees password security is important, and knows exactly how to maintain it.  The next question is, how are we going to keep track of all these ever-changing passwords?  The best answer is the same way you probably keep track of your ever-changing schedule: use a tool to help you.  For your schedule that would be a calendar, or, if you are a bit more technically inclined, a calendar application such as Outlook or Google Calendar.  In the case of passwords, the tool is either a sheet of paper for the low-tech version, or a password manager for the more high-tech version.

It is entirely legitimate to write down your passwords on a sheet of paper and keep that paper somewhere safe, such as a locked file cabinet or a safe.  The fact is we are far better at keeping a physical object secure than we are our data.  Most of the attacks you will face will come from hackers in distant countries attacking remotely rather than from someone breaking into your office and stealing your passwords.  Since a sheet of paper is not vulnerable to remote attack, it is in fact relatively secure, much more so than keeping the passwords in a text file on your computer.

If you do use the pen and paper method, just make sure to mind a few key points.  First, keep the sheet up to date.  Much like a check register, record something as soon as it changes; do not wait until later or you are likely to forget.  Second, do not leave the sheet lying around where just anyone passing by could see it or take it.  Even more, do not put a Post-it note on your monitor with your login credentials on it!  Finally, make sure you always put the sheet back in the same place.  Losing it could be a disaster unto itself!

For the slightly more technically inclined, using a high quality password manager is the gold standard for password security.  Password managers can generate truly random passwords of any length for you, then remember which site each is associated with.  The best password managers work almost transparently, auto-filling your login credentials when you navigate to a website.  Once a password manager is set up, all you need to remember is the password to log into the password manager application and you’re done.  Just make sure the password for the password manager software is a good one!

Two password managers that we are fond of are LastPass and KeePass.  LastPass is commercial software.  Though it has a very good free option, to get the full benefit of the service you will have to pay a yearly subscription fee.  Fortunately, the cost is very low at $12 a year.  The advantage of paying for the software is that you get the benefit of a technical support department that can help you set things up and sort future issues out if you have trouble.  LastPass also produces plugins for all smartphone platforms to ensure the service is available to you no matter how you use the web.  KeePass, by contrast, is completely free software.  The security KeePass provides is as top notch as the commercial offering, but it does not have the advantage of the technical support department, and does not directly support use on mobile devices.  Which one is right for you will depend on your needs and your technical savvy.


Following the steps outlined here will do a great deal to keep your accounts and information safe and private.  Though good password security does take a little extra effort, the cost of that effort is low compared to the cost of being hacked.  If you have questions or comments about any of the information covered here, please feel free to respond to us on our blog, or email us at newsletter@smartflexsolutions.com.  We always appreciate your feedback.  Until next time, do good work and stay safe!