Every website – and indeed, every piece of online software – should have a solid defense against hackers in place. Your developers and IT department should be helping you to create and implement your safety strategies.
But there’s one thing it’s much harder for a developer to help you secure against: someone who has your login and password, who can let themselves in by the metaphorical front door. In fact, a malicious person logging in using correct login details is one of the most common ways that a business loses control of their website or other digital asset (banking data, anyone?). Most people have no idea how insecure their password habits are, and many companies are unwittingly operating at a high risk of digital trespassing, theft or vandalism because they don’t have policies in place about “password hygiene.”
There are lots of things that can be done to keep your passwords from ending up in the wrong hands, but no one else can do them for you — or for your employees. When it comes to protecting your digital assets, security is everyone’s job. Here are a few simple rules we recommend you put in place as policies to keep yourself (and your business) safe online.
Password Hygiene Rule #1: Choose Good Passwords
The stronger a password is, the harder it is to crack. But what makes up a strong password?
- Longer = stronger. A minimum of 10 characters is a good rule of thumb, but more is always better. To make your password memorable and hard to crack at the same time, use long strings of words. For example, you might include an entire stanza of song lyrics. You can remember the words to your favorite song, right? If you’re looking for password inspiration, check out our synergy password generator.
- DO NOT use any part of your company name, including initials.
- DO NOT use any part of your own name, username, initials, etc.
- DO NOT use common phrases like “password” or “letmein”, names like God or Jesus, or sequential numbers like 123 or 8910.
- Adding special characters such as %, * or ^ is a good idea. We recommend placing your special character somewhere in the middle of your password, since hackers know that most people will only include a single special character, and most people only do so at the end of their password. The most common special character in a password is an exclamation point at the end.
Why does this matter? There’s an exceedingly common type of hack known as a “brute force attack.” This is when a bot will continually guess passwords until it cracks the code. Such a bot can make about 10,000 password guesses a minute, it never gets tired or bored, and it knows all the common patterns that many humans use when creating a password to make its guesses even more likely to work.
Most well-secured modern sites (certainly the ones we create and administer!) are set up to detect when a brute force attack is occurring and lock the bot out after a certain number of wrong guesses, but some bots are wily and will simply switch IPs to try again several more times. You can make this process too time-consuming and difficult even for a bot by following the above rules when creating passwords.
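To turn the rules above into something a policy can actually enforce, here is an added example (not code from the original post or its author) that checks a candidate password against each bullet and estimates how long a bot guessing at the 10,000-per-minute rate cited above would need to exhaust the password's character space. The company name, user name and word list are constructed placeholders; the character-class sizes used for the estimate are an assumption.

```python
"""Password policy checker for the bullet rules above (added example)."""

COMMON_WORDS = {"password", "letmein", "god", "jesus"}   # examples named in the post
MIN_LENGTH = 10                                           # rule of thumb in the post
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`")        # assumed special-character set
GUESSES_PER_MINUTE = 10_000                               # bot rate cited in the post
# "0123...1920": any digit run found in here (or its reverse) is sequential, e.g. 123 or 8910
_SEQ = "".join(str(i) for i in range(21))


def _initials(name: str) -> str:
    return "".join(part[0] for part in name.split() if part)


def _has_digit_sequence(pw: str, min_run: int = 3) -> bool:
    runs, cur = [], ""
    for c in pw + " ":                       # trailing space flushes the last run
        cur = cur + c if c.isdigit() else (runs.append(cur) or "")
    return any(len(r) >= min_run and (r in _SEQ or r in _SEQ[::-1]) for r in runs)


def check_password(pw, company="", full_name="", username=""):
    """Return a list of rule violations; an empty list means the password passes."""
    problems, low = [], pw.casefold()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, name in (("company name", company), ("your name", full_name), ("username", username)):
        for part in name.split() + [_initials(name)]:
            if len(part) >= 2 and part.casefold() in low:   # single letters would match anything
                problems.append(f"contains part of {label}: {part}")
                break
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a common word")
    if _has_digit_sequence(pw):
        problems.append("contains sequential digits")
    positions = [i for i, c in enumerate(pw) if c in SPECIALS]
    if not positions:
        problems.append("no special character")
    elif all(i == len(pw) - 1 for i in positions):   # the single trailing "!" pattern
        problems.append("special character only at the very end")
    return problems


def minutes_to_exhaust(pw: str) -> float:
    """Minutes a bot needs to try every string of this length over the classes used."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in SPECIALS for c in pw): size += len(SPECIALS)
    return size ** len(pw) / GUESSES_PER_MINUTE


if __name__ == "__main__":
    for pw in ("acme123", "Summer2019!", "purple%monkey dishwasher"):
        print(pw, check_password(pw, "Acme Widgets", "Jane Doe", "jdoe"), minutes_to_exhaust(pw))
```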
Password Hygiene Rule #2: Don’t Reuse Passwords
Each site you have a login to should utilize its own, 100% unique, not-shared-with-any-other-site password. This is true for all sites, but ESPECIALLY for:
- Your email
- Your banking accounts
- Your logins to company properties
Why does this matter? No matter how secure you make your OWN site, you can’t control (or even know) how secure OTHER sites are. Say you join a forum to discuss crafting with other hobbyists, and a year later that forum is hacked. If you’ve used the same password as you do for other sites, that hacker now knows a likely username that you might be using elsewhere, your email address, and your password for that site. With that information, it only takes seconds for a bot to crawl the web, attempting that combo of username/email/password and seeing if they can log in anywhere else that’s more important! If you happened to re-use the same password for that forum as you did for your email address, then you’re really in trouble; the hacker can log in to your email account and use the password reset form on any site they like, such as your company website or your personal bank account. You can foil this scheme simply by not reusing the same password for any two sites.
Password Hygiene Rule #3: Don’t Share Logins
Give each person with access to your website or online portal a unique login, and de-activate it if they leave the company. As much as possible, do not share logins. If you must, remember to reset the password every time there’s a staffing change.
Why does this matter? A disgruntled employee or contractor who kept their passwords when they were fired can engage in revenge vandalism or theft, either immediately or months later — if you’ve forgotten to deactivate their logins or change any shared passwords. I’ve seen this happen a few times (and helped to clean up the damage) in my career, and it’s ugly.
Password Hygiene Rule #4: Every Device Must Run an Anti-Virus Program
Every computer you or your employees use to access company properties should have an up-to-date anti-virus program installed, activated and monitoring the computer at all times. Schedule deep scans to run at regular intervals to make sure no one is spying on you. If you or your employees work from home or on other computers, make it company policy that they need to install and keep active an anti-virus program on any machine they use to log in to the site.
Why does this matter? If your computer is infected with malware, there are many ways that malware can gain access to your passwords. It might search your hard drive for any file where you have stored password information and send that back to its master. Even if you aren’t storing that information on your computer, malware can simply record every letter that you type throughout the day (a so-called key logger) and send the record back to its master — you can’t get away with not typing your passwords! Therefore, make sure your computer is virus and malware free at all times.
Password Hygiene Rule #5: Store Passwords Securely
If you follow these instructions, you will have more passwords than you can personally remember. Resist the temptation to write your passwords down on paper. It’s too easy for someone to swipe the slip of paper, for your laptop bag with your notebook full of passwords to be accidentally left in a coffee shop or taxi, or for someone to take a smartphone photo of your notes — I’ve seen all of these things happen to people in my career. Similarly, do not store the passwords in a text file on your computer where someone could simply open the document while you’re at lunch or in the bathroom.
Store your passwords with encryption.
There are many products on the market today that allow you to store your passwords securely, while still having easy access to them from your many different devices (desktop, laptop, phone, etc.). Here are some potential options:
For many companies, it’s a firing offense to write down or otherwise store a password without encryption, because of the level of risk it can expose the company’s data to.
Why does this matter? If you follow all of these rules, you’re going to have too many passwords to memorize. You’re going to have to store them somewhere; so make sure that somewhere is safe too, so all this effort doesn’t go to waste!
Password Hygiene Rule #6: Transmit Passwords Securely
When you need to give someone else a password, such as a new hire at work, don’t just email or IM them the username and password! If your password storage solution doesn’t have a built-in method of securely sharing passwords, then follow these steps when your passwords must leave the safe storage of your encrypted environment to make the trip to someone else’s safe storage solution:
- Send the login URL and username as normal.
- Then send the password only through a site like onetimesecret.com — this site only lets the recipient look at the password once, before destroying the information.
That way, even if one or both of you loses control of your email, the person who got in won’t be able to find any useful passwords. And even if onetimesecret experiences a security issue, the person who sees your secret will only see a jumble of characters, with no clue as to what site and username that password matches.
Why does this matter? Email, SMS and IM are inherently insecure, and if either you or the recipient experiences a hacking, malware, device theft or even just a plain old “forgot to log out from your email before leaving the hotel business center and flying back home” event, then that password is toast. Records of sent or received messages can stay in a system for years, so it’s even possible to lose control of emailed passwords years after the fact.
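The two-channel handoff described in Rule #6 is easy to get wrong, so here is an added example (not onetimesecret.com's code, nor the original post's) of the mechanism it relies on: an in-memory store that hands a secret out exactly once and then destroys it, with a time limit, plus a helper that builds the "normal" message carrying only the URL and username. The `secret.example` link host, the credentials and the clock injection are constructed assumptions for illustration.

```python
"""One-time secret handoff in the style of Rule #6 (added example, not the site's code)."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Entry:
    secret: str
    expires_at: float


class OneTimeSecretStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock                      # injectable so expiry can be tested
        self._entries: dict[str, _Entry] = {}

    def put(self, secret: str, ttl_seconds: float = 3600.0) -> str:
        """Store a secret and return the unguessable token the share link carries."""
        token = secrets.token_urlsafe(32)        # 256 bits of randomness, URL-safe
        self._entries[token] = _Entry(secret, self._clock() + ttl_seconds)
        return token

    def take(self, token: str):
        """Return the secret exactly once; None if the token is unknown, used or expired."""
        entry = self._entries.pop(token, None)   # pop: a second visit finds nothing
        if entry is None or self._clock() > entry.expires_at:
            return None                          # expired secrets are dropped, not revealed
        return entry.secret

    def purge_expired(self) -> int:
        """Drop expired, never-viewed secrets; returns how many were removed."""
        now = self._clock()
        stale = [t for t, e in self._entries.items() if now > e.expires_at]
        for t in stale:
            del self._entries[t]
        return len(stale)


def share_login(store: OneTimeSecretStore, url: str, username: str, password: str):
    """Split a credential into the 'normal' message and the one-time link.

    The normal message never contains the password, so a leaked mailbox yields
    only a URL and username, and a leaked link yields only a bare string.
    """
    token = store.put(password)
    message = f"Your login for {url} is username {username}; password follows separately."
    return message, f"https://secret.example/{token}"   # placeholder host, not a real service
```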
Sound Like Too Much Trouble?
Something is only paranoid if it’s an unrealistic level of alarm or caution. Keep in mind that roughly 30,000 to 50,000 websites are hacked per day, and most of that hacking is being done by bots that never get tired or bored. Hackers are a real threat to your business!
If protecting your customer information, financial data, and reputation are important to you, then it’s worth taking the extra precautions to treat your passwords like the “keys to the kingdom” that they really are. If your options are…
- spending thousands on a clean-up after a hack and potentially untold quantities of money defending against customer lawsuits after their information was taken from you and running PR damage control, OR…
- spending a few extra seconds encrypting your passwords and a few extra bucks making sure your sites are hardened against common attacks…
…then the choice should be obvious.
Cultivating good password hygiene habits (and including them in your company policy manual!) is a necessity for modern business people, and indeed, modern people from all walks of life.