We all wrestle with ourselves when it comes to password creation.  “I know it should be complex, but I can’t remember it unless it’s simple!”  The problem is, attackers know these habits as well as we do: password-cracking tools and their wordlists are built around the shortcuts people take.  This is especially noteworthy for the small business, where cyberattacks are becoming increasingly common, and are often preventable by enforcing simple security measures like strong passwords.

To catch you up on the current state of password complexity recommendations, here’s a list of the main dos and don’ts:

  • Eight-character passwords aren’t long enough.  Try for ones that are at least 16 characters long
  • Complexity is important, but length is crucial: each added character multiplies the search space, so length raises entropy more efficiently than adding symbol classes
  • Don’t use dictionary words, or typical character substitutions like $ for s or @ for a; cracking rule sets try those substitutions automatically
  • Don’t change your passwords just by adding consecutive numbers, e.g. Swordfish1, Swordfish2, etc.
  • Don’t use the same password for everything; one breached site then unlocks all of them
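To make the rules above concrete, here is an added Python example (not code from the original post) that scores a candidate password’s length and character-set entropy and flags the listed no-nos: short length, dictionary words even after undoing $/@ style substitutions, rotation by a trailing number, and reuse.  The tiny word list, the substitution table and the sample passwords are constructed for illustration; a real check would use a large breached-password list.

```python
import math
import re
from typing import Iterable, List, Optional

MIN_LENGTH = 16

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = {"swordfish", "password", "letmein", "welcome", "dragon"}

# Substitutions that cracking rule sets already try, so they add no strength.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "!": "i", "4": "a"})


def charset_size(password: str) -> int:
    """Size of the character classes the password draws from."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and symbols
    return size


def naive_entropy_bits(password: str) -> float:
    """log2(charset ** length): the search space for a *random* password.
    Each extra character multiplies the space, which is why length beats
    complexity.  This is a ceiling; a dictionary word scores far lower."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def normalize(password: str) -> str:
    """Strip a trailing digit run, undo leet substitutions and lower-case,
    so 'Sw0rdf!sh2' and 'Swordfish1' both reduce to 'swordfish'."""
    without_suffix = re.sub(r"\d+$", "", password)
    return without_suffix.translate(LEET_MAP).lower()


def check_password(password: str,
                   previous: Optional[Iterable[str]] = None) -> List[str]:
    """Return the policy violations for `password` (empty list = acceptable).
    `previous` is the user's password history, used to catch rotation."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    core = normalize(password)
    if core in DICTIONARY:
        problems.append("dictionary word after undoing substitutions/trailing digits")
    history = set(previous or ())
    if password in history:
        problems.append("reused password")
    elif any(normalize(old) == core for old in history):
        problems.append("differs from a previous password only by digits/substitutions")
    return problems


if __name__ == "__main__":
    # Constructed samples: a rotated dictionary word, a short "complex" one,
    # and a 16-character generated one.
    for pw in ("Swordfish2", "Xk9#mQ2!", "mK7!vQ2#pL9$wX4&"):
        print("%-20s %5.1f bits  %s" % (
            pw, naive_entropy_bits(pw), check_password(pw, ["Swordfish1"]) or "ok"))
```

The entropy figures show the point of the second bullet: 16 lowercase letters (about 75 bits as a ceiling) beat 8 characters drawn from all four classes (about 53 bits), and the normalization step shows why Swordfish2 is not a new password at all.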

If you’re still frustrated that you have to create difficult passwords, and different ones for each website or service, check out a password management tool like LastPass or 1Password.  They generate secure passwords for you and you’ll only have to remember your one master password.  Our company requires the use of LastPass for its IT staffers and it works well.  It also allows us to set policies like timing out browser sessions, checking for duplicate passwords or weak passwords among our staff, etc.  Simply put, it satisfies our needs for both better security and ease of use.

Editor’s Note 6/17/2015: In response to the recent LastPass data breach, we’ve also implemented MFA for our LastPass accounts.  According to LastPass’s guidelines, we were already in good shape with enforced very strong master passwords and restricted trusted devices; MFA adds an additional layer of peace of mind for both us and our clients. -TC

Sadly, strong passwords are not enough.  Even a strong password can be compromised by a malicious insider, a phishing page or a misplaced post-it note.  As an added layer of protection for your small business, consider multi-factor authentication (MFA).  For those companies who must adhere to compliance concerns like PCI, HIPAA, SOX, etc., you may already be required to use MFA.  Two-factor authentication (2FA) or two-step verification is the common two-factor case of it.  In simplest terms, multi-factor authentication combines something you have with something you know (or something you are, such as a fingerprint).  A form of MFA that most people are familiar with is an ATM card.  Your card is “something you have” and your PIN is “something you know.”  You can’t withdraw money simply by having the card, nor can you just type in the PIN.  An attacker now has to steal both factors, which vastly increases the difficulty of circumventing the authentication process.

Historically, multi-factor authentication required employees to carry hardware tokens around in their pockets.  But today, MFA can be deployed much more easily by using either apps or SMS on mobile devices running iOS or Android.  When using multi-factor authentication on a VPN login or website, for example, the user puts in their password and is then prompted for a unique, temporary code.  With SMS, the server generates the code and texts it to the user’s phone; with an authenticator app, the app computes the code on the phone itself from a secret shared with the server at enrollment and the current time, so nothing has to be sent.  The user types in the code on the website, and gains access.  The code expires after a set period of time (typically 30 to 60 seconds), and can’t be reused.  Of the two, the app is the stronger choice: an SMS code is only as safe as the carrier’s delivery of that text message.
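To make the app-based flow above concrete, here is an added Python example (not code from the original post or from any vendor named in it) implementing time-based one-time passwords as specified in RFC 6238, the scheme Google Authenticator-style apps use.  The phone and the server share a secret at enrollment, each derives the current six-digit code from that secret and the current 30-second time step, and the server refuses to accept a time step it has already accepted, so a captured code cannot be replayed.  The secret is the published RFC test value, not a real key; the `TotpVerifier` class and its one-step drift window are this example’s own design, not any product’s.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30      # seconds per code, the usual default
DIGITS = 6
ALLOWED_DRIFT = 1   # also accept the previous/next step to tolerate clock skew

# RFC 4226/6238 test secret ("12345678901234567890"), base32-encoded the way
# enrollment QR codes carry it.  A real deployment generates a random secret
# per user at enrollment and shows it once.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the phone app computes locally; nothing is sent to it."""
    return hotp(base64.b32decode(secret_b32, casefold=True), at // step)


class TotpVerifier:
    """Server side: check a submitted code against the current time step
    (plus/minus ALLOWED_DRIFT) and never accept the same step twice, so a
    code that was captured cannot be replayed within its lifetime."""

    def __init__(self, secret_b32: str):
        self.secret_b32 = secret_b32
        self.last_accepted_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // TIME_STEP
        for drift in range(-ALLOWED_DRIFT, ALLOWED_DRIFT + 1):
            step = current + drift
            if step <= self.last_accepted_step:
                continue  # that step was already used (or is older): reject
            expected = totp(self.secret_b32, step * TIME_STEP)
            # Constant-time comparison, so timing does not leak the code.
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET_B32, now)          # what the user reads off the app
    server = TotpVerifier(SECRET_B32)
    print("code:", code, "first use:", server.verify(code, now),
          "replay:", server.verify(code, now))
```

The replay check is the part people forget: within the 30-second window the same code is still “valid” by time alone, so the server must remember the last step it accepted.  An SMS flow differs in that the server generates a random code, stores it with an expiry, and transmits it to the phone, which is why the carrier channel becomes part of the security boundary.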

It’s important to note that multi-factor authentication does not excuse weak passwords.  A security system is only as strong as its weakest component.  Multi-factor authentication systems are software, and software can have flaws; if the second factor is ever bypassed, the password is all that is left.  Think of it like security for your home.  It’s best to lock your doors AND set the alarm, not one or the other.

As for which multi-factor authentication system to choose, there are many options.  The best course of action is to consult with your IT service provider to find a solution that integrates with the software and security systems you already run (VPN, email, remote access) and that those systems support.  I’ll leave you with a few suggestions, in alphabetical order:

  • AuthAnvil MFA
  • EMC RSA SecurID
  • Google Two-Step Verification
  • Microsoft Azure MFA