6 steps to better password hygiene

Business name
Cyber Aware
Last updated date
29 May 2019

A DSLR camera sits next to an open laptop showing the login screen.

Let’s do a little test.

Give yourself 1 point for each of these password no-nos you’re guilty of:

  • you use an overly simple password like password1.
  • you haven’t changed your passwords in over 6 months. Give yourself a bonus point if it’s been longer than a year and an extra bonus point for every six months beyond that.
  • you use the same password on multiple accounts. Give yourself a bonus point if those accounts include your banking login.
  • your accounts keep offering to set up two-factor authentication when you login in but you can’t be bothered, have been too busy or figure it’s overkill.

Read: Manage cybersecurity in your business

How many points did you score? The bad news is that even 1 point is too many and it’s time to work on your password hygiene.

Luckily, we've got six easy ways to clean your rusty old passwords.

Hacked passwords cause 81% of all data breaches. Given that the most frequently used passwords of 2018 ranged from “password” and “12345678” to “donald” and “iloveyou”, we don’t find that statistic at all surprising. It is concerning that for most businesses, their password can be the only thing between an attacker and all of their key data assets.

Follow the tips below to keep your private data and business operations safe and secure.

A number of padlocks on a metal cable.

Minimum Password Strength

The average seven-character password can be automatically cracked and stolen by hacking software in only 11 minutes.

However, if that same password uses a mix of uppercase letters, numbers and symbols, it would take over a decade to crack.

While adding numbers and hashtags to your password won’t stop it from being stolen from viruses on your computer, or protect you against a phishing attack, it will help to keep the bots at bay.

At the minimum, we recommend that every password within your business follows the below rule of thumb at the very least:

  • one capital letter
  • one numeric digit
  • one special character such as @!$*

For example, if you’re using a password such as “homersimpson” for a login, you can immediately make it a much safer password by changing it to “H0m3rS1mp$0n”.

Password Lifecycle

We recommend treating your password the same way you would a toothbrush; pick a strong one and change it regularly.

Simply put, the longer you use the same password for your login, the more likely it is to be cracked, stolen or outright guessed by malicious code and phishing attackers. Furthermore, in the event that your password has already been stolen, it can often sit in a database to be sold or used in an attack at a later date.

By regularly changing your password, you not only reduce the likelihood that your password will be stolen, but you also protect yourself from damages in the event that your password has already been stolen.

Update your password at least every 6 months for all of your logins and update it to something entirely unique (changing just one character or number isn’t going to cut it).

Unique Passwords

If your password gets compromised, you can expect significant damages to the account or system it’s used for. For example, if somebody guesses your email password, they immediately gain access to all your emails and gain full control of your email identity.

That’s a nightmare and can be tough to recover from. Now imagine if, on top of that, they gained access to your banking, personal devices, work systems and all of your social media accounts.

Breaches of this severity are seen far too often, due to one silly and easily avoided mistake; using the same password for multiple logins.

Simply put, if an attacker steals your password, they gain access to your private data and systems. If this password is then used on multiple different logins, the attacker not only has access to one login but all of your other ones too.

To avoid this, use significantly different passwords on all of your logins, and do not use the same passwords for personal accounts that you do for financial or professional accounts.

Read: Remote Access Scams: How can your business identify and avoid them?

Hands on a laptop keyboard.

Passphrasing

For all business owners, we highly recommend taking a further step with your password strength and utilising passphrasing.

Passphrasing is when you use a phrase or sentence that you’re likely to remember and converting it into a password.

For example: “A penguin was knighted in Norway” would translate to “apwkin”.

Now take your new password, and spruce it up with some basic password strength (upper case letters, numbers and symbols) and you can make a strong, memorable password such as ApWk1n$. By using passphrasing, you practically eliminate the risk of your passwords being guessed based on your personal information or interests, and you end up with a strong, unique password that is far harder to crack than passwords based on real words.

Two-Factor Authentication

In 2019, it’s almost impossible to have a conversation around password security without mentioning Two-Factor. Two-Factor is effectively a second security measure on your logins so that if an attacker breaches your password and compromises your login, they are still unable to get into your account.

It works like this; upon successfully logging in with your username and password, Two-Factor will prompt you for a unique, randomly generated code that is provided via email, SMS, or a two-factor app such as Authy or Google Authenticator.

It’s arguably become just as important as having a strong password, if not more, and it’s super easy to set up.

We go into more detail on the importance and function of Two-Factor in our STOP Policy article, so we won’t elaborate on the whys and whats. In summary, it’s quickly become a necessity for any business looking to stay secure online and can be quickly implemented at little to no cost.

Password Managers

By now, you may be thinking “how am I supposed to remember all of these passwords?” The simple answer to that is Password Managers. In most cases, it is very unsafe to store or note down passwords on your computer or the cloud. Password Managers work to not only make this a safer practice but also to keep all of your passwords in one secure, online location.

Look at services such as LastPass, which not only encrypt and store all of your passwords and logins but can also automatically generate strong and secure passwords for any new sets of logins you’re creating.

One potential weakness to Password Managers is that if an attacker successfully gains access to your master account, they then gain access to all of your stored passwords. To avoid this, always use Password Managers in combination with Two-Factor.

If you aren’t using Two Factor Authentication on your master login for your Password Manager, you’re likely to do much more harm than good by employing one. Further to that, they’re an extremely powerful tool for easily creating and recording strong, unique passwords across all your accounts.

By performing any of these steps, you’ll have immediately improved your password hygiene and your business security. We recommend putting aside 5-10 minutes to perform as many of these steps as possible, and protect your business from password-related data breaches:

  • brush up your existing passwords with upper-case characters, digits and symbols
  • change any passwords that you’ve been using for longer than 6 months
  • diversify your passwords, make sure you’re using different passwords at home and work
  • create a strong, secure password with passphrasing for your key data systems
  • enable Two-Factor on your emails and work systems
  • use a Password Manager secured with Two-Factor to safely create and store strong passwords.

Well, what are you waiting for?

Read: Why a simple update policy could save your business from cyber attacks