Posted On 13 Feb 2018
Security for Your Small Business
Part 1 – Passwords
Your employees have access to a variety of IT resources critical to the operation of your business. Computers and other hardware devices, data storage systems, email and mission-critical software and cloud accounts all require security policies that will protect your valuable data and sources of income. Employees who have access to any of those resources are the first line of defense against malware, hackers, and social engineering attacks. As such, your business needs a strong and properly managed IT security policy.
Passwords are the most common security measure used in office IT systems. Passwords must be long and complex enough to limit unauthorized access to systems. Employees must choose passwords that are at least eight to twelve (8-12) characters long and contain a combination of upper- and lower-case letters, numbers, and special characters, ideally something like 6iN!m8HLxS&A. Company policy needs to enforce these requirements in every case where a password is required, without exception.
Common sense must be applied when choosing a password so as to avoid combinations that are easy to crack. Hackers are aware of the tricks for making easy-to-remember passwords, including ones that merely look complex, such as “password,” “password1” and “Pa$w0rd.” All of these are equally inappropriate from a security perspective. Recognizable words, proper names and common phrases must be avoided. According to security expert Bruce Schneier:
Crackers use different dictionaries: English words, names, foreign words, phonetic patterns and so on for roots; two digits, dates, single symbols and so on for appendages. They run the dictionaries with various capitalizations and common substitutions: “$” for “s”, “@” for “a”, “1” for “l” and so on. This guessing strategy quickly breaks about two-thirds of all passwords.
One recommended method for choosing a strong password that is still easy to remember: pick a phrase, take its initials, replace some of those letters with numbers and other characters, and mix up the capitalization. For example, the phrase “This may be one way to remember” can become “TmB0WTr!”.
Most people can understand the need for complex password strategies, but many do not use them because they are simply too difficult to maintain and remember. So the question really boils down to: how does one balance the need for secure passwords against the need to recall them all easily? The answer is to develop a system for creating passwords which are both secure and memorable.
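The policy above, together with the cracking strategy Schneier describes, can be turned into an automated check: undo the common substitutions and strip any appendage before looking the root up in a dictionary, so a "clever" spelling of a dictionary word is still rejected. This is an added example, not code from the original article; the dictionary is a constructed six-word sample (a real check would load a full wordlist and a breached-password list), and the 12-character floor is the top of the article's 8-12 range.

```python
import re

# Constructed sample dictionary; a real deployment would load a full
# wordlist plus a breached-password list (tens of millions of entries).
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "latte"}

# The substitutions Schneier says crackers try, reversed so that a
# "clever" spelling is mapped back to the plain root before the lookup.
SUBSTITUTIONS = {"$": "s", "@": "a", "1": "l", "0": "o", "3": "e", "!": "i"}

# Appendage pattern: up to four digits and/or symbols at either end
# (two digits, a date fragment, a single symbol, or a mix of them).
APPENDAGE = r"[^A-Za-z]{1,4}"


def root_of(pw):
    """Strip appendages, then undo substitutions and capitalisation."""
    core = re.sub(APPENDAGE + r"$", "", pw)
    core = re.sub(r"^" + APPENDAGE, "", core)
    return "".join(SUBSTITUTIONS.get(c, c) for c in core.lower())


def check_password(pw, min_length=12):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if not all(re.search(p, pw) for p in classes):
        problems.append("missing a character class (lower, upper, digit, symbol)")
    root = root_of(pw)
    if root in DICTIONARY:
        problems.append(f"dictionary root after undoing substitutions: {root!r}")
    return problems


if __name__ == "__main__":
    # The article's own examples plus two constructed weak candidates.
    for candidate in ("password1", "P@ssw0rd!", "TmB0WTr!", "6iN!m8HLxS&A"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The 8-character example “TmB0WTr!” from the article passes only when the floor is lowered to 8, which is exactly the trade-off the policy text leaves to you.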
Some Methods for Choosing Unbreakable Passwords
Bruce Schneier Method
Use a personal and memorable sentence and turn it into a password. Take the words from the sentence, then abbreviate and combine them to form a password. For example:
I like to pick up a latte at Dave’s every morning before work = iL2pUaL@DeMb4W!
Will Smith is my #1 actor at the moment = !WSim#1a@atm!
My first trip to Disney was when I was 12? = Mft2DwwIw12?
I work for the best boss ever at Cogswell! = Iw4tbbe@C!
Pass Phrase Method
Rather than a complicated string of characters, you might want to try a phrase. First, come up with a random, but a memorable phrase, preferably a little nonsensical rather than a common quote. Try something like:
I wake up at 6 every morning with a cat in my face = IWakeUpAt6EveryMorningWithACatInMyFace@
Twelve of my kinfolk like to wear parkas = 12OfMyKinfolkLikeToWearParkas$
I usually have at least $15 left at the end of the week = IUsuallyHave$15LeftAtTheEndOfTheWeek!
Alternatively, you can come up with a set of 12 random words rather than a phrase (note that it would take roughly 238,378,158,171,207 quadragintillion years for a brute force attack to crack such a passphrase!).
To make remembering easier, use the memory trick of chaining these into a story in your head: “My Dog likes my cat Fluffy who recently used up her 9 lives and ended up in the pet cemetery…”
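The strength of the 12-random-word method comes entirely from the words being chosen at random, not from the story you attach to them afterwards. The added example below (not from the original article) draws the words with the operating system's CSPRNG and compares the resulting search space with an 8-character password; the 16-word list, the 7776-word list size and the guess rate of ten billion per second are all assumptions for illustration.

```python
import math
import secrets

# Constructed 16-word sample list so the block runs offline; a real list
# has thousands of entries (7776 is assumed below for the comparison).
WORDLIST = ["apple", "parka", "cat", "fluffy", "cemetery", "kinfolk",
            "latte", "dragon", "monkey", "lantern", "orbit", "velvet",
            "quartz", "harbor", "meadow", "cinder"]


def generate_passphrase(words=12, wordlist=WORDLIST, sep="-"):
    """Pick words uniformly with a CSPRNG (secrets, never random.choice)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, length):
    """Bits of entropy for `length` independent picks from `choices` options."""
    return length * math.log2(choices)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    RATE = 1e10  # assumed offline guess rate, guesses per second
    print("sample passphrase:", generate_passphrase())
    # 8 printable-ASCII characters (95 symbols) vs 12 words from 7776.
    for label, choices, length in (("8 random chars", 95, 8),
                                   ("12 random words", 7776, 12)):
        bits = entropy_bits(choices, length)
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, RATE):.3g} years to exhaust")
```

A hand-picked phrase has far less entropy than this calculation assumes, because the words are no longer independent uniform picks; the story trick in the text is for remembering random words, not for choosing them.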
The PAO Method
Other common mnemonic devices can also help you remember an unbreakable password. One method suggested by Carnegie Mellon University computer scientists is the Person-Action-Object (PAO) method for creating and storing your passwords.
First, choose an interesting place such as Disney World. Then think of a familiar or famous person such as Michael Jackson. Finally, imagine a random action to tie them together (Flying). Now see Michael Jackson flying over Disney World. From this image, create your password by combining the first 3 letters from each word into a new made-up word: MicFlyDis.
Develop 4 such picture stories, add the resulting words together, and you have a nice random, lengthy password. Seed it with some numbers and characters for additional security. It helps if you weave the website or account for which you use the password into the story to solidify the memory for a specific location. Once you create and memorize a few of these PAO stories, you can use the stories to generate new passwords as they are needed.
Phonetic Muscle Memory
Blogger Kevan Lee suggests yet another memory device for creating strong passwords. Start at any random password generator website, such as Secure Password Generator (which, as a bonus, gives you suggestions of the type noted below).
Randomly generate 20 or so new passwords that are at least 10 characters long and include numbers and capital letters. Allow punctuation for extra security. Scan the list of passwords looking for phonetic structures within the randomness. You want to find sets that make something sensible to you:
drEnaba5Et – which could read: (doctor enaba 5 E.T.)
BragUtheV5 – which is more memorable as (brag you the V5)
From the list, keep the ones that are easiest for you to remember and forget the rest. This should give you a series of passwords to choose from as you need them.
Use A Password Manager
If you have a large number of passwords to remember (keeping in mind that passwords should never be reused on different accounts and should be changed often), you may wish to make use of an encryption-based software password tool like LastPass or 1Password.
These tools will store passwords for you using a solid encryption algorithm as well as provide randomly generated new passwords as they are needed. To access any single password, you just need to remember the master password for the tool. Please make sure you use an extremely secure password for the master and change it often.
Test Your Password Strength
OnlineDomainTools provides a password tester to verify the security level of your passwords. The tool checks your password against tricks used by password crackers to determine how long it would take to crack using typical methods. Try it out to see how secure some of your current passwords might be.
Some Final Advice on Password Security
Regardless of the strength of your passwords, they must all be changed regularly. More secure accounts, such as banking and other financial accounts, should be changed more frequently. If possible, you should allow this to be managed automatically in software or accounts which provide for it. It is difficult to forget to change your password if you are required to do so every so often in order to enter the account. Any time there is any suspicion that a password may have been compromised, change it immediately along with any others that may be related.
Always avoid using default passwords when setting up new accounts for employees or others. Each new account should have a new, strong password generated along with it. Make sure the new account holder is required to change it as soon as possible to his/her own strong password.
Many sensitive accounts now provide two-factor authentication. This method requires you to enter a password and then requires a second method of proving your identity, such as sending an email or text message containing a secondary passcode. Whenever this is available, make use of it.
Avoid sharing a password unless it is absolutely necessary. If it does prove necessary, change it as soon as the shared user is done using it.
Get out of the habit of using a “Remember Me” function to store your password for easy entry, even on your personal computer and especially on public computers. Try to avoid using any passwords at all on public computers, which are often infected with viruses that can steal your password and pass it on to a hacker. If forced to use a password on a public computer, change it as soon as possible on your private computer.
If you must keep passwords written down, be sure to store them securely. Ideally, these should be under lock and key.
Why is it so Important to Maintain Password Security?
Even accounts which may not expose your personal or financial data directly can provide juicy bits of information which can be used by hackers, scammers and other bad actors to put together a profile that eventually adds up to a pretty solid picture of your identity. This profile may be pieced together from many seemingly insignificant chunks of information left lying about along your electronic trail on the internet. The final result can be used to break into your accounts, open new accounts in your name, or even steal your tax refund.
Whole or partial profiles are regularly sold in bulk to organized crime organizations in the US and abroad. Carefully aggregated data is then sold again and again to anyone willing to pay a few cents for your name and any identifying information that goes with it. If you use the internet for any reason, or even if you don’t, thanks to huge data breaches such as the recent Equifax and Target leaks, there is a better than likely chance that your information is already out there. So, protect your information as well as you can to keep the amount of data about you to a minimum so what there is will be uselessly incomplete.
NEVER REUSE PASSWORDS
For the reasons stated above, NEVER reuse passwords. If you do and your password is compromised in a breach at a low-value site, someone now has a known-good username/password combination to add to the other information known about you, and they can be reasonably sure that this combination will work somewhere else to obtain even more important information.
The bottom line: some account you have somewhere will be hacked someday. With luck, it will be an unimportant account. And if you don’t have the same password everywhere, then the damage will be isolated to that one account. But if you reuse one password all over the place, then the chances that other accounts will be hacked go up significantly.
What Should You Do Now?
1. Purchase or develop a detailed password policy for your business right away and provide training to your employees on its importance.
2. Change at least your most important passwords right away using the suggestions mentioned in this article or elsewhere.
Finally, here are the 100 most popular passwords used this year. This list is tested first by the software used in any brute force attack, which guarantees your password will be cracked in less than one second if you use any of them.