Online Security Primer for Your Business: Password Safety (part 2 of 3)

Photograph of Workers Dusting Veteran's Administration Records, 06/26/1936

Gotta keep all those passwords dust free!

In part 1 of this series, I went over the importance of doing an audit of your data access—who can get in to see your stuff?  One of the recommendations to increase your online security was to force-change the passwords of anyone who shouldn’t have access any more (if not delete their accounts entirely).  But that raises questions about passwords that I hope to answer in this post.

Be Smart With Your Passwords

There are a couple of basic ideas that can really improve your password security.  The first is that a password should change whenever the set of people who know it changes, or whenever you suspect it has leaked.  That way even if you don’t take any of the precautions from part 1 of this series, the next time you change a password, anyone who had the old one loses access.  (Forcing everyone to change passwords on a fixed schedule used to be standard advice, but it mostly trains people into predictable patterns; current guidance such as NIST SP 800-63B recommends changing a password on events like a departure or a suspected breach rather than on the calendar.)  And don’t just increase the number at the end by one.  Everyone does that, and everyone else knows it.  So if they find that your password used to be “SnowWhite7”, the first thing any attacker or disgruntled ex-employee is going to try is “SnowWhite8” and “SnowWhite9”, because password-cracking tools apply exactly that kind of rule to every leaked password they get hold of (even I used to do this!).  Change it to something completely new (more on this in a minute).

Next, while it’s useful to have a capital letter and a symbol and so forth, what’s even better (in general) is a longer password.  A cracking program works through the short candidates first: every possible 8-character password before any 9-character one.  Each extra character multiplies the number of possibilities by the size of the alphabet, while adding another character class only enlarges that alphabet a little.  So even though “SnowWhite7” has uppercase, lowercase, and a number, there are only about 62^10 passwords of that shape, while there are 26^44 possible 44-letter lowercase strings like snowwhiteandthesevendwarvesismyfavoritestory, an astronomically larger number.  One caution: that particular phrase is a famous one, and cracking tools also try combinations of dictionary words and well-known quotes, so a passphrase should be built from words that don’t form a sentence anyone else would type.  It’s kind of like the idea of outrunning a lion (or zombies, or whatever’s chasing you): you only have to be faster than the slowest person.  With passwords, it’s length, not speed.

That said, it wouldn’t hurt to mix it up with capitals and symbols, too: SnowWhite&the7Dwarves=myfavor8story, for example.  Still long, but with a larger character set in use.
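To put numbers on the two points above (length beats character classes, and an incremented old password is the first thing a cracker tries), here is a small Python script.  It is an added example, not code from the original post or from any password tool; the guess rate of 10 billion guesses per second is an assumption standing in for a GPU cracking rig against a fast hash, and the bit counts assume every character was picked at random, which a famous phrase is not.

```python
import math
import re
import string

# Added example, not code from the original post. It turns the two claims
# above into numbers: how much work a guessing program faces for a password
# of a given length and alphabet, and which candidates an attacker who
# already knows an OLD password would try first.

# Character classes used to estimate which alphabet a password draws from.
CHARACTER_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def alphabet_size_of(password: str) -> int:
    """Size of the alphabet a password appears to draw from: the sum of the
    sizes of every character class that occurs in it."""
    return sum(size for chars, size in CHARACTER_CLASSES
               if any(c in chars for c in password))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of distinct passwords of this length and alphabet.
    This assumes every character was chosen uniformly, so it is an upper
    bound: a password that is a well-known sentence is far weaker, because
    crackers also try word and phrase combinations, not just characters."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_second: float = 1e10) -> float:
    """Years needed to try every password of this shape at a constant rate.
    1e10 guesses/s is an assumed figure for a GPU rig against a fast hash."""
    combinations = alphabet_size ** length
    return combinations / guesses_per_second / (365 * 24 * 3600)


def strength(password: str) -> dict:
    """Summary of the brute-force work a password represents."""
    size = alphabet_size_of(password)
    return {
        "length": len(password),
        "alphabet": size,
        "bits": round(entropy_bits(len(password), size), 1),
        "years_to_exhaust": years_to_exhaust(len(password), size),
    }


def obvious_successors(old_password: str, how_many: int = 3) -> list[str]:
    """What a cracker derives from a leaked old password: bump the trailing
    number (keeping its width, so '07' becomes '08'), or append one if there
    is none. Real tools express this as mangling rules run over every word
    in a leaked list; this is the single rule the text describes."""
    match = re.fullmatch(r"(.*?)(\d+)", old_password)
    if match:
        stem, digits = match.groups()
        return [f"{stem}{int(digits) + i:0{len(digits)}d}"
                for i in range(1, how_many + 1)]
    return [f"{old_password}{i}" for i in range(1, how_many + 1)]


if __name__ == "__main__":
    for pw in ("SnowWhite7",
               "snowwhiteandthesevendwarvesismyfavoritestory",
               "SnowWhite&the7Dwarves=myfavor8story"):
        print(pw, strength(pw))
    print(obvious_successors("SnowWhite7"))
```

Run it and the 10-character mixed password comes out at about 60 bits, exhaustible in under three years at the assumed rate, while the 44-letter lowercase string comes out above 200 bits.  The successor list for “SnowWhite7” is, unsurprisingly, “SnowWhite8”, “SnowWhite9”, “SnowWhite10”.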

Finally, it’s great to have a different password for different sites.

And to have each of them be long and complicated.

And to come up with a new one for every site every time you change employees, contractors, and sometimes just for the fun of it.

This is where I think I hear heads exploding.  “I’ll never be able to remember them!” and “I have a hard enough time remembering which site uses which password already and I only have 3 passwords that I use, total!” and “I’m going to have to get a second page to write all my passwords down next to my computer…”

Don’t fret.  It’s actually not that hard with a tool I’ll mention in just a second.

First, though, I want to underline why it’s important to have different passwords on different sites: human psychology.  One way that people get into your accounts is by tricking you, through either psychological or technical means, into revealing your password for some account that’s really not that important, or that you use so often that you don’t think of it as being important to your digital security (for example, your email password).  Or they simply collect it when a site you signed up for is breached and its password list leaks.  Either way, they know that most people aren’t that creative and probably use that same password elsewhere, so they feed your email address and that password into the login pages of other sites (this is called credential stuffing) and see where it works.  If the email account itself opens, they start going through those “lost your password?” links to get into something more important, like your bank account.  They might even call customer service and pretend to be you to get your login information changed to something they can use.

So let’s make it easy to take care of all of these things at once!

Use a Password Tool Like LastPass

There are a number of tools out there that will help you remember your passwords.  However, few are as well regarded as LastPass.  It is a good choice for a number of reasons:

1) The folks at LastPass never actually see your passwords.  Your vault is encrypted and decrypted on your own computer, using a key derived from your master password, and only the encrypted file ever reaches their servers.  A disreputable employee or a security breach on their end exposes that encrypted file, not your passwords.  The caveat is that anyone who steals the encrypted file can guess master passwords against it offline, at whatever speed their hardware allows, so the master password needs to be long and used nowhere else.

2) It can be set to auto-logout, so if you are away from your computer for too long, or shut down your browser, you’re automatically logged out.  That means once you’ve got it set up that way, a thief who walks off with your laptop finds a locked vault rather than a list of open accounts.  (Pair it with a screen lock and full-disk encryption; auto-logout only protects what has already been logged out.)

3) It generates and memorizes those crazy passwords that are more secure.  It’s as easy as selecting “Generate Secure Password” from the menu.  For example, I did that just now and it gave me the following password and asked if I wanted to save it for use on my current site:  5oHX3YxwbMAbwf%CR72NhBk^&9f  Now that’s a password you would never remember, but neither would a hacker be likely to guess it.

It’s very easy then, using LastPass (or a similar tool if you find one that has these same capabilities and security features) to have a different password for every site.  It’s almost effortless to change the passwords often.  They can be long and practically random and use a wide mix of characters.  And best of all, you don’t have to remember anything except your login and password for LastPass and it takes care of the rest.
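For anyone who wants to see what “Generate Secure Password” has to do under the hood, here is a small generator in Python.  It is an added example and not LastPass’s code: it draws every character from the operating system’s cryptographic random source through the standard `secrets` module, uses the same 94-symbol mix as the example password above, and optionally retries until every character class is present for sites that insist on that.  The 12-character minimum is an assumption of this example, not a rule from the post.

```python
import math
import secrets
import string

# Added example, not LastPass code. A password generator must use a
# cryptographic random source; `secrets` reads from the OS one. The `random`
# module is seeded from a small amount of state and its output can be
# reconstructed, so it must never be used for passwords.

# 26 lowercase + 26 uppercase + 10 digits + 32 symbols = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

REQUIRED_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def generate_password(length: int = 27, alphabet: str = ALPHABET) -> str:
    """Password of `length` characters, each chosen uniformly from `alphabet`
    by the OS cryptographic random source."""
    if length < 12:  # assumed floor for this example
        raise ValueError("a generated password should be at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def has_all_classes(password: str) -> bool:
    """True if the password contains a lowercase letter, an uppercase letter,
    a digit and a symbol."""
    return all(any(c in cls for c in password) for cls in REQUIRED_CLASSES)


def generate_compliant_password(length: int = 27) -> str:
    """Same generator, retried until every class is present, for sites whose
    policy demands it. Rejection sampling keeps the result uniform over the
    set of passwords that pass the rule instead of biasing fixed positions."""
    while True:
        candidate = generate_password(length, ALPHABET)
        if has_all_classes(candidate):
            return candidate


def password_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing work, in bits, for a uniformly generated password: every
    character adds log2(alphabet size) bits, about 6.55 for 94 symbols."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pw = generate_compliant_password(27)
    print(pw, f"({password_bits(27):.0f} bits)")
```

A 27-character password from this alphabet, like the one LastPass produced above, carries about 177 bits of guessing work; no guessing program will reach it, which is exactly why a tool has to remember it for you.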

Caveat:  They don’t have access to your information.  That’s secure.  But it also means that if you forget your LastPass master password, they can’t retrieve it or change it for you.  So although you only have to remember one password, you really do have to remember it.  They do let you create a hint for yourself, just in case; make it something that jogs your memory without spelling out the password, since a hint a coworker could decode is a hint an attacker could decode too.

Do It All Yourself—If You Must

If you don’t like the idea of using LastPass for whatever reason, the previous goals are still what you’re aiming for.  Change a password whenever someone who knew it leaves or you suspect it has leaked.  Use different passwords on different sites.  Use long passwords with a variety of different characters.  A couple of do-it-yourself resources you might find useful include this guide to creating a strong password and this set of links on how to keep your Google account safe (assuming you’ve got some Google account somewhere—Google Plus, YouTube, Gmail, Picasa, or Chrome, for example).

But do check out LastPass…it’s made my life much easier and more secure.

Image source: https://www.flickr.com/photos/usnationalarchives/14318685223/

Posted by Michael J. Coffey  |  1 Comment  |  in Tools & Terms

About Michael J. Coffey

Michael started learning about online marketing as the web store manager for a scrappy little game retailer during the "dot com bubble" of the 1990s. Since then he's helped fitness companies, tea wholesalers and retailers, lawyers, clothing designers, restaurateurs, and entrepreneurs in many other fields. In his spare time he drinks very high quality tea, writes letters with a fountain pen, and reads literature.

One Comment

  1. Michael J. Coffey 26 August, 2014 4:53 pm / Reply

    Additional Resource: Here is a list of the 500 most common (i.e., worst) passwords to use: http://boingboing.net/2009/01/02/top-500-worst-passwo.html
