Although we may feel secure, we’re probably not
A secure password on its own isn’t necessarily enough. Some people pride themselves on having memorised a complicated 12-character password, which in itself is strong, but if that same password is reused indiscriminately across every online account, its strength no longer matters: a breach at any one of those accounts exposes all of them.
All it takes is for one of the businesses holding that password to suffer a security incident. Attackers who obtain a breached credential list routinely try every email and password pair against other services (credential stuffing), so a reused password is only as strong as the weakest site storing it, and once it has leaked it is no better than password123. This is an easy trap to fall into, because we place more importance on a password being memorable than on it being secure.
And it doesn’t just happen to other people
LinkedIn was breached in 2012, and the repercussions were still being discovered in 2016, when the stolen credentials resurfaced and were cracked. What was fascinating to me as a cyber security expert is that over 750,000 people were using 123456 as their LinkedIn password.
The vast majority of people reuse a single password and are not aware of the danger this opens them up to, both as individuals and for the businesses they work in, so they continue to gamble on the ‘it won’t happen to me’ approach.
That is a huge gamble to take, especially if you are running a business.
Businesses have even more to worry about
Any business, no matter what sector, industry or country it is in, has the challenge of keeping its own passwords secure and memorable, and of keeping its clients’ or customers’ data secure too. GDPR legislation now puts the onus on businesses to protect that data, and it’s a huge responsibility.
I know from my own experience in various businesses over the last 20 years that people look for the quickest route from A to Z, always looking to take a shortcut if there is one, because it’s in our nature.
The trouble is that when that behavioural habit is carried across to security within a business, it creates points of weakness, places where attackers can get in. How many of us have shared a password on a post-it note, in an email, or in a spreadsheet? Just one of those passwords needs to be compromised for the entire company’s security to be thrown into question.
We are all becoming more mindful of this at a business level, which is fantastic to see, but the transition from business policy to individual behaviour is where things often get stuck. As a business owner you are then trusting each and every one of your employees to be mindful, act responsibly, and create processes that are then followed. In an SME or growing business, few people feel they have the time to go the extra mile.
I have been guilty of this myself
I’m guilty! A few years ago we as a business used one secure password across several platforms. As I’m sure you can imagine, I recognised that this was not best practice and changed it, and the incoming GDPR legislation was a good prompt to ensure that we followed what is fast becoming an unofficial international code of best practice.
And yet I’m sure that many companies haven’t done that. It’s important for people to understand that this is a real and genuine risk, not just to themselves as users but to the business itself. Hacking is a very slippery slope: attackers only need to find one way in, and once they’re in, it’s often easy to reach everything else.
10 years ago, we could never have predicted the number of passwords that we would need to create and remember
Systems are improving and there are plenty of good tools out there that are trying to help people to create complex passwords and retain them. If I had my way, the whole world would be approaching this in a different way which is what we’ve built our business on: ‘hacking’ that naturally lazy human behaviour.
By embracing the fact that people simply cannot remember one highly complex password, let alone several of them, we’ve focused instead on an algorithm that generates highly complex passwords based on a doodle. It’s important to me that we remove as many of the barriers to creating complex, memorable passwords as possible, to empower people to achieve high quality cyber security without even needing to try.
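The general idea behind the paragraph above, a memorable master secret from which a different strong password is derived for every site, can be shown in a few lines. The following is an added illustration and is not forghetti’s algorithm or code: it stands in a hypothetical master secret (which could be a doodle, a phrase, or anything else) for the doodle, binds the derivation to the site name and a rotation counter with PBKDF2-HMAC-SHA256, and maps the result onto a password alphabet without modulo bias. Nothing is stored; the same inputs always give the same password, and a breach of one site reveals nothing about the password for another.

```python
import hashlib
import hmac
import string

# Password alphabet split into four character classes (75 characters in total).
LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, "!@#$%^&*-_=+?")
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def _site_key(master_secret: bytes, site: str, counter: int) -> bytes:
    """Stretch the master secret into a key bound to one site and one counter.

    The site name and counter form the salt, so the derived key (and the password
    built from it) differs for every site and changes when the counter is bumped
    to rotate a password after a breach.
    """
    salt = f"{site.lower()}|{counter}".encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_secret, salt, 200_000, dklen=32)


def _byte_stream(key: bytes):
    """Unbounded deterministic byte stream: HMAC-SHA256 over a running block index."""
    block = 0
    while True:
        yield from hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def _has_all_classes(password: str) -> bool:
    """True when the password contains lower, upper, digit and symbol characters."""
    return (any(c in LOWER for c in password) and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password) and any(c in SYMBOLS for c in password))


def derive_site_password(master_secret: bytes, site: str,
                         counter: int = 1, length: int = 16) -> str:
    """Derive a per-site password of `length` characters from one master secret."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    stream = _byte_stream(_site_key(master_secret, site, counter))
    # Largest multiple of len(ALPHABET) that fits in a byte; larger byte values are
    # rejected so every alphabet character is equally likely (no modulo bias).
    limit = 256 - (256 % len(ALPHABET))
    while True:
        chars = []
        while len(chars) < length:
            b = next(stream)
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
        candidate = "".join(chars)
        # Deterministically skip candidates that miss a character class; the next
        # candidate comes from the same stream, so the result is still reproducible.
        if _has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed inputs: a hypothetical master secret and two sites.
    secret = b"my-doodle-as-bytes"
    print("example.com :", derive_site_password(secret, "example.com"))
    print("example.net :", derive_site_password(secret, "example.net"))
    print("example.com, rotated:", derive_site_password(secret, "example.com", counter=2))
```

The counter is the practical caveat of any stateless scheme: when one site is breached you must remember that its counter is now 2, which is exactly the kind of small piece of state a real product has to manage on the user’s behalf.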
We all hate clicking ‘Forgot password?’
One of the biggest challenges for a business owner is encouraging people to bother resetting passwords when necessary, but companies don’t make it easy! On some social media platforms, for example, it’s a real challenge just to find where in your account you can update your password, and it’s genuinely hard work.
I don’t understand that. As business owners, I think we should be making it as painless as possible, to encourage people to update their passwords to something secure.
To give an example of a silly and rather frustrating situation that I’m in myself: we have a GoDaddy account with 2 factor authentication, but it’s tied to my old mobile number. To update the mobile number that I want to use 2 factor authentication with, I have to find a form, download it, fill it in with ink, scan it, email it to GoDaddy…
It’s just mad. I’m not saying remove 2 factor authentication, obviously, but we have to make it more simple for people and businesses to update their accounts. Because otherwise people just ignore the problem, and that’s when the danger sets in.
It’s vital to have these processes for changes in staff
This is a genuine problem: a staff member who holds the 2 factor authentication for a business account leaves the business, and nobody transfers it. Companies are quite poor at building cyber security handovers into their general exit process, but it’s absolutely vital.
People are more willing to gamble on the person leaving the business never accessing those accounts again than to take the trouble to update passwords throughout the business. Should someone go rogue, how much damage would that do to your business? How much liability would you open yourself up to?
Part of this is about managing people well, and understanding what a good leaver and a bad leaver looks like. But without good processes that follow best practice in place, you are opening your business up for problems.
So what are my best practice recommendations?
- Use a different password for every system that you use
- Create long, complex passwords of at least 16 characters
- Use a trusted tool which doesn’t store your passwords (as opposed to Google Chrome, for example)
- Update your passwords with every change of personnel
- Keep an eye on which businesses have been hacked, because you may need to change your password with them
16 characters may seem excessive, but you should never be gambling on the security of your passwords.
Find a simple way to achieve complex passwords which you don’t need to remember, as we have done for our customers, and you can relax knowing you’re adopting best practice and doing everything you can to keep yourself protected.
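The last recommendation in the list, watching for breaches so you know when to change a password, can be taken a step further than the text does: instead of only tracking which businesses were breached, you can check whether a specific password has already appeared in a published breach corpus, without ever sending the password itself. The example below is added here and is not the author’s code or product. It implements the k-anonymity range query used by the Pwned Passwords service (send the first five hex characters of the SHA-1, match the remaining 35 locally), with an offline stand-in for the service built from a constructed list of “breached” passwords and made-up counts; the live fetch function is included but not needed to run the example.

```python
import hashlib
import urllib.request

# Constructed sample of "known breached" passwords with illustrative counts.
# The counts are made up for this example; the real service reports live figures.
CONSTRUCTED_BREACHED = {"123456": 23_000_000, "password": 3_700_000, "linkedin2012": 12}


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-character prefix
    that is sent to the service and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines as returned by a range query into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def constructed_fetch_range(prefix: str) -> str:
    """Offline stand-in for the range endpoint, built from CONSTRUCTED_BREACHED.

    Returns every stored suffix that shares the requested prefix, plus one padding
    entry with a count of 0, mirroring the shape of a real padded response.
    """
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 34 + "A:0")  # padding suffix (35 hex characters), never a match
    return "\r\n".join(lines)


def hibp_fetch_range(prefix: str) -> str:
    """Live query against api.pwnedpasswords.com (network access; not used by the tests)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=constructed_fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = never seen).

    Only the 5-character hash prefix leaves the client; the suffix comparison is
    done locally, so the service never learns which password was checked.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("123456", "linkedin2012", "xK9#pL2v!wQ4mRt7"):
        n = breach_count(candidate)
        verdict = f"seen {n} times, change it" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

To run it against the real corpus, pass `hibp_fetch_range` as the second argument to `breach_count`. A count above zero is a reason to change that password everywhere it is used, regardless of which business originally lost it.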
Mike Crompton, Founder and CEO, forghetti
Image source: Shutterstock/Ai825