Your Business’s Most At-Risk Password and How to Protect It
Friday September 11, 2015
As a business owner, you almost certainly have a lot of online accounts. Some of these are personal, some professional, and many straddle the line between the two. Most of those accounts have passwords.
Hopefully you have at least a few different passwords, and don’t just use the same one for all your accounts. Hopefully you also use long, complex passwords, with upper- and lower-case letters, symbols, and numbers.
So what do you do when you forget one of those passwords and lock yourself out?
In most cases, you use your email to either reset your password or to have a reminder sent. Your username is usually sent along with it. This means that anyone with access to the email box linked to your accounts can log into any of them.
This makes your email password the most important password for protecting your business’s information. Here are some tips to protect your email password from hackers and your employees alike, so you can keep the rest of your accounts as secure as possible.
Take Password Creation Seriously
The first step to securing your email box is, of course, to set a good, strong password. Since your email address is public and easy to find (particularly for a business), the password protecting it needs to be highly secure.
Password Best Practices
- 12-20 characters long—the ones our password manager generates are 20 characters
- Contain upper- and lower-case letters, numbers, and symbols
- Unique password, not used for any other accounts
- No obvious keywords, like your name or birthday
- Should be something others can’t memorize
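The checklist above can be turned into a policy check, and the same character set can feed a generator of the kind a password manager uses. The block below is an added example, not code from the original post or from any particular password manager; the keyword list is a constructed sample standing in for the owner's name, birthday and similar values.

```python
import secrets
import string

# Policy taken from the post's best-practice list: 12 to 20 characters,
# all four character classes, and no obvious keywords.
MIN_LEN, MAX_LEN = 12, 20
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
# Constructed sample; in practice hold the owner's name, birthday, company, etc.
OBVIOUS_KEYWORDS = ["jenkins", "1984", "acme"]


def check_password(pw, keywords=OBVIOUS_KEYWORDS):
    """Return the list of rules the password violates (empty means it passes)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length")
    if not any(c.islower() for c in pw):
        problems.append("lowercase")
    if not any(c.isupper() for c in pw):
        problems.append("uppercase")
    if not any(c.isdigit() for c in pw):
        problems.append("digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("symbol")
    lowered = pw.lower()
    if any(k.lower() in lowered for k in keywords):
        problems.append("obvious keyword")
    return problems


def generate_password(length=20):
    """Generate a random password that satisfies check_password.

    Uses the CSPRNG behind `secrets`, never the `random` module, whose
    output is predictable once a few values are observed.
    """
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Reject the rare draw that misses a class or contains a keyword.
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ["password", "Jenkins1984!", generate_password()]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The uniqueness rule (never reused on another account) cannot be checked by looking at one password in isolation; that is exactly what a password manager's vault gives you, since it records which password belongs to which account.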
Are You Making This Security Question Mistake?
Security questions are, in theory, a good way to make passwords more secure. In many cases, when you use email to reset or recover a password, you’ll be asked security questions before you can proceed.
The problem with security questions is that Facebook has made most information about you accessible to anyone with an internet connection. Mother’s maiden name? Can be found online—all they have to do is find your mom on Facebook. High school? Same story. Even your pet’s name can likely be found on Facebook.
So here are your options, if you want your security questions to actually be secure.
“Why Would You Ask That?”
If you can choose your own questions, make them very personal and un-guessable. If you’re in doubt about whether the answer to one of your questions can be found online, go investigate.
Avoid the Question
If you can only choose from a few fixed questions, answer them in unconventional, tricky ways. For example, you might use a system to construct nonsense answers from the words of the question – like taking the second letter of each word in the question.
Q: “What is your mother’s maiden name?”
A: “hsooaa”
No one’s likely to guess that. There are all kinds of systems you can use to create answers that will be obvious to you, but are totally un-guessable.
Tack on a Few Extra Characters
You could also add a 4-number PIN or a unique word to the start or end of every answer.
Q: “What is your mother’s maiden name?”
A: “Jenkins8529”
OR
Q: “What is your mother’s maiden name?”
A: “JenkinsNematode”
Again, why would anyone happen to guess that?
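Both schemes above are easy to automate. The block below is an added example, not code from the original post: it derives the "second letter of each word" answer from the question text and pads a real answer with a random PIN or a chosen word. The PIN is drawn with `secrets` rather than taken from a birthday, and both the PIN and the extra word are assumed to be stored in your password manager, because a derived or padded answer is only as secret as the rule and the pad behind it.

```python
import secrets


def nth_letter_answer(question, n=2):
    """Build an answer from the n-th letter of each word in the question.

    Punctuation is ignored and words with fewer than n letters are skipped,
    so the rule gives the same answer however the site punctuates the question.
    """
    letters = []
    for word in question.split():
        alpha = [c for c in word if c.isalpha()]
        if len(alpha) >= n:
            letters.append(alpha[n - 1].lower())
    return "".join(letters)


def padded_answer(real_answer, pad, at_end=True):
    """Attach a PIN or unique word to the start or end of the real answer."""
    return real_answer + pad if at_end else pad + real_answer


def random_pin(digits=4):
    """A PIN from the CSPRNG; keep it in the password manager, not in your head."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


if __name__ == "__main__":
    q = "What is your mother's maiden name?"
    print(q, "->", nth_letter_answer(q))                     # hsooaa
    print(padded_answer("Jenkins", random_pin()))            # e.g. Jenkins8529
    print(padded_answer("Jenkins", "Nematode"))              # JenkinsNematode
```

One caveat the post implies but does not spell out: if the same rule is used on every site, learning one answer reveals the rule and with it every other answer, so the padded variant (with a pad that differs per site) is the more robust of the two.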
Protect Yourself from Disgruntled Employees
If an employee leaves on bad terms, it’s not uncommon for problems with security to arise. Especially if this individual had access to your business passwords, it’s time for damage control.
When an employee quits, even if they didn’t leave on bad terms, it’s good practice to change your passwords anyway. This helps prepare you for when you’re a larger business, plus it covers your back in case you don’t know that employee as well as you thought.
First priority, for obvious reasons, should be your email password.
Hopefully your password wasn’t memorizable, but even if it was, you can’t be certain the employee didn’t write it down somewhere.
Guard Against Both Physical and Virtual Attacks
When you’re talking about security for your business’s information, you have to consider both virtual attacks and physical attacks.
Virtual attacks are things like hackers attempting to guess your passwords or snoop on your information. Physical attacks are related to physical objects, whether that’s looking at paperwork on your desk or directly accessing your personal computer or phone.
If someone gets access to your laptop or phone, you could be in big trouble. Most of us stay logged into many accounts all the time, especially email. This means that, with your phone in hand, an attacker could work through your accounts one at a time, recovering each password through the email on your phone.
To combat this, make sure your devices lock when you’re away, and enable a remote wipe for your phone in particular. At any evidence that one of your devices has been compromised, change your passwords—starting with your email.
Use a Password Manager
“Forgot Password?” systems are a necessary evil of our password system as a whole. They are one of its weakest links, because they put a disproportionate importance on the security of your email account. This is unfortunate, since email tends to be one of our least secure accounts, precisely because we have to log into it so frequently.
If everyone used a cloud-based password manager, so that no password was ever really “forgotten,” we could afford to make those “Forgot Password” systems much harder to access. That would be a huge benefit to cyber security as a whole.
In the meantime, you can use a password manager to keep your own information secure. Using a password manager makes it practical for your business to use a unique, random password for each account, adhering to experts’ best practices.
The first password you should generate? A real humdinger to guard your email account!
What do you do to protect your email account? Let us know in the comments!