iPoint Insights (blog)

Password Security Basics



by | Apr 25, 2023 | Networking, Security

Not so fun fact: 81% of all data breaches are caused by weak passwords (according to Verizon Wireless’s research on cybersecurity incidents). Knowing the minimal password security basics can help keep your business safe.

We’re sorry to say it, but the date of your child’s birthday combined with your dog’s name simply does not cut it anymore in terms of password security. For starters, personally identifiable information (such as the name of your dog, and your child’s birthday) is pretty easy to find online through social media. In addition, short, simple passwords are vulnerable to brute-force attacks.

Brute force attacks are a form of hacking where the attacker submits many passwords or passphrases until they either get the password right, or they give up. Most brute force attackers don’t manually guess your passwords because that would take forever. Instead, they use tools, such as Hashcat and John the Ripper, that guess thousands of different word/number combinations until they get the desired response. Theoretically, brute force attempts can even guess long, complex passwords, but in practice, brute force attacks have little success guessing complex passwords, especially if they are a bit longer.

What makes a password “Secure”?

Many apps and programs now have certain requirements for secure passwords, so this might be familiar. A secure password requires all of the following:

  • A minimum of 12 characters (but the longer, the better!)
  • A combination of uppercase letters, lowercase letters, numbers and symbols
  • Significantly different from other passwords or previous passwords that you have used
  • A phrase, as opposed to a name or a word

For example, “ilovecliffordthebigreddog” would be an insecure password despite it meeting the length requirements. Alternatively, “1_l0V3_Clifford-th3-BIG-r3d_d0g” would be significantly harder for a hacker to guess. Creating a secure password is great, unless you have bad password security practices that nullify your secure password.
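The checklist above can be turned into an automated check. The following is an added example, not iPoint's code: it tests the length, character-mix and reuse criteria and estimates the brute-force search space for the two example passwords. The function names and the 0.8 similarity threshold are assumptions, and the "phrase, not a word" criterion is not checked.

```python
import math
import string
from difflib import SequenceMatcher

MIN_LENGTH = 12  # the article's minimum length

def char_classes(pw):
    """Which of the four character classes from the checklist appear in pw."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }

def search_space_bits(pw):
    """log2(alphabet ** length): an upper bound on blind brute-force work.
    Guessing tools that use wordlists need far fewer tries for word-based passwords."""
    sizes = {"upper": 26, "lower": 26, "digit": 10, "symbol": len(string.punctuation)}
    alphabet = sum(sizes[name] for name, used in char_classes(pw).items() if used)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def too_similar(pw, previous, threshold=0.8):
    """True if pw is nearly the same as an earlier password (threshold is assumed)."""
    return any(
        SequenceMatcher(None, pw.lower(), old.lower()).ratio() >= threshold
        for old in previous
    )

def check_password(pw, previous=()):
    """Return the checklist criteria that pw fails; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("shorter than 12 characters")
    missing = [name for name, used in char_classes(pw).items() if not used]
    if missing:
        failures.append("missing: " + ", ".join(missing))
    if too_similar(pw, previous):
        failures.append("too similar to a previous password")
    return failures

if __name__ == "__main__":
    # The two passwords come from the article; the reuse case is constructed.
    strong = "1_l0V3_Clifford-th3-BIG-r3d_d0g"
    for pw, old in [("ilovecliffordthebigreddog", []), (strong, []), (strong + "!", [strong])]:
        print(f"{pw!r}: {search_space_bits(pw):.0f} bits, failures={check_password(pw, old)}")
```

Appending a single character to an old password still counts as reuse here, which is the failure mode the "significantly different" criterion is aimed at.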

Password Security Basics – Best Practices

  1. Be cautious about sharing your passwords

We all would like to operate under the assumption that the people in our lives can be trusted with our most vulnerable information, but sharing your passwords even with them is a bad idea. Even well-meaning individuals make mistakes that can make your passwords susceptible to exposure. Passwords should be treated like a secret.

Now, you may be thinking, “Wait a minute, the web team at iPoint asked for my password to my domain hosting! And I gave it to them!” There will come times when your technical affiliates, such as iPoint employees or your IT team, will ask for your passwords to different accounts. This is simply because we often need to log in as you in order to provide the services that you purchase from us. If you’re uncomfortable sharing your password, you can always ask if there is a workaround: some online services allow you to delegate access to us temporarily without sharing a password, or we can hop on a phone call or video chat and walk you through the process of completing the task that we needed to accomplish.

iPoint is also working continuously to improve how we manage passwords that are shared with us. If you agree to share a password with us, we may have you share it with us through an encrypted process. Make sure to ask the employee that you are working with about how to safely share your passwords with us.

We also want to caution about a type of scam called phishing. Phishing is when a hacker will impersonate a business that you are affiliated with, and ask you for private login information to resolve a fake problem that they just made up. If you ever find an email or phone call to be suspicious, contact your business affiliate directly and confirm the authenticity with them.

  2. Use different passwords for every site and program you use

If you use the password “1_l0V3_Clifford-th3-BIG-r3d_d0g” for every login, and a hacker gets into even one of your accounts, then they technically have the password to all of your accounts. It is best to prevent this altogether by using unique passwords for every account.

3. When possible, enable multi-factor authentication (MFA)

MFA is now incredibly popular, so you may already be familiar with it: have you ever logged into an app or a program, and it sends your cell phone a text message with a code that you need to enter into the app? Many people find the extra step to be a nuisance at first, but it can be incredibly helpful.

The theory behind MFA is that hypothetically, if a hacker somehow guessed your password, they would not be able to access your private information without the MFA code that was sent to your phone because you’re the only person who has your phone.

4. Be cautious when logging into programs using public Wi-Fi

Some people love setting up their computers in a coffee shop, and then logging into their OneDrive account to write, or their bank to monitor their budgets. This can be dangerous because public Wi-Fi is generally not encrypted. This means that with the right program, fraudsters that are on the same public Wi-Fi network could see your activity. However, there are ways to mitigate this.

Today, most websites offer some level of encryption, using SSL, that prevents other people on the network from seeing your web activity. Most web browsers have a setting that only allows you to access websites that utilize SSL.

For extra security, you can use a VPN. A Virtual Private Network (VPN) creates a tunnel between you and the Wi-Fi network that you are connecting to, and that tunnel encrypts all of the information being transferred.

While there are many security precautions you can take when connecting to public networks, we also want to caution that some fraudsters will set up their own Wi-Fi in public areas and attempt to imitate the store to trick people into connecting to their fraudulent, unsecure Wi-Fi instead of the Wi-Fi that is provided by the company that you are visiting. Many companies will display the name of the correct network to connect to, or when in doubt, ask an employee.


What if I Can’t Remember All of These Complex Passwords? – Password Security Basics solution

That’s ok, we can’t remember them either, which is why we love password managers!  

Password managers are an absolute game changer to the world of security practices. Password managers are applications that store all of your logins behind one secure login, that way, you only have to remember the password for your password manager (and yes, if possible, you should set up MFA for your password manager).

Password managers also have really cool features that make secure password management incredibly easy. For example, they often have secure password generators, that way you don’t have to come up with unique passwords yourself.

Password managers also often have mobile applications and web-browser extensions. In our experience, the web browser extensions also can often tell when you are changing a password, and will prompt to automatically update it for you. Many password managers can also read if you are logging into a program that isn’t already saved in its database, and it will offer to add it for you.

Those complex, hard to remember, secure passwords can be copied right out of the password keeper and pasted into the password field so you don’t have to worry about memorizing a billion combinations of nonsense. We know this is a lot to consider, but secure password practices can make a huge difference in the security of your business! This is part of a blog series that covers security best practices.