Small businesses are a prime target for hackers—and one of the biggest vulnerabilities is the weak or stolen password. In fact, the humble password accounted for 63% of data breaches in 2016. Here are three top reasons passwords become low-hanging fruit for cyberthieves:
- Password re-use. Given the number of passwords needed in modern life, it’s understandable that you or your employees may use the same ones across multiple platforms. However, this practice gives hackers a chance to deploy “credential stuffing,” a term coined to represent the use of automation technology to deploy login information stolen from one site on other sites.
- Common passwords or patterns. Surely you and your employees would never make the mistake of choosing the most commonly used passwords—“password,” “123456” or “qwerty.” But you may be using common company password standards that are easy prey for password-cracking programs. For example, one of the most common password patterns is one uppercase letter, five lowercase letters, then two digits (e.g., Dulith57).
- Sharing passwords. People are more likely to share work passwords (and thereby increase security risk) than personal passwords, perhaps because they’re working in a shared team account or delegating work to others.
Fortunately, a range of affordable password safety measures is readily available:
1. Password managers, such as Sticky Password, LastPass or 1Password, are software programs that generate unique, strong passwords automatically and “remember” them when you log in. In general, these passwords are stored in an encrypted database and can be accessed only by your master password—the only one you have to remember. Most offer both free and affordable paid versions and are available as web extensions and apps. Versions for team or business use are also available.
2. Two-Factor Authentication (2FA) has become a widespread and highly recommended method for securing access to many business networks and programs. It is easy to enable on social media and other online accounts (for example, go to “Sign-in and Security” on your Google account settings). The most well known method of 2FA involves an SMS text message sent to a user’s cell phone to verify identity after entering the traditional password.
3. Universal 2nd Factor (U2F), a form of 2FA, involves purchasing a universal security key (which can range from under $15 to over $100), and connecting it to a computer so it can correspond with the browser using encryption technology. The connection can be via USB port, Bluetooth or NFC (near field communication). Even if a password is hacked, it can’t be deployed without this key. Because the process involves a physical token, there is no need to rely on a personal device like a cell phone. U2F is backed by the FIDO (Fast IDentity Online) Alliance and works with major sites and platforms, such as Chrome, Firefox, Dropbox, Salesforce, Facebook and GitHub.
4. VPN (Virtual Private Network), an online service that creates a kind of private virtual tunnel into your business network. “Logging in through a VPN ensures that data in transfer is encrypted from malicious third parties,” explains Keri Lindenmuth, marketing manager for technology services company Kyle David Group in Allentown, Pennsylvania. “When in use, the VPN encrypts all of your data in transfer so hackers or third parties can’t access it. All data, including passwords, that passes through the VPN server is anonymized and privatized.”
5. Biometric technology, which uses a person’s unique physiological (like face, fingerprint or voice) or behavioral (typing patterns, gait) characteristics for identification purposes. Two-thirds of companies have begun implementing biometrics, mostly in the form of fingerprint scanning and face recognition, according to a recent survey of IT professionals. Apple Touch ID is frequently used, as are fingerprint readers from Lenovo, Samsung, Microsoft and Dell. Apple, Windows and Android all offer face ID. Survey respondents said they recommend clients use biometrics in tandem with another traditional security measure, such as asking a security question, as a backup.
Print this article