In the early days of computing, a password was typically a personal number, name or word that was easy for the user to remember: a birthday, a favorite color, or the name of a spouse, pet or child. Now almost everyone knows that simple passwords like those are easy targets for hackers.
We’ve all gotten at least one strange-looking email from the email address of a friend or family member that has nothing but a link in it. That’s a sure sign they’ve been hacked. The link, of course, contains a virus or malware that activates if you click on it.
It’s one thing to have a Yahoo or Facebook account hacked. It’s quite another to have your business network hacked.
Having your business network and/or cloud-based applications accessed by cyber criminals can hurt your business financially and harm its reputation as well. Hackers are not only after business and customer data; they can also tap into phone systems and place hundreds of premium-rate and international calls at no cost to themselves that are then charged to the business. Unfortunately, your business is responsible for those calls whether you made them or not.
Just because you have firewalls and virus and malware protection on your network doesn’t mean it isn’t still vulnerable to attack. Any valid password lets hackers into your network.
That’s why it’s critical to establish a strong password policy at your business, train your employees on how to create strong passwords and make sure they understand the consequences of not doing so.
Here are some good guidelines for a strong password policy:
- Do not “keep it simple”: A password made up only of lowercase letters could take about 10 minutes to crack. A password mixing lowercase letters and numbers could take a couple of hours to crack. A password with multiple uppercase letters, a few lowercase letters, a number, and a symbol could take roughly three years to crack. Users should follow these guidelines:
  - Avoid the use of famous names, common words in any language, words spelled backwards or words that use common misspellings.
  - Do not use numbers in normal sequences, such as 1234.
  - Employ a mix of capital letters, lowercase letters, numbers, and symbols.
  - Never use personal information such as a name, birthday, anniversary, driver’s license number, passport number, or other personal details.
- Use different passwords for every login: Having to remember dozens of passwords for all the sites individuals access can be overwhelming. But if hackers discover a password for one account, they could easily use it to gain access to all of that person’s other accounts, including your business network. That’s why it’s vital that you make sure your employees use a different password for every site related to your business. This means that the network login and the logins required to access each piece of cloud-based business software are different.
- Make sure employees replace the default passwords in your voice mail and network systems: The minute a new telecom system is installed, every person in your business should immediately change the default password to a strong password that adheres to your business’s password policy. This should be done by new employees as soon as their mailbox is set up.
- Make passwords longer and be sure the pattern appears completely random: Security specialists suggest lengths of 12 to 14 characters that include uppercase letters, lowercase letters, numbers, and symbols. The more random these appear, the better. One trick for creating what appears to be a random password is to use the first letter of each word in a phrase or sentence, then convert some of the letters to numbers and/or symbols. Do not use a popular phrase or saying, however, as these can be guessed as easily as simple words and names.
- Use a password generator: For help coming up with stronger passwords, there are password generators available on the Internet that can create completely random passwords. Then you can change the characters to help you remember the password.
- Build a password checker into your system’s password creation page: This will help your users determine whether the password they are creating is a strong one. Alternatively, users can check the strength of a password with an online tool.
- Consider using a password manager: Using a password manager, such as AppID by Intermedia, lets you and your employees avoid having to come up with many different passwords and memorizing them all. Passwords saved by password managers are all encrypted. Users need to create and remember only one very strong password and that’s the one used to activate the password manager.
- Warn employees to never log in with a password on a computer or device that does not belong to them: There’s no way to know the security of the computer being used. Logging into a business site from an insecure computer opens your business network to being hacked.
- Instruct employees to never post or share their passwords with anyone: They should be memorized if possible and never written down on the computer.
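The checker described in the list above, written here as an added Python example (not code from the article or any vendor it names): it reports which of the guidelines a candidate password breaks. The 12-character floor, the four-digit definition of a "normal sequence", and the small denylist are assumptions.

```python
"""Password-policy checker encoding the guidelines above (added example, not the article's code).
Assumptions: a 12-character floor (the article suggests 12 to 14), four sequential digits
count as a "normal sequence", and the denylist is a small constructed sample."""
import re

MIN_LENGTH = 12
# Constructed sample denylist of common words, names and misspellings; a real
# deployment would load a large wordlist instead.
COMMON_WORDS = {"password", "pasword", "qwerty", "letmein", "welcome",
                "admin", "dragon", "monkey", "football", "iloveyou"}
# Undo the usual digit/symbol-for-letter substitutions before the word check.
LEET = str.maketrans("013457@$!", "oieastasi")
CLASSES = [("no_lowercase", re.compile(r"[a-z]")),
           ("no_uppercase", re.compile(r"[A-Z]")),
           ("no_digit", re.compile(r"\d")),
           ("no_symbol", re.compile(r"[^A-Za-z0-9]"))]

def _normalize(pw: str) -> str:
    return pw.lower().translate(LEET)

def _has_digit_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive digits step up or down by one (1234, 9876)."""
    for match in re.finditer(r"\d{%d,}" % run, pw):
        digits = [int(c) for c in match.group()]
        for i in range(len(digits) - run + 1):
            window = digits[i:i + run]
            if {b - a for a, b in zip(window, window[1:])} in ({1}, {-1}):
                return True
    return False

def check_password(pw: str, personal: tuple = ()) -> list:
    """Return the policy violations for `pw` (empty list means it passes).
    `personal` holds details the user must not embed: name, birthday, ID numbers."""
    problems = [] if len(pw) >= MIN_LENGTH else ["too_short"]
    problems += [name for name, rx in CLASSES if not rx.search(pw)]
    if _has_digit_sequence(pw):
        problems.append("sequential_digits")
    norm = _normalize(pw)
    # Dictionary words are caught forwards, reversed, and with substitutions undone.
    if any(w in norm or w in norm[::-1] for w in COMMON_WORDS):
        problems.append("common_word")
    if any(len(p) >= 3 and _normalize(p) in norm for p in personal):
        problems.append("personal_info")
    return problems

def is_strong(pw: str, personal: tuple = ()) -> bool:
    return not check_password(pw, personal)
```

Feed it the user's name and birth year in `personal` so that the personal-information rule has something to match against.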
In her article “Master Your Passwords,” Anya Kamenetz of The Savings Game, a Tribune Content Agency, provides a strong but easy-to-remember password example. It involves writing a personal statement that means something only to the individual user. Her example is “LindalikestogohikingandeatCheezWhiz.” This could be made even stronger by substituting numbers for some of the letters, such as the number one for some of the letter “i” and the number three for some of the letter “e.” Then this password might read “LindalikestogohikingandeatCh33zWh1z.”
Some sites require users to change their passwords often. But there is a debate about this issue. The theory has been that hackers who discovered passwords would not steal the information or the money immediately, so changing passwords would cut off their access to previously hacked sites. However, there is little proof that changing passwords often really enhances security. Of course, if there is news that a site you or your employees use has been hacked, passwords should be changed immediately.
There is one other security measure that is a must. That is to immediately remove an employee’s mailbox when that employee leaves the company. In fact, there should be no open or unused mailboxes in your system. You can turn to your telecom vendor/provider to verify there are no unsecured elements in your VoIP system.
One option is to eliminate passwords.
Many companies are now dispensing with passwords and have implemented security tokens or authentication tokens that display a login code that changes every few minutes. Users enter a personal identification number (PIN) together with the current login code, which is displayed on a small, easily carried key fob, to access the company network. Large companies are moving to other forms of identification, including iris scans and fingerprints.
Another security method you can use is two-factor authentication. This requires a second piece of information during the login process. This could be a password and the answer to some personal question only the official employee would know.
Today, however, passwords remain a primary path to security. It’s essential to educate your users to make sure their passwords do the job they are designed to do. Implementing a strong business password policy is the best defense against hackers accessing your systems using passwords.