Security experts have been advising for years against re-using online passwords. But apparently business owners – along with the rest of us – are not listening.
Surveys show that most small businesses have close to 25 Internet accounts requiring passwords, but rely on fewer than 10 passwords to access them all.
Why aren't we following instructions? Remembering multiple passwords is simply too difficult, so we employ the same passwords for multiple accounts and compound the mistake by making passwords easy for identity theft crooks to guess. The challenge is even greater now that websites and workplace computer systems demand "strong" passwords that must be changed regularly. Just when you really know a password, it's time to change it.
The scale of the threat doesn't become real, however, until a small business suffers a financial loss or data breach, said Ron Sharon, information technology director at ibotta Inc., a Denver-based startup.
"When we say 'hackers,' people think about a teenager sitting at a computer in his basement like we see in movies. But hacking has become an industry. They'll steal 45 million passwords or 45 million Social Security numbers and sell them in bulk," Sharon said. Crews of mercenaries operate from the relative safety of foreign lands, probing constantly to glean passwords and create a data breach. Then they peddle the information to the highest bidder.
“This kind of crime is low-risk and high-return for crooks. It's easier and safer than robbing a bank or mugging someone on the street," said Pete Platt, investigations and fraud manager at City National Bank.
Use an automated password manager that requires you to remember only a single master password and stores multiple passwords for all your accounts. A good program will also generate secure passwords when you need them, using whatever parameters are necessary: letters, symbols, upper- and lower-case characters, etc.
Some password programs are available online for free; others may require an annual fee, typically $10 to $40. Most will identify and eliminate weak and duplicate passwords in your accounts, making them more secure.
Nate Lord, a security specialist at DigitalGuardian, uses "passphrases" rather than a single password.
He strings together three random words into a combination of letters that are difficult to guess but relatively easy to remember. He suggests giving the words a unifying theme, such as baseball, to make them even easier to keep in your memory: strikebalktriple, for instance.
Another way to make memorizing the passphrases easier is to memorize an easy sentence, “I ran all the way to the park," and use the first letters, IRATWTTP, in various combinations.
Memorize a complex string of symbols, such as &)#@*@*, and incorporate them into longer, phrase-based passwords, sometimes at the beginning, sometimes at the end.
"I am very paranoid about information security, particularly password security. I've been in this field for 30 years and I've never seen so many breaches," said Silka Gonzalez, president of Enterprise Risk Management (ERM), a leading cybersecurity consulting firm headquartered in Miami.
Do not write down your passwords or put them in an electronic file, Gonzalez advised.
She memorizes her passwords with her own system of mnemonic devices. A numeral or symbol can stand in for a letter: A "3" might represent an "E," for instance, or a "$" might mean an "S."
Once you have shored up your passwords, keep them secure from hackers. Never access a secure site, such as your bank or brokerage, through an email that purports to be from that institution – even if it displays the proper logo.
Sharon, the security firm owner, said scammers go after passwords through email “phishing" schemes that ask you to log in and deal with some issue. Then they capture the password you enter into what is actually their fraudulent site.
Passwords are just the first line of defense, said Karl Mattson, chief information security officer at City National Bank. “If a site offers additional security features, such as secondary or two-factor authentication, enable them," Mattson said. “Then when you enter your password, you will receive a text message with a one-time code that you must enter before you can log in."
This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.