Security experts have been advising for years against re-using online passwords. But apparently business owners – along with the rest of us – are not listening.
Surveys show that most small businesses have close to 25 Internet accounts requiring passwords, but rely on fewer than 10 passwords to access them all.
Why aren’t we following instructions? Remembering multiple passwords is simply too difficult, so we employ the same passwords for multiple accounts and compound the mistake by making passwords easy for identity theft crooks to guess. The challenge is even greater now that websites and workplace computer systems demand "strong" passwords that must be changed regularly. Just when you really know a password, it's time to change it.
The scale of the threat doesn’t become real, however, until a small business suffers a financial loss or data breach, said Ron Sharon, information technology director at ibotta Inc., a Denver-based startup.
"When we say 'hackers,' people think about a teenager sitting at a computer in his basement like we see in movies. But hacking has become an industry. They'll steal 45 million passwords or 45 million Social Security numbers and sell them in bulk," Sharon said. Crews of mercenaries operate from the relative safety of foreign lands, probing constantly to glean passwords and create a data breach. Then they peddle the information to the highest bidder.
“This kind of crime is low-risk and high-return for crooks. It’s easier and safer than robbing a bank or mugging someone on the street,” said Pete Platt, investigations and fraud manager at City National Bank.
How to combat this growing threat? Consider these password protection tips:
- Use an automated password manager that requires you to remember only a single master password and stores multiple passwords for all your accounts. A good program will also generate secure passwords when you need them, using whatever parameters are necessary: letters, symbols, upper- and lower-case characters, etc.
- Some password programs are available online for free; others may require an annual fee, typically $10 to $40. Most will identify and eliminate weak and duplicate passwords in your accounts, making them more secure.
- Passwords are just the first line of defense, said Karl Mattson, chief information security officer at City National Bank. “If a site offers additional security features, such as secondary or two-factor authentication, enable them,” Mattson said. “Then when you enter your password, you will receive a text message with a one-time code that you must enter before you can log in.”
“I am very paranoid about information security, particularly password security. I've been in this field for 30 years and I've never seen so many breaches,” said Silka Gonzalez, president of Enterprise Risk Management (ERM), a leading cybersecurity consulting firm headquartered in Miami.
Do not write down your passwords or put them in an electronic file, Gonzalez advised.
She memorizes her passwords with her own system of mnemonic devices. A numeral or symbol can stand in for a letter: A "3" might represent an "E," for instance, or a "$" might mean an "S."
Nate Lord, a security specialist at DigitalGuardian, uses "passphrases" rather than a single password.
- He strings together three random words into a combination of letters that are difficult to guess but relatively easy to remember.
- Give the words a unifying theme, such as baseball, to make them even easier to keep in your memory: strikebalktriple, for instance.
- Memorize a complex string of symbols, such as &)#@*@*, and incorporate them into longer, phrase-based passwords, sometimes at the beginning, sometimes at the end.
- Memorize an easy sentence, “I ran all the way to the park,” and use the first letters, IRATWTTP, in various combinations.
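The two jobs a password manager does in the tips above, flagging reused or weak passwords across accounts and generating new ones with the required character classes, look roughly like this. It is an added example, not code from the article or from any product it mentions; the account list and the small common-word list are constructed stand-ins for a real vault and a real breached-password dictionary.

```python
import secrets
import string
from collections import defaultdict

# Leet swaps like "3" for "E" and "$" for "S" are the first thing a guessing
# tool tries, so the audit undoes them before comparing against common words.
LEET = str.maketrans({"3": "e", "$": "s", "0": "o", "1": "i",
                      "@": "a", "4": "a", "5": "s", "7": "t"})
# Constructed stand-in for the much larger dictionaries real managers ship.
COMMON_WORDS = {"password", "letmein", "welcome", "baseball", "summer"}


def normalize(pw: str) -> str:
    """Lowercase, drop leading/trailing digits and symbols, undo leet swaps."""
    return pw.lower().strip(string.punctuation + string.digits).translate(LEET)


def audit_passwords(accounts: dict[str, str]) -> dict[str, list]:
    """Return reuse and weakness findings for {account_name: password}."""
    by_pw = defaultdict(list)
    for name, pw in accounts.items():
        by_pw[pw].append(name)          # group accounts sharing one password
    reused = [names for names in by_pw.values() if len(names) > 1]
    weak = [name for name, pw in accounts.items()
            if len(pw) < 12 or normalize(pw) in COMMON_WORDS]
    return {"reused": reused, "weak": sorted(weak)}


def generate_password(length: int = 16) -> str:
    """CSPRNG password guaranteed to contain lower, upper, digit and symbol."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:                         # resample until every class is present
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


# Constructed sample vault: one password reused on two sites, two leet-disguised
# dictionary words (one of them also too short).
SAMPLE = {
    "bank": "P@$$w0rd2024",
    "email": "Strike-Balk-Triple-91$",
    "payroll": "Strike-Balk-Triple-91$",
    "vendor-portal": "B4seb@ll!",
}

if __name__ == "__main__":
    print(audit_passwords(SAMPLE))
    print(generate_password())
```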
Once you have shored up your passwords, keep them off limits from the bad guys. Never access a secure site, such as your bank or brokerage, through an email that purports to be from that institution – even if it displays the proper logo.
Sharon, the security firm owner, said scammers go after passwords through email “phishing” schemes that ask you to log in and deal with some issue. Then they capture the password you enter into what is actually their fraudulent site.
Remember, he said, the hackers never sleep.