Strong Padlock

I work with a wide variety of people, from home users to various sizes of small businesses.  A common issue I see is poor password security.  Passwords have been used since some of the earliest computer systems in order to keep people out of areas they shouldn’t be in.  They are in essence a padlock on your stuff.  The problem is a lot of people use a master key for all their padlocks and their padlocks are about as strong as a little luggage padlock.  Perhaps you are also guilty of re-using variations on the same password like your dog’s name, the town you were born in, or even your phone number.  The problem with these passwords is that they are fairly easy to guess for a hacker.

Weak Padlock

Don’t think it’s a big deal?  Check this out: as a small business owner or even an employee at a business, you probably have an email address @businessname.com, so any mail from you is official business communication.  If someone could guess your password, they could access your address list, your sent mail, and all the mail in your inbox.  Is there any information in those emails you wouldn’t want getting out?  Like profit margin information, price list info, buyout or merger info?  There could be a lot of damaging information stored in your email.  Now suppose the person who guessed your password decided to send mail to your customers as you, because they can do that now.  What if they sent out an offensive email to your entire address book?  While they’re at it, they go ahead and change your password so you can’t get into your own mail.  Depending on how your mail is set up, an admin might be able to reset the password for you, but it may take a while, and you may have to do a lot of damage control before you can get the hacker out.  They could also take over your Facebook page by resetting its password, because the reset goes to the mailbox they now control.  How many other online sites would they now be able to access and change passwords on, simply by hitting that “send me a new password” button and reading the reply in your email?  With several of your accounts in hand, what kind of havoc could a hacker cause, and how much trouble would that leave you in?  How much work will it take to recover from the hack, and do you have the time?

One of the worst places I see poor passwords used is on a registrar like GoDaddy.com.  If you have a domain for your business, then you have it registered somewhere.  If that password isn’t extremely secure, a hacker could gain access to your domain and take over your website, your email and anything else tied to your domain.  They can redirect your traffic to other sites, or just stay quiet and glean as much from your information as they can.  How much damage they do depends entirely on the intentions of the hacker.

I completely understand why people want to use the same password and make it simple to remember.  The problem with this is that hackers have automated tools that can run dictionary searches against your passwords.  This is basically trying every word in the dictionary, then trying each word with 1 or 01 or 02 and so on at the end, or with the first letter capitalized.  All of this can be done on a pretty simple computer in minutes.  This is why a good password 1. doesn’t contain any words, 2. has upper and lower case letters, with the first letter not being the only one capitalized, and 3. has numbers and symbols mixed in.  Something like this: vU5ZQ85u7E is a good, strong password and would survive any dictionary attempt.
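As an added example (not code from the original article), here is a small checker for the three criteria above. It also reproduces the mutation search the paragraph describes (word, Word, word1, word01, ...) so you can see which simple guesses a weak password falls to; WORDS is a constructed stand-in for a real dictionary. Note that the article’s own sample vU5ZQ85u7E passes everything except the symbol check, which is reported as its own item.

```python
"""Check a password against the article's three criteria and the simple
dictionary-mutation search it describes: each word as-is, with the first
letter capitalized, and with "1", "01", "02", ... appended."""
import string

# Constructed sample dictionary; a real check would load a full word list.
WORDS = ["rover", "password", "denver", "summer", "welcome"]


def mutations(word):
    """Yield the variants a simple dictionary tool tries for one word."""
    suffixes = [""] + [str(n) for n in range(10)] + [f"{n:02d}" for n in range(100)]
    for base in (word.lower(), word.capitalize()):
        for suffix in suffixes:
            yield base + suffix


def found_by_dictionary_search(password, words=WORDS):
    """True if the password is exactly one of the mutated dictionary entries."""
    return any(password == candidate for w in words for candidate in mutations(w))


def contains_word(password, words=WORDS, min_len=4):
    """True if any dictionary word (case-insensitive) appears inside the password."""
    lowered = password.lower()
    return any(len(w) >= min_len and w.lower() in lowered for w in words)


def failed_checks(password, words=WORDS):
    """Return the names of the criteria the password does not meet."""
    failures = []
    if found_by_dictionary_search(password, words) or contains_word(password, words):
        failures.append("no_words")
    has_lower = any(c.islower() for c in password)
    # Upper case must appear somewhere other than only the first character.
    has_upper_beyond_first = any(c.isupper() for c in password[1:])
    if not (has_lower and has_upper_beyond_first):
        failures.append("mixed_case")
    if not any(c.isdigit() for c in password):
        failures.append("has_digit")
    if not any(c in string.punctuation for c in password):
        failures.append("has_symbol")
    return failures


if __name__ == "__main__":
    for pw in ["rover", "Rover01", "Denver2015", "vU5ZQ85u7E", "vU5Z!Q85u7E"]:
        print(pw, failed_checks(pw) or "passes all checks")
```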

Just changing your passwords to make them strong won’t fully solve the problem if you use a spreadsheet to keep track of them or they are on sticky notes on the side of your computer.  Case in point: the recent Sony hack was made much worse because a spreadsheet holding the login details for a number of online accounts was found sitting on a server.  This allowed the hackers to go even further with ease.  Most of us humans can’t remember passwords like vU5ZQ85u7E unless we use them a lot.  So what’s the solution?  Use a password manager.  A password manager uses encryption to securely store all your passwords under the lock of one good password.  So you use one good password to open your password vault and then pull passwords for other sites as needed.  There are a number of products out there.  Some encrypt your data and then upload it to cloud storage, making it available to any of your devices.  Others are for use on a single computer, and the data doesn’t leave that machine unless you back up the vault.  I have used LastPass, which is an online service, and also KeePass, which is a local-only program.  There are other options and I may do a review at a later date, but if you have your business locked down with a luggage lock, I highly recommend that you fix it soon!