by Mark Stockley on June 30, 2014
When it comes to IT security, very small businesses and micro-enterprises are in a tight spot.
They’re almost always heavily dependent on computers but not large enough to have dedicated IT staff; everyone is busy doing their day job (and probably a few other jobs as well) and the ‘IT cap’ is simply handed to the least non-technical person.
In those circumstances, knowing what to do, what’s important and where to start with computer security can be very difficult and in my experience the first casualty is often a company’s passwords.
Despite the rise of biometrics and two-factor authentication, almost everything we do on our computers is still secured using passwords, so getting them right is a vitally important first step.
I’ve compiled a list of four common password mistakes that I see when working with small companies. If you can avoid them then you’ll have put your security on a stronger footing.
Anti-virus – you need it but it’s not enough
OK, I just said this article is about passwords but I think it’s important to start with a word about anti-virus.
Whatever the state of security awareness in a very small business, the chances are that there’s one thing everybody will agree on: that they need to run anti-virus.
That consensus can have a chilling effect on other aspects of computer security though, because to a lot of people anti-virus is computer security and once it’s installed, security is a done deal.
Unfortunately installing anti-virus is the first step, not the last.
You need to ensure that all of your devices (PCs, Macs, tablets, Linux servers and phones) are using anti-virus and that they are updating successfully.
And then you need to read on…
Fear of forgetting leads to awful passwords
One of the reasons people use weak passwords, and then weaken them further by sharing them and using them over and over, is because they’re afraid of forgetting them. (I once had a customer who wrote his Windows password on his computer monitor because he was afraid he’d forget it. His password consisted of two letters: his initials.)
To overcome the fear of forgetting your passwords you’ll need a place you can keep them safe and always find them.
It doesn’t matter much where it is – it might be a keychain application on your computer, a website like LastPass, a leather bound book or even your own memory – what matters is:
- You know where it is
- You can control who has access to it
- It is the only place your passwords are kept
- It can store hundreds of unique, strong passwords
Once you have decided how you are going to store your passwords put the ones you can remember into your safe place. Gather up any notes, files and post-its where you’ve written your passwords down and copy them over too.
When all of your passwords have been transferred to your safe place remove all traces of them from anywhere other than your secure location. Clean your passwords off whiteboards (or computer monitors), delete them from computer files and shred or burn any pages or post-its where you wrote them down.
By creating a safe place to store your passwords you’ll free yourself to choose complex passwords that you couldn’t otherwise remember.
Which is what we’ll do next…
Passwords are easier to crack than you think
When we talk about strong passwords we mean passwords that a powerful computer will have difficulty guessing.
This isn’t the movies and we’re not defending ourselves against elite hackers whose second guess is always supernaturally lucky.
Your passwords are at risk from computer programs that can guess thousands of passwords a second and are able to understand some of the tricks you use to make passwords more obscure.
A short while ago I was given some old computers by a small business that had recently folded.
As an experiment, and with the previous owner’s permission, I booted one of the computers using a password auditing tool.
Running on the defunct company’s own old hardware, the software guessed the admin password for the first machine in under ten seconds.
The password was an eight letter word (the company name) with a zero in place of an ‘o’ to make it difficult to crack.
The computer, it turns out, was the machine holding the company accounts.
Using dictionary words and paying lip service to security with a few numbers and wacky characters where there should be letters simply isn’t enough.
Use 14 characters or more and switch as arbitrarily as you can between UPPER, lower, d1g1t5 and \/\/@ckies.
If you’re wondering how you’d ever create a password like that I suggest you use a random password generator.
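To make the two points above concrete, here is a small added example (not code from the original article) that generates passwords meeting the 14-character, four-class rule with the operating system's cryptographic random source, and compares the guess space of such a password with the "company name with a zero for an o" style that fell in ten seconds. The dictionary size, number of substitutable letters and guess rate are assumptions chosen for illustration.

```python
import secrets
import string

# The four character classes the article asks you to mix.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)          # 94 printable ASCII characters
MIN_LENGTH = 14                      # the article's recommended minimum


def has_all_classes(password):
    """True if at least one character from each of the four classes is present."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def is_strong(password):
    """The article's rule: 14+ characters mixing UPPER, lower, digits and symbols."""
    return len(password) >= MIN_LENGTH and has_all_classes(password)


def generate_password(length=MIN_LENGTH):
    """Draw characters with the OS CSPRNG (secrets), rejecting draws that miss a class."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def guesses_random(length, alphabet_size=len(ALPHABET)):
    """Worst-case guess count for a uniformly random password."""
    return alphabet_size ** length


def guesses_substituted_word(dictionary_size=100_000, substitutable_letters=3):
    """Assumed model for a dictionary word with a few swaps (o->0, a->@, ...):
    every word in the list, times each on/off combination of the swaps."""
    return dictionary_size * 2 ** substitutable_letters


def seconds_to_exhaust(guesses, guesses_per_second=10_000):
    """Time to try every candidate at an assumed 'thousands a second' rate."""
    return guesses / guesses_per_second


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "strong:", is_strong(pw))
    print("word with a zero swapped in: %.0f s to exhaust"
          % seconds_to_exhaust(guesses_substituted_word()))
    print("random 14-char: %.1e years to exhaust"
          % (seconds_to_exhaust(guesses_random(14)) / (3600 * 24 * 365)))
```

The substituted-word space is exhausted in minutes at this rate, while the random 14-character space runs to around 10^16 years, which is the whole argument for a generator.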
Now that you control access to your passwords and you’ve made sure they’re all good and strong, it’s time to stop sharing them.
Your password isn’t secure if you give it away
When I work with a small business or micro-enterprise they generally have to give me access to one or more of their systems.
I am staggered at how often I’m simply handed a long list of admin passwords (often for systems I don’t even need access to) that are shared by everyone at the company.
Account sharing like this is a really bad idea, not least because:
- If something bad happens you can’t tell who did it.
- It makes you more vulnerable to social engineering.
- It makes changing passwords too painful to bother with.
- Everyone with a password can cause maximum damage.
- You don’t know who else has your passwords.
One of the reasons that people in organizations share passwords amongst themselves and with outsiders is because it’s incredibly convenient.
Keeping accounts separate and passwords secret is a bit like taking daily backups – most days it’s a small inconvenience and you won’t feel the need for it, but you do it because on the one day you do feel it, you’ll really, really feel it.
Unfortunately you’ll just have to bite the bullet on this one. Yes, it’s a little bit more inconvenient to make sure everyone has their own account but it’s no different than limiting access to your front door keys.
Every person who needs access to a particular system should have their own account with a unique password and the lowest workable access level.
Source: Sophos Naked Security (http://nakedsecurity.sophos.com)