You already know that small and medium-sized businesses are particularly vulnerable to fraud and data theft. Part of the reason is that these companies often lack the resources for a dedicated information security staff or state-of-the-art security software. But one of the best protections against hackers—creating and implementing strong passwords throughout your organization—is absolutely free.
There are three types of attacks used by cybercriminals to gain access to passwords: brute force, dictionary attacks, and social engineering.
In a brute force attack, hackers use a program that systematically tries every combination of letters, numbers, and special characters. A brute force attack is the most time-consuming; the longer and more random the password, the harder it is to crack.
A custom dictionary attack uses a database filled with common words, names, and number/letter combinations. Shorter, simpler, and more generic passwords (such as "abc123" or "ilovemykids") are far easier to guess.
Finally, and most effectively, hackers use social engineering to crack company passwords. In a social engineering attack, the criminal uses a fraudulent persona—for example, posing as a member of the IT staff and "testing the system"—to trick employees into willingly giving up passwords.
Here are some tips for strengthening your small business' password policy.
1. Choose easy-to-remember, hard-to-guess passwords
Passwords that are at least eight characters long, with a case-sensitive mix of letters, numbers, and symbols, are best. Here are some things to avoid when choosing a password:
- Personal information such as birthdays; names of spouses, children, or pets; or Social Security numbers
- Using only letters or only numbers
- Using the same word as your login
- Using a word that can be found in any dictionary (even in a foreign language)
- Using double letters or numbers
Where possible, use numbers to represent letters. For example, use the number 0 for the letter o, or the number 3 for the letter e. This makes passwords much harder to crack using either brute force or custom dictionary attacks.
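As an added example (not from the article or the Center for Identity), the Python code below turns the "things to avoid" rules above into a policy check and also estimates the worst-case search space of the brute force attack described earlier; the word list, login name and personal details it uses are constructed sample values.

```python
import re
import string

# Constructed stand-in for a dictionary-attack word list; a real deployment
# would load a full word list (assumption, e.g. /usr/share/dict/words).
COMMON_WORDS = {"password", "welcome", "dragon", "ilovemykids", "abc123"}

def brute_force_space(password):
    """Worst-case guesses a brute force attack must make: the size of the
    smallest character set covering the password, raised to its length."""
    size = 0
    for charset in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation):
        if any(c in charset for c in password):
            size += len(charset)
    return size ** len(password)

def check_password(password, login, dictionary=COMMON_WORDS, personal=()):
    """Return the policy rules the password violates (empty list = acceptable).

    'personal' holds strings such as names, birthdays or pet names supplied
    by the caller; the dictionary test is widened to any listed word of four
    or more characters appearing anywhere inside the password."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_letter and has_digit and has_symbol):
        problems.append("needs a mix of letters, numbers and symbols")
    if password.isalpha() or password.isdigit():
        problems.append("uses only letters or only numbers")
    if lowered == login.lower():
        problems.append("same as the login name")
    for word in sorted(dictionary):
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word '{word}'")
            break
    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
            break
    if re.search(r"(.)\1", password):
        problems.append("contains doubled letters or numbers")
    return problems
```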
2. Don't reuse passwords across sites
It's tempting to use the same password across multiple sites or programs in order to make it easier to remember. The Center recommends strongly against this. If you do, a hacker who discovers your company's Facebook password might also be able to access your company's financial information or something equally sensitive.
3. Change passwords regularly
In the same way that changing the locks on your home or office deters would-be burglars, changing your passwords helps protect against data theft. It's best to update your credentials every 30 to 60 days.
4. Consider a password management program
One problem often faced by small businesses is the use of passwords across teams (for example, if everyone needs the same credentials to use a company-wide program). This can lead to weak security habits such as e-mailing or IMing passwords among team members. To combat this, choose a password management program, which automates and secures credentials for systems with multi-party access.
5. Train employees to avoid social engineering attacks
Clicking on unsolicited email attachments, giving sensitive information to a caller without verifying the caller's identity, or buzzing a stranger into a secure work area are all activities your employees should know to avoid. Take a look at The Center for Identity's articles Spotting a Phishing Email and Training Employees to Protect Data for further information on social engineering attacks.
Funded by a partnership with the Texas Legislature, and powered by the Center for Identity, IDWise is a resource center for the public on identity theft, fraud, and privacy.