A 2014 SplashData survey found that "123456" was the most common password among those exposed in data breaches that year. Though we've all heard how dangerous it is to use easy passwords, reuse them, share them, list them in a file, or write them on sticky notes stuck to a monitor, weak and mishandled passwords remain one of the most common ways businesses get compromised.
If you want to keep passwords from undermining your business's digital security, you have to watch out for these five small business events. When they happen, you should change the passwords on your essential accounts right away.
1. An employee leaves.
When an employee leaves, they take your information with them, even if only in their memory, and that includes every password they knew. Disabling their own accounts is the obvious step, but keeping the same old passwords on shared accounts (a team email inbox, a vendor portal, the Wi-Fi network) leaves the door open for a former employee or anyone they pass the password to.
For example, The Washington Post reports that the FBI is investigating how staff members of the St. Louis Cardinals hacked into the Houston Astros' network to access proprietary statistics, scouting reports, and trade discussions. When Jeff Luhnow left the Cardinals to become general manager of the Astros, he took a lot of sensitive knowledge with him. Investigators think St. Louis team officials used a master list of passwords Luhnow had used in St. Louis to break into the Astros' network.
Businesses that share passwords among staff or recycle old ones are at risk whenever a disgruntled former employee decides to use what they remember to get back into your network, or to hand that access to someone else.
2. You have to give temporary access to someone.
If you hire a contractor or a temp worker, or an existing employee steps into a new role, you may need to grant access to restricted parts of your network. Give each outside party its own account rather than handing over a shared password; that way you can disable it on its own when the work ends. Once these workers no longer need access, disable their credentials and change any shared password they were given. After all, Target's data breach was only possible because hackers were able to steal the login credentials of Target's HVAC contractor (more on that in "How to Keep Your Business Partners from Exposing You to Data Breaches").
3. You notice suspicious activity.
If your bank account has been drained or your credit card is maxed out even though you haven't spent a dime, you can be fairly certain someone has gained access to your financial accounts. But any fishy behavior on any business account (logins from unfamiliar locations or devices, password-reset emails you didn't request, forwarding rules you didn't create) should trigger a password change. It can't hurt to err on the side of caution.
4. You log on to a public computer or network.
Can't remember whether you logged out after checking your email on a public computer? Don't chance it. Change your email password now, and if the service offers a "sign out of all other sessions" option, use it so that an open session on that machine is cut off as well. Better that than regretting your overconfidence later.
5. Someone tried to phish you.
If you or an employee receives a phishing email, delete the message from your business mail servers and ask whether anyone clicked the link or entered credentials. Anyone who did should change that password immediately, along with the password on any other account where the same one was used, since attackers try stolen credentials wherever else they might work. Read more about how to detect a phishing scam in "23% of Small Business Employees Still Make This Critical Mistake."
Password Dos and Don'ts
If any of those five events happen at your business, it's time to queue up the reset password option on all your major business accounts (e.g., network logins, email, etc.). Before you choose a password, be sure you pick one that can't be easily cracked. Here are some tips to keep in mind when you switch your locks:
- Don't reuse old passwords. A password that leaked in one breach gets tried against every other account that might share it, so reusing one across accounts (or bringing an old one back) turns a single exposure into a data breach.
- Don't use simple sequences. Avoid a sequence of numbers such as "123456" or "567890." Letter sequences such as "qwertyuiop" (the top row of letters on a standard keyboard) are also weak choices.
- Don't use a favorite sport. SplashData notes "baseball," "football," "hockey," "soccer," and "golfer" are popular password choices, as are favorite teams (e.g., "yankees," "eagles," "steelers," "rangers").
- Don't use your birth year. Avoid your birthday altogether, whether the day, the month, or the year; it is easy to look up and among the first things an attacker will try.
- Don't use common names. According to SplashData's survey, "Michael," "Jennifer," "Thomas," "Jordan," "Hunter," and "Michelle," all make regular appearances on the frequently used passwords list.
- Do use a combination of letters, numbers, and special characters. Capitalize at least one letter and include a symbol (e.g., "?" or "%") alongside your letters and numbers. Length matters more than any single special character, so prefer a long passphrase or a random string generated by a password manager, which also lets every account have its own password.
- Do use two-factor authentication. This requires a secondary form of authentication, such as a code sent via text message or generated by an authenticator app, that you must enter to log in. A code from an app or a hardware key is preferable to a text message, which can be intercepted or redirected, but any second factor is far better than none.
- Do change your passwords when one of the five events above happens. Scheduled rotation matters less than responding to those events and keeping every password unique; if you do rotate on a schedule (say, email once a season and social media accounts twice a year), never reuse or lightly modify the previous password.
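The dos and don'ts above can be enforced rather than merely recommended. The following is an added example, not code from the original article: a small pre-screening check, written in Python, that rejects a candidate password if it matches or contains a commonly used word, contains a simple sequence or a keyboard-row walk, contains a four-digit year, uses too few character classes, or repeats one of the account's previous passwords. The blocklist is a constructed sample made up of the words the article quotes from SplashData; a real deployment would load a full breached-password list. The history check compares SHA-256 hashes of previous passwords, which is an assumption made to keep the example self-contained; a real system would use the same slow hash it uses for the password store.

```python
"""Password pre-screening that enforces the article's dos and don'ts.

Added example, not part of the original article. The blocklist is a
constructed sample; the SHA-256 history check is a stand-in for the slow
hash a real password store would use.
"""
import hashlib
import re

# Constructed sample blocklist: the weak choices the article cites.
COMMON_PASSWORDS = {
    "123456", "567890", "qwertyuiop", "baseball", "football", "hockey",
    "soccer", "golfer", "yankees", "eagles", "steelers", "rangers",
    "michael", "jennifer", "thomas", "jordan", "hunter", "michelle",
}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def is_sequence(s, min_len=4):
    """True if s contains min_len characters stepping by +1 or -1 (e.g. 1234, dcba)."""
    for i in range(len(s) - min_len + 1):
        chunk = s[i:i + min_len]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def is_keyboard_walk(s, min_len=4):
    """True if s contains min_len adjacent keys from one row, forward or reversed."""
    low = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            frag = row[i:i + min_len]
            if frag in low or frag[::-1] in low:
                return True
    return False


def contains_year(s, first=1900, last=2030):
    """True if s contains a four-digit number that looks like a birth year."""
    return any(first <= int(m) <= last for m in re.findall(r"\d{4}", s))


def password_hash(pw):
    """Hash used for the history check (assumption: real systems use a slow hash)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw, blocklist=COMMON_PASSWORDS, history=(), min_len=12):
    """Return the list of reasons a candidate is rejected; an empty list means it passed."""
    problems = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Exact matches always count; longer blocklist words also count as substrings
    # so that "Baseball2015!" is caught, while short words like "golf" are not
    # flagged inside unrelated strings.
    if low in blocklist or any(w in low for w in blocklist if len(w) >= 5):
        problems.append("matches or contains a commonly used password")
    if is_sequence(pw):
        problems.append("contains a simple sequence")
    if is_keyboard_walk(pw):
        problems.append("contains a keyboard-row pattern")
    if contains_year(pw):
        problems.append("contains a four-digit year")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    if sum(1 for p in classes if re.search(p, pw)) < 3:
        problems.append("uses fewer than three character classes")
    if password_hash(pw) in set(history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample input: one previous password plus a few candidates.
    previous = [password_hash("Winter2014!!")]
    for candidate in ["123456", "Baseball2015!", "Winter2014!!", "M%7k9Qz#pL2w"]:
        verdict = check_password(candidate, history=previous) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The screen is deliberately strict: it rejects anything that matches a pattern from the article's list even when the rest of the password is strong, because a human attacker trying "team name plus year" will get those first. Run it on a real candidate before accepting it, and feed it the hashes of the account's last several passwords so that a reset after one of the five events above does not quietly bring an old password back.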
For more tips on shoring up weak security links that lead to data breaches, read "Avoiding a Data Breach: Lessons from TurboTax."