It still amazes me just how badly businesses (small businesses in particular, but not exclusively) manage their passwords. We’re almost a quarter of a century into the Internet revolution (I date it to 1993, when the popular press began talking about the Internet), and still the average person does a totally absurd job of managing passwords.
Working with my consulting clients, I see these kinds of problems:
- Passwords are absurdly weak: Way too many people (you know who you are!) create ridiculous passwords: a pet’s name, a child’s name, a favorite vacation spot, or maybe even password123.
- Passwords are being saved unsafely: Written down on pieces of paper, waiting for some unauthorized person to walk off with them.
- Passwords are lost: If I had a penny for every time a client has come to me asking how to get into their hosting account, or GoDaddy account, or whatever, because they can’t find the password … well, you know, I’d have a very large pile of pennies.
- Passwords are shared: People give their passwords to too many people.
- Passwords are re-used: The same dumb, easy-to-break password is used for logging into your bank accounts, Google, Twitter, etc. … If someone can figure out the password you use for one account, they’ve got them all!
- Accounts are shared: All too often companies use a single account, shared throughout the company, when they could use individual accounts.
As an example of the last item on the list, many companies set up a single account in their ecommerce system, then anyone in the company who needs access uses that one account. Five or ten employees may end up using the same account. Don’t do this!
If something goes wrong, there’s no way to figure out who was in the system when it happened. If someone quits, you have to change the password and tell everyone who needs access (though you could take the path that many companies do, and not bother changing the password, just trusting that the ex-employee is an honest, happy ex-employee!).
So, here’s a series of rules for small-business password management!
- Don’t share accounts! Set up separate accounts for each employee who needs access to a system.
- Use a password-management system. Such systems save your passwords securely, allow you to create more complicated (and thus safer) passwords, automatically log you into accounts, allow you to share passwords with people without them being able to see the password, and so on. More on this in a moment.
- Use complicated passwords. No more 123456 (the most popular password of 2017), or qwertyuiop (the 11th most popular). Now that you’re using a password-management system, it’s easy to use complex passwords; the program will log into your accounts for you, so you don’t need to remember or type passwords. Use something like *n0q9wrBinF7ON$3g^ (yes, seriously!), which is, for all practical purposes, an unguessable password.
- Don’t reuse passwords. Each login gets its own, unique, complicated password.
- Don’t share passwords (if you can help it). Look into using a password-management program that shares passwords without the borrower seeing the password (more on this in a moment). If you really have to share a password temporarily, change it as soon as access is no longer needed by the borrower.
The secret to good password management is using a password-management program. These are programs that save your passwords in an encrypted form; without the master password there is no way for anyone, even the National Security Agency or the CIA, to access your passwords. (Oh, quick note: use a strong password as your password manager’s master password!)
I’ve been using Roboform for years, but there are a number of good, well-known programs:
- LastPass
- Sticky Password
- LogMeOnce
- ZohoVault
- … and plenty more
PC Magazine did a review of password managers. Spend some time looking for one you like; try them out, even … this is important stuff. Find one you like, then learn how to use it thoroughly!
A decent password manager will do these things for you:
- Securely save passwords. Nobody will be able to access them without the master password.
- Make your passwords available across platforms. On a Windows PC, on a Mac, on your smartphone, and in a Web browser. You’ll be able to get to your passwords wherever you are, even if you are not near your computer.
- Generate passwords for you. Yes, passwords like *n0q9wrBinF7ON$3g^.
- Automatically capture passwords from login forms. The first time you log in, the program captures the info for you … then you never have to log in manually again; you use the program.
- Automatically log into accounts for you. Type the name of the account into the browser plugin, press Enter, and the program opens a Web tab, goes to the account, and logs in. (This has saved me somewhere around a gazillion hours over the last decade.)
A good password manager does more:
- Analyze your passwords and show you where you’ve reused passwords, and which ones are so weak they should be changed.
- Securely save your personal information (address, credit cards, social-security number, etc.), and automatically fill in forms for you. Another huge time saver!
- Share passwords with someone else; they’ll be able to log into the site automatically, but will never know the actual password you used. Once they no longer need access, you can stop sharing.
And there’s more … save text notes within the password app (bank account numbers, the code for your garage door opener or safe, and so on); digital inheritance (a way to pass on your passwords to someone else in the event of death or incapacitation); importing passwords from browsers; and more useful stuff.
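To make the "analyze your passwords" feature concrete, here is an added example (my own illustration, not code from any of the password managers named above) of the reuse and weakness checks a manager runs over your vault, plus CSPRNG-based generation of a replacement password. The vault entries and the tiny common-password list are constructed for the demo; the 60-bit threshold is an assumed cut-off.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault (account, password); these are not real credentials.
VAULT = [("bank", "password123"), ("google", "password123"),
         ("twitter", "qwertyuiop"), ("hosting", "*n0q9wrBinF7ON$3g^"),
         ("godaddy", "Fluffy2017")]
# Tiny constructed stand-in for a breached/common-password blocklist.
COMMON = {"123456", "password", "password123", "qwertyuiop", "letmein"}
CLASSES = (str.islower, str.isupper, str.isdigit,
           lambda c: c in string.punctuation)

def classes_used(pw):
    """Which of the four character classes (lower/upper/digit/symbol) appear in pw."""
    return [any(test(c) for c in pw) for test in CLASSES]

def entropy_bits(pw):
    """Upper-bound guessing entropy: length * log2(size of the alphabet it draws from)."""
    pool = sum(size for used, size in zip(classes_used(pw), (26, 26, 10, 32)) if used)
    return len(pw) * math.log2(pool) if pool else 0.0

def audit(vault, min_bits=60):
    """Return {account: [reasons]} for every entry that should be changed."""
    by_pw = defaultdict(list)
    for account, pw in vault:
        by_pw[pw].append(account)
    findings = {}
    for account, pw in vault:
        reasons = []
        if len(by_pw[pw]) > 1:  # same password on more than one account
            reasons.append("reused with " + ", ".join(a for a in by_pw[pw] if a != account))
        if pw.lower() in COMMON:
            reasons.append("common password")
        if entropy_bits(pw) < min_bits:
            reasons.append(f"weak ({entropy_bits(pw):.0f} bits)")
        if reasons:
            findings[account] = reasons
    return findings

def generate(length=18):
    """Replacement password from the OS CSPRNG, retried until all four classes appear."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(classes_used(pw)):
            return pw
```

Running `audit(VAULT)` flags bank and google for reuse, twitter and the reused entries as common, and godaddy as weak, while the long mixed-class hosting password passes.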
Come on, it’s time to get this nonsense sorted out! A quarter of a century is long enough; accounts and passwords are now part of normal life for almost half the world’s population, so surely it’s time we took password security seriously!