How many of your passwords would someone need before they could figure out how to log into pretty much everything your business relies on? One? Two? Ten?

Why do I need to worry about Password Management?

Passwords are a painful but necessary part of using technology securely. Using the same one in multiple places or relying on some kind of pattern might be simpler, but this approach also makes things a lot easier for someone breaking into your accounts.

Today’s cyber criminals don’t discriminate based on the size of businesses. Because small businesses often don’t have robust cyber defence policies in place, they’re a tasty target.

81% of data breaches in 2018 were caused by poor password security, mainly as a result of:

Easy to guess passwords: Nearly 80% of cloud services allow users to set up weak passwords.
Password reuse: 65% of people use the same password across multiple systems and applications.
Insecurely sharing passwords: 69% of employees admit to sharing passwords with colleagues.
Stolen passwords: Microsoft recently announced that a staggering 44 million accounts were vulnerable to an account takeover due to compromised or stolen passwords.

What can a hacker do with my password?

Your password might sell for as little as $1 on a darknet market

There are a bunch of reasons cyber criminals want your password and none of them are good:

To steal money and/or confidential information.
Use it to access your other accounts. For example, use your email account to ask for a password reset on your bank accounts.
To lock you out of your own accounts or use it for their own purposes.
Sometimes it isn’t even you they are after - they just want to get into your account so they can get to a bigger juicier target (perhaps your boss).
They can sell them dark web for another criminal to use, sometimes for as little as $1.

How can a hacker steal my password?

What is a Brute Force password attack?

A brute force password attack is simply trying every possible combination until the jackpot is it. As computers get faster, the amount of time it takes to figure out a password this way drops.

Password Spraying

Lists of common passwords are easily available from the internet. Cyber criminals use these password dictionary lists within programs that automatically try every combination until they successfully log in (password spraying).

Despite the mountain of advice around creating strong passwords, the most commonly used passwords are still sadly very predictable:

A determined Cyber criminals might also browse your social media for clues for common password sources, looking for things like:

Avoid commonly used passwords at all costs.

Pet names
Children's names
Nicknames
Favourite sporting teams
Postcodes
Birthdays
Favourite sayings

How long does it take to crack a password?

Hackers can use brute force to figure out your password in seconds

A very simple password like password123 takes less than a millisecond to crack.

Adding in a few numbers, caps and special characters is a slight improvement, up to 1 minute.

Test Your Password Strength

Think you have an uncrackable password? The Use a Passphrase (https://www.useapassphrase.com) password tester can show you how long it would take a hacker to crack it.

Try it out with a few passwords you don’t use anymore to see how secure they were. The results might surprise you 😰

What is password reuse and why is it such a bad idea?

The more places you use your password, the greater the chance there is that it’s been involved in a data breach. If at some point you signed up for LinkedIn, Yahoo, MySpace or Dropbox, chances are at least one of your passwords is in the hands of a hacker somewhere.

Credential Stuffing (AKA list cleaning or breach replay) is when hackers then use these stolen details from big data breaches to try to logon on to your other accounts.

What can I do to protect my password?

Create long passwords

Remember the seconds it took to crack the earlier examples? Lengthening your password makes a huge difference!

Password vs Passphrase

The easiest way to create a long password is to try coming up with a single word or string of characters by combining a few words into a phrase or sentence. Add some grammar and pretty quickly you’ll have something that would take centuries to break. Just avoid making it your favourite catchphrase if you’re trying to protect your account from people you know!

If you get really stuck for inspiration, use a password generator or a password manager that will generate random passwords as required. A solid passphrase based password generator is Use a Passphrase.

Use different passwords for different accounts

Just as your house has a different key to your office, it’s important to have a unique password for each account you have. That way if your password is ever compromised, the damage is limited to one account and can be fixed with a quick password change.

Avoid revealing your passwords to others

To see how easy it can be to get someone's password check out this short video from Jimmy Kimmel of very helpful people happily giving away their passwords in front of a camera.

If you can’t avoid sharing passwords, change the password as soon as possible afterward.

Check to see if your account has been involved in a data breach

Have I Been Pwned? can tell you if your password has been compromised in a data breach.

Have I Been Pwned is an amazing (and free!) service that can tell you if your email address and/or password has shown up in well-known data breaches.

Small Business owners can also get a report on data breaches associated with email addresses from domains they manage.

Know what to do if your password is pwned

Knowing what to do if your password is compromised is almost as important as keeping it secure in the first instance. It doesn’t matter how strong your password if someone already knows it.

Change your passwords immediately: Change your passwords to a long, unique passphrase, something different from the one that was compromised.
Consider notifying your bank: If the password is associated with a banking account, it’s important to let your bank know, so they can keep an eye out for anything suspicious.

Use a small business password manager

Instead of trying to remember all those long, unique passwords, start using a password manager to store them. Most password managers will help you stay on top of all of our other recommendations as well.

There are plenty of great options out there to choose from. We can help you find the right one for your business if you’re not sure what will work best.

Protect your accounts with multi-factor authentication

Strong passwords aren’t enough to protect your critical systems anymore. Wherever possible look for multi-factor authentication options to add an additional layer of defence. Multi-factor authentication (MFA) means that someone needs to know your password and to have access to your phone in order to access your account.

Becoming a better password manager for your small business

One insecure password in the wrong place could leave the doors to your business wide open.