Almost every online account we create is protected by a password—and business accounts are no different. Each subscription, vendor, and even news source requires a separate log-in and password. For years, we were trained to choose something easy to remember, like a birthday or pet name, and reuse that password for everything.
However, these bad practices have quickly proven susceptible to malicious attacks. Just go to https://haveibeenpwned.com and check on your email address. Odds are, your data has been compromised at least once. And if you’re reusing that email and password combination anywhere else, you’re doubly exposed.
It’s not that passwords are inherently evil. It’s just that users have been trained to follow these insecure practices and likely don’t know any better. Unfortunately, those insecurities can bleed into the workplace.
Where your passwords may be falling short
There are several ways that passwords can fail us. The first is that we, as predictable humans, pick the passwords.
Humans tend to see patterns, which help us make sense of the world and remember things. But patterns, when used in creating passwords, introduce weaknesses to our online accounts because just as patterns are easy to remember, patterns are also easy to guess.
Let’s say, for example, that you’re required to have an 8-character password with one number, one capital letter, and one special character. Chances are you’ll choose something similar to Passw0rd!.
This seemingly simple solution actually has a lot of vulnerabilities:
- We stick to the bare minimum: Most people rarely create passwords longer than the minimum required, in this example, 8 characters.
- We capitalize in predictable places: Capitalizing the first character is what we’ve been trained to do since elementary school; mobile keyboards even do it for you. So most people capitalize the first letter of their passwords, making an easy-to-remember but also easy-to-hack pattern.
- We substitute the obvious: Substituting numbers for the letters they resemble makes the numbers easy to remember—but again, easy to hack.
- We use special characters, like punctuation: Everyone knows that punctuation goes at the end of a sentence. As a result, many users stick to this easily guessable pattern when setting passwords.
- We use the same password EVERYWHERE: Using the same password on multiple sites is convenient but also increases risk in that if a fraudster is able to breach one site, they now have your credentials for multiple sites.
Even if you’ve upgraded from “Passw0rd!”, you may be committing similarly innocuous errors with passwords like Spr1nkler!, Mu5tang!, or Sun5hine!
If you’re looking at these examples and feeling embarrassed, don’t be. We’ve all committed these errors—we’re just naturally bad at choosing passwords because we tend to create patterns that make them much weaker than we realize.
By always using passwords in predictable ways, we unintentionally bypass the strength that more types of characters could add.
The simple secret to unpredictability
It sounds simple, but one of the easiest ways to increase the security of your passwords is to make them longer. Length is the ultimate pattern killer.
This is why we tend to call stronger passwords “passphrases” instead. You’re literally using more words to increase the security of your account.
The point of length is that, from a practical standpoint, nothing else matters. It’s probably possible to make a weak 15-character password, but it’s incredibly unlikely. Yes, it’s still technically possible to guess, but the longer your passphrase is, the harder it is for hackers to guess—both manually and programmatically.
For example, thesprinklersprayedinthesunshine is super easy to remember, but also quite difficult to guess.
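The habits listed earlier and the passphrase above can be compared with a small audit script. This is an added example, not code from the original article; the wordlist, the substitution table, and the function names are constructed for illustration.

```python
import string

# Constructed sample wordlist; a real audit would use a large dictionary or breach corpus.
COMMON_WORDS = {"password", "sprinkler", "mustang", "sunshine"}
# Look-alike substitutions mapped back to the letters they replace (assumed, partial table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def meets_policy(pw, min_len=8):
    """The composition rule from the article: length, a number, a capital, a special character."""
    return (len(pw) >= min_len
            and any(c.isdigit() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c in string.punctuation for c in pw))


def predictable_patterns(pw, min_len=8):
    """Return the predictable habits a single password exhibits."""
    flags = []
    if len(pw) <= min_len + 2:
        flags.append("near_minimum_length")
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        flags.append("capital_first_only")
    if pw and pw[-1] in string.punctuation:
        flags.append("trailing_punctuation")
    # Undo the habits: drop trailing punctuation, lowercase, reverse look-alikes.
    core = pw.rstrip(string.punctuation).lower()
    decoded = core.translate(LEET)
    if decoded in COMMON_WORDS:
        flags.append("dictionary_word")
        if decoded != core:
            flags.append("lookalike_substitution")
    return flags


def audit(passwords):
    """Map each password to (passes composition policy, list of predictable habits)."""
    return {pw: (meets_policy(pw), predictable_patterns(pw)) for pw in passwords}


if __name__ == "__main__":
    samples = ["Passw0rd!", "Spr1nkler!", "Mu5tang!", "Sun5hine!",
               "thesprinklersprayedinthesunshine"]
    for pw, (ok, flags) in audit(samples).items():
        print(f"{pw:34} policy={ok!s:5} patterns={flags}")
```

Every short example passes the composition rule while matching every habit the script checks, and the long passphrase fails the rule while matching none. Password reuse cannot be detected from a single password, so it is not checked here.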
So how does password theft still happen?
One of the most difficult issues with account security is a breach of data. If you are great at choosing a strong password, that won’t make a bit of difference if a malicious actor already knows your password.
There are a few ways people with malicious intent can gain access to your password:
If a company doesn’t properly encrypt passwords and then suffers a data breach, all of the usernames and passwords they had could end up for sale or posted on another site. While a user may not have control over whether or not their company is using encryption, they can keep an eye out for red flags (like poor password storage or a max character limit).
Phishing (not fishing)
Phishing occurs when a malicious user sends emails or other communications to users with the intent to steal private information. Phishing emails have a few things in common:
A sense of urgency
Phishing emails will try to convince the receiver that if they don’t act now, something bad will happen, such as losing email access, losing their job, or even threatening incarceration. It’s good to remember that most companies will never request personal or financial details via email, and legal summons rarely come to your inbox. While legitimate emails may also have a sense of urgency, if that urgency seems unusual, misplaced, or simply out of the ordinary, be suspicious.
A request for information
The goal of most phishing emails is to elicit important information from users. While they may request this information directly (e.g., asking for passwords, SSNs, etc.), it’s more likely that the emails will contain a link to a website that will take that information. Again, always question who sent the email and why. Would your bank really need you to verify your social security number on a random Tuesday? Most likely not.
An unusual sender
A phishing email will often come from an unusual sender. The sender can also appear to be legitimate, like [email protected], even when they are not. As mentioned previously, it’s unlikely that the IRS needs to email you to verify your date of birth or social security number. If it seems unreasonable or uncharacteristic, it probably is.
A step above secure passphrases
So what if you’re using long passphrases, encrypting company data, and training employees to identify phishing emails—is there anything more you can do?
The best solution to avoiding password theft is a strategy called Multi-Factor Authentication (MFA). MFA is an option provided by companies that allows users to verify their identity in a number of ways, usually by receiving a code via text message. (This is the “multiple” element of MFA—the username and password are authentication #1 and the text code is authentication #2.)
The word “factor” in MFA relates to this concept: “something you are, something you know, or something you have”. Having a password satisfies the “something you know” condition, but security is greatly enhanced when you add a “something you have” criterion. In the case of the text message with the code, the “something you have” is your phone.
There are other versions of MFA, such as requiring a physical token or a software token that generates the number on a device you have. While a physical token is the strongest of these methods, all forms of MFA provide an additional level of protection.
Our recommendation is to enable MFA anywhere it’s offered, and request it be an option anywhere it’s not. The added security offered by MFA will help ensure your account data is not accessible to malicious users.
MFA in Divvy
To help support the safety of our clients, Divvy now offers MFA. MFA safeguards your company’s information and users by adding an additional layer of protection so that even if credentials are compromised, a malicious actor still cannot log in and wreak havoc on your company in Divvy.