Cybersecurity for Small Businesses, Part 1: Make it Harder

This is the first of six posts on Cybersecurity for small businesses. Click here for the Introduction and links to the others.


Make it Harder

Make the attacker’s job harder, starting with passwords.

Strengthen your passwords

The goal here is “easy to remember but hard to guess”, so length becomes more important than complexity. Consider passphrases rather than passwords. Pick a memorable phrase and use it (or some variation on it), or string together a few random words, as your password. (There’s even a web comic about this: https://xkcd.com/936/)

WARNING: DO NOT USE THESE EXAMPLES AS YOUR PASSPHRASE.

Example:

My dog has fleas

  • Seventeen characters, one uppercase and two special characters
  • Easy to remember, but would take a very long time to crack, unless the attacker knows something about how your mind works and that you’d be likely to pick this passphrase.

My dog has 18 fleas.

  • Twenty characters, one uppercase, two numbers and two special characters
  • This one would be even harder to guess because the numeric portion isn’t easily predictable.

Places to assess your passphrase ideas:

The team at Hive Systems (https://www.hivesystems.io/password) has a fantastic article showing (graphically) some of the reasons why long, complex passwords are the way to go.
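To make the length-versus-complexity point concrete, here is an added Python example (not from the original post or the Hive Systems article) that estimates the search space for the two example passphrases above and an eight-character complex password, and then shows the caveat mentioned earlier: the estimate shrinks if the attacker knows the secret is just four common words. The guess rate, the 7,776-word vocabulary and the sample password are assumptions chosen for illustration.

```python
import math

# Printable ASCII split into classes: 26 lower, 26 upper, 10 digits, 33 symbols (space included).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
# Assumed offline guessing rate (fast-hash cracking rig); adjust to match the table you compare against.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def char_classes(secret):
    """Return the set of character classes actually present in the secret."""
    classes = set()
    for ch in secret:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def brute_force_bits(secret):
    """Search space in bits if the attacker tries every string of this length
    over the classes the secret uses; length multiplies, extra classes only add."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(secret))
    return len(secret) * math.log2(alphabet)

def wordlist_bits(word_count, vocabulary=7776):
    """Search space in bits if the attacker knows the secret is word_count
    common words from a vocabulary (7776 is the diceware list size)."""
    return word_count * math.log2(vocabulary)

def years_to_crack(bits, rate=GUESSES_PER_SECOND):
    """Expected years to hit the secret; on average half the space is searched."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed samples: an 8-character complex password and the post's two passphrases.
    for secret in ("Xk9$vQ2!", "My dog has fleas", "My dog has 18 fleas."):
        bits = brute_force_bits(secret)
        print(f"{secret!r:24} {len(secret):2d} chars {bits:6.1f} bits {years_to_crack(bits):9.2e} years")
    # The post's caveat: if the attacker knows it is four common words, only the word-level estimate applies.
    bits = wordlist_bits(4)
    print(f"{'4 dictionary words':24} (pattern known) {bits:6.1f} bits {years_to_crack(bits):9.2e} years")
```

The word-level figure is why the post's warning not to reuse its examples matters: a phrase the attacker can predict is only as strong as the number of phrases they would have to try.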

Add Multi-Factor Authentication (where available)

Expand beyond a username and password and add a second factor (or more). Authentication “factors” are usually collected into three groups:

  • something you know (a password or passphrase)
  • something you have (a physical object or token)
  • something you are (a fingerprint, face or some other biometric trait)

Banks have been requiring something like this for years, frequently by sending you an authentication code via email or SMS. A code sent by SMS is generally recognized as better than nothing, but SMS messages aren’t encrypted and it’s possible to intercept them, so there are more secure methods:

Authenticator Apps like Google’s Authenticator, Cisco’s Duo Mobile, 2FAS, Microsoft’s Authenticator or LastPass’ Authenticator. In this case, your mobile phone becomes the second factor (something you have).

Physical Keys like Yubico’s YubiKey (my favorite is the YubiKey 5C NFC) or Google’s Titan Security Key. In this case, the physical key becomes the second factor (something you have).

Use a password manager

Password managers let you use long, complex passwords without having to remember them, by keeping them in a vault only you can open. In this scenario, all your passwords are different and they’re all long and complex. You’ll still need a single really good password to protect your vault of passwords, but that’s easier than remembering two hundred. These services store an encrypted vault that only you can decrypt with your master password. There are a number of really good ones out there: search for “competitors to lastpass”.

Some features to consider:

  • how many devices (phone, tablet, laptop) will you need to support?
  • do you want to share passwords with someone on your team or in your family?
  • what’s your budget?

Don’t use a password at all

Some day we may even move past using passwords and rely on biometrics, physical keys, smart cards, or a combination of factors like geolocation, behavioral patterns, network addresses and the like.


This entry is part of a larger Cybersecurity for Small Business series. You can find the Introduction (and links to the others) here.
