Over the weekend, the popular website Gawker was hacked by a group going by the name of “Gnosis.” They were able to infiltrate Gawker’s database and posted internal messages and passwords belonging to both staff members and readers. While that in itself would be cause for alarm, the panic was exacerbated among Internet users who often use the same password for all of their online accounts. With a reported 1.3 million people said to have a Gawker account, that equals a lot of people with their lives and personal information exposed.
Online security is something a lot of small business owners take for granted. They don’t pay much attention to the passwords they’re creating for their accounts and, in the end, wind up exposing themselves to potential hacks and identity theft. But it doesn’t have to be that way. Below are a few things small business owners can do to protect their passwords, and themselves, online.
Don’t use the same password for everything.
I know, I know, it’s convenient to come up with one password that you can remember and keep using it everywhere, but it’s not safe. Having one password for all of your accounts makes you incredibly vulnerable to hackers. All someone has to do is sniff out your password for one account and they’ll have control over your entire online identity. Use different passwords to control your online banking, your blogging, your social networks, your Amazon account, etc. It’s just that important. You must create and use strong passwords.
Use one password, customized for each site.
Just because you need a unique password for each account you’ll be creating doesn’t mean you should be staring at the books and plants on your desk for inspiration. A really easy way to generate unique, but easy-to-remember, passwords is to keep a common base and then add part of the service’s name to the beginning or end. For example, if your base password is [rogue], then your Amazon.com password may be [rogueamzn]. You can develop a rule where you use the first four letters of a service’s name or another mechanism. If that looks too easy for a hacker to figure out, then develop a different rule. Perhaps you use the first three vowels, you scramble the letters in some way that’s easy for you to remember, or you decide to work in special characters. Just don’t get so creative that you won’t remember what your system is. Also keep in mind that different services have different password requirements – some will require special characters, while others will forbid them.
An alternative to even having to remember your password is using a site like hashapass which will generate the same password over and over as long as you’re giving it the same master + parameter (typically the site’s name). That means you don’t have to remember the individual password, just your core, and the parameter and the site will recall it for you. An interesting concept.
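To make the two approaches above concrete, here is an added example (not code from the post or from hashapass): `rule_password` applies the “common base plus the first four letters of the service name” rule, and `derived_password` applies the master-plus-parameter idea with an HMAC, which is an assumed construction and not necessarily hashapass’s exact algorithm. `leaks_base` is a small check of what one exposed password reveals about the rest.

```python
import base64
import hashlib
import hmac


def rule_password(base: str, site: str) -> str:
    """The 'common base plus part of the service name' rule from the post:
    here, the base followed by the first four letters of the site name."""
    return base + site.lower()[:4]


def derived_password(master: str, site: str, length: int = 12) -> str:
    """Master + parameter derivation (assumed construction, not hashapass's
    exact algorithm): HMAC of the site name keyed by the master password,
    Base64-encoded and truncated. Same inputs always give the same output,
    so nothing per-site has to be remembered, only the master.
    Note: Base64 output can contain '+' and '/', which some sites forbid."""
    mac = hmac.new(master.encode(), site.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


def leaks_base(password: str, base: str) -> bool:
    """Would someone who sees this one password learn the shared base?
    With the concatenation rule the base is visible; with the HMAC
    derivation it is not recoverable from the output."""
    return base in password


if __name__ == "__main__":
    for site in ("Amazon", "Twitter"):
        print(site, rule_password("rogue", site), derived_password("rogue", site))
```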
Use a password manager.
Password manager tools like LastPass take the hard stuff out of password management by not only helping you create strong passwords, but also remembering them for you. Sounds like the best of both worlds, right? Well, it can be. With LastPass, all you have to do is create an account and it’ll pretty much take things from there. Once you install LastPass, it will ask you if you want to import your saved passwords. If you select “yes,” it will run through and show you which of your passwords are strong and which are hackable. If passwords are deemed hackable, LastPass will help you create new ones and will then store them in their “vault,” allowing you to group them for easy reference. You can also create different identities so that not all of your sites are viewable when you log into LastPass from a particular location. Lifehacker (a Gawker-owned property) just posted about how to use LastPass to audit and update your passwords. It may be worth a read.
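The audit a password manager performs can be illustrated with a few lines of code; this is an added example, not LastPass’s own logic, and the strength thresholds in `is_weak` are assumptions. It takes a vault of site/password pairs (the sample vault below is constructed) and reports which passwords are reused across sites and which are weak.

```python
from collections import defaultdict
import string


def is_weak(password: str) -> bool:
    """Crude strength check (assumed thresholds, not LastPass's scoring):
    weak if shorter than 12 characters or fewer than three character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) < 12 or sum(classes) < 3


def audit_vault(entries: dict) -> dict:
    """entries maps site -> password. Returns the passwords shared by more
    than one site (the reuse problem the post warns about) and the sites
    whose individual password is weak."""
    by_password = defaultdict(list)
    for site, pw in entries.items():
        by_password[pw].append(site)
    reused = {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}
    weak = sorted(site for site, pw in entries.items() if is_weak(pw))
    return {"reused": reused, "weak": weak}


# Constructed sample vault for the demonstration (not real credentials).
SAMPLE_VAULT = {
    "gawker": "rogue123",
    "twitter": "rogue123",
    "amazon": "rogueamzn",
    "bank": "Vx7!qLm2#pRz9wT",
}

if __name__ == "__main__":
    for kind, found in audit_vault(SAMPLE_VAULT).items():
        print(kind, found)
```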
Those are some easy tips to help small business owners keep themselves password protected on the Web. What methods do you use to keep your accounts safe and your secrets out of the hands of hackers?
My sites also got hacked a couple of days ago. I am not much into technical things, but I can see the hacker injected a password into the database of 3 sites; it was not changing… somehow I managed to fix it.
Now I have changed ALL passwords for my sites’ database, email, domain… everything, and I am really making hard passwords. In fact, my usernames are not just names; they are very strong, password-like codes that no one can trace (I hope so).
When using a password manager, aren’t you just one hacked password away from having your entire online identity stolen? It may be more secure, but it seems like it has the same core issue.
This may sound totally insane, but I have kept a written copy of the password clues in a place outside of my office (think safe deposit box). I use code phrases that only I know the answer to (like those security questions banks and such ask). Then I have the memory-joggers in one place.
I will check out Hashapass, it looks like a neat service.
TJ: I think your way is a pretty secure one. I often use a common base and then add a combo of characters to the password. The good thing with most sites is that you can retrieve your password or create a new one if you have forgotten it.
Do you think that we will see a new type of encryption service based on our identity in the future? For example a voice recognition or scanning of your pupils and fingerprint?
Thanks for this really important information, Lisa.
Great passwords can be powerful anti-theft tools.
Let’s make it really hard for the losers that try to hack into our accounts!
The Franchise King
I was just thinking the same thing as Robert . . . it would seem that LastPass would be a huge target for hackers, given the collective PW data that they are storing, no? If someone hacked your password for that site, wouldn’t it be a wrap for your online identity as well?
It seems that major breaches like this are becoming quite common. What does that say about the security thinking among people operating the compromised system, and about the security thinking among end users?
If you operate a major web site, a big security compromise like this can kill your business. Not investing enough time, money and infrastructure in security means putting your organization at risk of major harm, because of bad press, lost end users, lost advertisers, etc. This is a big deal.
If you are a user whose password has been compromised, I guess it depends on how many other systems you sign into with the same ID/password and whether you care about compromise of any/every account that uses the same credentials. At a minimum, once you learn about a compromise like this, you should change your “standard, used for systems I don’t care much about” password everywhere.
– Idan Shoham, CTO, Hitachi ID Systems
I had chills going up my spine when I read this article. All it takes is one person to hack into your site or Twitter account and there goes any good reputation you’ve built. I use the customized password system you suggested. It makes passwords easier to remember, but (hopefully) still safe. I also change passwords every few months for the accounts I use often (Twitter, Facebook).