Don’t look now, but your flab is showing … and it isn’t pretty. Flabby, weak and ineffective passwords are at the root of up to 80 percent of cyber-attacks.
Yet, many merchants continue to exercise poor judgment when it comes to securing their data and payment systems. They continue to use default passwords, reuse credentials for different systems or users, and show a distinct lack of imagination when it comes to creating unique passwords.
Here are three strong reasons that password security should be a big deal at your business:
1. You’re Showing Hackers Your Hand
The dirty little secret is that scammers can probably find out enough about you and your business online to crack a carelessly planned password. The prime offender? The information you share on social media sites like Facebook. For example, instead of simply posting your age, do you list your actual birth date? Thieves know that the names of your pets, your children and even the address of your previous residence are all commonly used to create passwords as well as answers to online security questions.
Action: Watch what you reveal online. Set the controls on your social media accounts so that only users authorized by you can read personal data. Security settings often change, so review your account and privacy settings on a regular basis. A good way to keep up is by becoming a fan of the official security page on Facebook and receiving regular security updates.
2. Your Password Isn’t as Uncrackable as You Think
If they can’t crack your password by finesse, hackers can resort to brute force with a “dictionary attack.” Here, a program runs through every single word in the dictionary (plus proper names) until your password is cracked. So, even things like the names of movie or TV characters can be deciphered. Ditto for predictable word or number patterns like aaabbb, qwerty or 321123.
Action: Make passwords long, random and memorable. In fact, think in terms of “pass phrases.” Here’s a great example: Tp4tci2s4U2g! (The password for (4) this computer is too (2) strong for you to (4U2) guess!) This password gets its strength from multiple words, random punctuation, random capitalization and random simple substitutions. It’s hard to crack, but easy to remember.
3. Aging Is Good for Wine, Bad for Passwords
Even the best passwords can be compromised. Users may share them with coworkers or be tricked into revealing their passwords (e.g., phishing scams). Servers that store passwords may be compromised and their passwords acquired. To limit the usefulness of compromised passwords, cyber security providers such as Symantec strongly suggest that passwords be changed every 30 to 90 days.
This doesn't mean simply swapping passwords among accounts. Reusing passwords means a hacker who gains access to one account could easily gain access to others. Equally important is immediately changing passwords any time you suspect they have been compromised or a theft attempt has been made.
Action: New passwords should not be based on a small change to an existing password — for example, changing from bobspassword1 to bobspassword2 (both of which are very bad passwords anyway).
Put Technology to Work
When it comes to beefing up password security, you don’t have to go it alone. Consider using sites such as Strong Password Generator (www.strongpasswordgenerator.com) to generate a truly random password. Or, use a site such as Microsoft's Secure Password Checker (www.microsoft.com/security/pc-security/password-checker.aspx) to evaluate your password strength.
Likewise, take some of the effort out of password security with a password manager. Instead of having to remember a bunch of long, complicated passwords, you just create one super-strong password to log into the password manager. A couple of well-reviewed ones are LastPass (www.lastpass.com) and Roboform (www.roboform.com).
Finally, consider establishing a company-wide password policy that guides staff in using passwords correctly. Provide guidance on how to create strong passwords (note that passwords they create for themselves will be easier to remember than one you create for them) and how often passwords should be changed — and why strong passwords matter to your organization.
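The rules described above (no dictionary words, no predictable patterns such as aaabbb, qwerty or 321123, and no new password that is only a small change from an old one) can be enforced automatically when staff set a password. The following Python check is an added example, not part of the original article or any PNC tool; the word list, the 12-character minimum and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data. A real deployment would load a full dictionary plus
# names tied to the business and its staff (pets, children, street names).
WORDLIST = {"password", "welcome", "dragon", "monkey", "batman"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def core(pw):
    """Lower-case and strip leading/trailing digits and punctuation."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())


def is_patterned(pw):
    """Repeated runs (aaabbb), keyboard walks (qwerty), mirrored halves (321123)."""
    low = pw.lower()
    if len(low) < 4:
        return False
    if re.fullmatch(r"(?:(.)\1+)+", low):
        return True
    if any(low in row or low[::-1] in row for row in KEYBOARD_ROWS):
        return True
    half = len(low) // 2
    return len(low) % 2 == 0 and low[:half] == low[half:][::-1]


def check_password(new, previous=(), min_length=12, max_similarity=0.8):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(new) < min_length:  # assumed minimum; the article only says "long"
        problems.append("too short")
    if core(new) in WORDLIST:
        problems.append("dictionary word")
    if is_patterned(new):
        problems.append("predictable pattern")
    for old in previous:
        ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
        if new == old or ratio >= max_similarity:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    history = ["bobspassword1"]
    for candidate in ("bobspassword2", "qwerty", "321123", "Batman99", "Tp4tci2s4U2g!"):
        print(candidate, "->", check_password(candidate, history) or "accepted")
```

The similarity check needs the old password in plain text, which is only available at change time when the user types it; properly stored password hashes cannot be compared this way.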
If you have questions, contact PNC Merchant Services at 888-235-6959.
Merchant Services provided by PNC Merchant Services Company and are subject to credit approval. PNC Merchant Services is a registered trademark of The PNC Financial Services Group, Inc.