Owning a small business means owning data. You’re constantly acquiring new information related to your customers, your financial details, and all the vendors and contractors with whom you work. One cyber criminal, though, one lucky hack, and you’ve just exposed your business to a major blow. From lost trust among your clients to costly lawsuits for the damage done, protecting your company from data theft is among your most important responsibilities.
A lot of it comes down to one simple choice you make: passwords.
“Overall, passwords still present the biggest challenge for businesses of all sizes,” said Ron Schlecht, founder and managing partner of BTB Security. Businesses hire Schlecht’s company to test their digital security for weak spots and, he said, “you can’t imagine how many times we still break into companies because of a bad password.”
If you want to avoid weak passwords at your business, start by steering clear of the following list. Read on for seven passwords you should never (ever) use.
Password
Arguably, this is the number-one and most common bad choice. Also prevalent are variations such as P@ssword and P@55w0rd!. These might be easy to remember, but they’re also among the first options hackers will try.
QWERTY
Easy-to-guess passwords often take root because they’re simple to remember. That’s the story with this hacker-friendly option constructed from the sequence of letters at the top left of the typical computer keyboard.
12345
Or, 98765. Or, 4567. You get the picture — no consecutive numbers (and the same goes for sequential letter combinations). You can only count on passwords such as these to expose your business to digital theft.
BusinessName1
If your shop is called Serafina’s Weddings, don’t set your password as SerafinasWeddings1. That would be an early choice for hackers looking to break into your valuable data.
Business Address
Skip it entirely when it comes to passwords. Also avoid mashing together similar details, such as your street name and street number, e.g. Main215.
Date of Birth
Thanks to the Internet, it doesn’t take much effort to find a person’s DOB. Birthdays, birthdates, years of birth — all of them make for readily attainable passwords and are poor choices for your company.
Simple Dictionary Words
Especially if they’re related to your business, don’t use them. No baseball, football, or soccer for your sporting goods store. No muffler, tire, or spark plug for your auto garage.
And so, what should you do when it comes to picking a password?
A key approach starts with thinking of a passphrase. Next, substitute letters, characters, and abbreviations for parts of it. For example, “my first car was a Honda in 1990” would be easy enough to remember, if that was the case in your life. Now, change it to my1stc@r=honda90.
Steer clear of the not so magnificent seven above, and protect your data with hard-to-guess constructions. With a strong password strategy, you’re well on your way to foiling online attacks.
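The seven patterns above are easy to turn into an automated check, so that nobody at the business has to eyeball each new password against the list. The following Python script is an added example, not code from the article or from BTB Security: it undoes the common letter substitutions (P@55w0rd, $P@rk=Pl^g) before looking for the business name, address, date of birth and business-related dictionary words, and it catches keyboard walks and number runs. The business name, address, birth date and word list are constructed sample data, and the 12-character minimum is an assumption (the article sets no length).

```python
"""Added example, not from the article: an automated check for the seven
risky patterns the article lists. The business name, address, birth date
and word list below are constructed sample data; the 12-character minimum
is an assumption (the article sets no length)."""
import re
from datetime import date

# Map the usual symbol/digit substitutions back to letters so that
# P@55w0rd and $P@rk=Pl^g are judged by the word they actually spell.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t", "^": "u"})
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
COMMON = ["password", "qwerty"]  # the two named in the article

# Constructed sample business (not a real company).
SAMPLE_CONTEXT = {
    "business_name": "Serafina's Auto Garage",
    "address": "215 Main St",
    "dob": date(1975, 6, 14),
    "business_words": ("muffler", "tire", "spark", "plug"),
}


def _tokens(text):
    """Lower-case alphanumeric chunks of length >= 3, plus all chunks joined."""
    parts = [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]
    return {t for t in parts + ["".join(parts)] if len(t) >= 3}


def _has_run(s, min_len=4):
    """True if s has >= min_len chars stepping +1 or -1 (1234, 9876, abcd)."""
    for i in range(len(s) - min_len + 1):
        chunk = s[i:i + min_len]
        if chunk.isdigit() or chunk.isalpha():
            steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False


def _has_keyboard_walk(s, min_len=4):
    """True if s contains a left-to-right or right-to-left keyboard-row slice."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + min_len] in s for i in range(len(seq) - min_len + 1)):
                return True
    return False


def _dob_strings(dob):
    """Digit strings an attacker would try once a birth date is known."""
    y, m, d = str(dob.year), f"{dob.month:02d}", f"{dob.day:02d}"
    yy = y[2:]
    return {y, m + d, d + m, m + d + y, d + m + y, y + m + d, m + d + yy, d + m + yy}


def check_password(pw, business_name="", address="", dob=None,
                   business_words=(), min_len=12):
    """Return the article's rules the password breaks, in a fixed order ([] = passes)."""
    raw = pw.lower()
    plain = raw.translate(LEET)       # substitutions undone
    hay = (raw, plain)
    found = []
    if len(pw) < min_len:
        found.append("short")
    if any(c in h for c in COMMON for h in hay):
        found.append("common")        # Password, P@55w0rd!, QWERTY ...
    if _has_run(raw):
        found.append("sequence")      # 12345, 98765, abcd
    if _has_keyboard_walk(raw):
        found.append("keyboard")      # qwerty, asdf, poiuy
    if any(t in h for t in _tokens(business_name) for h in hay):
        found.append("business_name")
    if any(t in h for t in _tokens(address) for h in hay):
        found.append("address")       # Main215
    if dob and any(s in raw for s in _dob_strings(dob) if len(s) >= 4):
        found.append("dob")
    if any(w in plain for w in business_words if len(w) >= 4):
        found.append("dictionary")    # spark, plug, even written as $P@rk=Pl^g
    return found


if __name__ == "__main__":
    for pw in ["P@55w0rd!", "12345", "SerafinasAutoGarage1", "Main215",
               "06141975", "$P@rk=Pl^g", "my1stc@r=honda90"]:
        print(f"{pw:22} -> {check_password(pw, **SAMPLE_CONTEXT) or 'ok'}")
```

Run against the sample context, the article's own suggestion my1stc@r=honda90 passes every rule, while $P@rk=Pl^g is still caught as the dictionary words spark and plug once the substitutions are reversed. The check is a floor, not a strength meter: a password that passes all eight rules can still be short or predictable in other ways.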
Next Steps: Are you looking to expand and grow your small business but don’t have time to keep up with the latest trends and technology? We’ve got you covered with the weekly Small Biz Ahead newsletter. Sign up today and start receiving the weekly newsletter chock full of the latest tools and resources to help you run a successful business.
I am looking at some of the comments below and wow!! Never use a street address or any combination password that, if found on 2 sites, could easily access your other sites. Invest in a password manager that makes sense to you and your company. I have 2 favorites. One that will ask for MFA before its password. The other only stays on company computers and never leaves the environment (if you have the correct cybersecurity in place).
Great article! The list of “7 Risky Passwords” was an eye-opener. Simple, yet crucial tips for enhancing password security. Kudos for the reminder to stay vigilant in the digital age!
Thank you for the nice comment, Lindsey!
The best solution is to use a password manager. That way, you only need to remember one password: the password for access to the password manager. A good password manager will create randomly generated super safe passwords for all other websites you visit that require passwords. So just come up with a single great password for your password generator and after that, the problem is solved.
Thank you for sharing, Lawrence!
I do not store any of my passwords in the computer.
What role does the login user name play in hacking attempts? I do not hear much discussion on this topic. I use odd login user names and am wondering if that helps defeat hackers. Thanks.
I will remember this. Thank you.
You’re welcome, Rudy!
The problem with using safe passwords is of course remembering them. If you write them down then that’s another risk…
Recently I had money stolen from my business accounts, was a nightmare getting that straightened out. The thieves used VENMO, CASHAP and my debit cards which were in my possession!? Had to open all new accounts and that in itself has been a whole other nightmare. Companies like QuickBooks which is just a canned computer program got suspicious when I had to change the bank account number; and at the same time decided to update my address and mailing address since I’m semi retired.
Thank you for sharing!
If you have to share your password with staff then you have to use your business name / street name etc. in the password. Please suggest what kind of password should be used?
Thanks for the help!!
You’re welcome, Judy!
Best advice I ever heard from an IT guy was to use a pattern on the keyboard along with the first letter of the website you’re logging into. I’ve been using this now for over 10 years. By using a pattern you establish and leaving the first letter of the website, it makes a different password for every site but easy to remember. It doesn’t always work for the new restrictions some websites require, things like there must be 10 characters and include special characters, but if you automatically add something you always will use in the arrangement, like an asterisk and a set of numbers, it can still work well and be easy to remember.
Thank you for sharing this information, Todd!
Very interesting about the passwords. Thank you for sharing that very important information.
You’re welcome, Gwenn! Thank you for commenting!
Darn, now I have to change all my passwords. You should make this article sharable on social media!
We’re glad you liked it, Kalvin! You can use the social media buttons at the top of the article to share it. You can also download the article!
I have three passwords that I rotate. Each password is 8 characters (I realized that 8 is the magic number for most websites) and they contain 1 capital letter, 1 letter replaced with a character and 2 numbers.
Thanks for sharing, Adrian! That sounds like a good strategy.
That works until 2 of the accounts get hacked. Then it is very easy for them to figure out your password system. I recommend getting a password manager, and then the only passwords you need to know are your password for logging in to your computer and the password manager. A good password manager must have MFA and ask for MFA before your password. FYI.
Sounds like a great idea, until one of them is leaked… Then 1/3 of your accounts have the potential to be compromised. Best option is to use a password generator and a password keeper.
Neat info. Thanks.
You’re welcome!
Good article. You’ll never write an article of any type that won’t bring out the opinions of people who know better. It’s always good to be reminded of and get tips on changing your passwords. I’m not an IT techie and hacking is a mystery to me, but like gravity, it still exists. I use a password manager myself. I figure I cannot trust my own memory or my diligence to change and remember passwords, so I have to trust someone. There were a number of good ideas for creating passwords, but if you need a lot of them, I’m back to remembering or writing down. If we are talking about just one, say for a network, most all of those suggestions are good. It isn’t clear what exactly we are trying to protect against: personal data, company data, or ransom? I use off-network hard backup, such as a HD or SSD. I use a cloud backup at home. If it’s only connected long enough to make a copy, it should be pretty safe. But nothing is perfectly safe. It was interesting to hear about the length vs. the complexity issue. But one person said all lower case, and I’ve always heard adding a capital letter increases the complexity a lot. My master password for my password manager is 8 characters long with two caps and two numerals. It’s not a word, just random characters. It’s the only password I actually have to remember, and probably the only one I can remember. Should I make it longer? If I change it often, I’ll never know what it is. I don’t have any office network passwords in my manager, though I do use it for websites I use at work to do research and procure items. Ransomware scares the crap out of me. I have a friend in the security business who has just gotten a client who is ready to pay like a $6 million ransom, against his advice. Our IT guy says we are safe from ransomware, but how do I know for sure? Anyway, thanks for all of the comments. I’m never too old to learn, but old enough to forget what I just learned.
Great advice. Thank you for sharing!
Years ago an IT guy hinted to use the last six of your SSA #s preceded by an upper case letter (first name) succeeded by # 1 = a, etc., followed by a special character if required. All kept in a Dropbox spreadsheet as X______3$ with variations for each site. Close family knows where to find the file, and hopefully if a hacker accessed the file they won’t have the basic info to make any sense of it, but my close family will be able to piece it together.
Great tactic! Thank you!
Random complex passwords are hard to remember. Try using the first letters of each word in a phrase, and add/substitute capital letters, characters for letters, add dates and punctuation. You can use song lyrics or titles, quotes, etc. You now have a complex password that is a little easier to remember.
For example:
Hismf@vIC! – Hartford is my f@vorite Insurance Company!
Mnpw4ws030419 – My new password for web site March 4, 2019
IHcrcped# – I Hate creating random complex passwords every day
Hi Mary,
Your question about managing passwords is great. I have 3 suggestions:
1 – use a Password Manager. Here are a few: https://top5-passwordmanagers.com/?
2 – create a spreadsheet, password protect it and save it online (Google Sheets or Dropbox, for example)
3 – create a special record in your customer relationship management program where you store all passwords (that’s actually what I do).
However, in ALL cases, you must TELL someone where to go to get this information. Some of my clients keep that information with the rest of their important life docs like their estate plan or wills. Others share it with a spouse or trusted friend.
Hope this helps….
After reading entire 📑 article and all comments that followed, there seems to be one topic that is NEVER mentioned.
As a small business owner of 34 years, I literally have 💯’s of different, original passwords.
Each one is cleverly retained in my 💭 memory (and 🖊 written down 🚫 nowhere) so they appear to be safe.
However, what happens if I get a 🧠 concussion in a 🚑 car accident or something similar to that?
Or step off the curb and get hit by “the proverbial 🥛🚛 milk truck”?
Someone (a trusted 👤 colleague or 👥 family member) would need access to all my 💻 accounts to either temporarily run my business and/or just shut it down.
So HOW and WHERE do I manage that situation?
Even if I listed all the passwords on 📝 paper, put it in a safe, and only gave one or two people the combination, it still wouldn’t work for me.
I find that passwords are created and/or changed weekly, so “The Master 📝 List” would ALWAYS be out of date. 😱
How are other small business owners handling this dilemma?
Thanks,
MER
Great advice Mary, thanks for sharing!
We are a webhosting company and passwords are a way of life, and soon with each password (yes, I said EACH; never use a password for 2 different logins) you will be required to use 2FA (2 Factor Authentication). Why? Well, because hackers are training their computers better, building better software. Key points I would like to offer:
1) The MOST secure password you should create is the one to your email box. If someone gets it they have full access to reset all your passwords on all your accounts. TADA no hacking required.
2) Passwords should be a minimum of 12, but we recommend at least 13 if the site will allow it. Why? Because the FBI seminar we attended several years ago stated that the software used to decrypt passwords runs on blocks of 4, so with 12 they would need to complete 3 blocks, but with 13 or 14 they would have to start on the 4th block. Chances are greater they will give up before then.
3) Purchase a Password Manager like LastPass.com. You only have to remember for sure one password, the one to open the vault. If you lose it you have lost it all; there is no recovery. But there are extensions for your browsers (love them), you can download to an Excel file all your vault entries, you can provide in your will the master password and then access to all your accounts (personal and business) will be available to your assigned person. Oh, when you update/change a password on a website it will update it in the vault. And you can share between LastPass members. There are Free versions and Paid versions (recommended for businesses with employees, as you then own the passwords and the accounts).
Hope that helps
(Knowledge learned and not shared is wasted)
This is great advice! Thank you for sharing it!
You should also 2FA all your email accounts – for just the reason you said. I’ve used a gmail account for years for “junk” and “shopping” – dozens of accounts are set up using that email. Once I watched a cybersecurity video of someone who lost their “junk account” – I went and added 2FA immediately.
We don’t use LastPass anymore as it was compromised last year, but there are dozens of others – including some that store your data locally.
A password manager is your best bet. Everything is encrypted with a master password. That doesn’t have to change all the time.
In your safe could be the login information and your master password. That would give your trusted family or colleague access to everything they need.
You can even store notes, computer logins, credit card info, etc in most password managers.
Length of the password is the most efficient way to gain complexity; using the character substitutions published in the comments is a red flag. If you read them here, you can assume that hackers are aware. One trick I use is I keep 5 phrases that are longer, but logical, and attach them to a set of 5 phone numbers that I remember but was never associated with personally (I remember my best friend’s phone number from 40 years ago). So something like Iusedtocall_joeym@6719248; my wife used to live at 3816 Maple St.: Shehadadognamedsammyon3816Maple. Simple, easy to remember, and with a few rules you can process your way into the account if you forget your password.
Very creative, Patrick! Thanks for sharing.
I have been preaching strong passwords for almost 20 years. I think I have heard every argument against good password policy that has been dreamt up. Here is the bottom line that will help every user with their passwords:
Read vanity license plates – there are some excellent choices out there. Think ST8, L8, D8, GR8, 4D, 1DERTFUL, EVERY1, NO1, etc. I know someone who starts every password with ST8MN or whatever state the company is in and then adds something to identify the company and then some random characters. So, his password for Target stores is: ST8MNtrgt@)!( or ‘State=Minnesota, Target, 2019’.
That sure beats the user who found a way to beat the system that required complex passwords changed every 90 days – her password is Winter2019! – I know her passwords for the next 20 years. Some days you just can’t win!
Dale
Thank you Dale.
A password protected Excel document can be cracked in seconds. THIS IS NOT A SECURE WAY TO STORE PASSWORDS.
Also, a password protected document is NOT ENCRYPTED… it’s still plain text.
To anyone not using a password manager, which IS encrypted, you are putting your security at risk by not using a proper encrypted password manager.
Don’t let your fear of the “unknown” or complexity of a proper password manager prevent you from maintaining proper security.
As many have mentioned, 1Password is an excellent tool for password management. It is encrypted. It can be synced to multiple devices. It will assist you in creating stronger and more difficult passwords (most of my passwords are at least 32 characters, unless the site forces something smaller). It includes plugins for all major browsers so you can easily insert difficult passwords into websites and forms.
In a business environment, you should be using something like 1 Password for Teams, which allows each employee the ability to keep their own passwords secure, and shared passwords for company required sites and functions (which is very important as employees come/go from companies). You don’t know the number of times I’ve seen an employee fired, and the company is crippled for weeks trying to gain access to required resources online because that employee “had their own system” which wasn’t defined with any oversight. As a business owner, you should not leave the security of your business up to your employees. You should not leave the management of passwords up to individual users. YOU need to be in control. If this is outside your comfortability, please please please, hire a competent IT/Security professional.
Reading some of these comments makes me shudder…
Thank you for your feedback!
As others have commented here, password managers are the best solution to create complicated passwords. I’m a little surprised this option wasn’t mentioned at all in this piece. I’ve been using one for years and every account I have has a complicated, difficult to guess password including numbers, letters and special characters. I’ve been using 1Password and highly recommend that other small business owners look into using them.
2 Factor authentication should be used for every account that offers it as well. You’ll receive a code (either to your phone or via email) that you need to enter in to sign in.
Great suggestion, thank you for sharing.
I worked with a woman once whose password was “unique”. She did this because when the system was set up a memo came out and told the new users they must create a userid & password and the password must be unique.
How funny! Thanks for sharing Frank.
We have 6 employees and hundreds of passwords, most of which change regularly and many of which are shared by everyone in the office. I don’t trust password managers, so we’re currently using a password-protected excel doc stored on our local server. Can anyone comment on how secure this actually is?
A suggestion we have, Holly, is making sure the password for the protected Excel doc is something creative and different from the “hundreds of passwords” you mentioned in your comment. Also looking forward to what other business owners have done with their passwords.
I use long (15-20) random passwords that I store in an encrypted spreadsheet that is backed up in the cloud. It is available on all my devices and any other computer connected to the net. I only have to remember one master password. The file contains the organization name, website, account / user name, password and other notes like answers to the security questions. I also list a category, i.e. banking, medical or invest. It’s not as convenient as a password manager but I feel more in control.
Great tactic Allen!
All so difficult to deal with. I try to make it easier for myself. I have about 20 passwords in my head. I use these on a rotating basis. I can’t remember which password I used for “this or that” site but I have it written down – IN CODE. It’s a code I invented myself. Try to use what I’ve written down and you will not get far. But I easily recognize which one it is.
Very clever! Thanks for sharing.
The end user is usually the one who gives the password out, in my experience. I only have one client whose email password was hacked because of lack of complexity.
Thanks for your comment, Nick!
You always do such a great job producing content that is business owner relevant! Thank you!!
Thank you for your feedback!
I heard a short teaching at a business networking event saying that far more effective than combinations of letters, symbols and numbers is a string of 4 unrelated words (as a single word) in small letters. For their example, they strung together the words “horse” “clamp” “battery” and one other I can’t remember, so something like “horseclampbatterygrape” (the quotes would not be part). Passwords like this would take a very sophisticated hacking program multiple centuries or even millennia to crack. And they’re easy to remember with a word picture–say, imagine a horse putting a clamp on a battery with a grape on his nose.
Yet most programs will NOT allow you to get away with something like this.
Can anyone comment on the validity of this? And on why it’s not allowed?
Thanks in advance.
Great idea, Ken! Looking forward to hearing what others think.
The key points to password management in the 21st century (or, at least, this part of the century) are the following:
– Use a password manager
– Don’t reuse passwords across multiple sites
– Definitely don’t reuse passwords across sites of different trust levels (your online banking & some social media account)
- Since you’re using a password manager anyway, consider random passwords
– Keep your passwords safe and backed up
-ASB
I agree with the concept of the phrase. It is much easier to remember, at least for me. A friend showed me his system and he never has to write them down. His system is: This is myHartford21pw!
This turns into TimHartford21pw!
The Tim is: this is my, Hartford is the company you are signing into, 21 is a random number you choose and always use, pw stands for password and he always uses an !
Not perfect, but pretty good and he doesn’t write them down anywhere.
I agree some of this info is dreary!
What do I do with passwords? First of all, I don’t trust those online password manager programs. NOTHING is secure online!! So I created a Word document and saved it to my desktop. Most of the passwords are not connected to my business. I’m a sole proprietor with no employees and no customers. My passwords are for online businesses I use. Yes, I use my dog’s name in some passwords, but the name is from another language, so although it uses regular letters, the odd spelling will probably deter hackers. At one point I had 3 cats and 2 dogs. I created passwords using 1 or 2 letters of each pet’s name and added a number. Security checks always indicated they were strong.
I strongly recommend NEVER saving passwords online. One day a hacker will break their security wall, and you’ll lose EVERYTHING!
The basic idea of the article is good advice, but the suggestions of what to use do not always work. Every site or program has different requirements, so just because some of those fancy passwords will work on one site does not mean they will work on another. One may require you to have so many numbers and so many special characters, where another site may not allow the use of special characters.
Example: my1stc@r=honda90 may work on one site, but next site says no special characters so now my1stcarhonda90, then the next site says must have a capital letter, so My1stcarhonda90, so this may be a good suggestion, but see the combinations for sites continues to change.
Some sites/programs require you to change every so often, (3 months, 6 months, 12 months) and do not allow you to reuse a password again.
A good idea is keep work passwords different than personal passwords.
As an older person, I have a simple solution to passwords that can never be hacked or stolen. It’s called a Rolodex file system, which not only has the names of businesses I deal with, but also has phone numbers, and PASSWORDS. Yes, I hand-write each card (in pencil, in case I need to change a password, which some sites require after a few months). But everything is perfectly safe, unless you are working in an office where someone might steal your file, and then you’re in the wrong office. It is easily moved from work to home, and back again.
Being an older type myself I use the same written system except in a notebook kept in a fire proof safe that can be locked up nightly. I have to remember the combination of the safe. Having codes sent to my cell phone would work how well if said cell phone is 1) stolen 2) lost 3) hacked or my all time favorite 4) run over by a fork lift!
There’s a familiar, dreary cluelessness about articles like this. It’s as if it’s written from the point of view of a business that doesn’t know how their customers really live. Sure, you can tell people to choose a strong password, but there’s not a hint of awareness in the article that people have to have strong passwords for 30-50 accounts. That each strong password has to be unique. That each strong unique password has to be changed every 6 months. Sure you can argue about complexity versus length, but most accounts do not allow for long passwords. I have one that is actually still limited to 6 characters (!!!!). As for complexity, people have to deal with one login that requires special characters, and another login that forbids special characters, and yet another that requires special characters but forbids /, %, and @. And so on and so on.
In other words, these articles are basically telling people to use passwords that they will never remember. And so comes the password managers, which require you to entrust your passwords not to your brain but to some software or thumb drive. If you lose that, you lose all your passwords! And what if you are trying to log in on a computer that does not have your password manager loaded on it?
Stop the insanity and stop articles like this. Until you figure out a better solution than passwords, open up your system and let people choose whatever password they want. Otherwise, they’ll use 12345 or – and I’ve seen quite a few security specialists actually recommend this now – they’ll write it on a post-it and stick it to their computer screen!
I’m a sticky note on the base of the computer type of person! Thankfully, hackers can’t see the rim of my computer and I keep the camera covered. Easy peasy.
Passwords are a nightmare. Typically, a small business has 20 to 50 essential passwords. A large business has hundreds of passwords, used by hundreds of staff. The management of passwords alone is a significant impairment of digital utility. And each password must be changed regularly, be composed of no less than ten characters, which must include one capital, one lower case, at least one digit, one non-language character, there must be no reference to your name or prior passwords, &c., &c. &c…
Even the “fingerprint” and “retinal” solution invites nightmares, especially in foreign intelligence. All I need is the authorized eyeball or digits to have access. And the sensors themselves need intense maintenance, or security is undermined by emergency backdoors.
I look forward to returning to the use of metal keys. They also have their own weaknesses, but the chaos they inspire is of zero burden compared to digital passwords.
When I am looking to log on I always see network names that clearly identify which business owns the network. It’s a welcome sign for hackers. How about naming your secure network with a random name as well!
Your password shall be no less than 15 characters, a random phrase that you remember well, but no one else would. All lowercase too.
Keep changing it every month or two,
No one will crack that one.
Good suggestions, though, I tend to use passwords related to the business…for instance, the auto shop, I’d be perfectly fine with $P@rk=Pl^g (instead of spark-plug).
Generally, I use the following substitutions: $ for S, 3 for e, @ for a, 1 or ! for I, 0 for O (and vice versa!), and ^ for U. Replacing all the vowels means you don’t have a dictionary password. If I’m lazy, I might add a 123 at the end; of course, it looks like !@3.
My mechanical engineering clients could use 2ndL@w-Th3rm0dyn@m1c$ that should slow down the script-kiddies a bit.
Years back I read a study on password psychology. Then I sized up my boss, knew she did not have children, treated her dog like a child, and had very strong maternal instincts, so I guessed her password to be her dog’s name, and she was shocked when I told her my prediction. Got that one right. People often use their children’s names, and there are many other common categories.
We found the best solution is to use a password manager that is highly secure, most of our passwords are actually unknown even to us because the system fills the password fields for you. We set ours to create very strong passwords with letters, numbers, symbols, and at least 16+ characters. The software syncs to your phone as well so you have access anywhere you go, and 2-factor is highly encouraged.
Download a copy with 6 free months.
https://www.dashlane.com/en/cs/gRT-IgRWliGW
I have to disagree with this article.
Most security researchers and IT Pros (myself included) understand that length is more important than complexity.
You can have a password that is easy to remember, as long as the number of characters is high enough.
A password which is overly complex (might also be secure) also encourages people to write them down on sticky notes.
You can create long passwords with a favorite phrase, bible verse, or movie quote:
“you are what you eat” could be = You are what you eat!xx where xx defines your birth year or other memorable year.
“say hello to my little friends” could be = !Say hell0 to my little friends!
Passwords need not be complex to be secure. They only feel complex to us because they are hard to remember!!!
More detail here: https://www.grc.com/haystack.htm
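Ken’s four-word passphrase question earlier in the thread and the length-over-complexity argument in this comment can both be checked with arithmetic rather than opinion. The calculator below is an added example, not any commenter’s code or the haystack page’s: it sizes the search space an attacker must cover under different assumptions about what the attacker knows. The 1e10 guesses-per-second rate, the 7776-word list size (the size of the Diceware list), and the season/year/symbol recipe used to model a password like Winter2019! are all assumptions made for the comparison. The point it makes is the caveat both camps miss: the same 22-letter string is worth about 52 bits if the attacker knows it is four words from a public list, but about 103 bits if they must brute-force lowercase letters, so a scheme’s strength depends on how much of the scheme is public.

```python
"""Added example, not from any commenter: a search-space calculator for the
password styles argued over in this thread. The guess rate, the 7776-word
list size and the recipe model for 'Winter2019!' are assumptions."""
import math

GUESSES_PER_SECOND = 1e10   # assumed offline cracking rate, for comparison only


def bits_charset(length, alphabet_size):
    """Bits of search space when the attacker must try every string of this
    length over an alphabet of this size (length * log2(alphabet))."""
    return length * math.log2(alphabet_size)


def bits_wordlist(n_words, list_size):
    """Bits when the attacker knows the password is n words drawn at random
    from a public list of list_size words."""
    return n_words * math.log2(list_size)


def bits_pattern(*choices):
    """Bits for a password built from a fixed recipe: product of the number
    of options at each slot (e.g. season x year x trailing symbol)."""
    return math.log2(math.prod(choices))


def expected_crack_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """On average the attacker finds the password halfway through the space."""
    return 2 ** bits / 2 / guesses_per_second


def human(seconds):
    """Round a duration to the largest convenient unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare():
    """Rows of (label, bits, expected crack time) for constructed cases."""
    cases = [
        # 8 printable ASCII chars (95 symbols): the '8 is the magic number' policy
        ("8 chars, full keyboard", bits_charset(8, 95)),
        # 4 words from a 7776-word list, attacker knows the list (assumed size)
        ("horse clamp battery grape, 4 of 7776 words", bits_wordlist(4, 7776)),
        # the same 22-letter string, attacker only knows 'lowercase letters'
        ("horseclampbatterygrape, 22 lowercase letters", bits_charset(22, 26)),
        # assumed recipe model for Winter2019!: 4 seasons x 100 years x 33 symbols
        ("Winter2019!, season+year+symbol recipe", bits_pattern(4, 100, 33)),
    ]
    return [(label, round(b, 1), human(expected_crack_seconds(b)))
            for label, b in cases]


if __name__ == "__main__":
    for label, bits, time in compare():
        print(f"{bits:6.1f} bits  {time:>20}  {label}")
```

Two consequences follow from the numbers. A policy-gaming password such as Winter2019! is tiny under any attacker who has seen a few of them, regardless of the capital, digits and symbol it contains, which is why the composition rules in the thread buy so little. And the bits column, not the crack-time column, is the stable figure: the time depends on the assumed guess rate and on how the site hashes passwords, neither of which the user controls.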
This was very helpful for my friend’s mom because she owns a small business and she looked at this and she was going to do an address password. I showed her this and she said she was going to do something complicated but easy to remember. Thank you.
I have been using Bitwarden, free version for a few years now. It not only allows me to store many URLs and my own conceived passwords but will also generate passwords and will check to see if any password has been used in a breach.