7 Passwords You Should Never Use at Your Small Business

James O'Brien

Owning a small business means owning data. You’re constantly acquiring new information related to your customers, your financial details, and all the vendors and contractors with whom you work. One cyber criminal, though, one lucky hack, and you’ve just exposed your business to a major blow. From lost trust among your clients to costly lawsuits for the damage done, protecting your company from data theft is among your most important responsibilities.

A lot of it comes down to one simple choice you make: passwords.

“Overall, passwords still present the biggest challenge for businesses of all sizes,” said Ron Schlecht, founder and managing partner of BTB Security. Businesses hire Schlecht’s company to test their digital security for weak spots and, he said, “you can’t imagine how many times we still break in to companies because of a bad password.”

If you want to avoid weak passwords at your business, start by steering clear of the following list. Read on for seven passwords you should never (ever) use.

Password

Arguably, this is the number-one and most common bad choice. Also prevalent are variations such as P@ssword and P@55w0rd!. These might be easy to remember, but they’re also among the first options hackers will try.

QWERTY

Easy-to-guess passwords often take root because they’re simple to remember. That’s the story with this hacker-friendly option constructed from the sequence of letters at the top left of the typical computer keyboard.

12345

Or, 98765. Or, 4567. You get the picture — no consecutive numbers (and the same goes for sequential letter combinations). You can only count on passwords such as these to expose your business to digital theft.

BusinessName1

If your shop is called Serafina’s Weddings, don’t set your password as SerafinasWeddings1. That would be an early choice for hackers looking to break into your valuable data.

Business Address

Skip it entirely, when it comes to passwords. Also avoid trying to mash together similar details, such as your street name and street number — i.e. Main215. 

Date of Birth

Thanks to the Internet, it doesn’t take much effort to find a person’s DOB. Birthdays, birthdates, years of birth — all of them make for readily attainable passwords and are poor choices for your company.

Simple Dictionary Words

Especially if they’re related to your business, don’t use them. No baseball, football, or soccer for your sporting goods store. No muffler, tire, or spark plug for your auto garage.

And so, what should you do when it comes to picking a password?

A key approach starts with thinking of a passphrase. Next, substitute letters, characters, and abbreviations for parts of it. For example, “my first car was a Honda in 1990” would be easy enough to remember, if that was the case in your life. Now, change it to my1stc@r=honda90.

Steer clear of the not so magnificent seven above, and protect your data with hard-to-guess constructions. With a strong password strategy, you’re well on your way to foiling online attacks.
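The seven categories above can be turned into a check that runs when a password is set. The sketch below is an added example, not part of the original article; the function names, the one-word common-password list, and the sample business details are constructed for illustration, and a real deployment would load a full common-password list.

```python
import re
from datetime import date

# Constructed stand-in for a real common-password list (the article's example only).
COMMON = ("password",)
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Undo the usual look-alike substitutions, so P@55w0rd! reduces to "passwordi".
LEET = str.maketrans("@431!05$7", "aaeiiosst")


def skeleton(text):
    """Lower-case, reverse look-alike substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def has_run(text, n=4):
    """True if text holds n consecutive ascending or descending characters."""
    for step in (1, -1):
        run = 1
        for a, b in zip(text, text[1:]):
            linked = a.isalnum() and b.isalnum() and ord(b) - ord(a) == step
            run = run + 1 if linked else 1
            if run >= n:
                return True
    return False


def on_keyboard_row(skel, n=4):
    """True if any n letters in a row follow a keyboard row, in either direction."""
    rows = KEY_ROWS + tuple(r[::-1] for r in KEY_ROWS)
    grams = (skel[i:i + n] for i in range(len(skel) - n + 1))
    return any(g in row for g in grams for row in rows)


def date_forms(d):
    """Common ways a birth date is typed as digits."""
    y, m, dd = f"{d.year}", f"{d.month:02d}", f"{d.day:02d}"
    return {y, m + dd + y, dd + m + y, m + dd + y[2:], dd + m + y[2:], y + m + dd}


def weak_reasons(password, business_terms=(), birth_dates=()):
    """Return which of the article's categories the password falls into."""
    low, skel = password.lower(), skeleton(password)
    digits = re.sub(r"\D", "", password)
    reasons = []
    if any(w in skel for w in COMMON):
        reasons.append("common password")
    if on_keyboard_row(skel):
        reasons.append("keyboard sequence")
    if has_run(low):
        reasons.append("consecutive characters")
    # Business name, address and trade words are supplied by the caller.
    words = [skeleton(w) for term in business_terms for w in term.split()]
    if any(len(w) >= 4 and w in skel for w in words):
        reasons.append("business name, address or trade word")
    if any(f in digits for d in birth_dates for f in date_forms(d)):
        reasons.append("date of birth")
    return reasons
```

An empty list only means none of these seven patterns matched; it is not a measure of strength.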


39 Responses to "7 Passwords You Should Never Use at Your Small Business"

    • Bree Faber | October 22, 2017 at 3:08 am

      This was very helpful for my friend’s mom because she owns a small business and she looked at this and she was going to do an address password. I showed her this and she said she was going to do something complicated but easy to remember. Thank you.

    • CW | February 20, 2018 at 8:30 pm

      I have to disagree with this article.

      Most security researchers and IT Pros (myself included) understand that length is more important than complexity.

      You can have a password that is easy to remember, as long as the number of characters is high enough.

      A password which is overly complex (might also be secure) also encourages people to write them down on sticky notes.

      You can create long passwords with a favorite phrase, bible verse, or movie quote:

      “you are what you eat” could be = You are what you eat!xx where xx defines your birth year or other memorable year.

      “say hello to my little friends” could be = !Say hell0 to my little friends!

      Passwords need not be complex to be secure. They only feel complex to us because they are hard to remember!!!

      More detail here: https://www.grc.com/haystack.htm

    • Matthew Demaree | February 20, 2018 at 11:11 pm

      We found the best solution is to use a password manager that is highly secure, most of our passwords are actually unknown even to us because the system fills the password fields for you. We set ours to create very strong passwords with letters, numbers, symbols, and at least 16+ characters. The software syncs to your phone as well so you have access anywhere you go, and 2-factor is highly encouraged.

      Download a copy with 6-free months.
      https://www.dashlane.com/en/cs/gRT-IgRWliGW

    • Brian | February 21, 2018 at 12:33 am

      Years back I read a study on password psychology. Then I sized up my boss, knew she did not have children, treated her dog like a child, and had very strong maternal instincts, so I guessed her password to be her dog’s name, and she was shocked when I told her my prediction. Got that one right. People often use their children’s names, and there are many other common categories.

    • Dan | February 21, 2018 at 3:08 am

      Good suggestions, though, I tend to use passwords related to the business…for instance, the auto shop, I’d be perfectly fine with $P@rk=Pl^g (instead of spark-plug).

      Generally, I use the following substitutions: $ for S, 3 for e, @ for a, 1 or ! for I, 0 for O (and vice versa!), and ^ for U. Replacing all the vowels means you don’t have a dictionary password. If I’m lazy, I might add a 123 at the end; of course, it looks like !@3.

      My mechanical engineering clients could use 2ndL@w-Th3rm0dyn@m1c$ that should slow down the script-kiddies a bit.

    • Roman | February 21, 2018 at 6:55 am

      Your password shall be no less than 15 characters or more, random phrase that you remember well, but no one else, should do. All lowercase too.
      Keep changing it every month or two,
      No one will crack that one.

    • Nadine Silverstein | February 21, 2018 at 7:34 am

      When I am looking to log on I always see network names that clearly identify which business owns the network. It’s a welcome sign for hackers. How about naming your secure network with a random name as well!

    • ElGallego | February 21, 2018 at 11:46 am

      Passwords are a nightmare. Typically, a small business has 20 to 50 essential passwords. A large business has hundreds of passwords, used by hundreds of staff. The management of passwords alone is a significant impairment of digital utility. And each password must be changed regularly, be composed of no less than ten characters, which must include one capital, one lower case, at least one digit, one non-language character, there must be no reference to your name or prior passwords, &c., &c. &c…

      Even the “fingerprint” and “retinal” solution invites nightmares, especially in foreign intelligence. All I need is the authorized eyeball or digits to have access. And the sensors themselves need intense maintenance, or security is undermined by emergency backdoors.

      I look forward to return to the use of metal keys. They also have their own weaknesses, but the chaos they inspire is of zero burden compared to digital passwords.

    • uxf | February 21, 2018 at 12:34 pm

      There’s a familiar, dreary cluelessness about articles like this. It’s as if it’s written from the point of view of a business that doesn’t know how their customers really live. Sure, you can tell people to choose a strong password, but there’s not a hint of awareness in the article that people have to have strong passwords for 30-50 accounts. That each strong password has to be unique. That each strong unique password has to be changed every 6 months. Sure you can argue about complexity versus length, but most accounts do not allow for long passwords. I have one that is actually still limited to 6 characters (!!!!). As for complexity, people have to deal with one login that requires special characters, and another login that forbids special characters, and yet another that requires special characters but forbids /, %, and @. And so on and so on.

      In other words, these articles are basically telling people to use passwords that they will never remember. And so comes the password managers, which require you to entrust your passwords not to your brain but to some software or thumb drive. If you lose that, you lose all your passwords! And what if you are trying to log in on a computer that does not have your password manager loaded on it?

      Stop the insanity and stop articles like this. Until you figure out a better solution than passwords, open up your system and let people choose whatever password they want. Otherwise, they’ll use 12345 or – and I’ve seen quite a few security specialists actually recommend this now – they’ll write it on a post-it and stick it to their computer screen!

    • Carol Quint | February 21, 2018 at 4:14 pm

      As an older person, I have a simple solution to passwords that can never be hacked or stolen. It’s called a Rolodex file system, which not only has the names of businesses I deal with, but also has phone numbers, and PASSWORDS. Yes, I hand-write each card (in pencil, in case I need to change a password, which some sites require after a few months). But everything is perfectly safe, unless you are working in an office where someone might steal your file, and then you’re in the wrong office. It is easily moved from work to home, and back again.

    • Lisap | February 22, 2018 at 12:21 pm

      The basic idea of the article is good advice, but the suggestions of what to use do not always work. Every site or program has different requirements, so just because some of those fancy passwords will work on one site, does not mean it will work on another. One may require you to have so many numbers and so many special characters, where another site may not allow the use of special characters.

      Example: my1stc@r=honda90 may work on one site, but next site says no special characters so now my1stcarhonda90, then the next site says must have a capital letter, so My1stcarhonda90, so this may be a good suggestion, but see the combinations for sites continues to change.

      Some sites/programs require you to change every so often, (3 months, 6 months, 12 months) and do not allow you to reuse a password again.

      A good idea is keep work passwords different than personal passwords.

    • JM | February 25, 2018 at 1:17 am

      I agree some of this info is dreary!
      What do I do with passwords? First of all, I don’t trust those online password manager programs. NOTHING is secure online!! So I created a Word document and saved it to my desktop. Most of the passwords are not connected to my business. I’m a sole proprietor with no employees and no customers. My passwords are for online businesses I use. Yes, I use my dog’s name in some passwords, but the name is from another language, so although it uses regular letters, the odd spelling will probably deter hackers. At one point I had 3 cats and 2 dogs. I created passwords using 1 or 2 letters of each pet’s name and added a number. Security checks always indicated they were strong.
      I strongly recommend NEVER save passwords online. One day a hacker will break their security wall, and you’ll lose EVERYTHING!

    • Bob | February 26, 2018 at 12:38 pm

      I agree with the concept of the phrase. It is much easier to remember, at least for me. A friend showed me his system and he never has to write them down. His system is: This is myHartford21pw!

      This turns into TimHartford21pw!

      The Tim is: this is my, Hartford is the company you are signing into, 21 is a random number you choose and always use, pw stands for password and he always uses an !

      Not perfect, but pretty good and he doesn’t write them down anywhere.

    • ASB | May 22, 2018 at 8:08 pm

      The key points to password management in the 21st century (or, at least, this part of the century) are the following:

      – Use a password manager
      – Don’t reuse passwords across multiple sites
      – Definitely don’t reuse passwords across sites of different trust levels (your online banking & some social media account)
      – Since you’re using a password manager anyway, consider random password
      – Keep your passwords safe and backed up

      -ASB

    • Ken | February 6, 2019 at 2:47 am

      I heard a short teaching at a business networking saying that far more effective than combinations of letters, symbols and numbers is a string of 4 unrelated words (as a single word) in small letters. For their example, they strung together the words “horse” “clamp” “battery” and one other I can’t remember, so something like “horseclampbatterygrape” (the quotes would not be part). Passwords like this would take a very sophisticated hacking program multiple centuries or even millennia to crack. And they’re easy to remember with a word picture–say, imagine a horse putting a clamp on a battery with a grape on his nose.

      Yet most programs will NOT allow you to get away with something like this.

      Can anyone comment on the validity of this? And on why it’s not allowed?

      Thanks in advance.

      • Hannah Sullivan | February 6, 2019 at 8:27 am

        Great idea, Ken! Looking forward to hearing what others think.

    • D Davis | February 6, 2019 at 4:12 am

      You always do such a great job producing content that is business owner relevant! Thank you!!

      • Hannah Sullivan | February 6, 2019 at 8:26 am

        Thank you for your feedback!

    • Nick T | February 6, 2019 at 10:54 am

      The end user is usually the one who gives the password out in my experience. I only have one client whose email password was hacked because of lack of complexity.

      • Hannah Sullivan | February 8, 2019 at 10:24 am

        Thanks for your comment, Nick!

    • JWM | February 6, 2019 at 11:00 am

      All so difficult to deal with. I try to make it easier for myself. I have about 20 passwords in my head. I use these on a rotating basis. I can’t remember which password I used for “this or that” site but I have it written down – IN CODE. It’s a code I invented myself. Try to use what I’ve written down and you will not get far. But I easily recognize which one it is.

      • Hannah Sullivan | February 8, 2019 at 10:27 am

        Very clever! Thanks for sharing.

    • Allen Thorpe | February 6, 2019 at 12:13 pm

      I use long (15-20) random passwords that I store in an encrypted spreadsheet that is backed up in the cloud. It is available on all my devices and any other computer connected to the net. I only have to remember one master password. The file contains the organization name, website, account / user name, password and other notes like answers to the security questions. I also list a category ie banking, medical or invest. It’s not as convenient as a password manager but I feel more in control.

      • Hannah Sullivan | February 8, 2019 at 10:29 am

        Great tactic Allen!

    • Holly | February 7, 2019 at 10:56 am

      We have 6 employees and hundreds of passwords, most of which change regularly and many of which are shared by everyone in the office. I don’t trust password managers, so we’re currently using a password-protected excel doc stored on our local server. Can anyone comment on how secure this actually is?

      • Hannah Sullivan | February 8, 2019 at 10:30 am

        A suggestion we have Holly is making sure the password for the protected excel doc is something creative and different from the “hundreds of passwords” you mentioned in your comment. Also looking forward to what other business owners have done with their passwords.

    • frank | February 7, 2019 at 1:47 pm

      I worked with a woman once whose password was “unique”. She did this because when the system was set up a memo came out and told the new users they must create a userid & password and the password must be unique.

      • Hannah Sullivan | February 8, 2019 at 10:31 am

        How funny! Thanks for sharing Frank.

    • ESH | February 8, 2019 at 8:33 am

      As others have commented here, password managers are the best solution to create complicated passwords. I’m a little surprised this option wasn’t mentioned at all in this piece. I’ve been using one for years and every account I have has a complicated, difficult to guess password including numbers, letters and special characters. I’ve been using 1Password and highly recommend that other small business owners look into using them.

      2 Factor authentication should be used for every account that offers it as well. You’ll receive a code (either to your phone or via email) that you need to enter in to sign in.

      • Hannah Sullivan | February 8, 2019 at 10:33 am

        Great suggestion, thank you for sharing.

    • C W | February 8, 2019 at 10:55 am

      A password protected Excel document can be cracked in seconds. THIS IS NOT A SECURE WAY TO STORE PASSWORDS.

      Also, a password protected document is NOT ENCRYPTED… it’s still plain text.

      To anyone not using a password manager, which IS encrypted, you are putting your security at risk by not using a proper encrypted password manager.

      Don’t let your fear of the “unknown” or complexity of a proper password manager prevent you from maintaining proper security.

      As many have mentioned, 1Password is an excellent tool for password management. It is encrypted. It can be synced to multiple devices. It will assist you in creating stronger and more difficult passwords (most of my passwords are at least 32 characters, unless the site forces something smaller). It includes plugins for all major browsers so you can easily insert difficult passwords into websites and forms.

      In a business environment, you should be using something like 1 Password for Teams, which allows each employee the ability to keep their own passwords secure, and shared passwords for company required sites and functions (which is very important as employees come/go from companies). You don’t know the number of times I’ve seen an employee fired, and the company is crippled for weeks trying to gain access to required resources online because that employee “had their own system” which wasn’t defined with any oversight. As a business owner, you should not leave the security of your business up to your employees. You should not leave the management of passwords up to individual users. YOU need to be in control. If this is outside your comfortability, please please please, hire a competent IT/Security professional.

      Reading some of these comments makes me shudder…

      • Hannah Sullivan | February 8, 2019 at 12:24 pm

        Thank you for your feedback!

    • Dale Morgan | February 8, 2019 at 10:57 am

      I have been preaching strong passwords for almost 20 years. I think I have heard every argument against good password policy that has been dreamt up. Here is the bottom line that will help every user with their passwords:
      Read vanity license plates – there are some excellent choices out there. Think ST8, L8, D8, GR8, 4D, 1DERTFUL, EVERY1, NO1, etc. I know someone who starts every password with ST8MN or whatever state the company is in and then adds something to identify the company and then some random characters. So, his password for Target stores is: ST8MNtrgt@)!( or ‘State=Minnesota, Target, 2019’.
      That sure beats the user who found a way to beat the system that required complex passwords changed every 90 days – her password is Winter2019! – I know her passwords for the next 20 years. Some days you just can’t win!

      Dale

      • Hannah Sullivan | February 8, 2019 at 12:24 pm

        Thank you Dale.

    • Patrick Fitzgerald | February 11, 2019 at 3:57 pm

      Length of the password is the most efficient way to gain complexity, using the character substitutions published in the comments is a red flag; if you read them here, you can assume that hackers are aware. One trick I use is I keep 5 phrases that are longer, but logical, and attach them to a set of 5 phone numbers that I remember, but was never associated with personally (I remember my best friend’s phone number from 40 years ago) So something like Iusedtocall_joeym@6719248, my wife used to live at 3816 Maple St. Shehadadognamedsammyon3816Maple. Simple, easy to remember and with a few rules you can process your way into the account if you forget your password.

      • Hannah Sullivan | February 12, 2019 at 1:45 pm

        Very creative, Patrick! Thanks for sharing.

    • Mary E Rossow | February 13, 2019 at 11:47 pm

      After reading entire 📑 article and all comments that followed, there seems to be one topic that is NEVER mentioned.

      As a small business owner of 34 years, I literally have 💯’s of different, original passwords.

      Each one is cleverly retained in my 💭 memory (and 🖊 written down 🚫 nowhere) so they appear to be safe.

      However, what happens if I get a 🧠 concussion in a 🚑 car accident or something similar to that?

      Or step off the curb and get hit by “the proverbial 🥛🚛 milk truck”?

      Someone (a trusted 👤 colleague or 👥 family member) would need access to all my 💻 accounts to either temporarily run my business and/or just shut it down.

      So HOW and WHERE do I manage that situation?

      Even if I listed all the passwords on 📝 paper, put it in a safe, and only gave one or two people the combination, it still wouldn’t work for me.

      I find that passwords are created and/or changed weekly, so “The Master 📝 List” would ALWAYS be out of date. 😱

      How are other small business owners handling this dilemma?

      Thanks,
      MER

      • Hannah Sullivan | February 14, 2019 at 8:40 am

        Great advice Mary, thanks for sharing!

    • Gene Marks | February 14, 2019 at 10:39 am

      Hi Mary,

      Your question about managing passwords is great. I have 3 suggestions:

      1 – use a Password Manager. Here are a few: https://top5-passwordmanagers.com/?
      2 – create a spreadsheet, password protect it and save it online (Google Sheets or Dropbox, for example)
      3 – create a special record in your customer relationship management program where you store all passwords (that’s actually what I do).

      However, in ALL cases, you must TELL someone where to go to get this information. Some of my clients keep that information with the rest of their important life docs like their estate plan or wills. Others share it with a spouse or trusted friend.

      Hope this helps….
