NEW YORK (AP) — It may seem obvious: Companies' computers, mobile devices and accounts need secure passwords. But many small business owners don't take the time to educate staffers about these very basic forms of cybersecurity. And staffers may not know that their passwords could be easily guessed by hackers and cyberthieves.
Whenever there's news of a data breach at a big company, or people hear of a friend's email being hacked, many computer users realize they need to change their passwords. It's a good start, but not enough. A study by researchers at Virginia Tech's Department of Computer Science found that it's fairly easy to guess how people modify their passwords after a breach. The researchers used a computer program that was able about half the time to figure out what a new password was based on an existing one. A cyberthief could also use such a program. So, owners who want to increase their cybersecurity need to not only ask employees to change their passwords, but to also come up with entirely new ones — changing a password like "aardvark123" to "aardvark124" isn't secure.
But new passwords can also be problematic. Companies that make password protection software periodically release lists of the most common passwords and they include "123456" and "qwerty," the letters in the top left-hand corner of a keyboard. "Password" is also popular as are "Iloveyou" and "starwars." But even when computer users try to personalize their passwords, using their first names or favorite teams (the most often-used passwords in Britain included the names of soccer teams like Liverpool, Arsenal and Chelsea).
An employee might think that a hacker will never know the name of a pet. But if cyberthieves do some searching on social media, they can find the name and figure out a password like "Fluffy123."
The IRS advises computer users to get creative and do a little free associating. For example, think of a series of items like those in your living room and create a password out of them. The IRS came up with BlueCouchFlowerBamboo. The Department of Homeland Security has a list of tips for creating passwords that can be given to employees — owners can download it from the agency's website at https://bit.ly/2dhCdH7 .
Cybersecurity experts advise against using the same password — or guessable variations of one password — for multiple accounts and devices. Employees may balk at having to remember different passwords, but keeping track of them can be simplified with password management software. It's a bad idea for staffers to keep printed lists of their passwords in their desks.
Owners who want to step up their security should consider multi-factor authentication, which requires a password and a security code sent by text or email. Many financial institutions now use multi-factor authentication for online customers. Small businesses can buy multi-factor authentication software and apps or sign up with vendors that provide the service.