5 Steps to Protect Your Business’ Passwords and Data
Disclaimer: Night Owl Notions is not affiliated with any of the services mentioned in this blog. We either use them ourselves or have heard of their positive reputations.
It seems like every week there is news about a data breach, or a potential data breach. It’s common these days to hear that you should change your password, not just on the site that has been breached, but also on any other site where you use that password. I often hear that it is frustrating to be forced to change your password, or to be advised to change it so frequently. So what, then, can you as an entrepreneur do to protect your business’ data, and as much as possible avoid the frustrations that go along with constant password changes? What are the best ways to protect that data from the increasingly prevalent bad actors out there? Read on for 5 steps to keep your business’ passwords safe and secure!
#1: Password Strength
There are a few main elements to password strength. They are:
1. No dictionary words or modified dictionary words.
   An example would be “Protection!” or “Pr0t3cti0n!”. You might think this is a strong password, but hackers commonly use lists of dictionary words, and of dictionary words with common substitutions, to discover passwords by brute force.
2. Keep your password long (12 characters or more).
   The longer your password, the harder it is to find. This makes logical sense, but aside from number 1, this is by far the best thing you can do to protect your password.
3. Mix upper and lowercase letters, numbers and special characters.
   Many services now force you to do this, but even if they do not, it is a good idea, as it increases your complexity and decreases the chance your password will be found. If you run across a service that doesn’t allow special characters in their passwords, I personally tend to avoid that service as I don’t feel like I can trust their security standards.
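The three rules above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it shows why “Pr0t3cti0n!” fails, by undoing common substitutions before the dictionary lookup. The small wordlist, the substitution table and the function names are constructed for illustration.

```python
import re

# Constructed sample wordlist; a real check would load a full dictionary
# or a list of known-breached passwords.
WORDLIST = {"protection", "password", "welcome", "business", "sunshine"}

# Common character substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # the length recommended in the post


def dictionary_base(password):
    """Return the wordlist entry the whole password is built on, or None."""
    lowered = password.lower()
    # Drop digits/symbols tacked onto either end ("protection!" -> "protection").
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    for form in (lowered, trimmed):
        # Try the form as typed, then with substitutions undone
        # ("pr0t3cti0n" -> "protection").
        for candidate in (form, form.translate(LEET)):
            if candidate in WORDLIST:
                return candidate
    return None


def check_password(password):
    """Return a list of the post's strength rules that the password breaks."""
    problems = []
    base = dictionary_base(password)
    if base:
        problems.append(f"based on dictionary word '{base}'")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
               "number": r"[0-9]", "special character": r"[^A-Za-z0-9]"}
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"no {name}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords: the post's two weak examples and a random one.
    for pw in ("Protection!", "Pr0t3cti0n!", "vT8#qLz2&mWx4p"):
        print(pw, "->", check_password(pw) or "passes all three rules")
```
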
#2: Multi-factor Authentication
Often referred to as 2-factor authentication, multi-factor authentication uses more than one type of authentication to protect your account. The more “factors”, the more secure. If a service provides it, it is the absolute best thing you can do to protect your account. There are 4 different “factors” of authentication:
1. Something you know.
   Typically, a password or a PIN number.
   Most common, but unfortunately also the easiest to “crack”.
2. Something you have.
   A phone, security key fob, authenticator app, etc.
   Harder for someone to obtain, but possible by theft, or social engineering.
3. Something you are.
   Fingerprints, retina scan, your voice-print.
   Hardest to “crack”, but the most prone to errors (either false positive or false negative).
4. Somewhere you are.
   You must be in a particular location or on a particular system to access.
   Less common, variable strength.
To be considered multi-factor, required information must come from two or more of these categories. A password + a PIN, for example, is not considered multi-factor because they both come from factor number 1. The earliest mainstream use of multi-factor authentication is one you use all the time with your bank: your card (something you have) plus your PIN (something you know). This combination is also the most common multi-factor today. For most services it is something you know (password) plus something you have (smart-phone app/text). The simple fact is that if a service offers multi-factor authentication, you should use it. Not only does it greatly add to security, it can also warn you if your password has been obtained by someone else. If you get a multi-factor request without having attempted to log in, there’s a good chance someone has your password.
#3: Password Sharing
There might be cases where you are tempted to share your password, but it is never a good idea. An example would be giving a web designer the password to your Squarespace account. Squarespace lets you provide contributor access, which is the much better way to provide access for a web designer. Even if you trust the person, and they are in fact trustworthy, by sharing your password with them you add an attack vector for social engineering, or if they write your password down physically or digitally to remember it, it could potentially be stolen. This may seem unlikely, but why risk your business’ health when it isn’t necessary? Night Owl Notions will never ask for your password because of this. We will always ask for a contributor account to access your website, or create the site ourselves, and transfer ownership to you later.
#4: Password Managers
Password managers are programs, browser extensions, apps, etc. that are designed to securely store your passwords for other sites. While they don’t themselves increase security, they can enable increased security. By using a password manager, you can increase the length and complexity of your password, while providing a means to remember your password. They also make it easier to use different passwords for every service, meaning if one service is hacked, you do not need to change your passwords for everything. Password managers also typically provide password generators to create a secure password, so you don’t have to continually think of new ones. If you use a password manager, there are a couple of things to keep in mind.
They aren’t foolproof.
You want a strong password you’ll remember and multi-factor authentication for the manager itself. Without them, you risk losing access to all your passwords at once, or someone gaining access to all your passwords at once.
You always need access to it.
If you use different passwords you don’t remember, obviously this means you always need access to your password manager. Service outages can leave you locked out, or forgetting your device might make it harder to access your services.
Despite the downsides, password managers are effective tools for increasing security. Some examples of password management tools are Bitwarden, 1Password, and NordPass.
#5: Vigilance
Your best defence for your business is vigilance. Keep in mind that no reputable company or person will ever ask for your password. If you see a suspicious 2-factor request, change your password. Make the answers to any security questions hard to find out. Don’t provide answers to them in your website bio, for example! If you have a puppy named “Bolt” and want to share that in your bio, don’t make it a security question for your bank account. It makes sense, but it’s also something we don’t always immediately think of.
Keeping your data secure is not easy, but there are many things you can do to increase the chances that you will never suffer a data breach. Follow the tips above and you’ll be closer to that reality.