Password, Please! A Guide to Password Hygiene

As the Internet has become more and more important, most of us have developed a long list of passwords associated with various online activities in our personal and professional lives. But unfortunately, password security and storage – I’ll call it password hygiene – is often neglected. Here’s a quick look at what you can do to improve your password hygiene.

The challenge

Most businesses have passwords for everything from domain name registrations to social media accounts to online vendors. The problems associated with this are obvious:

  • Many people have the tendency to use the same password over and over, which is a major security issue.
  • Passwords are easily lost or forgotten.
  • If only one employee knows the password for a given account and leaves the company, that information can be lost forever – especially if the password is associated with that person’s individual email address.
  • Sometimes it’s not even clear whether a company has an account with a rarely-used online vendor, which can lead to duplicate accounts.
  • If a password and a registering email address for a social media account are lost, you can be stuck trying to contact technical support – which is a situation to be avoided at all costs. This seems to be a particular problem for G+ Business Pages, as unless your business uses Gmail it can be hard to know what Gmail address was used to verify your business listing.

Generating secure passwords

“The 10,000 most common user passwords represent 99.8% of ALL passwords.”

Mark Burnett, author of Perfect Passwords / xato.net

Would you believe the most common password by far is “password”? It’s true. Author Mark Burnett has researched the question extensively, even creating a word cloud illustrating the most common passwords.

Most of us know better than to create a password like “123456,” “qwerty” and so forth, but when creating a password you should:

  • Avoid anything related to you personally. Don’t use your birthday, phone number, Social Security number, names of pets, children, or your spouse.
  • Mix uppercase and lowercase letters, and add a symbol or two. If you want, you can base a password on a phrase: 2b8aFISHH@@k is “to bait a fish hook,” which might be memorable to you but difficult for anyone else to crack.
  • Don’t repeat passwords across accounts. No matter how careful you are to create a difficult password, it’s still pretty easy to fall into the trap of using the same password over and over – which means that if any one account is compromised, they all are.
  • Your best bet is to use a random password generator. Some of the better ones, like Norton’s, allow you to choose length and other variables, and even generate many passwords at a time.
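What a random password generator does under the hood, as an added example (not code from Norton or any tool named on this page): it draws from the operating system's cryptographic random source, lets you choose the length, and can produce one password per account. The symbol set and the default length of 16 are assumptions.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*-_=+"  # assumed symbol set; adjust to what each site accepts
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def generate(length=16):
    """Draw from the OS CSPRNG; redraw until every character class is present."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redrawing the whole candidate keeps character positions unbiased,
        # unlike forcing "one symbol at the end".
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def generate_batch(count, length=16):
    """One independent password per account, so none is reused."""
    return [generate(length) for _ in range(count)]


def entropy_bits(length):
    """Upper bound on guessing entropy for a uniformly random password."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    for pw in generate_batch(5, length=20):
        print(pw)
    print("about %.0f bits at length 20" % entropy_bits(20))
```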

Managing passwords

Of course, the problem then becomes remembering multiple complicated passwords, or finding a secure way to store them (which isn’t, for example, in a Microsoft Excel spreadsheet on your desktop, or on a piece of paper in a file). That’s where a password management solution is a lifesaver.

There are a variety of password management solutions available, including software and cloud-based solutions. With software, you simply download and install it in a way that anyone who needs access to passwords can get to it, such as on your server. The software then allows you to fill in multiple accounts and the usernames/passwords associated with them, or even multiple passwords associated with certain topics or categories – in other words, several layers of organization are possible. There’s generally a section for notes, so that any relevant information that doesn’t fit into a field can be added. Finally, many forms of this software include a random password generator.

To access the password management solution and the encrypted passwords it stores, employees need just one master password – from there, they can copy and paste usernames and passwords when they’re working with a given account.

There are a wide variety of password management solutions available — Prime Design Solutions uses Password Safe, a software solution that is free, open-source, and Windows-based. Other top solutions include KeePassX, Dashlane, and 1Password.

Getting started

If your company’s password hygiene is less than stellar, cleaning up the mess can seem pretty overwhelming. This particular project is easy to procrastinate, because it’s not generally a crisis! But as with any major organizational project, a step-by-step approach is the best way to tackle it. Here’s how:

1. Identify a password management tool and implement it. The hotlinks in the previous section should give you the information you need to identify a tool that meets your needs. Things to consider include your operating system (Windows or Mac?), whether you prefer a locally-hosted software or cloud-based solution, and the level of encryption (experts recommend at least 256-bit encryption protocols).

2. Make a list of all the online accounts that have usernames/passwords associated with them. These can include but are not limited to:

  • Social media accounts: Twitter, Pinterest and Instagram especially. These social media are atypical in that company accounts function like personal accounts and therefore don’t have multiple administrators, which can mean login information can easily be lost in case of a personnel change. (While you’re at it, you also might want to consider who’s listed as an admin on your company’s Facebook Page, LinkedIn company page, and any other social medium you utilize. The company owner or president should be an admin on any account the company uses, even if the owner is not the one who posts.)
  • Social media accounts: YouTube and Google +. These social media require a Google account, including a Gmail address. If your company doesn’t use Gmail, it’s easy for the login email to get lost — and without that, it’s hard to retrieve the username/login info. Again, the company owner should be an admin on G+.
  • Domain and web hosting for your website. You don’t want to lose your domain name, and you need to be able to get your hosting information at a moment’s notice.
  • Your website content management system. Your developer can generally retrieve this for you, but it’s easier if you can access it instantly.
  • E-newsletter system (e.g., MailChimp, Constant Contact, etc.).
  • Online vendors. These can include printers, office supply companies, Amazon, or anything your company purchases online — it’s not a disaster if your company has multiple accounts, but you don’t want to miss out on discounts from rewards points or any other perk you may be entitled to.
  • Google Analytics.

3. Fill in what you know, and as you go along change passwords that are too simple or repeated across accounts. Generate new passwords using a random password generator like Norton’s, or your password management software may have a generator built in. If this seems overwhelming, set a modest goal — say, one account per week, and try and stick to it.

4. Change email addresses associated with each account to an “info@yourcompany.com” address. This makes things easier in case of a personnel change — instead of having to change both the email and the password if an employee leaves or is terminated, you only have to change the password.

5. Enlist other employees in the project. Ask your employees to create entries in the password management system for any online vendors or other accounts they might use exclusively, and change email addresses/passwords associated with these accounts as they go along.

6. Identify the holes, and work to fill them. Compare your original list and the list you’ve accumulated in your password management tool. Play detective and fill in the holes, enlisting others as needed.

7. Educate employees in how to use the password management system. This includes creating new entries anytime a new online account is opened.
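The checks from steps 3 and 4, as an added example (not part of the original article or of any password manager): a script that reads an account inventory and flags common passwords, short passwords, passwords reused across accounts, and accounts registered to an individual mailbox. The CSV column names, the 12-character minimum, and the sample rows are constructed assumptions; the report never prints a password.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory; column names are assumptions, not a real tool's export format.
SAMPLE_EXPORT = """account,email,password
Twitter,jane.doe@yourcompany.com,BlueHeron!Canal42
Domain registrar,info@yourcompany.com,BlueHeron!Canal42
MailChimp,info@yourcompany.com,qwerty
Google Analytics,bob@gmail.com,k#9Vt!q2Lm$Zx7Rp
Web hosting,info@yourcompany.com,T4&wYp!8sNc@3Jd
"""

# Tiny constructed stand-in for a full common-password list.
COMMON = {"password", "123456", "qwerty"}
SHARED_MAILBOX = "info@yourcompany.com"
MIN_LENGTH = 12  # assumed policy threshold, not a figure from the article


def audit(export_text, shared_mailbox=SHARED_MAILBOX):
    """Return {account: [findings]}; findings name accounts, never passwords."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["account"])

    findings = defaultdict(list)
    for row in rows:
        name, pw = row["account"], row["password"]
        if pw.lower() in COMMON:
            findings[name].append("common password")
        if len(pw) < MIN_LENGTH:
            findings[name].append("shorter than %d characters" % MIN_LENGTH)
        others = [a for a in by_password[pw] if a != name]
        if others:
            findings[name].append("password shared with: " + ", ".join(others))
        if row["email"].strip().lower() != shared_mailbox:
            findings[name].append("registered to an individual mailbox")
    return dict(findings)


if __name__ == "__main__":
    for account, issues in audit(SAMPLE_EXPORT).items():
        print(account + ": " + "; ".join(issues))
```

Run it against a temporary export and delete the export afterwards, since a plaintext list of passwords is exactly what the password manager is meant to replace.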
