bCentral: Your Online Business Center

Stay Safe with Strong Passwords

Are you taking passwords seriously?

Nine out of ten office workers seem happy to give away their password in return for a cheap pen, according to a survey carried out at Waterloo Station last year. This should be enough to keep any boss awake at night. Why? Well, instead of clipboard-wielding surveyors, picture a disgruntled ex-employee or a competitor ringing up your staff and pretending to be from tech support and asking for their password. Then reflect on the fact that if a bad guy has a valid password, they can steal, change or delete the information it protects with little risk of detection.

Trust Your Staff?

Now try to get past the thought that nine out of ten office workers in London are morons and consider the dangers to your own business.

The basic problem is that nearly all businesses rely on passwords as the main way to check that users are who they say they are. But used carelessly, they are almost pointless.

The same survey found that the most common password was "password" (12%), the employee's own name (16%), their football team (11%) or their date of birth (8%). So even if they don't give away their password for a bag of crisps, you could guess nearly half of them in minutes.

The stupidity doesn't end there. One third of users write their passwords down, sometimes on a Post-it note stuck to the screen. Two thirds use the same password for everything, online banking as well as company access, so they only have to enter it into a bogus website to give the whole game away. Most of them (75%) know a colleague's password, and two thirds are happy to give their own to a co-worker.

It's not just employees. It's the bosses too. My favourite story from the survey was of a company CEO who, at first, refused to disclose his password. The interviewer tried a different track: "how do you decide what password to use?" He replied that he tended to use his daughter's name. So the interviewer quickly asked "what's your daughter's name?" The answer: Tamsin. Bullseye. It's like shooting fish in a barrel.

Many companies spend a fortune on alarms, key cards and secure reception areas to stop people gaining physical access. Even getting cash out of a cash machine requires something you know (your PIN) and something you have (a card).

But businesses seem willing to trust their staff - and remember nine out of ten of them are morons - with the keys to the kingdom when it comes to passwords.

The Key to Better Passwords

Automate good behaviour. Use Windows Server to set up a strong password policy

Enforce the use of strong passwords

Educate users about passwords and social engineering

Update HR policies to make disclosing passwords a serious disciplinary offence, like giving away the key to the office

Consider using smart cards or fingerprint recognition

Make sure the rest of your security is tight. In particular, restrict users' access to files on a need-to-know basis

Take extra care with administrator level passwords

Change default passwords for things like backup clients, accounts programs, routers, wireless access points and so on
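As an added example (not part of the original article), here is a small Python policy filter that rejects the very categories the survey found most often: the word "password", the user's own name, a relative's name (the Tamsin case), a football team and a date of birth, alongside minimum length and character-class checks. The deny-lists and the sample user are constructed for illustration, not taken from the survey.

```python
import re
from datetime import date

# Constructed deny-lists standing in for the survey's favourites: the word
# "password" itself and a few football teams. A real deployment would load a
# much larger breached-password list; these few entries are illustrative only.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty"}
FOOTBALL_TEAMS = {"arsenal", "chelsea", "liverpool", "tottenham", "spurs", "manutd"}
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def _date_forms(dob_iso: str) -> set[str]:
    """Digit strings people build from a birth date (YYYY-MM-DD):
    1975, 1203, 120375, 12031975, 19750312."""
    dob = date.fromisoformat(dob_iso)
    d, m, y = f"{dob.day:02d}", f"{dob.month:02d}", str(dob.year)
    return {y, d + m, d + m + y[2:], d + m + y, y + m + d}


def check_password(candidate, username, full_name, dob_iso, family_names=(), min_length=12):
    """Return the list of policy violations for `candidate`; an empty list means it passes.

    `family_names` covers the CEO-and-daughter case: names an attacker can learn
    simply by asking, which must be rejected just like the user's own name."""
    problems = []
    low = candidate.lower()
    letters_only = re.sub(r"[^a-z]", "", low)   # "Arsenal-1!" -> "arsenal"

    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if sum(bool(re.search(p, candidate)) for p in CHAR_CLASSES) < 3:
        problems.append("uses fewer than three character classes")
    if any(word in letters_only for word in COMMON_WORDS):
        problems.append("contains a common word such as 'password'")
    # Own name (username and each part of the full name) plus relatives' names.
    for name in [username, *full_name.split(), *family_names]:
        if len(name) >= 3 and name.lower() in low:
            problems.append(f"contains a known name ({name})")
    if any(team in letters_only for team in FOOTBALL_TEAMS):
        problems.append("contains a football team name")
    if any(form in candidate for form in _date_forms(dob_iso)):
        problems.append("contains the user's date of birth")
    return problems


if __name__ == "__main__":
    # Constructed sample user, not a real person.
    jsmith = dict(username="jsmith", full_name="John Smith", dob_iso="1975-03-12")
    for pw in ("password1", "Smith12031975!", "Correct-Horse-Battery-7"):
        print(f"{pw!r}: {check_password(pw, **jsmith) or 'OK'}")
```

Run it as a pre-commit hook on password changes or against an export of existing accounts; anything it flags is a candidate for a forced reset.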
