Herzlich writes the Small Business column in Newsday. ...
A password breach can be catastrophic for a company. Yet, many firms don't put enough emphasis on security, often opting for easy-to-remember words or phrases.
Considering what's at risk, companies should routinely re-evaluate their password policies and consider improving security measures, say experts.
"It's human nature to create less work for ourselves," explains Morgan Slain, CEO of Los Gatos, Calif.-based SplashData, which recently released its annual list of worst passwords, such as 123456 and "password."
"As much as we try to educate people and enforce stronger password policies, this list has remained fairly unchanged for three years," says Slain, whose top-25 list was compiled from files containing millions of stolen passwords posted online in the previous year.
Passphrases: If you want to create a secure password easy to recall, consider using "passphrases" -- short words with spaces or other characters separating them, advises Slain, adding it's best to string random words together, not common phrases.
Three words or more is ideal, he adds. For example, "cakes years birthday" or "smiles_ light_skip."
Be inventive: Don't use the same username/password combination for multiple websites or accounts, another common error, he notes. "People tend to reuse their passwords," says Jeremi Gosney, CEO of Tacoma, Wash.-based Stricture Group, a password recovery and security firm.
That's because they have so many passwords to remember, which ultimately results in their creating simple ones, says Gosney, adding, "Most people know they have a bad password."
Digital route: If you want a truly secure password, remove the human element entirely, he says. Have a digital password manager generate your password for you, he advises, such as LastPass. "Any kind of human-generated password we're going to be able to crack."
Management app: SplashData also offers its own password manager application, SplashID Safe, which generates, organizes and protects passwords. Users need to remember just one master password to get into the program, which safely stores your passwords and can automatically log you into accounts and websites without your having to retype a multitude of passwords.
The stronger the password, the less often you need to change it.
"If the password is sophisticated enough, you don't necessarily have to change it every few months," says William Collins, president of NST Inc., an East Northport-based information technology services company.
Policy for workers: Whatever protocol you follow, it pays to have a password policy so employees have guidelines and understand what is expected, says Collins.
Use the policy to enforce a standard, such as requiring passwords to have a certain level of complexity, he notes. Require a combination of letters, numbers, capitals and symbols, and avoid common words and phrases.
For example, you wouldn't want to use the last four digits of your Social Security number or your kids' names, he says.
Restrict access: Also, remember not everyone needs the same access to the same passwords.
"Restrict access to only those who need it," advises Collins, and don't be careless with your passwords (i.e. don't write them on a sticky note).
Brian Selltiz, president of Digital Provisions in Smithtown, a commercial security integration firm that works with NST, says his policy dictates certain standards, such as the minimum length of passwords. He also limits access to passwords to certain employees based on their positions.
"It's always better to be safe than sorry," says Selltiz.
2013's WORST PASSWORDS
5. abc1236. 123456789