Securing Your Small Business Starts With Authentication

Using Strong Passwords, Password Managers, and MFA

In cybersecurity, authentication refers to the process of verifying the identity of a user, device, or system to ensure that they are who they claim to be. Authentication is a critical step in securing systems, applications, and networks. It is the first line of defense in preventing unauthorized access and protecting sensitive information.

In this lesson, we’re going to focus on the two most important recommendations when it comes to authentication:

(1) using strong, unique passwords
(2) multi-factor authentication (MFA)

One of the most important things that everyone can do to maximize their online security is to use strong passwords and multi-factor authentication.

It’s arguably more important for small businesses than for almost anyone else, because small businesses can’t rely on layers of expensive security technologies the way that big businesses can.

So at small businesses, getting the fundamentals right is critically important. It all starts with authentication.

We can significantly improve our security posture by using strong, unique passwords, a password manager, and multi-factor authentication (MFA).

When it comes to cybersecurity, one of the most basic yet crucial components is using strong, unique passwords.

A strong password is a combination of letters (both uppercase and lowercase), numbers, and special characters that makes it difficult for unauthorized individuals to guess or crack.

Passwords: Your Business’ First Line of Defense

It is essential to have a strong password because passwords often act as the first line of defense against cyber attacks. Without a strong password, hackers may be able to easily access our systems or data.

Let’s look at some of the characteristics that make a password strong, like length and complexity.

Password Length

The most important characteristic of a strong password is length. Longer passwords are more difficult to crack because there are more possible combinations.

A 12-character password is 62 trillion times harder to crack than a six-character password, even though it’s only twice as long.

The current minimum length tends to be 8 characters, but this is much too short to prevent brute forcing or cracking. We recommend a minimum of 15 characters. However, once you are using a password manager, having a longer password doesn’t make it any more difficult to use.

As a result, we recommend using a password manager and having it automatically generate long (~32 character) passwords using random letters, numbers, and special characters. We’ll see more on password managers below.

Password Complexity

After length, complexity is the second most important factor in creating a secure password. Complexity means using upper and lower case letters, numbers, and special characters in the password. The more random the pattern is, the better. However, it can actually be tough for us as humans to create truly random patterns. When we use the keyboard, our hands tend to move in predictable ways.

Computers are actually better than we are at generating random passwords.

The easiest way to achieve maximum complexity is to use a password manager to generate your passwords.

Using Passphrases

Using a randomly generated password is a great way to make a super-secure password, but if you like being able to remember your passwords, then consider using a long passphrase instead. Something unique is unlikely to be guessed or cracked.

For example, a passphrase like “MoonRiverIsMySunshine2193!” is very strong and memorable.

You can use a passphrase generator, like this one from Keeper, to create passphrases for you.
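To make the length, complexity, and passphrase arithmetic concrete, here is an added example (not part of the original lesson or any password manager's code): entropy for random passwords of the lengths discussed above, entropy for a passphrase built from random dictionary words, and a CSPRNG-based generator of the kind a password manager uses. The 94-symbol character set, the 7,776-word list size, and the 1e10 guesses-per-second cracking rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: the set a password manager typically draws from (assumption)
CHARSET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, symbol_count: int) -> float:
    """Entropy of a uniformly random string: length * log2(symbols).
    Every extra character adds the same number of bits, which is why
    length matters more than anything else once the characters are random."""
    return length * math.log2(symbol_count)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """A passphrase of random dictionary words is guessed word by word, so its
    strength comes from word count and list size, not from character count."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole keyspace at an assumed offline cracking
    rate (1e10 guesses/s is an illustrative assumption, not a measurement)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int = 32) -> str:
    """Generate with the OS CSPRNG (secrets), never random.random().
    Resamples until every character class appears, so the result also passes
    typical 'must contain' rules; the rejection discards only a negligible
    fraction of the keyspace."""
    if length < 4:
        raise ValueError("too short to contain all four character classes")
    while True:
        candidate = "".join(secrets.choice(CHARSET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    for n in (8, 15, 32):
        bits = entropy_bits(n, len(CHARSET))
        print(f"{n:2d} random chars: {bits:6.1f} bits, {years_to_exhaust(bits):.3g} years")
    print(f" 5 random words:  {passphrase_entropy_bits(5, 7776):6.1f} bits")
    print("generated:", generate_password())
```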

Password Behaviors to Avoid

It is important to avoid using easily guessable information, such as your name, birthdate, common words like the company name, season/year, etc. It’s also a good idea to avoid common phrases and sayings, such as Bible quotes.

Additionally, it is recommended to use unique passwords for each account or platform to prevent a security breach in one account from compromising others.

Password reuse is one of the most helpful things to an attacker, and it is very important to avoid. Any time an attacker discovers a password linked to their target, or a previously breached password in a leaked database online, they will try to use it for every single login associated with that person or others at their company.

Password Managers

A password manager is software that makes it much easier to…manage passwords. Let’s think about the target requirements of great passwords:

  1. Long (far more than 8 characters)
  2. Complex (random is better)
  3. Unique (every password only used once, period)

This is hard to do without a password manager. Even using passphrases, most people don’t have the mental capacity to remember unique passphrases for every single login.

Password managers help us generate really strong passwords (think random, 32-character passwords) and give us a place to securely store them.

They also make the process easy. Instead of having to remember passwords, write them down, or keep them (insecurely) in a file, the password manager will keep them safe and secure for us exactly when we need them.

The Real Reason to Use a Password Manager

The real reason to use a password manager is that it’s not easy enough to use strong, unique passwords without it. It’s not enough to use one strong password for all of your logins. They have to be unique too. Among our clients, we’ve seen that people either use a password manager, or they give up and simply don’t use strong and unique passwords.

Password managers perform the critical function of making it easy enough to actually use super strong, unique passwords for every application. Think of it as your first, and potentially most important step, toward better security.

Getting Started With a Password Manager

If this is your first foray into using a password manager, don’t hesitate. Here’s a quick guide to getting started:

Step 1: Select and download a password manager. We like Bitwarden, although there are many other great options. Just sign up for a free account to get started.
Step 2: You will need to select a master password. This needs to be very strong. Don’t store it on the computer! It should be memorized or stored in a safe place that would be impossible for a hacker to access, like a safe.
Step 3: Most password managers have desktop and mobile applications as well as web browser extensions. Choose a format that works for you. For example, if you mostly use Google Chrome, then you will definitely want the corresponding extension.
Step 4: Start using it! The next time you log in to an account, store the corresponding credentials (username and password) in the manager. Better yet, reset it: choose a new, super-long password and store that! Do this for all of your applications.

Multi-Factor Authentication

Multi-factor authentication (MFA) is an essential security measure that adds an important layer of protection to your accounts.

MFA makes authentication much more secure by requiring additional verification steps such as a fingerprint scan, a code sent to your phone, or using an authentication app.

This additional layer of security makes it much harder for unauthorized users to access your accounts, even if they have your password. Not only does it stop bad guys from logging in if they do manage to get your password, it actually prevents any attempt to brute force your password to begin with!

By using MFA, you significantly reduce the risk of a security breach and protect your sensitive information from falling into the wrong hands.

It is crucial to understand that MFA does not replace the need for a strong password but complements it. While a strong password is the first line of defense against cyber threats, it can still be vulnerable to breaches through tactics like phishing or brute force attacks.

Using MFA

More applications are supporting MFA every day. To enable MFA, you may need to find the option in the application settings.

Just Google ‘enable MFA <app name>’, substituting in the name of your application.

When it comes to what type of MFA to use, the options aren’t all equal. The most common ones are text message (SMS), email, and an authenticator application.

Email-based MFA is considered more secure than text message, and an authenticator app is more secure than either. Any MFA is better than no MFA, but an authenticator app is the option to choose where it is offered.

The most popular authenticator apps are Microsoft Authenticator and Google Authenticator. Simply download one on your mobile device. In the app, you will be able to add a new account using a QR code or setup key.

Getting Started With MFA

Here’s a quick summary of how to get started using MFA with an authenticator app:

Step 1: Download either Microsoft Authenticator or Google Authenticator to your mobile device.
Step 2: Sign up for MFA using the application settings. Select ‘Use an authenticator app’ or a similar option. Note: if the authenticator app option isn’t available, continue to sign up for MFA using your email or text message.
Step 3: The application will prompt you to scan a QR code. Simply open the app on your mobile device and use it to scan the QR code.
Step 4: Once signed up, the authenticator app will populate codes for you to login.