Finance News & Insights

The sloppy security habit that could be costing you big


Of course you know 12345 isn’t the best idea for a password. But are the passwords and practices you and your staffers use just as bad?

Finance is a goldmine of sensitive information. You want to be confident that sloppy habits aren’t putting it at risk. Here’s how to sleep better.

What not to do

It’s probably easiest when talking about passwords to start with the worst practices. You want to begin by reminding all finance staffers that these are not the passwords you want guarding your company’s financial systems. Some may seem obvious — but you’d be surprised how many people do ’em anyway:

  • Passwords that are the same as your log-in name
  • Easy-to-guess personal info (spouse’s, kid’s, pet’s names)
  • Passwords based on keyboard layout. “Asdfgh” and “qwerty” are common choices because they’re a straight shot across the row on the keyboard.
  • Simply subbing the obvious choices of other characters for letters. So if your cat’s name is Scruffy, making your password “$cruffy” won’t keep anyone out.

What to do instead

Armed with a long list of what not to do, you also want to give your people a list of what they should be doing to protect your systems. The biggies:

  • Make passwords at least 8 characters – a mix of letters, numbers and symbols. Here’s why: Use a five-character password of all lowercase letters, and there are 11.9 million possible passwords. Sounds solid, but it’s hackable with today’s sophisticated tools. On the other hand, if you use an eight-character password that includes upper- and lowercase letters, as well as numbers and symbols, the possible number of passwords leaps to 899.2 trillion!
  • Have a nonsensical password. It can make sense to you so you can remember it, of course. But you probably don’t want a real word. Better to make a password out of a variety of things: your great-grandmother’s initials, the year you got your driver’s license, your favorite crayon name.
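
The rules in "What not to do" and "What to do instead" can be checked automatically when a password is set. The sketch below is an added example, not code from the article: the function names, the substitution table and the sample accounts are constructed for illustration, and the 74-symbol alphabet is an assumption chosen because it reproduces the 899.2 trillion figure (the article does not list which symbols it counts).

```python
import string

# Constructed tables for this example; extend them to match your own policy.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
OBVIOUS_SUBS = str.maketrans("$@0134!57", "saoleaist")  # "$cruffy" -> "scruffy"

def keyspace(alphabet_size, length):
    """Number of possible passwords of exactly `length` characters."""
    return alphabet_size ** length

def has_keyboard_walk(password, run=5):
    """True if any `run` consecutive characters follow one keyboard row."""
    p = password.lower()
    chunks = (p[i:i + run] for i in range(len(p) - run + 1))
    return any(c in row or c in row[::-1] for c in chunks for row in KEYBOARD_ROWS)

def check_password(password, login, personal_words=()):
    """Return a list of findings; an empty list means no rule was tripped."""
    findings = []
    lowered = password.lower()
    unsubbed = lowered.translate(OBVIOUS_SUBS)
    if lowered == login.lower():
        findings.append("same-as-login")
    for word in (w.lower() for w in personal_words if w):
        if word in lowered:
            findings.append("personal-info")
        elif word in unsubbed:
            findings.append("substituted-personal-info")
    if has_keyboard_walk(password):
        findings.append("keyboard-walk")
    if len(password) < 8:
        findings.append("too-short")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_symbol):
        findings.append("missing-mix")
    return findings

if __name__ == "__main__":
    # Constructed sample accounts: (password, login, personal words).
    samples = [("jsmith", "jsmith", []), ("Asdfgh", "jsmith", []),
               ("$cruffy", "jsmith", ["Scruffy"]),
               ("Mjh#1987Cerulean", "jsmith", ["Scruffy"])]
    for pw, login, words in samples:
        print(f"{pw!r}: {check_password(pw, login, words) or 'ok'}")
    # 26 lowercase letters vs. an assumed 74-symbol mixed alphabet.
    print(keyspace(26, 5), keyspace(74, 8))
```
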

2 other key protections

Once your department is using the right type of passwords, you want to keep them working for you. To do that:

  1. Change it up. Everyone in your department should be changing passwords once a month. Bet if you asked for a show of hands how many people actually do that on their own, you wouldn’t see many raised hands. Why not load a monthly reminder on every finance staffer’s PC to change passwords? And be sure to tell people they can’t just flip-flop back between two passwords. Use new ones each time.
  2. Log off. No doubt your people log off when they leave work for the evening. They probably even sign out when they head to lunch. But what about something as minor as a trip to the ladies’ room? If someone strolls into your department and a screen full of Social Security numbers is on display, that person might not be able to help but sneak a peek. (And in tough times like these, people who never even would’ve considered such a move might just do it.)

  • Fred

    Use common sense.

    For most users changing passwords monthly would lead to written reminders lying around that would be even easier to access. I have seven typewritten pages of passwords to various applications. I can remember only a few, so my main concern is keeping the list secure. Another question: does management have the list of all passwords? Technology gurus aren’t always available to try to overwrite unknown passwords (or it may not be possible in all cases) during middle-of-the-night emergencies.

    Frankly, changing Scruffy to $cruffy would keep out casual browsers, and I agree keeping out casual browsers is something that must be done. But if someone is trying to hack in for serious destructive or fraudulent reasons, elaborate passwords for the AP Clerk or Inventory Specialist may not be more useful than $cruffy.