Posted in: Communication tips, Efficiency, Fraud prevention, Internal controls, Management issues, Special Report, Technology
Of course you know 12345 isn’t the best idea for a password. But are the passwords and practices you and your staffers use just as bad?
Finance is a goldmine of sensitive information. You want to be confident that sloppy habits aren’t putting it at risk. Here’s how to sleep better.
What not to do
It’s probably easiest when talking about passwords to start with the worst practices. You want to begin by reminding all finance staffers that these are not the passwords you want guarding your company’s financial systems. Some may seem obvious — but you’d be surprised how many people do ’em anyway:
- Passwords that are the same as your log-in name
- Easy-to-guess personal info (spouse’s, kid’s, pet’s names)
- Passwords based on keyboard layout. “Asdfgh” and “qwerty” are common choices because they’re a straight shot across the row on the keyboard.
- Simply subbing the obvious choices of other characters for letters. So if your cat’s name is Scruffy, making your password “$cruffy” won’t keep anyone out.
What to do instead
Armed with a long list of what not to do, you also want to give your people a list of what they should be doing to protect your systems. The biggies:
- Make passwords at least 8 characters – a mix of letters, numbers and symbols. Here’s why: Use a five character password of all lowercase letters, and there are 11.9 million possible passwords. Sounds solid, but it’s hackable with today’s sophisticated tools. On the other hand, if you use an eight-character password that includes upper and lowercase letters, as well as numbers and symbols, the possible number of passwords leaps to 899.2 trillion!
- Have a nonsensical password. They can make sense to you so you can remember them, of course. But you probably don’t want a real word. Better to make a password out of a variety of things: your great grandmother’s initials, the year you got your drivers’ license, your favorite crayon name.
2 other key protections
Once your department is using the right type of passwords, you want to keep them working for you. To do that:
- Change it up. Everyone in your department should be changing passwords once a month. Bet if you asked for a show of hands how many people actually do that on their own, you wouldn’t see many raised hands. Why not load a monthly reminder on every finance staffer’s PC to change passwords? And be sure to tell people they can’t just flip-flop back between two passwords. Use new ones each time.
- Log off. No doubt your people log off when they leave work for the evening. They probably even sign out when they head to lunch. But what about something as minor as a trip to the ladies’ room? If someone strolls into your department and a screen full of Social Security numbers is on display, that person might not be able to help but sneak a peek. (And in tough times like these, people who never even would’ve considered such a move might just do it.)