*This blog is part of the April 2023 Thought Leader newsletter
‘Aristophanes’ didn’t work for Felix Unger when The Odd Couple crossed paths with TV game show mainstay “Password” in 1972 (and here’s a hint: it’s still too weak for you to use as a login password).
Weak passwords are a serious problem. So are the repeated passwords many of us tend to use from account to account and application to application. The fact is that data thieves steal passwords all the time. If your password is too weak, it’s easy to steal. And if you’re using it across multiple logins, a cybercriminal only needs to steal it once to break into all the other accounts where you use the same credentials.
It’s not just about protecting your own system, either. A data thief can steal your credentials from an online newspaper subscription, a grocery store’s loyalty program or social media, and use them to break into your bank account, your healthcare provider or your email. Even if you’re varying your passwords, it might not be enough.
Take PayPal, for instance. Users recently found that their account information was compromised even though PayPal itself never suffered an attack, as CSO explains: “[T]here was ‘no evidence’ that the compromised logins were taken from PayPal’s systems. Rather, it’s likely that username and password data gleaned from other cyberattacks were used to try to log in to PayPal accounts, which succeeded in some cases where users recycled their passwords.”
Think about all the places you’ve used those old familiar usernames and passwords. There could be hundreds. And if you think some of those organizations are unlikely to suffer an attack, think again. Recent victims of data theft include popular UK bookseller WH Smith, several fast-food restaurants and delivery services and even a breast-milk bank for medically fragile babies. Seriously, nothing and no place is safe.
Of course, that includes your accounting firm. If your employees are reusing passwords, a throwaway set of credentials for a long-lost restaurant or retail loyalty program could open the door to your firm’s and clients’ data.
That’s why you and your employees need to use a unique password for each account you log into, no matter what it is. Sound cumbersome? It can be. That’s where a password wallet can come in handy. Users can store passwords in password wallets, so they don’t have to recall them constantly.
Good examples of password-wallet vendors include 1Password, Keeper and DashLane. One popular vendor to avoid is LastPass, which has recently suffered breaches and is not currently secure. An attacker who steals a user’s LastPass password can steal all the data that user can access.
Another best practice to follow is to mandate use of long passphrases—essentially sentences with 20 characters or more—instead of the classic “password123!” formula with numbers and special characters. Longer passphrases are far harder for cybercriminals to crack and more effective for securing your data.
Also, discourage employees from answering cute little quizzes on social media about the names of their first pets, their birthdays or where they and their partner first met. These questions are often used as extra layers of security in logins, and what may seem like fun little queries are, in fact, data-harvesting exercises.
Speaking of extra layers of protection, the password itself isn’t enough to guarantee a secure login. At a minimum, you should employ multifactor authentication (MFA) along with a password. MFA prompts a user to confirm a login on a different device after the user enters a password.
But even MFA, while necessary, isn’t iron-clad anymore. A good security partner can take you beyond passwords and MFA and offer new types of protection. Biometric security methods, including facial recognition and fingerprint scanning, add another layer of security that’s very difficult to break into.
An ideal security setup would include a combination of all three elements of access—a password, a biometric security method and MFA. In that scenario, for instance, a fingerprint scan could lead the user to enter a password, which MFA would then validate via another device.
You don’t want your firm to be the entry point for a data thief to steal credentials and then use them all over the internet. You also don’t want a thief to be able to use a stolen username and password from some completely unrelated organization to break into one of your users’ work accounts. If a cyberattacker targets the right—or more to the point, wrong—user, the attacker could access all your firm’s data.
Most employees don’t think about how they use credentials. Many will take the lazy way out and reuse passwords across applications. The right security partner can help you educate your employees, so they stop that dangerous practice. A partner that’s familiar with the accounting profession can play an especially important role in employee training.
Here’s a five-decade-old spoiler alert: Felix and Oscar lost on Password in 1972. But you can’t afford to lose your firm’s data. Make sure your employees use strong, unique passwords…and then put the technology in place to bolster your data security. Doing anything else is just too risky.
Please complete the following:
Rootworks members can now use an early access version of Insights, which delivers customer segmentation and pricing data as well as reports for your firm and clients. Connection to QuickBooks Online is required for firms and/or clients.