Passwords continue to be a key topic of conversation among small-business owners. While we have talked in recent blog posts about ways to make passwords stronger, I’d like to discuss some of the common errors SMBs make when it comes to the passwords they pick to protect their data.
Small businesses are less likely than large firms to survive the financial burden of a breach of their computers. Many small businesses assume they will not be targets of cyber attacks, but recent history has clearly demonstrated otherwise: an HVAC vendor was targeted by cybercriminals in 2013, and its systems and credentials were used to initiate the breach of Target Corporation.
The best defense that small businesses can adopt is to require that all remote access be authenticated using two-factor authentication. Reliance on only usernames and passwords for remote access should be strongly avoided by all businesses. The costs associated with using two-factor authentication have dropped somewhat over the years, and getting a small business to adopt two-factor authentication often poses less of a cultural barrier than making such a change in a large business.
Many small businesses are also reluctant to require passwords longer than 8 characters, or complex passwords that mix upper- and lower-case letters, at least one number, and at least one special character. The reality is that anyone can purchase rainbow tables for less than $1,000 that enable easy cracking of any combination of 7 or 8 characters, provided the attacker can obtain a copy of a user’s hashed password. Criminals who can’t afford $1,000 can likely find someone who does have the necessary tools and is willing to run them against a hashed password for a much lower price.
A recent report from SplashData indicates that the 5 most common passwords revealed during 2014 were: 123456, password, 12345, 12345678, and qwerty. Four of those were also in the top 5 positions in the 2013 report from SplashData. It is likely that a clever lawyer could argue that reliance on short, easily guessable or crackable passwords is a negligent practice. If a small business tries to obtain cyber-insurance, it is likely that better practices would have to be used in order for a claim to be paid. If a small business wants a chance to limit liability, it must use strong passwords longer than 8 characters.
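The two rules the post argues for, a minimum length above 8 characters with the four character classes, and a rejection of the passwords that show up at the top of the SplashData list, can be enforced at account-creation or password-change time. The following Python is an added example written for this post, not code from the original article or from SplashData; the blocklist is constructed from the five 2014 entries quoted above, and the `keyspace` helper (an assumption of 95 printable ASCII characters) only illustrates how much each extra character enlarges the space a rainbow table would have to cover.

```python
from __future__ import annotations

import string

# Constructed blocklist: the five most common 2014 passwords the post cites
# from SplashData. A real deployment would load a far larger breach-derived list.
COMMON_PASSWORDS = frozenset({"123456", "password", "12345", "12345678", "qwerty"})

MIN_LENGTH = 9  # "longer than 8 characters", as the post recommends

# Assumed alphabet size: the 95 printable ASCII characters.
PRINTABLE_ASCII = 95


def policy_violations(password: str, blocklist=COMMON_PASSWORDS) -> list[str]:
    """Return every policy rule the password breaks; an empty list means accepted.

    Reporting all violations at once lets the user fix the password in one try
    instead of discovering the rules one rejection at a time.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Compare case-insensitively so "Password" or "QWERTY" is caught as well.
    if password.lower() in blocklist:
        problems.append("appears on the common-password list")
    return problems


def keyspace(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Number of candidate strings of exactly `length` characters over the alphabet.

    A precomputed table covering every 8-character string has to grow by a factor
    of `alphabet_size` for each additional character of required length.
    """
    return alphabet_size ** length


if __name__ == "__main__":
    for candidate in ("123456", "Password", "Tr0ub4dor&3"):
        verdict = policy_violations(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
    print(f"9-char space is {keyspace(9) // keyspace(8)}x the 8-char space")
```

The check runs on the submitted plaintext at the moment it is chosen, which is the only point where the business can see the password; once stored, only the hash should remain, so the blocklist comparison cannot be retrofitted to existing accounts without a forced reset.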