TechTidBit – Tips and advice for small business computing – Tech Experts™ – Monroe Michigan

Brought to you by Tech Experts™

Password Security

Advanced Strategies To Lock Down Your Business Logins

October 14, 2025

Good login security works in layers. The more hoops an attacker has to jump through, the less likely they are to make it all the way to your sensitive data.

For small and mid-sized businesses, this layered approach can be the difference between a near miss and a costly breach.

The first and most obvious layer is password hygiene. Unfortunately, many businesses still allow short, predictable logins or let staff reuse the same credentials across multiple systems.

That gives attackers a head start. A stronger approach is to require unique, complex passwords for every account. Even better, swap out traditional passwords for passphrases – short sentences that are easier for humans to remember but much harder for machines to crack.

Since most people can’t keep dozens of long, random strings in their heads, a password manager is a smart addition. It lets employees generate and store strong credentials securely, so no one has to rely on sticky notes or memory alone.

But passwords aren’t enough. Multi-factor authentication (MFA) has become one of the most effective defenses against compromised logins. It works by adding an extra verification step, like a code sent to a phone or an approval in an authenticator app.

Even if a hacker does steal a password, MFA forces them to clear another hurdle before gaining access. The key is to apply it consistently. Leaving one “less important” account unprotected is like locking your front door but leaving the garage wide open.

Another important safeguard is access control, often called the principle of least privilege. The fewer people who have administrative rights, the fewer chances there are for those credentials to be stolen or misused.

Keep high-level privileges limited to the smallest possible group, and avoid using those accounts for everyday work.

Instead, maintain separate admin logins and store them securely. The same rule applies to third-party vendors: give outside users only the access they need, and nothing more.

Device and network security also play a role. Even the strongest login policies won’t mean much if an employee signs in from a compromised laptop or an unsecured public Wi-Fi connection.

That’s why company laptops should be encrypted and protected with strong passwords, while mobile devices should have security apps in place – especially for staff who travel or work remotely.

Firewalls should remain active both in the office and for home-based workers, and automatic updates for browsers, operating systems, and applications should always be turned on. Those updates frequently include security patches that close holes attackers are quick to exploit.

Email deserves special mention because it remains one of the most common gateways for login theft. One convincing message is all it takes for an employee to hand over credentials to an attacker.

Advanced phishing and malware filtering can block many of these messages before they ever land in an inbox. On the technical side, setting up SPF, DKIM, and DMARC records makes your company’s domain harder to spoof, reducing the chances of a successful impersonation attack.

Just as important, regular user training helps employees learn how to verify unexpected requests and spot suspicious links before they click.

Finally, even the best defenses can be bypassed. That’s why preparation matters just as much as prevention. An incident response plan ensures your team knows what to do the moment something looks wrong, minimizing panic and downtime.

Routine vulnerability scanning and credential monitoring can catch issues before they escalate. And reliable, tested backups guarantee that even if attackers gain access, your business can recover quickly without paying a ransom or suffering permanent data loss.

None of these steps need to happen overnight. The best way to approach login security is to start with the weakest link – maybe it’s an old, shared admin password or the lack of MFA on your most sensitive systems – and fix that first.

Then move on to the next gap. Over time, those small improvements add up to a solid, layered defense that protects your team, your data, and your reputation.

In the end, good login security isn’t just about keeping hackers out. It’s about giving your employees confidence that when they log in, they’re working in a safe, secure environment. With the right layers in place, your logins become a security asset – not a weak spot.

Biometrics Are the New Password – But What Happens If Yours Gets Stolen?

August 25, 2025

Technology moves fast, and one area that’s quickly becoming part of everyday business life is biometrics. Instead of typing in a password, more people are logging in with a fingerprint, a facial scan, or even voice recognition. It’s quick, easy, and it feels more secure. No more forgotten passwords or sticky notes under keyboards.

But as with most things in technology, convenience comes with a catch.

Unlike a password, you can’t change your fingerprint. You can’t “reset” your face. So if your biometric data is compromised, it’s not just a minor headache – it’s potentially a long-term problem.

And that has business owners starting to take a second look at how this data is being used and protected.

Biometric information is now among the most valuable types of data a business can hold. That makes it a prime target for hackers. If your systems store fingerprint or facial data – especially if you’re using it for employee or client logins – you’ve got to treat that data like gold.

Unfortunately, cybercriminals already know how powerful biometric credentials are. Unlike a password that can be changed in minutes, biometric data is permanent. That’s part of what makes it so attractive to attackers.

On underground markets, this type of information is sold at a premium. Criminals can use it to get past identity checks, access systems, and even impersonate someone online.

So what’s the best way to protect your business? The first step is understanding where and how this data is stored. If you’re using devices that store biometric information locally – such as a smartphone or a fingerprint reader on a laptop – that’s often safer than storing it in a central database.

Local storage keeps the data off the network, which makes it harder for hackers to get to.

However, if you do need to store biometric data on a server – maybe for time tracking, door access, or centralized logins – it needs to be properly secured.

That means strong encryption, keeping it separate from other sensitive data, and limiting who has access to it. You’ll also want to monitor and log any changes or login attempts.

If you’re using third-party apps or devices that rely on biometric login, make sure you know how those vendors handle security. Read the privacy policy, ask questions, and check whether they’ve had any past data breaches.

Not all providers treat this data with the care it deserves, and you don’t want to find that out the hard way.

Done right, biometrics can be a great tool. They streamline access, make logins easier, and reduce password fatigue for your team. But they need to be handled with as much care as a traditional password system, or even more.

Bottom line: If you’re going to use something as personal as a fingerprint or a face scan to unlock your business systems, make sure you’re the only one with the key.

Want help reviewing your current biometric security practices? We’re happy to chat. Reach out today.

What Is A Password Spraying Attack?

June 17, 2025

Password spraying is a complex type of cyberattack that uses weak passwords to get into multiple user accounts without permission. The method relies on trying the same password, or a list of commonly used passwords, on multiple accounts. The goal is to get around common security measures like account lockouts.

Attacks that use a lot of passwords are very successful because they target the weakest link in cybersecurity: people and how they manage their passwords.

What is password spraying and how does it work?

A brute-force attack called “password spraying” tries to get into multiple accounts with the same password. Attackers can avoid account lockout policies with this method.

Attackers often get lists of usernames from public directories or data leaks that have already happened. They then use the same passwords to try to log in to all of these accounts. Usually, the process is automated so that it can quickly try all possible pairs of username and password.

Password spraying has become popular among hackers, even those working for the government, in recent years. Because it is so easy to do and works so well to get around security measures, it is a major threat to both personal and business data security.

As cybersecurity improves, it will become more important to understand and stop password spraying.

How does password spraying differ from other cyberattacks?

Password spraying is distinct from other brute-force attacks in its approach and execution. While traditional brute-force attacks focus on trying multiple passwords against a single account, password spraying uses a single password across multiple accounts.

Understanding brute-force attacks

Brute-force attacks involve systematically trying all possible combinations of passwords to gain access to an account. These attacks are often resource-intensive and can be easily detected due to the high volume of login attempts on a single account.

Comparing credential stuffing

Credential stuffing involves using lists of stolen username and password combinations to attempt logins.

How can organizations detect and prevent password spraying?

Detecting password spraying attacks requires a proactive approach to monitoring and analysis. Organizations must implement robust security measures to identify suspicious activities early on.

Implementing Strong Password Policies. Organizations should adopt guidelines that ensure passwords are complex, lengthy, and regularly updated.

Deploying Multi-Factor Authentication. Multi-factor authentication (MFA) significantly reduces the risk of unauthorized access by requiring additional verification steps beyond just a password.

Conducting Regular Security Audits. Regular audits of authentication logs and security posture assessments can help identify vulnerabilities that could facilitate password spraying attacks.

Enhancing Login Detection. Organizations should set up detection systems for login attempts to multiple accounts from a single host over a short period. Implementing stronger lockout policies that balance security with usability is also crucial.

Incident Response Planning. An incident response plan should include procedures for alerting users, changing passwords, and conducting thorough security audits.
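The login detection described above, failed attempts against many accounts from a single host over a short period, can be expressed as a sliding-window count over authentication events. This is an added example, not part of the original article; the log format, the thresholds and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line: timestamp, source host, account, result.
SAMPLE_LOG = """\
2025-06-17T09:00:05 192.0.2.10 dana FAIL
2025-06-17T09:00:20 192.0.2.10 dana OK
2025-06-17T09:01:00 203.0.113.50 alice FAIL
2025-06-17T09:01:30 203.0.113.50 bob FAIL
2025-06-17T09:02:00 203.0.113.50 carol OK
2025-06-17T09:02:30 203.0.113.50 dana FAIL
2025-06-17T09:03:00 203.0.113.50 erin FAIL
2025-06-17T09:03:30 203.0.113.50 frank FAIL
2025-06-17T09:04:00 203.0.113.50 grace FAIL
2025-06-17T09:05:00 198.51.100.7 admin FAIL
2025-06-17T09:05:02 198.51.100.7 admin FAIL
2025-06-17T09:05:04 198.51.100.7 admin FAIL
2025-06-17T09:05:06 198.51.100.7 admin FAIL
2025-06-17T09:05:08 198.51.100.7 admin FAIL
2025-06-17T09:05:10 198.51.100.7 admin FAIL
"""


def parse_events(text):
    """Parse log lines into (timestamp, source, account, succeeded), oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("FAIL", "OK"):
            continue  # skip malformed lines instead of guessing at their meaning
        ts, source, account, result = parts
        events.append((datetime.fromisoformat(ts), source, account.lower(), result == "OK"))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources that fail logins on min_accounts distinct accounts within window.

    events must be sorted by time. Returns {source: {start, end, accounts, succeeded}}.
    """
    recent = defaultdict(deque)  # source -> failed (timestamp, account) pairs in window
    hits = {}
    for ts, source, account, succeeded in events:
        if succeeded:
            continue
        failures = recent[source]
        failures.append((ts, account))
        while ts - failures[0][0] > window:
            failures.popleft()
        accounts = {name for _, name in failures}
        if len(accounts) >= min_accounts:
            hit = hits.setdefault(source, {"start": failures[0][0], "accounts": set()})
            hit["end"] = ts
            hit["accounts"] |= accounts
    for source, hit in hits.items():
        # A success from a flagged source during the spray means that account's
        # password was guessed: reset it first when responding.
        hit["succeeded"] = sorted({
            name for ts, src, name, ok in events
            if ok and src == source and hit["start"] <= ts <= hit["end"] + window
        })
        hit["accounts"] = sorted(hit["accounts"])
    return hits


if __name__ == "__main__":
    for source, hit in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(source, "failed on", hit["accounts"], "and logged in as", hit["succeeded"])
```

The repeated failures on the single `admin` account are not flagged here, because that pattern is what a per-account lockout policy catches. The window length bounds what this check can see, so it is worth running a second pass with a longer window.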

Taking action against password spraying

To enhance your organization’s cybersecurity and protect against password spraying attacks, contact us today to learn how we can assist you in securing your systems against evolving cyber threats.

Should You Use A Password Manager?

February 18, 2025

Password managers keep our online accounts safe. They store all our passwords in one place. But are they hackable?

What are password managers?

Password managers are like digital vaults: they save all your passwords inside themselves. You need only remember one master password to then gain access to all of your other passwords. This makes keeping a lot of accounts much easier to handle.

Dedicated password managers are difficult to hack if configured properly. While hackers are always hunting for ways to steal your information, a properly configured password manager has a complex password and two-factor authentication. This makes it very difficult to crack.

You can protect your password manager by using a strong master password. The master password is the “key” that unlocks all of your other passwords. Use a mix of letters, numbers, and symbols, or better yet, a secure passphrase that is easy to remember, but hard to guess.

Be sure to enable two-factor authentication. 2FA adds an important layer of security.

What happens if a password manager gets hacked?

If you’ve set up your password manager properly, the chance of it being hacked is extremely low. However, if your password manager is compromised, you should:

  • Change your master password immediately.
  • Determine which accounts could be affected and change their passwords as well.
  • Consider shifting to another password manager.
  • Keep up to date with any security news about your manager.

The benefits of using a password manager usually outweigh the risks. They help you create strong, unique passwords for each account.

Choosing a reputable password manager with good reviews and security features is key. Do some research before deciding which one to use.

Using a password manager will go a long way in enhancing your online security. If you need help in selecting which one, give us a call at (734) 240-0200.

How To Make The Pain Of Passwords Go Away

May 13, 2024

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Passwords. They’re the keys to our digital kingdoms, but also the biggest pain in our necks.

They’ve been around since the dawn of the internet, and guess what? Even with replacements being introduced, they’re not going away anytime soon.

I’m sure you’ve felt the pain of managing a billion passwords for all your accounts. It’s exhausting and risky. Perhaps it’s time you considered using a password manager.

The real beauty of password managers is you only have to remember one password – the master password to log in to your manager. Then, it does everything else for you.

  • It creates long random passwords
  • It remembers them and stores them safely
  • And it will even fill them into the login page for you

That means no more wracking your brain trying to remember if your password is “P@ssw0rd123” or “Pa55w0rd123” (both are really bad and dangerously weak passwords, by the way). With a password manager, all the work is done for you.

We won’t sugarcoat it – password managers aren’t invincible. Like all superheroes, they have their weaknesses. Cyber criminals can sometimes trick password managers into autofilling login details on fake websites.

But there are ways to outsmart criminals.

First, disable the automatic autofill feature. Yes, it’s convenient, but better safe than sorry, right? Only trigger autofill when you’re 100% sure the website is legit.

And when choosing a password manager, go for one with strong encryption and multi-factor authentication (MFA) where you generate a code on another device to prove it’s you.

These extra layers of security can make a big difference in making your accounts impenetrable.

Enterprise password managers offer useful features like setting password policies and analyzing your teams’ passwords for vulnerabilities. Plus, they often come with behavior analysis tools powered by machine learning tech. Highly recommended.

But here’s the thing – no matter how advanced your password manager is, it’s only as good as the person using it. So, do yourself a favor: Train your team to stay vigilant against scams, and always keep your password manager up to date.

We can recommend the right password manager for your business and help you and your team use it in the right way. Get in touch at (734) 457-5000, or info@mytechexperts.com.

It’s Time To Fix Your Risky Password Habits

April 24, 2024

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

We all know how important it is to keep our data safe, but sometimes our best intentions fall short. And when you have employees, you’re at an increased risk of security threats and bad habits creeping in.

Here’s the deal: Even if you invest in cyber security training, changing long held password habits can be a tough nut to crack. People love convenience, and remembering a ton of complex passwords just isn’t their idea of a good time.

Your employees are juggling dozens of passwords for work and personal use. It’s a lot to handle, and sometimes they slip up and reuse passwords across different accounts. It’s a familiar story, right? And it’s where the trouble starts.

When passwords are reused, it’s like leaving the front door wide open for cyber criminals. If the password is breached on one site, they will try it to access other sites.

Here’s how you can make sure your team stays on top of their password game.

Password audit: Ask your IT partner to do an audit of passwords and look for weak ones that should be changed.

Block weak passwords: Ask your IT partner to implement a password policy that stops common passwords from being used.

Scan for compromised passwords: Even strong passwords can be compromised. Stay one step ahead by scanning for breached passwords and prompting employees to change them.

Use password managers: Password managers securely generate then store a unique password for every different account… and fill them into the login box so your team doesn’t have to.

Multi-Factor Authentication (MFA): Add an extra layer of security with MFA, where you get a code on a separate device. It’s like putting a deadbolt on your front door – double the protection, double the peace of mind.

With the right tools and guidance, password security doesn’t have to be hard work. If we can help you with that, get in touch – (734) 457-5000.

Is It Time To Ditch The Passwords For More Secure Passkeys?

June 22, 2023

Passwords are the most used method of authentication, but they are also one of the weakest.

Passwords are often easy to guess or steal. Also, many people use the same password across several accounts. This makes them vulnerable to cyber-attacks.

The sheer volume of passwords that people need to remember is large. This leads to habits that make it easier for criminals to breach passwords, such as creating weak passwords and storing passwords in a non-secure way.

61% of all data breaches involve stolen or hacked login credentials.

In recent years a better solution has emerged – passkeys. Passkeys are more secure than passwords. They also provide a more convenient way of logging into your accounts.

Passkeys work by generating a unique code for each login attempt. This code is then validated by the server. This code is created using a combination of information about the user and the device they are using to log in.

You can think of passkeys as a digital credential. A passkey allows someone to authenticate in a web service or a cloud-based account. There is no need to enter a username and password.

This authentication technology leverages Web Authentication (WebAuthn). This is a core component of FIDO2, an authentication protocol. Instead of using a unique password, it uses public-key cryptography for user verification.

The user’s device stores the authentication key. This can be a computer, mobile device, or security key device. It is then used by sites that have passkeys enabled to log the user in.

More secure

One advantage of passkeys is that they are more secure than passwords.

Passkeys are more difficult to hack. This is especially true if the key is generated from a combination of biometric and device data.

Biometric data can include things like facial recognition or fingerprint scans. Device information can include things like the device’s MAC address or location.

This makes it much harder for hackers to gain access to your accounts.

More convenient

Another advantage of passkeys over passwords is that they are more convenient. With password authentication, users often must remember many complex passwords. This can be difficult and time-consuming.

Forgetting passwords is common and doing a reset can slow an employee down. Each time a person has to reset their password, it takes an average of three minutes and 46 seconds.

Passkeys erase this problem by providing a single code. You can use that same code across all your accounts. This makes it much easier to log in to your accounts. It also reduces the likelihood of forgetting or misplacing your password, or worse, writing it down.

Phishing resistant

Credential phishing scams are prevalent. Scammers send emails that tell a user something is wrong with their account.

They click on a link that takes them to a disguised login page created to steal their username and password.

When a user is authenticating with a passkey instead, this won’t work on them. Even if a hacker had a user’s password, it wouldn’t matter. They would need the device passkey authentication to breach the account.

Are You Still Using That Same Old Password?

February 5, 2023

We talk a lot about strong passwords. It’s kind of our job. But they’re really important if you want to protect your online accounts and keep your data safe.

So why are we hearing that ‘123456’ is still the most common password? Researchers found it used more than 100,000 times in a recent study.

‘Admin’ is another popular choice, found 17,000 times, followed by the highly creative ‘root’ and ‘guest’. Often these are pre-set default passwords which you’re supposed to change when you first log in – but too many people don’t bother.

Names – personal names, celebrities, even football teams – are also common, as are profanities. One swearword cropped up 300,000 times in the study (we’ll let you guess which word it was).

But popular choices make for weak passwords. A brute force attack involves throwing thousands of passwords at a system.

So if you’re using any of these examples, it wouldn’t take long for an attacker to gain access to your account.

A good solution is to use a password manager. This will create long, strong, random passwords that are impossible to guess. It also stores them securely and autofills them, saving you time.

An even safer solution is Passkeys. These could take over from passwords entirely – Apple and Microsoft are already rolling them out across their apps and accounts. Passkeys consist of two ‘keys’: One on your device and one within the application.

When they connect and recognize each other as the right fit, you gain access to your account… all without clicking a button.

The best part is that you never have to remember a password. It’s all done within your device and the application, so it’s unlikely that a cyber criminal will ever be able to get their hands on your login credentials. And there are 123456 reasons why that’s a good thing.

Need help to find the right password manager? Get in touch.

The Way We Use Passwords Is Finally Changing

July 27, 2022

Passwords are a problem that companies are always trying to fix, but they are still essential for accessing pretty much anything online. And even now, people aren’t changing them after a breach, and they still use the same password to access multiple sites.

Reused passwords are a potential security problem because if a password has been compromised once, then hackers can use it to access other accounts if it’s been used as the sign-in for another site.

Truth be told, passwords are annoying for most people. If you look at the best practice password advice, it’s creating work for everyone:

  • Generate long random character passwords rather than using everyday words that can be guessed by cyber criminals’ automated software
  • Use a different password for every single application
  • Never write passwords down or share with a colleague

This is why we tell our clients to use a password manager. It’s a safe way to generate highly secure passwords, store them, and fill in login boxes so you don’t have to.

Recently we’ve heard that tech giants Microsoft, Apple and Google have joined forces to kill off the password and introduce its replacement.

That’s called a passkey.

It’s very simple. To log in to something, you’ll use your phone to prove it’s really you.

Your computer will use Bluetooth to verify you’re sat nearby. Because Bluetooth only works a short distance, this should stop many phishing scams.

Then it’ll send a verification message to your phone. You’ll unlock your phone in the usual way, with your face, fingerprint, or PIN.

And that’s it. You’re logged in.

We could see this new no-password login being introduced to some of the world’s biggest websites and applications over the coming year. Exciting!

If You’ve Ever Reused A Password To Sign Up For Something New, You Have A Problem…

November 24, 2021

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

It’s something many people admit to doing: they reuse the same password across a few different services.

Not judging you if you’ve done it. It’s easy to see why thousands of people do this every day. It feels like an easy way to get signed up to something.

If you reuse a password, you won’t have to go through the hassle of trying to remember it and needing to reset the password in the future. However, you only have to do this once, and you’re at big risk of something called credential stuffing.

This is where hackers get hold of millions of real usernames and passwords. These typically come from the big leaks we hear about in the news.

Once leaked, information from databases from major companies like Facebook, Twitter and LinkedIn can be bought on the dark web for pennies each.


Copyright © 2025 Tech Experts™ · Tech Experts™ is a registered trademark of Tech Support Inc.