Password Security Tools For SimplyBook.me: Maintaining secure access for users and clients

This post is also available in:

Online security techniques are continuously evolving to meet the conditions of online data threats. Sometimes the biggest threat to data security is the people involved. However, password security tools can help mitigate the danger and keep systems secure, even with the human error elements of lost and forgotten passwords. 

Online data security is paramount both for your business and for the peace of mind of your clients. Data privacy laws hold you responsible for any client information leaked from your system, so it makes good business sense to keep your data as secure as possible.

Password security

Gone are the days when you could get away with leaving your assigned password as “password”. Once upon a time, a password was all about internal security and tracking. Now it’s far more critical to keep data secure. Every con artist and hacker knows about less tech-savvy people’s tendency to leave their passwords as something simple or to leave post-its on the bottom of keyboards – we know many people do it, even when they know they shouldn’t. But it has gone much further in recent years. 

Now the cybercriminal knows how to scrape social media for all those insignificant little details, looking for the little clues that will let them make an educated guess at your password. They call it social engineering, posting little quizzes and memes that make people reveal personal details that seem innocuous at the time.

Sure, I get it. When you have to change your password every ‘X’ weeks to maintain strict security levels, you have to pick something you remember. It gets even worse when you have multiple systems, and you need a different password for each one.

Best practices for creating strong password security

Did you know what the most common password in 2020 was? The top 5 passwords, by the number of people who use them, and how long it takes to crack them:

• “123456” – <1 second
• “123456789” – <1 second
• “picture1” – 3 hours (new entry in 2020)
• “password” – <1 second
• “12345678” – <1 second

It’s a pretty dismal picture for password security when four of the five most common passwords can be cracked in under a second.

There are some common and recommended best practices for creating strong passwords that are at least more difficult to crack, if not wholly ‘unhackable’ – that’s not possible.

Try

• Use a minimum number of characters for password length. Most websites will demand a minimum of 6 or 8 characters, but best practice recommends at least 10-12 characters minimum.
• Use a mixture of uppercase, lowercase, special characters, numbers, and even spaces.
• Try using passphrases of 3-4 unrelated words to create a more random string. For example, “random fortitude quantum mole”
• Try making the words even harder to deduce by replacing letters with symbols or number. For example, “R@ndom F0rtitude Qu4ntum Mol3” 
• Change passwords every 90 days – there is some debate that insisting on password changes too frequently leads to greater data security threats. People find it hard to remember a new set of passwords every time they have to create new ones, and they tend to write them down.

AVOID!

• Entirely numeric passwords; are the easiest to hack. Equally easy to guess and brute force are keyboard-adjacent letters and consecutive alphabetical lists.
• Personal information – Any information, which is easily discernible about you, should be avoided.
• First or Family names – it’s probably one of the first things someone would try and extremely easy to discover. The same applies to family members such as children, parents, and family pets. 
• Old passwords – Don’t use old passwords; don’t do it. We are all guilty at times when it seems easier to 
• Trending or common slang phrases – It might surprise you how quickly these can be cracked.

Defining password complexity settings

Okay, so now you know the best practices and recommendations for choosing strong password security. You can implement most of these guidelines in your password complexity settings for your system users. Additionally, if you use the client login feature, you can also implement these setting for your clients. 

To set up the password security settings in Simplybook.me, you will have to enable the custom feature – it’s a free one, just like most of the system’s enhanced security settings.

Password settings for users and clients

Before you decide whether to impose client login requirements on your clientele, you really ought to assign password security settings to you and any other staff members. If a client has poor security, they only expose their own data. If you or your staff have poor online data habits, you risk exposing ALL of your clients’ information.

Here you set the minimum password character length. By default, we set it to 8 characters, but you can change that to a longer string. If you’re following best practices, 10-12 should be the minimum length.
You can enable the use of uppercase and lowercase letters and the use of special characters with a simple toggle switch. You can specify the complexity of the password using the dropdown menu.

To further secure access to your booking system, you can restrict whether the company or user login can contain the same character strings as the password. You can limit the number of false logins to 3-10 times and specify the lock-out time after the set number of failed login attempts from 5 minutes to 24 hours. These limits and restrictions further protect your accounts from attacks involving brute force and random guessing.

If you decide to make your clients register and login to use your booking system, using the client login feature, you can apply the same password complexity settings. The details are virtually identical. You could also choose to set different password security settings to make it easier for your clients.

Adding an extra layer of password security with authentication

You can do everything you can to make your passwords secure, but adding another layer of password security is a better way to protect your online data. Google authenticator is an easily enabled feature that will allow you to keep data secure even when passwords might be compromised.

Demanding the authorisation from an external source such as a phone or tablet adds more than one authentication level. Sure, the actual 2FA from Google authenticator is only officially one factor of authentication. Still, when you consider that most people have PINs to access their phones or even biometric data, it adds another password security level. A laptop and phone might reside in the same stolen backpack, but without the proper access to both laptop and phone, the chances of cracking both are slim.
Of course, that also assumes that someone doesn’t duplicate their passcodes or biometric data across devices – that would not be password security best practice.

The importance of password security tools and multi-level authentication

People forget their passwords. It’s a sad fact. Sometimes they don’t use a system frequently enough for the password to remain in their heads. Other times, it might be because of extended illness or time away from work. It happens, and there’s nothing we can do about it. However, when someone forgets their password and the single authentication point of accessing an email address is the only requirement, things could get a little unsecure. When external authentication is required to reset or regain access to change the password, you enhance your data’s safety.

Another unfortunate fact is that loss and theft happen. We hope it doesn’t, but hope is a pretty fragile thing on which to base your data security. Ensuring multiple levels of authentication 

That’s why Simplybook.me has password security settings and Google Authenticator to mitigate those risks and prevent (as much as possible) unauthorised access and long term loss of access to systems.

In Summary

Passwords were created for security, right from demanding the secret password for entry to the treehouse. However, the online nature of data and access has required that passwords evolve, but much quicker than those who need to use them.

You can follow best practices to maintain your password integrity and authorisation. You can use the tools available to help mitigate risk and double-check the authority of people using the passwords. Maybe you could even go further and use other means, such as biometrics, NFC chips, and even chip implants in people.

Unfortunately, some of the more technologically advanced ideas carry some ethical objections, while others are just too expensive. So far, using tested and effective password settings, 2-Factor authentication, and appropriate security training are the best balance of cost and efficacy for companies to maintain their data security. They are also the easiest ways to introduce everyone to the practice of good online password security habits. And in the ever-changing digital landscape, those good online security habits are priceless.