Let’s walk through why this is a bad idea and what can go wrong.

No Audit Trail Means No Clarity

When everyone uses the same login, it becomes impossible to track who did what. Was it Sarah who deleted that folder, or James, or someone pretending to be one of them?

Systems that use individual accounts log activity under a name. Shared logins just say “admin” or “user.” This creates confusion, especially when something goes wrong and you need to determine what happened. Without an audit trail, there’s no clarity and no accountability.

No Accountability Means More Risk

If something breaks, something disappears, or something confidential is leaked or shared, shared logins mean nobody’s on the hook. It’s easy to say, “Wasn’t me,” when five other people have the same access. This isn’t just about blame; it’s about building a business where people take care of the systems and data they use.

READ MORE: Stop Account Hacks: The Advanced Guide to Protecting Your Small Business Logins

When each person has their own login, they know their actions are logged under their name. That alone encourages people to slow down, double-check things, and avoid careless mistakes.

One Leak Can Open the Door to Everything

If one person with a shared login account gets hacked, misplaces a password, or clicks on the wrong link, the entire system is compromised. An attacker now has access to everything that the login can do.

Worse still, shared logins tend to be written down, saved in browsers, or shared over email. The more places that the password exists, the higher the chance someone unwanted finds it. And once they’re in, there’s no easy way to trace what they touched or who they pretended to be.

It Gets Messy When Someone Leaves

Let’s say someone leaves the business, and they still remember the password. Now, you need to update it everywhere where a shared login was used, assuming you even remember which systems it connects to.

READ MORE:  Where Did That File Go? (Hint: It’s in Dave’s Personal Dropbox)

It also creates a trust issue. What happens if someone leaves on bad terms? Can they still log in later and cause problems? With individual logins, you can deactivate their account. Done. Clean, easy, no mess.

The Fix: Individual Accounts for Every Staff Member

It may take more time upfront, but providing every staff member with their own login is the right approach. It allows you to:

1. Track changes and actions.
2. Protect your business if someone gets hacked.
3. Easily remove access when someone leaves.
4. Encourage staff to take ownership and to care.

Additionally, you can grant different individuals varying levels of access. Not everyone needs admin rights. Some just need to see information, others need full control. That kind of flexibility comes only with individual logins.

How Hopedale Technologies Can Help

If you’re still using shared logins or are not sure how to transition away from them, we can help. We’ll work with you to set up secure, individual access for each team member that is tailored to how your business runs.

Whether it’s managing passwords, setting the correct permissions, or reviewing how your systems are currently being used, we’ve done this many times before. We’ll make the process straightforward and take the stress out of untangling shared access.

If you’re starting from scratch, we’ll help you build it from the ground up. If you’re dealing with a bit of a mess, we’ll help clean it up.

Years later, the same Wi-Fi password is still floating around, yet the office has changed. People have come and gone, devices have been added, and more and more systems rely on that same wireless network. The password stays the same, and the list of people who know it gets longer by the month.

This is where the problems begin.

Why One Shared Wi-Fi Network Creates Hidden Risks

When everyone uses the same Wi-Fi network, you lose all sense of separation. Staff devices sit on the same network as printers, servers, guest phones, contractor laptops, and even random devices that were connected once and forgotten. It feels harmless on the surface, but you are letting everything into the same room.

Guests bring in their own devices, and you have no idea what condition those devices are in. They could have malware installed, outdated software, or questionable apps. Once they connect to your Wi-Fi, they are inside your network. If that device happens to be infected, it can try to reach other systems inside your office. It needs only one weak device to cause trouble.

Past employees are another issue. If the Wi-Fi password never changes, any former staff member can still connect. Some do not intend harm; they simply still have the network stored on their phone. Others may feel annoyed or bitter after leaving and know they still have access. Sitting in the car park with full entry to your internal network is far more common than most business owners realize.

Even with a single shared password, your router will usually show a list of connected devices. With better equipment, you can even see how much traffic each device is using. The problem is that this visibility is shallow and hard to relate to real people and business roles. You see device names, IP addresses, and MAC addresses, not “accounts” tied to staff, guests, ex-employees, or random visitor phones.

When everything sits on one flat network and everyone uses the same credentials, it becomes much harder to answer basic questions such as “Was this a staff device or a guest device?” or “Was this traffic coming from the finance team or from the waiting area?” You might see that a device pulled a lot of data or connected to suspicious sites, but matching a device labelled “iPhone” or “DESKTOP-29456” to a specific person or group is messy, especially once people have left the business, swapped phones, or brought in their own gear.

What a Safer Network Looks Like

A good business Wi-Fi setup does not rely on one password that never changes. Instead, it separates the network into clear sections. Staff work on their own protected network, office devices such as printers and phones live on another, and visitors have access to a guest network that appears normal to them but cannot access anything else in the office.

READ MORE: 6 Helpful Tips to Troubleshoot Common Business Network Issues

This structure is called network segmentation. It is simply the idea that different groups should not all sit in the same place. Once you split the network into logical sections, you gain more control and experience far fewer surprises. Visitors can still connect to the internet, but they cannot browse your servers or internal devices. Staff can work normally without worrying about what someone in reception is doing on their phone. Devices that do not need to interact with your computers, such as cameras or printers, stay isolated so they cannot interfere with anything important.

Alongside segmentation, proper access control helps you manage who can connect and for how long. Instead of a single, shared password that lasts forever, staff have individual access that can be revoked when they leave. Guest Wi-Fi can expire automatically, meaning visitors do not have open access long after their meeting ends.

The goal is a network that still feels simple to staff and guests but has the right boundaries behind the scenes.

Why It Is Hard to Fix on Your Own

Most consumer routers cannot do real network segmentation. They might offer a basic guest option, but they are not built to separate staff devices, office equipment, and visitors in a reliable way. Proper segmentation needs business-grade hardware and careful setup.

Once you move to equipment that supports these features, the configuration matters. Placing printers, cameras, or EFTPOS terminals on the wrong network can disrupt systems that rely on them. Creating multiple Wi-Fi networks without planning can also cause interference or access gaps.

This is why changing the shared password every few months does not solve anything. The network is still one flat space with no separation.

READ MORE: Stop Account Hacks: The Advanced Guide to Protecting Your Small Business Logins

A review helps you decide who needs access to what, which devices should be isolated, and how the network should be structured. With the right gear and layout, everything becomes safer and far easier to manage.

How We Can Help

As a managed service provider, this is one of the most common network issues we fix for small and mid-sized businesses. We look at your setup, your staff, your devices, and the way you work, then we design a clean network structure with the right separation between staff, guests, and office equipment.

That usually includes setting up safe guest Wi-Fi, moving devices to their own networks, replacing the shared password with better access control, and monitoring the network so problems are caught early. Once the structure is in place, everything becomes simpler. Staff get stable Wi-Fi, guests still get online, and you get a network that is safer, cleaner, and far easier to manage.

If your password is written on a whiteboard, known by people who left years ago, or shared freely with every visitor, it is time to fix it. A short conversation is usually all it takes to see where the gaps are and how we can close them.

Let us review your setup and help you move beyond the single password that has outgrown your business.

Most browsers will ask after you’ve entered a new password into a site or changed a password if you want it stored for you. That way, when you revisit that site, the browser can autofill your access credentials. It saves you the struggle of trying to keep all your passwords straight.

READ MORE:  How the Bad Guys Get Your Passwords

The problem is that some sites, including legitimate sites, can be compromised with a hidden form. You’ll never see it, but your browser will. So, it will autofill that form in clear, unencrypted text. This allows bad actors to capture your username and password without your knowledge.

Another risk? Irresponsible digital marketers may use hidden autofill forms to track your online activity. That’s done without your consent.

READ MORE:  Picking Your Home PC Browser

Using browser autofill with a password manager can also confuse, especially if your browser auto-fills, whereas the manager asks before filling in forms. Using both simultaneously, you also risk duplicating passwords, which could make it challenging to track your passwords and increase the risk of security breaches.

How to turn off autofill

You can protect your passwords by turning off autofill on any browser you use:

• On Microsoft Edge, go to Settings, then Profiles, then Passwords, and turn off “Offer to save passwords.”
• On Google Chrome, go to Settings, then Passwords, and turn off “Offer to save passwords.”
• On Firefox, open Settings, then Privacy & Security, then Logins and Passwords, and “Autofill logins and passwords.”
• On Safari, from the Preferences window, select and turn off Auto-fill.

Can I keep using password managers?

A password manager, such as LastPass (our choice) or 1Password, typically provides more security than browser autofill. Password managers have robust encryption algorithms to protect your login credentials, which means that even if your device is compromised, your passwords are safe.

READ MORE:  The Benefits of Password Managers

Still, you face the same risks if the manager auto-fills your credentials. Most password managers have autofill disabled by default. That’s good. Leave preemptive autofill off. You might see it called “Autofill on page load.” Keep that turned off, too.

Our advice? Use a password manager that requires you to click a box before it fills in your credentials. This action prevents your information from automatically populating a hidden form.

Securing your online activity is an ongoing challenge. Hopedale Technologies can help identify ways you can protect your privacy and data online. Contact us today at 508-478-6010.

Regularly, there are stories about major companies being hacked, their customer data stolen, and their customers left stranded in the news today.  Hackers commonly use data stolen from one site to access others where login credentials have been reused between accounts.  In some cases, access to bank accounts has been gained simply by using a compromised email account.

Businesses and individuals can face significant losses simply because a third party outside their control has been hacked or compromised.

Password Management

Good security practice uses a unique and strong password for every login you use.  A strong password should include, where possible, capital letters, lowercase letters, numbers, and character symbols. It is clearly impossible to manually remember a strong password for each one of the dozens of logins needed today.  Few would even attempt to.  A password manager makes storing, retrieving, and using unique passwords easy.

When using a password manager, an individual must remember only one strong password to access a database, which contains a different login password for each service.  This database can be synced between multiple devices, saved and backed up to the cloud, and even used to create strong passwords for you.

We’re happy to suggest the best solution for your needs and set it up, too. Here at Hopedale Technologies, we use LastPass to manage our passwords. To learn more about LastPass click HERE. 

You’re probably familiar with hackers trying many different password combinations with a username. Web security services know about this form of attack, too. That’s why you can get locked out of your site for trying the wrong password too many times.

This brings us to password spraying. The cybercriminals have found a way to get around the three-tries-and-you’re-out-of-luck defense. Instead of one user and many passwords, they use one password with many different usernames.

Think how easy this could be. Your company database is online for people to contact your employees. The bad actor takes john@yourcompany.com, jane@yourcompany.com, jamal@yourcompany.com, and so on, or they buy a list of usernames on the Dark web. Then, they try common passwords for every one of those individuals.

“Abc123,” “123456,” and … ugh … “password” are still frequently in use worldwide as passwords. So, it’s not that much of a stretch for a hacker to be able to get in with one of these common permutations.

The brute-force attack runs through a long list of users before trying the next “wrong” password. So, by the time it has finished going through the list of users with the password “abc123”, enough time has passed to avoid lockouts, and the hacker tries another password from the user list.

What to do about password spraying

The most obvious thing? Stop using any of the passwords that appear on the most commonly used worldwide lists! Do you think no one would still be using these obvious options? In 2021, there were more than 3.5 million reported uses of the “123456” password. “Password” came in second with 1.7 million reported uses. Both take less than a second to crack.

You should use more complicated passwords. This doesn’t have to mean that users add seven numbers, six symbols, and three capitalized letters. The National Institute of Standards and Technology (NIST) guidelines suggest length is more important. So, users can create longer yet easier-to-remember passwords. NIST further recommends checking every new password against a breached password list.

Multifactor authentication helps, as well. This requires the user to verify themselves with access credentials and extra authentication. This might be a code sent via text to a smartphone or could involve an authentication app.

It’s also a good idea to segment your networks so that users access only what they need to. Limiting user access can minimize the damage done if there is a breach.

Put password best practices in place

Keep your business secure with the help of a managed service provider. We can spearhead the installation of lockout policies and– other security measures. Our experts also stay current with the latest vulnerabilities to proactively protect your organization.

Password manager programs generate, manage, and store many different passwords. You may be concerned about whether a password manager is safe to use. But, the cybersecurity industry consensus is “yes, it is.”

A password manager uses top-notch encryption to protect passwords. Plus, they take a zero-knowledge approach. They can’t actually see the passwords they store and prefill on sites. The password is encrypted before it reaches the manager’s server and can’t be deciphered. This is why you need to be so careful not to forget your master password!

Using a password manager is one of our 7 Tips for Better Cybersecurity. That said, the password manager offers more than a vault for encrypted credentials.
 
More Benefits of Password Managers

For one thing, many password managers have apps for download onto mobile devices. Then, you can use the password manager to prefill forms on those, too. This gives you the advantage of convenience not only on your computer but also on the go.

Some password managers offer added security benefits, as well. They might:

• warn you of weak password and login credentials;
• remind you to change your passwords;
• notify you if your passwords may have been compromised in a breach;
• advise you against using the same password on multiple sites.

Another advantage is that you can conveniently share passwords with others. Maybe you want to give family members shared access to streaming accounts or allow a work colleague access to applications you’re using remotely. A managed password sharing feature can allow them to see selected passwords. You aren’t showing everything: you can pick what you make available. Plus, when you change your credentials, the password will change on their end, too. This doesn’t need to be permanent either. You can easily revoke password sharing.

You can also use a password manager to secure other important information. You might store things such as credit card numbers or other personal identifying information. Keeping that kind of data in an unencrypted note on your desktop or mobile device is unsafe, but you can take advantage of password manager encryption to safely store those precious details. Learn how the bad guys get your passwords.
 
Secure your passwords with a manager

You can’t expect to remember all your unique passwords. Yet the days of writing down passwords on Post-it notes are over. Use cloud-based password management to secure your passwords and do more.

We’re happy to suggest the best solution for your needs and set it up, too. Here at Hopedale Technologies, we use LastPass to manage our passwords. To learn more about LastPass click HERE. 

It’s estimated that we each have an average of 100 passwords. That’s a lot to remember, especially as we need unique logins for every site to lower our risk of cyberattack. 

At the same time, every website wants us to set up an account. It helps them get to know their users and target marketing and product development efforts. They might also share the information with third parties as another source of income.

Still, the website wants to keep its users coming back, so they allow you to sign in with Google or Facebook accounts to streamline the process. Weigh the value of that added convenience against these three considerations.

#1 You’re giving away more data

By using Google or Facebook to sign in on other websites, you give the sites greater access to information about you. Now, they not only know what you do on their sites, but you’re also allowing them to build out their picture of you with data insights from the shared sites.

Google and Facebook have powerful tools to dig deeper into your online activity, and other websites can also extract data from your Facebook and Google accounts. If you don’t read the privacy policies, you may not know what sensitive data the platforms share. To learn more about privacy on Facebook, read Everything You Need to Know About Facebook Privacy.

#2 You could lose access

You may join those who decide to quit Facebook or leave Google in favor of another platform. If you do so and you have used that account to access other sites, you’ll have to create new logins.

Even if you’re not going to do away with your Facebook or Google account, you could still lose access. If there’s a major outage at one of those two sites, you won’t be able to log in at any of your connected sites either. The other websites won’t authenticate you until Facebook or Google is back up and running.

#3 Your attack surface gets bigger

If you have one unique login credential for a website, you risk your data there only if that site gets hacked. However, if you use Facebook or Google login, and bad actors compromise that account, they can access any shared sites.

Think of it like dominos. The Facebook or Google account is the first to fall, but all those other accounts you “conveniently” login to using those credentials will come tumbling down soon after. Don’t think the attacker won’t bother looking for other connected accounts? Once they breach one account, all they have to do is go into your settings to see what you have connected.

Social media accounts are also a prime target. Don’t believe us? Bet you’ve seen a post from a Facebook friend (or ten) telling you to ignore strange activity due to a hacked account. Here are  Ten Ways to Protect Yourself from the Facebook Cloning Scam.

Protect your online identity

Account compromise is a top cause of data breaches worldwide. Protect your online identity by following best practices for cyber hygiene. Seven Tips for Better Cybersecurity will help give you smart steps to take.

Need help with password security? At Hopedale Technologies, we use our affiliate LastPass password manager to keep our passwords and logins secure. We can set you up with LastPass and provide other online security help like VIPRE Managed Antivirus. 

Setting up encryption scrambles your data so that only authorized parties can understand the information. Without the encryption key, anyone trying to read your information would see gibberish.

You’re already using encryption when you visit any “https” website. The lock symbol beside the URL shows that encryption is protecting your connection with the site. You’ll see it when shopping or banking online, and it’s protecting the data in transit.

You can also encrypt the data on your computers.

Password Protection Is Not Enough

Many people at this point have a password for their user account on a home computer or laptop. Some of these passwords are even complicated, although the number-one password people use continues to be “123456” – seriously – followed by “123456789” and “qwerty.”

Regardless of its strength, the logon password doesn’t stop anyone with physical access. You might have your browser remembering usernames and passwords (it’s not a shared computer, right?), and anyone with access can use those pre-populated credentials to access your accounts.

If someone really wants to get to password-protected files on a physical device, they can do so. The attacker might bypass your password by booting your computer up to a new operating system. Or the bad guy might even remove your hard drive and put it into a new computer. All they need is a second computer and a screwdriver!

Full disk encryption protects those files, even if the attacker has physical access and even if your laptop is lost or stolen, your home is burglarized, someone seizes your computers.

Encryption Is Not a Silver Bullet

Of course, we need to be clear. Encrypting your hard disk doesn’t make your computer invincible to cyberattackers, although does force them to work a lot harder.

Attackers can also still exploit services running on your computer, such as network file sharing. Plus, encryption doesn’t stop a nefarious agency from spying on your online activity in transit.

Nevertheless, it does beef up your physical security. You can encrypt an external hard drive or your system’s entire hard drive. Then, when you turn the computer on, you’ll need to unlock the disk to boot up your operating system. The computer won’t work until the user supplies the encryption key or passphrase. You can also create multiple unlocking keys if you have several user accounts for that device.

Again, you’re going to want to come up with a strong password. If your key phrase is “password,” (the fourth most common choice in 2019), there’s little point in encryption.

You also don’t want to walk away from your laptop, leaving it open and accessible. You’ll want to set your encryption program to lock again after a certain amount of idle time. Otherwise, you’ll find encryption doesn’t impact your computer’s performance.

Make sure your computers and laptops are always physically secure. With disk encryption, only people you trust can access your data and files.

It’s a good idea to navigate to https://haveibeenpwned.com to see if your email address or phone number is on any data breach files. This isn’t conclusive, but it can help.

Even if you’re not sure if you’ve been a victim of a data leak, you’ll want to take action.

There are several smart strategies to follow immediately.

#1 Limit your social sharing

It is simple to share on social media – that is part of the fun. You share the pictures of your wedding day or anniversary or your new house with its address. You’re filling in family and friends in your life, right?

Well, if you are using any of that information to create access credentials, you are sharing too much. Someone with a beloved cat called “Petunia” in every photo who uses the feline’s name as a password gives hackers an edge.

You might think you are sharing harmless information, but those birthday party photos posted on the big day are a clue to your identity that hackers can exploit.

#2 Use Unique Passwords

Would you believe people still use “12345678” and “password” as their passwords? If you are one of them, stop now. We’ve said it before, and we’ll say it again and again: use unique passwords for every one of your accounts. Yes, it is more to remember, but it helps cut the risk of a data breach at one site snowballing to disastrous consequences for you.

You might use a password keeper such as LastPass to manage your many passwords. This is more secure than the password manager offered by your Web browser, although those are better than revising passwords or trying (hopelessly) to memorize them.

#3 Add Two-Factor Authentication (2FA)

Enabling two-factor authentication (2FA) makes it more challenging for the bad actor. Now, they will need to obtain access to login credentials and your personal device. However, since phone numbers are often included in a data leak, this isn’t the best solution. If the hacker has your name, address, and birthdate from the Dark Web, they can take over your phone number, too. They call the company and say, “I lost my phone. Can I get another SIM card?” Then, they are the ones to get those verification codes via message, not you.

Better still, use a 2FA app to confirm your identity. Authy or LastPass are good authenticator apps. After you attempt to log in, you will need to enter a time-sensitive code generated by the app to complete access.

#4 Stop Signing into Other Sites Using Social

Sure, it is convenient to use your Facebook or other social media account to sign in to connected applications because you have fewer passwords to remember. Some of your data is automatically transferred, so signup is streamlined, too. Yet you are increasing the risk of account compromise.

The hacker may access the third-party application and use that as a stepping stone to get into your social account. That’s where the trove of data is.

#5 Develop an Alternate Ego

It all sounds super spy, but you might have one email account you open to be a burner account for social media. You could also use a fake birth date, a fake alma mater, and other alternative facts to fill out the social profile.

Don’t fabricate personal details for an employer or a financial or educational institution. But you might use a fake identity for entertainment, gaming, and social sites that bad guys may mine for personal data.