Security is a hot topic for any SaaS application where sensitive data is involved. No question.
What is unusual is people’s surprise when I tell them that the best way of increasing their security when using Xero is to choose a strong password and keep it secure, rather than relying on any security measures Xero has implemented.
I’ve heard mixed opinions from customers on how sensitive they feel their accounting data is. But picking a secure password isn’t simply about preventing access to a particular site: the consequences of poorly-selected passwords can be devastating. Having your social networking access compromised could be embarrassing, but finding your identity has been stolen or your bank account compromised is far worse.
OK, take a deep breath before we get carried away with paranoia. These things can happen, but ask yourself “How many people do I personally know who’ve had this happen to them?” Personally – no one.
So what have Xero done to protect me?
• We make sure you don’t have to share a login with any other user, as all organisations signed up to Xero get unlimited users. Therefore there’s no excuse for sharing logins and passwords.
• It may seem annoying at times, but we’ve purposefully disabled the ability for browsers to remember your Xero password, so you have to type it each time. This means no one else can access your data if your computer is stolen, or if you simply leave it unattended and the session times out back to the login page.
• We make sure you use a password of at least 8 characters containing both letters and non-alphabetical characters.
So what can you do to make sure you’re secure?
Here are some common-sense rules that will help you with security and help train your memory as well:
- Use different passwords. If you’re signing up for something that doesn’t need to be secure, you could use the same password for all similar sites, but beware: if it is cracked or guessed it could well be tried against any other site you have signed up to. Following the same rationale, make sure all your secure sites use different passwords.
- Choose passwords that are hard to remember (for other people). Birthdays, names, pets or maiden names are all easily scavenged from Google searches and your public profiles displayed on other sites.
- Ideally choose a password that makes no sense and is a mixture of upper and lower case and non-alphanumeric characters. Take the first letter of each word in a long phrase such as “I love to sing in the shower. No one can hear me and it lasts for an hour.” This can be used to create and remember a really good password: “Iltsits.Nochmail4ah”
- Without being patronising, please don’t use passwords suggested in blogs or other sites, although some sites do provide tools to help you remember a password you have chosen.
- Never (and we really mean never) give your password to anyone else, no matter how much you trust them. If you think someone knows your password, change it immediately.
- Make sure that your email account has a strong password: if someone can get into your email account, they can get into most of your online services. Use a different password for your email account than you use for Xero.
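The phrase-to-password technique described above, together with the 8-character rule from the Xero list, as an added Python example (this is not Xero's code). The “for” to “4” substitution and the rule of dropping only the phrase's final full stop are inferred from the page's single example, and the mixed-case and non-alphanumeric checks reflect the page's advice rather than any stated Xero rule; both are assumptions made here.

```python
import re
import string

# Homophone substitution used by the page's own example ("for" -> "4").
# Any further entries would be an assumption; the page shows only this one.
HOMOPHONES = {"for": "4"}


def derive_password(phrase: str) -> str:
    """Build a password from a memorable phrase: the first letter of each
    word, keeping punctuation inside the phrase and writing "for" as "4"."""
    # Drop punctuation at the very end of the phrase: the page's example keeps
    # the full stop after "shower" but not the one after "hour" (assumed rule).
    phrase = phrase.strip().rstrip(string.punctuation)
    parts = []
    for token in phrase.split():
        m = re.fullmatch(r"([A-Za-z0-9']+)([^A-Za-z0-9']*)", token)
        if not m:
            continue  # a bare punctuation token contributes nothing
        word, trailing = m.groups()
        parts.append(HOMOPHONES.get(word.lower(), word[0]))
        parts.append(trailing)
    return "".join(parts)


def policy_failures(password: str, minimum_length: int = 8) -> list:
    """Return the rules a password fails; an empty list means it passes.

    The first three rules are the minimum the page states Xero enforces
    (at least 8 characters, containing letters and non-alphabetical
    characters). The last two are the page's stronger advice on mixed case
    and non-alphanumeric characters, added here as an assumption."""
    failures = []
    if len(password) < minimum_length:
        failures.append(f"shorter than {minimum_length} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(not c.isalpha() for c in password):
        failures.append("no non-alphabetical characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        failures.append("not a mixture of upper and lower case")
    if not any(c in string.punctuation for c in password):
        failures.append("no non-alphanumeric characters")
    return failures


if __name__ == "__main__":
    phrase = "I love to sing in the shower. No one can hear me and it lasts for an hour."
    derived = derive_password(phrase)
    print(derived, policy_failures(derived))
    # A password that meets the 8-character minimum but not the stronger advice:
    print("Passw0rd", policy_failures("Passw0rd"))
```

Running the block reproduces the page's example password from its phrase and shows the difference between merely meeting the stated minimum and following the stronger advice: “Passw0rd” passes the first three rules but is flagged for having no non-alphanumeric character.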
There are password manager applications available to download that make entering passwords easier. These may mean you only have to enter a single password to access the application, which then automatically supplies the real password for each site. These may be useful, but make sure they don’t fall foul of any of the issues above before you consider implementing them.