Why are passwords so hard for lawyers?

That’s the question Tom Mighell poses in his latest blog post.

I haven’t given as many presentations as Tom about the need for good password practices, but I have seen the same reaction from many lawyers: “Here we go again. This is silly, no one is going to hack me. I don’t have anything worth hacking.” After the presentation, the lawyers go back to their offices and don’t change a single thing they are doing.

Such a cavalier attitude (“I’ve got nothing worth hacking”) can lead to big headaches. Here’s a summary of what happened to just one unfortunate guy who did use good password practices.

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all…. [T]hey used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

If this is what can happen to someone using good passwords, what do you think can happen to you when you use crappy passwords?

If the threat of losing irreplaceable photos of your family isn’t enough to frighten you into good password practices, then how about a potential malpractice suit? I haven’t researched it, but I bet it isn’t too hard for a judge or jury to conclude that a lawyer is negligent for using an easily hackable password that leads to disclosures harmful to a client’s financial interests.

I don’t know about you, but I would not want to be the defendant in a test case like that.

Yes, good password practices can be a pain. So is locking your doors and setting an alarm. But you do it because you want to protect the things behind those doors. Passwords are your keys and alarm systems. If you use crummy ones, you’ll regret it. There are plenty of tools available (like this one or this one) to help you create and manage secure passwords. If you aren’t using one of them, you’re begging for trouble.

If you think it’s still too much trouble, good luck using that excuse with your malpractice carrier or your bar’s disciplinary authority.

Why your passwords suck, and how to fix them (pt. 2)

Password security is a necessary evil in today’s society. Too many people online have weak (even guessable) passwords. As identity thieves and hackers become more sophisticated, we users need to improve our own security habits.

The first step you should take is to stop using the same username and password for every online service. When you use the same password for “cutekittens.com” that you do for your bank accounts, you are asking for trouble. A security breach at “cutekittens.com” means the crooks now have your bank password, and they can clean you out. The crooks don’t even need to break into the web site: there is an entire market online for usernames and passwords. Hackers do the hard work, and they sell the information to the people who want to steal your money (and more).

But wait, you say, how do the crooks know where I bank? They don’t. They don’t have to. They can simply play the odds that you bank at one of the big banks: JP Morgan Chase, Citibank, Bank of America, Wells Fargo, and so on. The crooks simply try your username and password at the various bank web sites. They find that enough of these efforts work that they keep doing it.

Admit it to yourself: you are vulnerable.

To protect yourself, you have to use different passwords for each online service you have. Yes, it can be a royal pain to keep track of them (although there are some tools for this, which we will look at momentarily). But it is the only way to protect yourself. Think of it this way: would you use the same key for your car, your home, your office, your safe deposit box, and so on? Of course not. Most of us have at least two or three keys on our key rings, sometimes more.

So how do you keep track of these various passwords? One way is old-fashioned yet effective: you write them all down on a single piece of paper, fold it up, and put it in your wallet. We are already pretty good at protecting our wallets (or purses), but there are still pickpockets and purse thieves who would no doubt be thrilled to find a bonus in the stolen item.

The better practice is to use a password manager application. I am most familiar with two of them: Lastpass and 1Password. There are undoubtedly others, but they all work in similar fashion. You use the application by creating a good, solid master password to unlock the app, and then the app can fill in your unique password on the web site. What I like about Lastpass and 1Password is that they work on multiple platforms: Windows, Mac, iOS, etc. Lastpass also works on Linux, if that’s your preferred operating system. Let’s look at this idea in a little bit more detail.

Let’s say you sign up for Lastpass (did I mention its basic–yet feature-rich–version is free?). You create a master password, like round#fa?77 (this example is actually too short, but it will do for now). Then, Lastpass can create a strong, secure password for each web site you use. You pick how long, how many numbers, special characters, and the like, and Lastpass does the rest. It can even fill the password into the proper field on the web site. Save it, and you’re set. Lather, rinse and repeat for each web site, and pretty soon you have a collection of unique, completely unmemorable and unguessable passwords. The only thing you have to remember is round#fa?77.

Whenever you visit one of the sites, like your local bank, you unlock Lastpass, use the Lastpass browser extension to fill in your username and password, and voila! You’re in. It really could not be easier. 1Password works the same way.

The simple fact is that if you’re not using something like Lastpass or 1Password, you’re asking for trouble. Yes, modern browsers have “keychains” that will remember your passwords, but if your computer is stolen (or hacked by malware), the crooks have your passwords. You need a solid password manager to keep your password data encrypted, and all it requires of you is remembering one master password.
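To make the idea concrete, here is an added illustration (my own constructed example, not code from Lastpass, 1Password or the original post) of what a password manager does under the hood: one master password unlocks an encrypted vault of generated, unique per-site passwords, the wrong master password yields nothing, and a reuse check flags the cutekittens.com-equals-bank problem described at the start of part 2. It uses only Python’s standard library, so an HMAC-based stream cipher stands in for the AES a real product would use; the master password and site names are assumed sample values.

```python
import hashlib, hmac, json, secrets, string

ITERATIONS = 100_000  # PBKDF2 work factor; real products tune this higher over time

def generate_password(length=20, symbols=True):
    """Random per-site password; you choose the length and whether to include symbols."""
    alphabet = string.ascii_letters + string.digits + (string.punctuation if symbols else "")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def _keys(master, salt):
    """Stretch the master password into an encryption key and a separate MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (demo only, not AES)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:n]

def seal_vault(master, entries):
    """Encrypt {site: password} under the master password; returns salt|nonce|ct|tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(master, salt)
    pt = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return salt + nonce + ct + tag

def open_vault(master, blob):
    """Return the entries, or None if the master password is wrong or the file was tampered with."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)

def reused_passwords(entries):
    """List groups of sites that share a password: the reuse a manager is meant to eliminate."""
    by_password = {}
    for site, pw in entries.items():
        by_password.setdefault(pw, []).append(site)
    return [sites for sites in by_password.values() if len(sites) > 1]
```

A stolen copy of the sealed blob is useless without the master password, which is the difference from a browser keychain that stores passwords readable to anyone holding the machine.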

Given that Lastpass is free for its basic service, you owe it to yourself to give it a try. It may seem like a bit of a headache at first, but it’s nothing compared to the headache of dealing with the police, banks, insurance companies, and so on if your bank account is cleaned out. Lastpass has a premium version that runs $12 (US) per year.

1Password is more expensive, but it operates as a standalone application, meaning you can store plenty of things like Social Security Numbers, credit card account information, software licenses, and so on without having to launch a web browser. 1Password also has a free trial, so it cannot hurt to give both services a look.

Your homework assignment is to start using one or both of these services and use them to create long, impossible to memorize passwords for your various web sites. In the next (and hopefully final) article in the series, we’ll look at how to create a good master password.
