Who should be more embarrassed?

Ars Technica reports that one of the top cybercriminals wanted by the FBI had a ridiculously easy password. It was his cat’s name.

So, who committed the bigger blunder here? The criminal, or the FBI’s agents who didn’t bother to try obvious passwords like pet names (or even run a dictionary attack)?

I think the criminal wins this contest by an edge. No matter how notorious the guy is, he’s an idiot for not using a more secure password.

Why are passwords so hard for lawyers?

That’s the question Tom Mighell poses in his latest blog post.

I haven’t given as many presentations as Tom about the need for good password practices, but I have seen the same reaction from many lawyers: “Here we go again. This is silly, no one is going to hack me. I don’t have anything worth hacking.” After the presentation, the lawyers go back to their offices and don’t change a single thing they are doing.

Such a cavalier attitude (“I’ve got nothing worth hacking”) can lead to big headaches. Here’s a summary of what happened to just one unfortunate guy who did use good password practices.

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all…. [T]hey used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

If this is what can happen to someone using good passwords, what do you think can happen to you when you use crappy passwords?

If the threat of losing irreplaceable photos of your family isn’t enough to frighten you into good password practices, then how about a potential malpractice suit? I haven’t researched it, but I bet it isn’t too hard for a judge or jury to conclude that a lawyer is negligent for using an easily hackable password that leads to disclosures harmful to a client’s financial interests.

I don’t know about you, but I would not want to be the defendant in a test case like that.

Yes, good password practices can be a pain. So is locking your doors and setting an alarm. But you do it because you want to protect the things behind those doors. Passwords are your keys and alarm systems. If you use crummy ones, you’ll regret it. There are plenty of tools available (like this one or this one) to help you create and manage secure passwords. If you aren’t using one of them, you’re begging for trouble.

If you think it’s still too much trouble, good luck using that excuse with your malpractice carrier or your bar’s disciplinary authority.

Five things to start (and continue) doing in 2013

I’m not one for New Year’s resolutions. But the start of a new year is a good time for many to pause, look back at the last year, and think about things they would like to do differently in the coming year. Here are my five suggestions of things you should start doing right away.

  1. Back up your data and audit your backups. This may be the second most important thing you can do, and it’s not difficult. Florida attorney Katie Floyd has a great set of rules for backup systems. Katie drives a Mac, but the principles work on every platform. Also, don’t forget your portable devices (iPhones, iPads, Androids, etc.)! For iPhone and iPad users, Apple has a good overview of your backup options. I highly recommend using iCloud to back up your iOS devices. When using iCloud, you can back up when you’re away from your computer. A friend of mine went to France last year, took a gazillion photos on his iPhone, and lost his iPhone at the airport in Paris. He didn’t have iCloud backup turned on, so he lost all of the photos. Learn from his mistake.
  2. Exercise. I know, I know. You hear this all the time. There’s a good reason for this repeated message that bombards us from every direction: exercise is important. In fact, 30 minutes of activity each day may be the most important thing you can do for yourself. Watch this ten-minute video where Dr. Mike Evans explains the research behind this idea.
  3. Reset your passwords. I’ve written about this before, and I’ll write about it again. But for now, read the article at Ars Technica explaining why your current passwords are probably useless. Then read Mat Honan’s article explaining why passwords alone are no longer sufficient to protect your online banking, Facebook account, etc. Yes, long random passwords are inconvenient. So is having two locks on your front door. All security is a tradeoff, and you need to weigh the daily inconvenience against how inconvenient it will be to recover from a hacker’s success. As I’ve said before, 1Password and LastPass are the type of tools you need to reduce the inconvenience. Start using them religiously. And don’t forget to enable two-factor authentication wherever possible (Google, Facebook, Dropbox, Yahoo! Mail, PayPal). You can also do a Google search for your particular service, like “disney.com two factor authentication”, to see if there are instructions for setting it up.
  4. Plan your vacation. I’ve learned the value of always having a vacation planned and put on the calendar. One reason I do this is to make sure I always have a break to look forward to. Having that light at the end of the tunnel helps me keep a positive outlook at the office. Another reason I do this is to make sure that I take a break every five or six months. We lawyers are busy people, and if we don’t plan these breaks ahead of time, we end up not having the time to take them. Make the hotel reservations—you can always cancel them if the feathers hit the fan. Or, lock yourself in by making the plane reservations as well.
  5. Improve your work-life balance. Work hard, but play hard too. Commit to getting out of the office by 5:30 one or two days a week so you can have dinner with the family. (It’s really not that hard. If you treat your departure time like it’s time to catch a plane, you won’t have any problem telling your colleagues that a 5:15 meeting doesn’t work on your schedule that day.) No one ever said on his or her deathbed, “I wish I’d spent more time at the office.”

What resolutions or plans do you have for 2013? Leave a comment and share your thoughts.

007 and the Hacker Threat

“You have a secret that can ruin your life.”

That’s how Mat Honan opens his article in this month’s Wired magazine: Kill the Password: Why a String of Characters Can’t Protect Us Anymore. Please set aside 15 or 20 minutes to read that article. Save it to Instapaper, print it out, whatever. Finish it before you go to sleep tonight. The article is that important.

The key point I want you to take away from the article is that it can happen to you.

I think someone tried to hack my life a bit in the last couple of weeks. Not as bad as what Mat Honan went through, but enough to put me on hyper alert.

Incident One: About a week ago I received a notice from American Express that the company had detected some questionable activity on one of my accounts. Specifically, it appeared someone tried to use my wife’s card to try to purchase some crap. I spoke with Amex, got it taken care of, and that should have been the end of it.

Incident Two: Over the weekend, I received a notice from another credit card company that again someone tried to use the card in my wife’s name to purchase some junk. One of the attempted transactions was a purchase at a company that also showed up on the Amex fraud alert. Interesting. The company, Skinit.com (I won’t give them a link), makes iPhone cases. It’s a small company, so the fact that it showed up twice in attempted fraudulent transactions makes me think it was the same person. How that individual got two credit cards for our household is unknown, but I don’t like it.

Incident Three: I received an email from Twitter, dated last Wednesday, inviting me to reset my password. Someone tried to reset my Twitter password. I know I didn’t try to reset it because I was completely off the grid on Wednesday. The email might be a phishing attempt, but maybe not.

I don’t want to seem paranoid, but I’m reminded of something Ian Fleming wrote in Goldfinger:

Mr Bond, they have a saying in Chicago: ‘Once is happenstance. Twice is coincidence. The third time it’s enemy action’.

Yes, two of the incidents were financial fraud attempts and the third looks like a hacking attempt. The odds are good that the person who tried the credit card fraud is not the same person who tried to reset my Twitter password. Nevertheless, how many wakeup calls do I need?

More importantly, will you look at what’s happened to a low-profile lawyer and conclude you need to act before something bad happens to you? Will you also look at what happened to Mat Honan and realize you’re not immune?

First thing I’m going to do is a massive password reset on every web site and service I can think of. I’ve already removed all credit cards stored at Amazon.com. I’m using double authentication for Google Mail and Dropbox. I’m also setting up a “password reset-only” email address per the suggestion in the Wired article. And I’m going to be a little more paranoid from here on. As a witness in a trial I worked on once remarked, “Just because you’re paranoid doesn’t mean they’re not out to get you.”

Excellent review of password pitfalls

I used to regularly read Lifehacker, but lately it seems to be loaded with…I don’t know…fluff. This Lifehacker article on password storage, however, is mandatory reading. These takeaway points are good, but read the whole article; it doesn’t take long.

  • Every web site keeps some record of your password on its servers. What matters is how that record is kept: in plain text, reversibly encrypted, or (properly) salted and hashed so the site can check your password without being able to recover it.
  • If a web site can send you your “lost password” in an email, it is storing that password in a recoverable form, and the site’s security is horrible.
  • Easily guessed or crackable passwords are already in the hackers’ dictionaries, which is why you need your own unique strong one. You’re not as clever as you think, so don’t go with password1, studmuffin, etc.
  • The longer your password, the better: every extra character multiplies the work a brute-force attack has to do.
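To make those takeaways concrete, here is an added example (mine, not from the Lifehacker article or this blog) showing the difference between a site that keeps passwords recoverable and one that stores a salted, iterated hash, and then running a pet-name dictionary attack of the kind the FBI story above describes against the hashed record. The wordlist, suffix rules and sample passwords are constructed for the demo; PBKDF2-HMAC-SHA256 stands in for whatever a real site uses, and the iteration count is deliberately low so it runs in a second or two.

```python
"""Added example: password storage vs. dictionary guessing (not the page's own code).

Assumptions: constructed pet-name wordlist and mangling rules; PBKDF2-HMAC-SHA256 as
the hash; ITERATIONS kept low for a quick demo (production uses far more, or
scrypt/argon2).
"""
import hashlib
import hmac
import itertools
import math
import os
from typing import Iterator, Optional

ITERATIONS = 20_000  # deliberately low for the demo (assumption)


def store_plaintext(password: str) -> str:
    """What a site that can email you your 'lost password' must be doing:
    keeping the password itself. Anyone who reads the database (or the
    email) gets the password, and reuse across sites turns it into a skeleton key."""
    return password


def store_salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. The record lets the site *check* a password but
    not *recover* it, so a 'send me my password' feature is impossible by design."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted_hash(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed "pet name" wordlist and the mangling rules crackers apply to it.
PET_NAMES = ["fluffy", "max", "bella", "tiger"]
SUFFIXES = ["", "1", "123", "!", "2013"]


def candidates(words=PET_NAMES, suffixes=SUFFIXES) -> Iterator[str]:
    """Yield each word as-is and Capitalised, with each common suffix appended."""
    for word, suffix in itertools.product(words, suffixes):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(record: str) -> Optional[str]:
    """Try every candidate against a stolen salted-hash record.
    Returns the password if it is in the dictionary, otherwise None.
    Salting does not stop this; it only forces the attacker to do it per user."""
    for guess in candidates():
        if verify_salted_hash(guess, record):
            return guess
    return None


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of strings of this length over this alphabet:
    each extra character multiplies the attacker's work by alphabet_size."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    weak = store_salted_hash("Fluffy123")                     # a pet name with a suffix
    strong = store_salted_hash("correct horse battery staple")  # constructed; not in the wordlist
    print("cracked weak:  ", dictionary_attack(weak))
    print("cracked strong:", dictionary_attack(strong))
    print("8 chars, 62 symbols: ", round(brute_force_bits(8, 62), 1), "bits")
    print("16 chars, 62 symbols:", round(brute_force_bits(16, 62), 1), "bits")
```

The point of the demo is the asymmetry: the hashed record cannot be turned back into the password (so a site that emails it to you never hashed it), yet a hash does nothing for a password that is in the attacker's wordlist. Length and unpredictability are what push the guess count past what the attacker can afford.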