Unfortunately, having strong, unique passwords isn’t always enough.
Users of Yahoo!, LinkedIn, and Adobe had their passwords exposed to the world by hackers because those companies did not protect them. This is the balancing act legal professionals face. You can’t possibly keep up with the evolving world of online encryption, whether a site salts and hashes the passwords it stores, and so on. What you, as a reasonable lawyer, need to do is make sure you only put client data on sites that are transparent about how they secure your data, including passwords.
Password management is also made difficult by old tropes that continue to get bandied about. I’d like to dispense with a few of them.
Passwords are like underwear
This is an unnecessarily coarse comparison, used to suggest that passwords should change regularly.
You should create a unique, strong password (using a password manager) for each account or device. If it is truly strong, it shouldn’t need to be changed. Requiring regular password changes is irritating for users, encourages weak passwords, and is a pointless administrative exercise.
Passphrases are more secure
I’ve been guilty of pushing this option, and perhaps, a decade ago, it made sense. The idea was that using a set of words together – applebettylimepie – would create a stronger password. And it is stronger than runner4567. But passphrases are only moderately stronger than other passwords and are really only useful if you need to remember the password. Otherwise, you can just use a random alphanumeric password. I would use a passphrase for the two passwords – encryption and operating system – that I can’t use a password manager for. But otherwise, there’s no need to remember passwords and using words seems to expose passwords to dictionary attacks, even if they’re part of a phrase.
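To put numbers on the comparison above, here is an added example (not code from the original article) that estimates the entropy of each password style and generates passwords the way a password manager does, with a cryptographic random source. It assumes the attacker knows the construction scheme and that words come from a list the size of the standard Diceware list (7776 words); the small word list in the code is constructed for the demo only.

```python
import math
import secrets
import string

# Size of the standard Diceware word list (6^5 = 7776 words). Assumed here as a
# representative passphrase dictionary; the sample list below is far smaller.
DICEWARE_SIZE = 6 ** 5

# Constructed sample word list for the demo (not a real passphrase list).
SAMPLE_WORDS = ["apple", "betty", "lime", "pie", "runner", "oak", "river", "stone"]

ALNUM = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy of `length` symbols each drawn uniformly from `pool_size` choices.

    This is the guessing work an attacker faces if they know the scheme and the
    symbols really were chosen at random by a machine. A human-picked phrase
    such as a song lyric is far weaker than this figure suggests.
    """
    return length * math.log2(pool_size)


def random_password(length: int = 16, alphabet: str = ALNUM) -> str:
    """Generate a random password with the CSPRNG in `secrets` (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: list[str], n_words: int = 4, sep: str = "") -> str:
    """Join `n_words` machine-chosen words from `words` into a passphrase."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare_schemes() -> dict[str, float]:
    """Entropy (bits) of the password styles discussed above, rounded to 0.1."""
    return {
        # word + 4 digits, e.g. runner4567: one Diceware word plus 4 decimal digits
        "word+4digits": round(entropy_bits(DICEWARE_SIZE, 1) + entropy_bits(10, 4), 1),
        # four Diceware words, e.g. applebettylimepie
        "4-word passphrase": round(entropy_bits(DICEWARE_SIZE, 4), 1),
        # 10 random alphanumerics: same length as runner4567
        "10-char random alnum": round(entropy_bits(len(ALNUM), 10), 1),
        # 16 random alphanumerics: what a password manager would typically produce
        "16-char random alnum": round(entropy_bits(len(ALNUM), 16), 1),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:22s} {bits:6.1f} bits")
    print("password  :", random_password())
    print("passphrase:", random_passphrase(SAMPLE_WORDS, sep="-"))
```

Run it and the four-word passphrase comes out around 52 bits: much better than a word plus four digits (about 26 bits), but well short of a 16-character random alphanumeric password (about 95 bits), and a 10-character random password of the same length as runner4567 already beats it. The figures only hold when a machine picks the words; a phrase you chose yourself is guessable from far fewer tries.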
Don’t write down passwords
This might have made sense when we had one password to remember. There is no problem with writing passwords down, though, if you need to do so to remember them. The problem occurs when you do not secure that written password: the proverbial sticky note under the keyboard.
At some point, you should write down (or type) your passwords, although I wouldn’t keep a written copy around for daily use; that’s what a password manager is for. If you are using a password manager, you can export your password list.
Why? Because lawyers have clients, and if a lawyer becomes unavailable through injury, sickness, or death, someone needs to be able to assist those clients. If your law practice is locked behind passwords, you need to consider how to provide access to a backup lawyer.
One easy way is to write down and share your master password, or to write down all of your passwords. Then store this list where you’d store other critical documents: a safe, a bank safety deposit box, that sort of thing. Once you’ve done this, include the entire process in your business continuity plan so that, if worst comes to worst, someone can use that password list to keep your practice going.