4 Passwords

Passwords are so obvious that you may not realize that they are the single biggest weak link in your digital world.  It’s a great example of how lawyers already know everything they need to know about technology, but still need to apply it.  I doubt there’s anything new to be said about passwords, and yet it’s in the application of them that we so often fail.

3 Rules

There are three basic rules related to password use.  When you don’t follow these rules, you jeopardize your client information:

  • use a password on any device or internet site that contains confidential and private client information
  • every password is a strong password
  • every password is unique to that device or site

This is easy stuff.

If you read this e-book from the beginning, you already know about encryption.  That will require one password.  Your computer operating system will typically require another one.  These should be different from each other.  For each e-mail account, bank account, and other online service, you need another one.  You may be like me, with over 100 passwords and accounts but you’re unlikely to have that many that contain client information.

You don’t need a unique password for sites that don’t have confidential information on them.  I think you should have unique ones for all of your online activity, but that’s your own affair if you want to do it just for your practice accounts.  The reason you may want one for every account is that your account data itself may be enough to make you vulnerable to a phishing or other e-mail-based attack.  It’s bad enough if one account is exploited; it may be worse if you give up enough bits of information from enough accounts that they are able to actually do something with it.

Strong Passwords

The fuzziest part of passwords is what a strong one is. In the past, you may have been told a certain number of characters made a password strong, with more being better.  There are a couple of things to think about with strong passwords.

Length isn’t definitive.  At one point, there was a feeling that it was but now sites like Microsoft’s Office 365 are capping passwords at 20 characters.  You should still lean towards a longer password over a shorter one, but you may be restricted by the requirements of the site or account.

Randomness is probably the most important and hardest to pull off.  There are many suggestions that you use passphrases too – combinations of entire words – but, while those can be memorable, you don’t need to memorize more than one or two of your passwords.  In fact, I’d recommend against memorizing any but the the two you absolutely need – to decrypt your device when you start up and to log in to your operating system.

The rest of your passwords should be created, and stored, in an offline password manager.

Password Managers

A password manager is a piece of software that stores all of your usernames and passwords.  They have become increasingly popular as the focus has grown more intense on password hacks.  You can find many online password managers, none of which I’d recommend.  They are convenient but I personally think that passwords this critical should be kept off the internet.  I use KeePass, a free open source password manager, on my Windows computers and Android devices.

All password managers work the same way.  You type in a master password and unlock (decrypt) the password database.  You can then cut and paste – or have an app do the pasting for you – usernames and passwords into the appropriate fields.  When you’re finished with the password manager, it should automatically lock (like your phone) or close (encrypt).

When you are ready to create a new account, you access your password manager and create a new record.  It will have the option to generate a new, strong password.  In most cases, it will also have an advanced tool so that, if the site requires certain elements – an upper case letter, a special character but not an underscore – you can create an acceptable password.

I prefer the offline password manager because it doesn’t limit me to being online when I’m using it.  I can save usernames and passwords for my desktop applications as well as my internet accounts.  At the end of the day, I’m more comfortable knowing that my password database is under only my control, and not subject to any mistake in security that an online password manager might make.

One issue I faced when I started using a password manager was knowing where all of my passwords were!  I was re-using a couple of memorable passwords, and storing others in my Web browser.  The easiest way is to fix each password as you use it.  This is a how to blog post I wrote on how I went about this.