Password Insecurity – Lessons from a Personal Story

Mark Bassingthwaighte, Esq.

mbass@alpsnet.com

Sometimes married couples see things differently and the only way to resolve the tension is by finally deciding to agree to disagree.  That’s how things played out in our home for a number of years on the issue of passwords.  My wife viewed my focus on computer security and passwords as something approaching mild paranoia.  I, on the other hand, viewed her insistence on using one easily remembered password for everything in her life as the equivalent of tattooing the phrase “victim here” on her forehead.  The only way for us to move forward was to reach an accord.  We agreed to disagree, and things were good, at least for a while.

A few years later, after receiving an email from one of our sons, our accord began to crumble.  I was informed that my wife’s email account had been hacked and was actively being used to send out spam email. Of course, I did what one normally does to remedy that situation and hoped all would be good. Sadly, it wasn’t to be. Our accord abruptly ended a few months later after we received written notice from a credit union on the opposite side of the country telling us that they were most displeased with my wife.  Apparently, credit unions don’t like it when someone gets a new credit card, immediately maxes it out, and then fails to make any payments.  Unfortunately, given that my wife wasn’t the one who applied for and received that credit card, we had a new problem.

While this tale took a number of interesting twists and turns over the next few years, in the interest of time I will simply share that as a result of the initial identity theft a federal and an out-of-state tax return were also fraudulently filed in my wife’s name.  I spent over three years working to get everything cleaned up, but the one thing I can’t do, and honestly no one can, is ever get her identity back. That’s been taken and we’ll have to deal with the ramifications of that for the rest of our lives.  Hopefully, it’s over, but only time will tell.

Today things are different around here. My focus on computer security is viewed in a much different light by my wife, and I no longer worry about any unsightly tattoos on her forehead.  Our state of marital bliss has been restored because this time around we’re both on the same page.  Trust me, she gets it now. What’s more important, however, is do you?  Again, understand this entire saga started with someone managing to figure out a password, a password that, unfortunately for my wife and me, opened all kinds of doors that would have remained locked had she not used one password for everything.

I chose to share this story because I wanted to put a real-world spin on the problems that can arise when too little attention is given to the importance of passwords.  Every one of us in our personal and professional lives needs to abide by some sort of password policy, formal or informal, in order to try and avoid becoming yet another victim of identity theft. And heaven help you if an identity theft occurs and it turns out to be the identity of one or more of your clients because someone got into your office network.  So not good.

With this tale of woe now told, it’s time to talk about how to avoid becoming a victim.  I’ll start by identifying typical missteps. Here is a list of things no one should ever do.

1) Use the same password on multiple devices, apps, and websites.
2) Write down passwords on easily found sticky notes.
3) Believe that passwords like “qwerty”, “password”, “1234567”, or “letmein” are clever and acceptable.  They aren’t.
4) Allow computer browsers to remember passwords.
5) Choose passwords based upon easily remembered information such as birth dates, anniversary dates, Social Security numbers, phone numbers, names of family members, pet names, and street addresses.  This kind of information just isn’t as confidential as you think due to events like the Equifax breach and widespread participation in the social media space.

Knowing the common missteps, however, isn’t enough.  Such practices should be prohibited in a formal firmwide password policy that everyone at the firm must abide by.  There can be no exceptions, period.  Of course, policy provisions must also detail what to do.  The most important provision of a password policy would be to mandate the use of strong passwords, defined as follows: a password is strong if it is long, a minimum of 15 characters, and, where the device or application you wish to secure will accept them, includes a few numbers, special characters, and both upper- and lower-case letters.  Additional provisions worth including would be requiring that every application and device in use have its own unique password, requiring that passwords in use with mission-critical devices and applications (e.g. banking login credentials, firm VPN login) be changed every 6 months, forbidding the reuse of old passwords, and prohibiting the sharing of user IDs and passwords with anyone.  Finally, make enabling two-factor authentication for any device or application that allows it compulsory.
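To make the policy provisions above concrete, here is an added Python example (not code from the article, from ALPS, or from any product it names) that checks a candidate password against the rules just described: the 15-character minimum, mixed character classes, the weak examples from the missteps list, personal information the user supplies (birth dates, phone numbers, pet names), and a history of previous passwords kept only as salted PBKDF2 hashes so reuse can be rejected without storing old passwords in the clear. It goes slightly beyond the text by also matching numeric facts with their separators stripped, so a birth date written as 1985-04-12 is still caught when typed as 19850412. The banned-word list, the personal-fact matching rule, and the PBKDF2 work factor are assumptions chosen for the example, not values the article specifies.

```python
import hashlib
import hmac
import os
import re
import string
from typing import List, Optional, Sequence, Tuple

# Constructed policy values modelled on the article's provisions (assumptions, not firm policy).
MIN_LENGTH = 15
# The examples the article names as never acceptable; a real deployment would use a far
# larger banned-password list.
BANNED_WORDS = {"qwerty", "password", "1234567", "letmein"}
# PBKDF2 work factor for the password-history hashes (assumption).
PBKDF2_ROUNDS = 200_000


def check_password(candidate: str, personal_facts: Sequence[str] = ()) -> List[str]:
    """Return the list of policy violations for `candidate`; an empty list means it passes.

    `personal_facts` holds strings the user supplied about themselves (birth dates, phone
    numbers, pet names, street addresses ...) that the policy says must never appear
    in a password."""
    problems: List[str] = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digits")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special characters")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("not mixed case")

    # Substring match, so decorated variants such as "Password123!!!" are still rejected.
    for word in sorted(BANNED_WORDS):
        if word in lowered:
            problems.append(f"contains banned word '{word}'")

    # Personal facts are compared case-insensitively; numeric facts (dates, phone numbers)
    # are also compared with separators stripped so "1985-04-12" matches "19850412".
    digits_only = re.sub(r"\D", "", candidate)
    for fact in personal_facts:
        fact_lower = fact.lower()
        fact_digits = re.sub(r"\D", "", fact)
        if len(fact_lower) >= 3 and fact_lower in lowered:
            problems.append(f"contains personal information '{fact}'")
        elif len(fact_digits) >= 4 and fact_digits in digits_only:
            problems.append(f"contains personal information '{fact}'")
    return problems


def hash_for_history(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 hash of a password, kept so old passwords can be rejected
    on reuse without ever storing them in the clear."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(candidate: str, history: Sequence[Tuple[bytes, bytes]]) -> bool:
    """True if `candidate` matches any previous password recorded in `history`."""
    for salt, digest in history:
        _, candidate_digest = hash_for_history(candidate, salt)
        if hmac.compare_digest(candidate_digest, digest):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: facts a user might supply and one previous password.
    facts = ["Fluffy", "1985-04-12", "555-0100"]
    history = [hash_for_history("Winter-Was-Cold-2019")]
    for pw in ["letmein", "Fluffy!19850412xyzQ", "Winter-Was-Cold-2019", "Correct-Horse-Battery-9"]:
        issues = check_password(pw, facts)
        if is_reused(pw, history):
            issues.append("reuses a previous password")
        print(f"{pw!r}: {'OK' if not issues else '; '.join(issues)}")
```

The history check deliberately re-derives the hash with each stored salt rather than comparing plaintext, which is what lets a firm enforce "no reuse of old passwords" without its own password-history file becoming a second breach waiting to happen.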

Of course, a password policy like this creates a new problem, which is trying to keep track of all the complex passwords now mandated.  I can share that between us, my wife and I have over 250 different passwords we need to keep track of in our personal and professional lives.  I don’t know about you, but I sure can’t remember all of that information.

Fortunately, this problem can be easily managed by using a password manager such as RoboForm, LastPass, or Dashlane.  (My wife agreed to commit to learning how to use a password manager shortly after her kerfuffle with the credit union and it has made a world of difference!)  Such tools are often cloud-based software applications that allow users to conveniently store and manage all of their passwords. The data is encrypted and can only be accessed once a master password has been entered.  Yes, users will still need to remember a long and difficult-to-guess master password; but having to remember one is going to be far easier than trying to remember 250.  And again, no one should ever write down their master password.  Everyone really must commit the master password to memory or find a way to store it in some other secure manner.
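As an added illustration (not code from the article or from any of the products named above), the Python below shows two things a password manager does on the user's behalf: it generates a different random password for every site from a cryptographically secure source, and it stretches the master password through a memory-hard key-derivation function (scrypt) to obtain the key that protects the stored data, so the master password itself is never kept anywhere. The special-character set and the scrypt cost parameters are assumptions chosen for the example; encryption of the entries with the derived key is left out because the standard library has no authenticated cipher.

```python
import hashlib
import secrets
import string
from typing import Dict, Sequence

# Character classes the article's policy asks for (the special-character set is an assumption).
CHARACTER_CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+[]{};:,.?",
]
# scrypt cost parameters are assumptions chosen for the example (about 16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def generate_password(length: int = 20) -> str:
    """Generate a random password containing at least one character from every class.
    Uses `secrets` (a CSPRNG), never the `random` module."""
    if length < len(CHARACTER_CLASSES):
        raise ValueError("length too short to cover every character class")
    chars = [secrets.choice(cls) for cls in CHARACTER_CLASSES]
    alphabet = "".join(CHARACTER_CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # CSPRNG-driven Fisher-Yates shuffle so the guaranteed characters do not always lead.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_every_class(password: str) -> bool:
    """True if the password contains at least one character from each class."""
    return all(any(c in cls for c in password) for cls in CHARACTER_CLASSES)


def unique_passwords(sites: Sequence[str]) -> Dict[str, str]:
    """One freshly generated password per site, which is what removes the
    'same password everywhere' problem the article describes."""
    return {site: generate_password() for site in sites}


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 32-byte key with scrypt (memory-hard), so someone
    who obtains the stored vault cannot cheaply guess the master password offline."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


if __name__ == "__main__":
    # Constructed sample: three sites and a per-vault random salt.
    vault = unique_passwords(["bank", "firm-vpn", "email"])
    for site, pw in vault.items():
        print(f"{site}: {pw}")
    salt = secrets.token_bytes(16)
    key = derive_vault_key("one long master password to remember", salt)
    print("vault key:", key.hex())
```

Only the salt and data protected by the derived key would be stored; entering the master password re-derives the same key, which is the mechanism behind "the data can only be accessed once a master password has been entered".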

ALPS Risk Manager Mark Bassingthwaighte, Esq. has conducted over 1,000 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management and technology. Check out Mark’s recent seminars to assist you with your solo practice by visiting our on-demand CLE library at alps.inreachce.com. Mark can be contacted at: mbass@alpsnet.com.