Are You Leaving the Keys Under the Mat?
Published on June 15, 2012
LinkedIn, the professional networking site, was in the news last week when it was revealed that 6.5 million of it’s users’ passwords were stolen and posted on the internet. According to the test site that password security company LastPass established, mine wasn’t one of them, but the incident made me think about password security and I’ve changed all of my passwords as a result.
The purpose of the password has changed over the course of legal technology. Passwords in the law office were originally used, like locked file cabinets, to keep unauthorized employees or wandering clients from accessing information they didn’t need access to. The locks didn’t need to worthy of Fort Knox, they just had to be serious enough to keep honest people honest. As more and more information in the law firm has moved out of those cabinets and onto internet-connected computers or into the cloud, passwords are now needed to keep out not snooping allies but true enemies who are intent on stealing data, usually for financial gain, and have the skills and tools to do so. This is why it’s so important for lawyers to use strong passwords, and to change them regularly.
Most of us use weak passwords because they’re easy to remember. We use things like 1-2-3-4, our birthday, our spouse’s initials or the cat or dog’s name. There are two problems with passwords like this. First, if the potential intruder knows anything about you (and they can find a lot of stuff through social media sites these days) “personalized” passwords are easy to guess. Second, even if the person who stole your computer or is trying to break into your online information doesn’t have any personal knowledge of you or your life, and this will more likely be the case, passwords like this are quite easy for automated password cracking programs to break. These programs can try thousands and thousands of letter and number combinations in a matter of minutes and if you’ve used a date or a word that’s in the dictionary chances are that it won’t take a professional thief long to get into your confidential data.
Instead of a password, consider using a pass phrase, and include upper and lower case letters as well as numbers and symbols in the pass phrase. As an example, you can easily remember “Stuff Happens To Me” but expressed as “$tu##_Ha@@ens_2_me!” it’s a much stronger password, although according to an interesting article last year in The Atlantic on the hacking of Gmail accounts, newer cracking software is now taking substitutions like this into account.
It’s also a good idea not to use the same password for more than one application or web site. If everything has the same password and one login is compromised, especially if your user name is an easily-discoverable email address, all of your apps and sites are at risk, plus you have to go to the trouble to change all the passwords at once. But if everything has its own password, or variation on a password, the compromise of one app or web account won’t put all of your confidential information at immediate risk. And it’s a good idea to require everyone in your office to change their passwords not less than every 90 days and to prohibit the reuse of old passwords for at least a year, if not permanently.
Take a few minutes today to think about and implement stronger passwords. It could save you a lot of time and trouble later on.