[This post originally appeared on Slaw.ca on March 18, 2014]
One of the most significant threats to client confidential and private information in law firms is bad passwords. Unless lawyers and paralegals are substantially different from the general public, we’re using the same bad practices when we create and re-use passwords as everyone else.
You’ve already heard all the suggestions on using better passwords, so I will leave that dead horse alone. In fact, I’ll suggest that you forget it. If you think you can create sufficiently secure passwords for all of your offline and online accounts and devices, and remember them, you’re a better person than I am. The rest of us should be shifting entirely to password managers because:
- they let you store many long, random passwords, a different one for every account
- the password file itself is encrypted, and unlocked with a single master password
It used to be that a lawyer with poor passwords only risked his immediate systems. But we now practice in an interlinked environment where a weak password at any link in the chain can enable a breach elsewhere. Target’s customers were exploited because of an HVAC provider. Bell Canada’s small business customers were exposed because of a third party supplier. These cracks are not direct password attacks, but they expose data, which may include passwords. If you are reusing a password, an exploit in one service may expose the others. When sites like Adobe are exploited and release 130 million passwords into the wild, the likelihood that a password you created is now in the growing password dictionaries increases. You may already want to ask, “have I been pwned?”
There are Web-based password managers, including LastPass, Zoho’s Vault, and Roboform, among many others. To be honest, their location on the Web makes them more vulnerable than I’d prefer for my passwords. Instead, I think your password manager should be offline. Here’s how you can use a password manager like KeePass to manage your passwords.
Install KeePass. Then Use It.
KeePass is an open source password manager for Windows that also runs on Mac and Linux. There are also app versions for iOS (MiniKeepass, Syncpass) and Android (KeePassDroid). It can manage multiple password files, so you might have one with work-related passwords and a different one for personal passwords.
The first thing to do in KeePass is create your first password file: File, New. You can add new entries by clicking the Add Entry button. It supports folders, so that you can store your passwords by category. For example, I have a folder with social media passwords and another for online shopping sites.
Then create your own password generator profile. This is optional, but I found that I can create substantially more complicated passwords by making minor changes to the default generator settings. Normally, when you generate a new password, it will default to uppercase, lowercase, special characters, and numbers. You can also ask it to include underscores and minus signs, and to make longer passwords.
My default profile is set to create passwords of 20 characters, because that is often the maximum number of characters that online sites will allow. There is some evidence that you don’t need 20 characters if your passwords are truly random: every extra character drawn from the full printable set multiplies the number of guesses an attacker needs. If there was some difficulty to creating longer passwords, this might make me use shorter ones. But a password manager makes long, complicated passwords easy to use.
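To make the “random is what matters” point concrete, here is an added example (not code from the original post or from KeePass) of a generator that mirrors the profile described above: uppercase, lowercase, digits, special characters, underscore and minus, 20 characters long. It uses Python’s `secrets` module, a cryptographically secure random source, and reports how many bits of entropy a given length and alphabet provide. The exact special-character set is an assumption for this example; KeePass’s own set may differ. The `require_each` option handles the sites that reject a password lacking one of the classes.

```python
"""Added example: a CSPRNG-backed password generator mirroring the KeePass
profile described in the post, plus an entropy estimate per profile.
Not KeePass's own code; the special-character set is an assumption."""

import math
import secrets
import string

# Character classes the profile can enable. "special" is string.punctuation
# with "_" and "-" removed so those two can be toggled separately, as in the
# KeePass generator options described in the post. (Assumed set.)
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "".join(c for c in string.punctuation if c not in "_-"),
    "underscore": "_",
    "minus": "-",
}

# The profile from the post: every class enabled, 20 characters.
DEFAULT_PROFILE = ("upper", "lower", "digits", "special", "underscore", "minus")


def alphabet_for(profile):
    """De-duplicated alphabet for the enabled classes."""
    return "".join(sorted(set("".join(CLASSES[name] for name in profile))))


def entropy_bits(length, alphabet_size):
    """Entropy, in bits, of `length` symbols drawn uniformly from the alphabet.
    20 symbols from 94 characters is about 131 bits; 12 is about 79 bits."""
    return length * math.log2(alphabet_size)


def generate(length=20, profile=DEFAULT_PROFILE, require_each=True):
    """Generate one password from `profile`.

    With require_each=True each enabled class appears at least once (some
    sites insist on it). The characters are then shuffled with a CSPRNG so
    the position of the forced characters is not predictable.
    """
    if require_each and length < len(profile):
        raise ValueError("length too short to include one of every class")
    alphabet = alphabet_for(profile)
    chars = []
    if require_each:
        chars.extend(secrets.choice(CLASSES[name]) for name in profile)
    chars.extend(secrets.choice(alphabet) for _ in range(length - len(chars)))
    # Fisher-Yates shuffle driven by secrets.randbelow, never random.shuffle.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies(password, profile):
    """True if the password contains at least one character of every class."""
    return all(any(c in CLASSES[name] for c in password) for name in profile)


if __name__ == "__main__":
    for length in (8, 12, 16, 20):
        size = len(alphabet_for(DEFAULT_PROFILE))
        print(f"{length:2d} chars from {size} symbols: "
              f"{entropy_bits(length, size):6.1f} bits  e.g. {generate(length)}")
```

The entropy line is the useful check: a 20-character password from the full 94-character set carries roughly 131 bits, and even 12 characters carry about 79, which is already far beyond what any dictionary or brute-force attack reaches. Length only helps when the characters are genuinely random, which is exactly what a generator gives you and memory does not.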
Connect It To Your Browser
If you are like me, you are using a lot of Web-based services, whether they are cloud computing legal technology sites or social media or your local newspaper’s online comments. Mozilla Firefox and Google Chrome Web browser users can install an extension, among the many plugins listed on the KeePass site, to pass your credentials from your KeePass application directly to your Web browser.
This eliminates one of the big frustrations with complicated passwords: keying them into whatever login forms we have to navigate. It can handle multiple accounts for a single site, so that if you have two Google Apps accounts, you can select which one to log in with. Because KeePass is not Web-based, you do not need Internet access to get to your passwords, and you can paste in passwords for your local systems – Excel spreadsheets, local firm databases, etc.
Eliminate Your Bad Passwords
Unless you are about 8 days old and just getting on the Web – and pretty precocious, if you’ve already gotten as far as Slaw – you already have lots of online accounts: Facebook, Twitter, email, banks, your kids’ grades at school, and on and on. You may not have been very good about creating new, difficult passwords at each of those sites. You MIGHT even have re-used a password at more than one site, or changed the strong password the site gave you for a weak one that you could remember.
Now that you have KeePass installed, you should take a moment at each site to access the change password function in your account. Using either the little gold key that appears when you have a Web browser extension installed, or the KeePass software itself, create a new entry for this site and generate a new, strong password for it.
You can make this simpler by going into your Web browser’s password function and exporting your passwords. Google Chrome users can try this free utility and Firefox users can add an extension. Once you’ve exported your passwords in plain text, an insecure file format, you can import them into KeePass from the File menu. Delete the plain text export as soon as the import succeeds; a file of all your passwords sitting in your Downloads folder defeats the purpose.
But, you might say, my Web browser already remembers these passwords. Why do I need KeePass for the Web? Because a Web browser does not always protect your passwords: in some browsers, anyone who sits down at your unlocked computer can display the saved passwords in plain text from the settings page. Use an offline password manager and turn off – and answer No to – your Web browser’s password storage feature.
I’ve done this and it’s easy to accomplish for those sites you visit all the time. If you exported your passwords from your browser, that can give you a list of sites you need to visit. In my case, I took the opportunity to close and cancel all of the accounts that I no longer used. For those that wouldn’t allow me to cancel – like Starbucks – I created a very long password with KeePass to ensure that no one could reuse the credentials in case Starbucks is ever breached.
That’s Not Enough
Strong, unique passwords on every site aren’t enough. When you finish work, even if you leave your computer on, lock or close your password manager. I synchronize my (encrypted) password file to my online storage service so that it is copied to my other PCs. I can also download an updated copy to my tablet.
We are increasingly seeing two-step authentication, which hinders attacks that use social engineering, or access to your e-mail box, to reset your passwords. If your service offers it, use it. Short of that, make sure your passwords and password management are at a level where you can confidently say to a client that you use strong passwords and aren’t relying on security through obscurity.