Computer passwords are the keys that “unlock” our computer and network systems. We all have more passwords than we can remember. This tends to make us a bit lazy. We use obvious and easy-to-remember passwords – even the word “password” itself. Or worse: we don’t use them at all. Bad password habits are often one of the weakest links in data security schemes. Cyber criminals know and exploit this fact.
For this reason it is critical that all lawyers and staff in a law office use passwords, and use them properly. This article reviews the steps you need to take to protect the confidentiality of your passwords, and how you can create passwords that are harder to guess or determine.
Many of the password best practices mentioned in this article are very easy to implement – review them with your lawyers and staff.
Passwords don’t work if they aren’t secret. Unfortunately, people get careless and don’t always keep their passwords confidential. These are the things you can do to keep your passwords secret.
Never ever tell anyone your passwords: This includes your IS support person (they can force a reset if they really need to access your account). And, make sure no one is looking over your shoulder when you are typing a password. If more than one person knows about a password, it isn’t a secret anymore.
Never write down your passwords, especially on your monitor: Is this not the same as leaving the keys for your car in the ignition? Take a walk around your office and see how many passwords you can find on little notes taped to monitors or keyboards. If you absolutely have to write down some of your passwords to remember them, don’t write them out exactly. Write without an obvious reference to the account they apply to, and so they have to be translated in some way. Add or delete a character, transpose letters, or vary them some other consistent way which only you can figure out.
Don’t save passwords on your computer hard drive: It is not uncommon for people to create a document with all their passwords in it on their computer. This file can be located in seconds with a hard drive search, especially if it is called password.doc or if it contains the word “password” or other related terms like “username.”
Use a password manager: If you must store passwords on your computer or smartphone, use a password manager. These handy programs remember and enter passwords for you and they are stored in an encrypted form so that they can’t easily be accessed. Widely used password managers include 1Password, LastPass, and Robo- Form. Some password managers let you sync and use your passwords on multiple platforms and devices across the web. Very convenient, but depending on your personal preference and the work you do, you may want to be cautious about putting your passwords in the cloud. Make your password manager password extra complex! (And make sure you don’t forget it.)
Use biometric scanners: Some laptops and the most recent iPhone have built-in biometric scanners that give you access to a device or other logins with a swipe of your finger or by facial recognition. These scanners help you avoid the need to remember passwords.
Don’t use the same password for everything: This is very tempting, but is also very dangerous as anyone that figures out your password can get easy and instant access to all your other accounts. Use a unique password for each program, especially for very sensitive things like your network logon, remote access to networks or bank account logons. You also shouldn’t use the same passwords for home and work purposes or on the administrator and user profiles on the same computer.
Change passwords on important accounts on a regular basis: For critical things like your computer and bank account, you should change your password every 60 to 90 days. This will foil a lurking hacker that has your password unbeknownst to you.
Change any compromised password immediately: Do this even if you only suspect a password has been compromised. Again, this is to foil a lurking hacker.
Don’t use the “remember password” feature: Be wary of dialogue boxes that present you with an option to save or remember your password. These can appear in your web browser and for remote access. By selecting this option you give unchallenged access to accounts to anyone sitting down at your computer.
Use two-step authentication
Using two-step authentication on sites that offer it will help to increase the security of your online information. Two-step authentication is a process involving two stages to verify the identity of someone trying to access online services.
You are already using two-step authentication if you withdraw money from an ATM. To access an ATM, you need two things: the ATM card and a personal identification number or PIN. If you lose your ATM card, your money is still safe; anyone who finds the card cannot withdraw money if they do not know your PIN. The same is true if someone knows your PIN and does not have the card. This second layer of security is what makes two-step authentication more secure.
More and more websites are offering two-step authentication, including Google, Facebook, Apple, Dropbox, Twitter, Microsoft, Amazon, Evernote, WordPress and Yahoo! Mail. You should enable two-step authentication if you are using one of these services.
Many of these sites have also added a feature that notifies you by email or text message if your configuration has been changed. In some cases you have to confirm the change for it to remain in effect. This protects you in the event a hacker gets into your account. If the hacker changes your password or other settings on the account, you get an email or text message notifying you of the change and you have the ability to prevent it from happening. Enabling this feature on any of your accounts that have it will help prevent those accounts from being taken over by a hacker.
This article appeared in the December 2013 “Cybercrime and Law Firms” issue of LAWPRO Magazine. All Magazine articles can be found at www.lawpro.ca/magazinearchives.
About the Author
Dan Pinnington is the Vice President of Claims Prevention at practicePRO. This article first appeared in the December 2013 issue of LawPro magazine. Reprinted with permission. For more cyber safety tips, visit www.lawpro.ca.