It’s a basic tenet of personal and professional data security: You need strong passwords, if you want to better secure your private information. Even as that is a well-known proposition, the most common passwords are easily cracked. Part of the challenge, especially for businesses, comes in establishing effective password regimes. The following guest blog post addresses the establishment and maintenance of those effective password regimes. The author is Michael Doherty, founder and president of Mikrodots, Inc., a Boston technology firm providing outsourced IT services exclusively to mid-sized New England law firms. Since 1996, Michael has been helping law firms to navigate technology, IT governance, risk and compliance. Michael is happy to provide specific insights into your law firm’s IT security policies. You may contact him via email at firstname.lastname@example.org.
. . .
Lawyers understand that protecting law firm data is of the highest importance. Still, they tend to struggle with one of the most beneficial and basic security measures available for protecting themselves, and their data: strong passwords. There’s no debate that strong passwords are a reasonable security measure; yet, in many law firms, no data security policy exists, or the existing policy is broken by end-user workarounds. (Firms of all sizes should adhere to a Written Information Security Plan (WISP), that defines overall information security policy, controls and responses to breach; the use of strong passwords would be one component of the overarching policy.) Workarounds can include: the writing down of passwords on sticky notes; the overriding of security policies by managing partners; and, the sharing of credentials. Lawyers have a duty to maintain clients’ information in a confidential manner; building a strong password regime is one method to help you to comply with that dictate.
Of course, lawyers also want to be efficient in progressing through their work. So, balancing expedience and data security can generate a great deal of stress; and, the fact that password management slows down law firm processes is one the most common complaints I hear. And, I get it: You have to change your password every 90 days. It needs to be reasonably complex — difficult to type, hard to remember. It’s an impediment to logging onto your devices.
While I can’t make all the pain go away, I can offer these seven tips to help make the application of strong passwords less painful.
(1) Understand why strong passwords are so important. If you come to understand the essential importance of strong passwords, it can take a little bit of the sting out of using them. Strong passwords are not a whimsical requirement, created in a dark and cold server room by some pocket-protected geek, as a passive aggressive way to express his power to annoy the hell out of everyone.
Strong passwords are important for the following reasons:
-Strong passwords provide the foundation of cyber security. You’ll want to get your AAA card: Passwords Authenticate users, Authorize access and create Accountability.
-Strong passwords protect the law firm’s data and reputation.
-Strong passwords mitigate the law firm’s financial exposure in the event of a breach.
-Strong passwords protect your clients’ confidences and reputations.
(2) Read your law firm’s data security policy. Studies show that lack of training and understanding is the main reason for low adoption of and noncompliance with business policies addressing data security. In particular, there’s a lot more to strong passwords than meets the eye; and, understanding the bigger picture will help you to select new passwords more easily. A strong password policy will define the following:
-Password History (e.g. Don’t repeat any of your last 5 passwords.)
-Maximum Password Age (e.g. Change your password every 90 days.)
-Minimum Password Age (e.g. Keep new passwords for at least 3 days.)
-Minimum Password Length (e.g. Use at least 12 characters.)
-Account Lockout Threshold (e.g. 5 failed login attempts result in a lockout.)
-Account Lockout Duration (e.g. The lockout remains in place for 15 minutes.)
-Blacklisted Passwords (e.g. 12345678, Password, P@ssword1, qW3RTY, admin)
-Complexity Requirements (e.g. Passwords must contain uppercase and lowercase letters, and special characters.)
(3) Know the rules. There are other rules about passwords that you need to know and follow, in order to continue on as a card-carrying member of AAA. Those rules include:
-Never sharing your password — IT doesn’t need it.
-Never writing your own password down anywhere.
-Never using someone else’s password. (You can still send an email for the managing partner without one.)
-Applying the law firm’s security policies to everyone, without exception.
-Providing all employees with unique credentials. Everyone, including your temporary receptionist, has unique credentials.
-Using different passwords for different accounts.
-Always logging out of any account that is not in use.
(4) Change your passwords before they’re due to be changed. Don’t wait until the ninetieth day to change your password; procrastinating just creates more problems and stress for everyone. Instead, change your password when you receive the first notification to do so, in order to avoid:
-Contacting IT support because you’re locked out — again.
-Waiting in the queue, because IT is deluged with requests from everyone else who waited too long.
-Panic and more stress, when you can’t pull the files you need for a court hearing that morning.
-Suffering through a night or weekend without access to work resources — well, maybe that’s not so bad.
(5) Know your devices. Everyone uses multiple devices. You need to know how to change your passwords on each of them. You should:
-Know who’s responsible for altering passwords: Is it you? Is it IT support? Is it your 10-year-old nephew?
-At least learn how to change your email password on your smartphone, especially if you’re out of the office regularly.
-Attempt a ‘dry run’ before your password expires; coordinate it with IT support
-Find instructional YouTube videos about your device and application security, and watch those.
(6) Create memorable passwords. Remembering strong passwords can be a challenge; but, with simple formulae and a little practice, it’s remarkably easy to create extremely complex passwords that are not hard to remember. Here is my five-step formula:
-Use memorable phrases. (e.g. park the car in Harvard Yard)
-Remove the spaces. (e.g. parkthecarinHarvardYard)
–Camel notate — capitalize the first letter of each word. (e.g. ParkTheCarInHarvardYard)
-Change a letter to a number. (e.g. ParkTh3CarInHarvardYard)
-Change a letter to a special character. (e.g. P@rkTh3C@rInH@rv@rdY@rd)
(7) Make it (relatively) fun. Add your own style; use whatever phrases you like. Vernacular and purposefully misspelled words are perfect for passwords; and, including punctuation marks makes already-strong passwords that much stronger. Be creative. Here are a few examples to inspire you:
–Go Red Sox!!! = G0R3dS0x!!!
-Wicked Pissa! = W1ckedP1$$a!
-Boston Bruins Are #1 = 8o$ton8ruin$Are#1
-Love That Dirty Water = LoveThatDir+yWa+er
–Numba 4 Bobby Orr! >> Nu^^6a4Bo66yOrr!
If you’re struggling to come up with your own phrase, use: song lyrics, lines of poetry, movie quotes, your favorite Linux command — whatever floats your boat.
Strong passwords are here to stay — and two- and three-factor authentication is on the way — so, you may as well make the best of it.