The two things everyone using computers is supposed to do are: back up regularly and create difficult, changing passwords. The two things that nearly everyone using computers fails to do are: back up regularly and create difficult, changing passwords. Now, the business about backing up wouldn’t apply to computers used in law offices (would it?). But it’s not so clear that all firms and lawyers in those firms have got a good password policy in place.
We’ve talked about this on Slaw a couple of times recently. John Gregory asked [1] whether a failure to set proper — i.e. complex — passwords implies a reduced expectation of privacy. And David Bilinsky examined [2] the Arizona State Bar’s ethics opinion on security, which provided among other things that lawyers should “assign unique randomly generated alpha-numeric names and passwords to each online client folder. . . . The password would not be the same as the client folder name.”
A proper law firm password policy is part of a larger computer security plan that should be discussed with a security expert. I’m not about to provide one here in a blog entry. But I can talk a little about what goes into making a good password and point you to various ways of creating them — just in case you or your firm have been meaning to fix things up but haven’t quite got around to it yet.
Generating a fairly secure password that’s good enough for most client work isn’t difficult: you can use one of the many random password generators around. For example, the PCTools online generator [3] can toss out one that’s anywhere from 8 to 64 characters long and that mixes the available keyboard options (uppercase/lowercase; numbers/letters; punctuation). Here’s a 14-character product: Phu?!c7E&uwRub (Microsoft’s Online Safety site [4], a good primer on making a secure password, recommends at least 14 characters.)
So making is easy. Remembering or being able to retrieve a password like this (and a unique one for each file, document, etc.) is another thing. The password generator used above also gives you a phonetic run that you might use to memorize the password. Thus, the password above is pronounced: “PAPA – hotel – uniform – Question – Exclamation – charlie – Seven – ECHO – Ampersand – uniform – whiskey – ROMEO – uniform – bravo”. Too bad there’s no way to pronounce capital letters.
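What such a generator does, as an added example (this is not the code of the generator linked above): it draws 8 to 64 characters from the operating system's cryptographic random source, insists that every character class appears, and spells the result using the same convention as the phonetic run quoted above. The punctuation set and the names given to symbols other than ?, ! and & are assumptions.

```python
import secrets
import string

# NATO words for letters; spoken names for digits and punctuation.
NATO = dict(zip(string.ascii_lowercase, (
    "alfa bravo charlie delta echo foxtrot golf hotel india juliett kilo lima "
    "mike november oscar papa quebec romeo sierra tango uniform victor whiskey "
    "x-ray yankee zulu").split()))
DIGITS = dict(zip(string.digits,
                  "Zero One Two Three Four Five Six Seven Eight Nine".split()))
# Assumed punctuation set and names; the post only shows ?, ! and &.
PUNCT = {"?": "Question", "!": "Exclamation", "&": "Ampersand",
         "#": "Hash", "%": "Percent", "@": "At", "*": "Asterisk",
         "+": "Plus", "=": "Equals", "-": "Dash"}
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "".join(PUNCT)]


def generate_password(length=14):
    """Return a random password with at least one character per class."""
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    alphabet = "".join(CLASSES)
    while True:
        # secrets uses the OS CSPRNG; the random module is predictable.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Redraw the whole string rather than patching in a missing class.
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def phonetic(password, sep=" \u2013 "):
    """Spell a password: UPPERCASE word = capital, lowercase word = small."""
    words = []
    for ch in password:
        if ch.isupper():
            words.append(NATO[ch.lower()].upper())
        elif ch.islower():
            words.append(NATO[ch])
        else:
            words.append(DIGITS.get(ch) or PUNCT[ch])
    return sep.join(words)


if __name__ == "__main__":
    pw = generate_password(14)
    print(pw)
    print(phonetic(pw))
```

Run against the sample password above, `phonetic` reproduces the quoted run word for word; a character outside the sets defined here raises `KeyError` rather than being silently skipped.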
Some people write them down, of course. Daft, if it’s on a sticky. But the only way, really, if you’ve got hundreds and hundreds of unique, unmemorable passwords. Except that they’ll be written to a computer drive somewhere and locked up with — a password. There has to be a memorable or accessible system for getting to the unmemorable and otherwise inaccessible keys. In a sophisticated law office system, much of this can be handled with software, allowing and denying access thanks to the computer’s infallible and deep memory. But whether at the level of the big firm or the solo practitioner’s laptop, it will always come down to a password-protected way into the system. The sysadmin knows.
Where you’re the sysadmin of your own small computer farm, you need to develop a practice of making complex passwords and changing them regularly. The web is full of advice about how to make passwords that are difficult to crack but (relatively) easy to remember. See, for example, this WikiHow site [5]. And doubtless, if you’re not using your brother-in-law’s name, you’ll have come up with your own cunning code. If so, test it on Microsoft’s Password Checker [6] to see how safe it is. My own efforts range from “weak” to “medium.” But I do back up regularly.