
Your Passwords S****

One of the most significant threats to client confidential and private information in law firms is bad passwords. Unless lawyers and paralegals are substantially different from the general public, we’re using the same bad practices when we create and re-use passwords as everyone else.

You’ve already heard all the suggestions on using better passwords, so I will leave that dead horse alone. In fact, I’ll suggest that you forget it. If you think you can create sufficiently secure passwords for all of your offline and online accounts and devices, you’re a better person than me. The rest of us should be shifting entirely to password managers because:

  • they enable storing many, random, long passwords
  • they can themselves be encrypted with a password

It used to be that a lawyer with poor passwords only risked his immediate systems. But we now practice in an interlinked environment where a weak password at any link in the chain can enable a breach elsewhere. Target’s customers were exploited because of an HVAC provider. Bell Canada’s small business customers were exposed because of a third party supplier. These cracks are not direct password attacks, but they expose data, which may include passwords. If you are reusing a password, an exploit in one service may expose others. When sites like Adobe are exploited and release 130 million passwords into the wild, the likelihood that a password you created is now in the growing password dictionary list increases. You may already want to ask, “have I been pwned?”

There are Web-based password managers, including LastPass, Zoho’s Vault, and Roboform, among many others. To be honest, their location on the Web makes them more vulnerable than I’d prefer for my passwords. Instead, I think your password manager should be offline. Here’s how you can use a password manager like KeePass to manage your passwords.

Install KeePass. Then Use It.

KeePass is an open source password manager for Windows and Mac devices that can also run on Linux. There are also app versions for iOS (MiniKeepass, Syncpass) and Android (KeePassDroid). It can manage multiple password files, so you might have one with work-related passwords and a different one for personal passwords.

The first thing you do with KeePass is create your first password file: File, New. You can create new entries by clicking the Add Entry button. It supports folders so that you can store your passwords by category. For example, I have a folder with social media passwords and another for online shopping sites.

Then create your own password rule. This is optional but I found that I can create substantially more complicated passwords by making minor changes to the default password settings. Normally, if you want to create a new password, it will default to uppercase, lowercase, special characters, and numbers. You can also ask it to include underlines, minus signs, and make longer passwords. My default password setting looks like this:

[Image: KeePass password generator settings (keepass-primary-password-customization)]

This is set to create passwords of 20 characters because that is often the maximum number of characters that online sites will allow. There is some evidence that you don’t need 20 characters if your passwords are random. If creating longer passwords were difficult, that might push me toward shorter ones. But a password manager makes long, complicated passwords easy to use.
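As an added example (not from the column and not KeePass’s own code), the generator settings described above can be reproduced in Python: draw each character from the same classes with the operating system’s cryptographic random source, and compute how many bits of entropy a given length yields, which is what decides whether 20 random characters is more than a site actually needs. The character sets below, especially the “special” set, are my approximation of the KeePass classes, not its exact definitions.

```python
import math
import secrets

# Character classes approximating the KeePass generator options named in
# the column: uppercase, lowercase, digits, special, underline, minus.
# The "special" set is an assumption, not KeePass's own list.
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
SPECIAL = "!\"#$%&'*+,./:;=?@\\^`|~"
UNDERLINE = "_"
MINUS = "-"

ALPHABET = UPPER + LOWER + DIGITS + SPECIAL + UNDERLINE + MINUS  # 86 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly with the OS CSPRNG (never random.random)."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest random password over this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20, len(ALPHABET)):.1f} bits")
    # How long must a random password over this alphabet be for 80 and 128 bits?
    for bits in (80, 128):
        print(bits, "bits needs", min_length_for_bits(bits, len(ALPHABET)), "chars")
```

Twenty characters over this 86-symbol alphabet is about 128 bits; 13 random characters already exceed 80 bits, which is why the column’s point about random passwords holds.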

Connect It To Your Browser

If you are like me, you are using a lot of Web-based services, whether they are cloud computing legal technology sites or social media or your local newspaper’s online comments. Mozilla Firefox and Google Chrome Web browser users can install an extension – among the many available from KeePass – to pass your credentials from your KeePass application directly to your Web browser.

This eliminates one of the big frustrations with complicated passwords: keying them into whatever login forms we have to navigate. It can handle multiple accounts for a single site, so that if you have two Google Apps accounts, you can select which one to log in with. Because KeePass is not Web-based, you do not need Internet access to get to your passwords, and can paste in passwords for your local systems – Excel spreadsheets, local firm databases, etc.

Eliminate Your Bad Passwords

Unless you are about 8 days old and just getting on the Web – and pretty precocious, if you’ve already gotten as far as Slaw – you already have lots of online accounts: Facebook, Twitter, email, banks, your kids’ grades at school, and on and on. You may not have been very good about creating new, difficult passwords at each of those sites. You MIGHT even have re-used a password at more than one site, or changed the strong password the site gave you for a weak one that you could remember.

Now that you have KeePass installed, you should take a moment at each site to access the change password function in your account. Using either the little gold key that appears when you have a Web browser extension installed, or the KeePass software itself, create a new entry for this site and generate a new, strong password for it.

You can make this simpler by going into your Web browser’s password function and exporting your passwords. Google Chrome users can try this free utility and Firefox users can add an extension. Once you’ve exported your passwords in plain text, an insecure file format, you can import them into KeePass from the file menu.

But, you might say, my Web browser already remembers these passwords. Why do I need KeePass for the Web? Because a Web browser may not always protect your passwords. Use an offline password manager and turn off – and answer No to – your Web browser’s password storage feature.

I’ve done this and it’s easy to accomplish for those sites you visit all the time. If you exported your passwords from your browser, that can give you a list of sites you need to visit. In my case, I took the opportunity to close and cancel all of the accounts that I no longer used. For those that wouldn’t allow me to cancel – like Starbucks – I created a very long password with KeePass to ensure that no-one could reuse the credentials in case Starbucks is ever breached.

That’s Not Enough

Strong, unique passwords on every site aren’t enough. When you finish work, even if you leave your computer on, close your password manager. I synchronize my password file to my online storage service so that it is copied to my other PCs. I can also download an updated copy to my tablet.

We are increasingly seeing two-step authentication, which hinders exploits that use social engineering or access to your e-mail box to reset passwords. If your service offers it, use it. Short of that, make sure your passwords and password management are at a level where you can confidently say to a client that you use strong passwords and aren’t relying on security through obscurity.

Comments

  1. Michel D Bellemare

    I have always been a bit concerned with LastPass web location as well. Thanks for the alternative, if other independent sources rate Keepass as safe and secure as can be, I will be a new adopter as well.

  2. I’m a huge fan of the cloud and cloud-based managers are probably fine for most people. But since the passwords are so key, I feel more comfortable with them offline or at least under my control, as much as that’s possible. I like Keepass because, like other open source apps, there is a technical community who can look at it more closely than I have the expertise to, and determine if it’s secure or not.

  3. I use 1Password and love it. I found this article about their security and what it takes to crack into their vault. Basically if you’re using a phrase, the amount of time to crack the password would render the task useless. It’s worth taking a look at to find out a bit more about encryption and how to create strong passwords.

  4. @David: Given Heartbleed, are you reconsidering the security of open source software?

    I’ve been looking at cloud-based and computer based programs recently, and tending towards a certain skittishness about things like cloud based legal accounting. I’m curious, though, that you mention backing up keepass via an online storage system. I’d worry that something like Dropbox would add the same – or an even higher – level of insecurity to the process as would using an online password manager in the first place.

  5. @ Anne V

    sorry for the tardy response. No, neither Heartbleed nor even the weirdness surrounding Truecrypt has impacted my feeling about open source. I might think differently if I didn’t get a weekly security patch Tuesday from Microsoft, but all software has problems. Open source at least is accessible to communities who will take care of it. OpenSSL has received some much needed attention and I expect will be stronger for it, with funding for developers.

    When I backup the Keepass file, it is closed and encrypted. It is then wrapped in Dropbox’s encryption. For me, a Web-based password manager is decrypted with the login password, which might be susceptible to OpenSSL or OAuth or other bugs. I prefer not having the master password for my passwords stored on any site.