How Secure Are Your Passwords?
The two things everyone using computers is supposed to do are: back up regularly and create difficult, changing passwords. The two things that nearly everyone using computers fails to do are: back up regularly and create difficult, changing passwords. Now, the business about backing up wouldn’t apply to computers used in law offices (would it?). But it’s not so clear that all firms and lawyers in those firms have got a good password policy in place.
We’ve talked about this on Slaw a couple of times recently. John Gregory asked whether a failure to set proper — i.e. complex — passwords implies a reduced expectation of privacy. And David Bilinksky examined the Arizona State Bar’s ethics opinion on security, which provided among other things that lawyers should “assign unique randomly generated alpha-numeric names and passwords to each online client folder. . . . The password would not be the same as the client folder name.”
A proper law firm password policy is part of a larger computer security plan that should be discussed with a security expert. I’m not about to provide one here in a blog entry. But I can talk a little about what goes into making a good password and point you to various ways of creating them — just in case you or your firm have been meaning to fix things up but haven’t quite got around to it yet.
Generating a fairly secure password that’s good enough for most client work isn’t difficult: you can use one of the many random password generators around. For example, PCTools online generator can toss out one that’s anywhere from 8 to 64 characters long and that includes mixes of the available keyboard options (uppercase/lowercase; numbers/letters; punctuation). Here’s a 14 character product: Phu?!c7E&uwRub (Microsoft’s Online Safety site, a good primer on making a secure password recommends at least 14 characters.)
So making is easy. Remembering or being able to retrieve a password like this (and a unique one for each file, document, etc.) is another thing. The password generator used above also gives you a phonetic run that you might use to memorize the password. Thus, the password above is pronounced: “PAPA – hotel – uniform – Question – Exclamation – charlie – Seven – ECHO – Ampersand – uniform – whiskey – ROMEO – uniform – bravo”. Too bad there’s no way to pronounce capital letters.
Some people write them down, of course. Daft, if it’s on a sticky. But the only way, really, if you’ve got hundreds and hundreds of unique, unmemorable passwords. Except that they’ll be written to a computer drive somewhere and locked up with — a password. There has to be a memorable or accessible system for getting to the unmemorable and otherwise inaccessible keys. In a sophisticated law office system, much of this can be handled with software, allowing and denying access thanks to the computer’s infallible and deep memory. But whether at the level of the big firm or the solo practitioner’s laptop it will always come down to a password protected way into the system. The sysadmin knows.
Where you’re the sysadmin of your own small computer farm, you need to develop a practice of making and changing regularly complex passwords. The web is full of advice about how to make passwords that are difficult to crack but (relatively) easy to remember. See, for example, this WikiHow site. And doubtless, if you’re not using your brother-in-law’s name, you’ll have come up with your own cunning code. If so, test it on Microsoft’s Password Checker to see how safe it is. My own efforts range from “weak” to “medium.” But I do back up regularly.
I like the technique of using not easy to guess lines from literature or nursery rhymes combined with a number and a question mark. They are easy to remember. Here is a (not so good) example – I didn’t want to give out my good examples:
Bswltywb?IiteaJits123
But, soft! what light through yonder window breaks?
It is the east, and Juliet is the sun. 123
This example contains both upper and lower case, letters and numbers and a question mark.
I think the threat is exaggerated in most cases, especially if one has a system that closes down attempts to guess a password after a few attempts fail. So you don’t need something that will resist a dictionary attack by a computer. And a truly random character detector can get through a lot of combinations in a day or so. Are you trying to defeat the office snoop, a somewhat interested thief, or the RCMP? (Which demonstrates that all security is a threat/risk assessment.)
The more often one has to change the password, the more likely it is that one will write it down. Even Bruce Scneier, the security experr (not to say guru), has recommended writing down passwords and locking them somewhere safe. He has also written a way to keep passwords secure in a computer.
If the computer shuts down every five or ten minutes if it’s idle, and you have to enter the password to bring it up, many people will find it a nuisance to have to type in a string of 14+ random characters.
I tend to use songs rather than Ted’s nursery rhymes, and not that many characters. But there are millions of songs (just ask iTunes), and they tend to have more than one line… So Y,amtssfa – Yesterday, all my troubles seemed so far away (of course if you get the line wrong, you’d better remember your mistake consistently!) Then you can keep a clue that will not tell people the song (especially if they don’t know that you use songs…) – something on a yellow sticky (on the side of my third drawer, not on the monitor) saying Y3? can remind me, but not the thief, that I’m currently using the first letters of the words in the third line of Yesterday with a question mark at the end. YOu could use the second letter, or the last, but could you sing it along and enter the password quickly to get your screen back?
Add complications to taste – but only for the serious passwords, not to read the NY Times…
Simon:
I am a bit late to this party..but since I work on a Mac most of the time, I use the built-in utility called “Keychain” that comes with OS X to store all my passwords, etc.
You only need to remember one password – that being to get into Keychain…then it records all the other information that you need – certificates, user names ..and those pesky but secure passwords.
There is a good blog article on using the Mac Keychain here: http://www.mactipsandtricks.com/tips/display.lasso?mactip=125 that also discusses how secure the Keychain is on the Mac.
Cheers,
Dave
Greetings:
PC Tools (the maker of Spyware Doctor and PCTools Internet Security along with iAntivirus for the Mac) issued their latest e-newsletter today on this subject (you can sign up for their newsletter here):
How secure is your password?
With most websites requiring you to create an account, do you find yourself in a bit of a pickle when it comes to inventing passwords? Many people use the same password for all their online accounts and often forget the password they came up with months ago. Hands up who doesn’t feel like banging your head against the wall trying to remember the password you created months ago?
Let’s face it – everyone has problems with creating and remembering secure passwords. That’s why we decided to help.
Tips on how to create and remember your passwords:
• Use the first letters of a sentence that you will remember,e.g. “I have 3 cats: Fluffy, Furry and Shaggy” gives: Ih3c:FF&S, or “Bouncing tigers have every right to ice-cream” becomes: Bther2I-C.
• Take the name of the website and then add your personal twist, like your height or your friend’s home address (e.g. “AmazonOceanRd6’2”). Avoid using your own contact details like your phone number or house number.
• Remove the vowels from a word or phrase e.g. “I like eating pancakes” becomes: Ilktngpncks”.
• Use a phrase from your favourite book and then add the page, paragraph or chapter number.
The Do’s and Don’ts of creating passwords
Do:
• Mix letters, numbers and symbols, and use case sensitivity (upper and lower case letters)
• The longer the better. Use passwords that are longer than 6 characters.
• Change your passwords at least every 60 days, cycling the numeric values up or down makes the new password easy to remember.
• Try copying and pasting at least some of the characters in your password that way keyloggers won’t be able to track your keystrokes.
Don’t:
• Don’t use words or phrases or numbers that have personal significance. It is very easy for someone to guess or identify your personal details like date of birth.
• Avoid writing your password down, use a reputable password manager to manage all your passwords.
• Don’t use the same password for several logins, especially if they involve sensitive financial or other personal information.
• Don’t tell anybody your password.
• When registering on websites that ask for your email address, never use the same password as your email account.