Do passwords still matter? Isn’t it true that if an attacker really wants to, they can crack any password? Many lawyers have been asking this in recent years, frustrated by ever-changing advice on what constitutes a “safe” password. Yes, passwords do matter. Now is not the time to throw in the towel and become “low hanging fruit” for hackers.
Lawyers should take reasonable steps to create and use secure passwords to protect client confidentiality and safekeep client property. (Rule 1.6 Confidentiality of Information, Rule 1.15 Safekeeping Property, SCRPC.) In 2012, ABA Model Rule of Professional Conduct Rule 1.1, Comment 8 was amended to advise that lawyers also maintain competence by keeping “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Since, then at least 37 states have followed suit with similar amendments.
It’s true that there are such things as “bad” passwords. There are numerous lists of most hacked or “worst” passwords on the internet, including one by the UK National Cyber Security Centre https://tinyurl.com/rrgycfk. “123456” consistently tops all lists as the most commonly used password, followed closely by “qwerty” and “password.”
Many online accounts force certain requirements on users – a minimum number of characters, an uppercase, a lowercase, a symbol, a number. This requirement can offer limited protection if you use a password like “trustno1” or “v3r!Fy.” Password crackers know to look for common substitutions for letters.
Hackers use data from frequent corporate and website data breaches to perform “credential stuffing” – where hackers use stolen username and password credentials and try to login to other websites with those same credentials. Often, they are successful.
Keeping in mind that what constitutes a strong password changes without warning and can even vary depending on the situation, here are a few tips:
- Use Passphrases as Passwords – We listed some examples of problematic passwords above. A better password solution involves entropy, which is a lack of order or predictability, using passphrases – not a recognizable quote, but a string of words or text you can remember. Gary likes the “Diceware” method, which uses dice to come up with passphrases. A person rolls a set of five dice, each of which produces a random number between 1 and 6, and then matches the dice roll results with a list of predetermined words. The method is described in this Medium.com post: https://tinyurl.com/w4n9y7a. Courtney prefers to make up her own unique passphrases.
- Never Reuse Passwords – In a February, 2019, Google/Harris poll of three thousand adults, sixty-five percent of the respondents reuse a password for one or all of their online accounts. As noted earlier in this article, hackers use information from breached web sites to perform “credential stuffing” to access accounts on other online web sites. You should never reuse a password for any online site. In late 2019, Google announced “Password Checkup,” a new Chrome extension that warns you if the username and password you’re using were stolen in any data breaches and then prompts you to change them if they were.
- Ideally Use a Password Manager – The best solution as far as organizing your password security is to use a password manager. Password managers are software applications that allow users to generate, store, and retrieve secure passwords for various online sites. Most password managers allow the generation of passphrases as well. Many password managers have smartphone apps and browser plug-ins so that you can easily retrieve a password. You only need to remember your master password to access the password manager. PCMag.com does an annual roundup of password managers. Most have a very reasonable annual fee. There are free versions available, but most limit the number of passwords you can save, and the terms and conditions can vary. As a general rule, Courtney recommends that lawyers not use free software or apps, but buy the pay version. Gary likes 1Password https://1password.com, and Courtney uses LastPass https://www.lastpass.com.
- Use Two–Factor Authentication Whenever Possible – Two-factor authentication is the means of using two different types of information to login to an online account, such as a password, a PIN sent by text message or authenticator app, or a fingerprint/biometric. Most people are already familiar with two-factor authentication with online banking or cloud-based storage web sites. Enable two-factor authentication whenever possible with your online and cloud-based providers. Visit Two Factor Auth https://twofactorauth.org for a list of websites that do and do not support two-factor authentication.
Ronald Rotunda, in his February 2018 article for Justia “Lawyers, Passwords, and the Obligation to Keep Clients’ Secrets” https://tinyurl.com/vz9mess, summed up password security: “When we take these precautions, the modern-day equivalent of a deadbolt, we will know what to say when the client asks, “What are you doing to keep my information secret?””
By: Gary Moore
Assistant Dean for Academic Technology
University of South Carolina School of Law
SC Bar Technology Committee
Courtney Troutman, Director
SC Bar Practice Management Assistance Program
Liaison to the SC Bar Technology Committee.