The subject of passwords is one that is both fascinating and frustrating to me. We know that it’s getting easier and easier for hackers to crack our passwords; just three years ago, a nine-digit password would take 44,530 years to crack, but today that same password can be cracked in less than a day, according to Passfault. And yet, when I mention this in speeches that I give, lawyers invariably give a heavy sigh, roll their eyes, and promptly tune out. I know what they’re thinking: “12 digit password? It’s hard enough for me to remember the name of my dog and the numbers 123!” The idea of coming up with a different, really complicated password for every site we visit is just too overwhelming for most people – so they continue to use the same short, repetitive, simple passwords they have used for years.

So we shouldn’t be surprised to find out that the retailers where we set up our passwords are acting as enablers, allowing us to continue this practice of weak password-setting. In a new report out from password manager service Dashlane, the company found some pretty amazing practices among the Top 100 online retailers. Among the findings:

  • 55% of the stores still accept notoriously weak passwords like “password” and “123456” (seems like if the other 45% don’t allow it, this should be a simple problem to fix)
  • 51% still allow you to keep trying out password after password even after 10 unsuccessful attempts. What this means is that the “brute force” hacker can keep beating away on the lock, until it finally finds a password that will unlock the door.
  • 61% do not provide any guidance when setting a password, and 93% do not provide a password strength assessment. I would guess that those Password Strength meters are able to shame at least some people into setting a stronger password.
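The three findings above map onto three server-side controls a retailer could add: a block list for notoriously weak passwords, a strength score to drive a meter, and a lockout after 10 failed attempts. The example below is added here to illustrate those controls; it is not code from the post or from Dashlane, and the block list, the 12-character floor and the 15-minute lockout are constructed assumptions.

```python
import math
from dataclasses import dataclass, field

# Constructed block list of weak values like those the report says 55% of retailers still accept; a real deployment loads thousands of breached passwords.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein"}
MIN_LENGTH = 12           # assumption: the 12-character floor the post mentions
MAX_FAILED_ATTEMPTS = 10  # the report's threshold for refusing further attempts
LOCKOUT_SECONDS = 900     # assumption: lock the account for 15 minutes

def check_password_policy(pw: str) -> list[str]:
    """Return the policy violations for a proposed password (empty list means accepted)."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password block list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems

def estimate_strength_bits(pw: str) -> float:
    """Rough strength-meter score: log2 of the search space implied by length and character classes."""
    classes = 0
    if any(c.islower() for c in pw): classes += 26
    if any(c.isupper() for c in pw): classes += 26
    if any(c.isdigit() for c in pw): classes += 10
    if any(not c.isalnum() for c in pw): classes += 33
    if classes == 0 or pw.lower() in COMMON_PASSWORDS:
        return 0.0  # a block-listed value is weak regardless of its length
    return len(pw) * math.log2(classes)

@dataclass
class LoginThrottle:
    """Per-account failed-login counter that locks the account after MAX_FAILED_ATTEMPTS."""
    failures: dict = field(default_factory=dict)      # username -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # username -> unix time the lock expires
    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Count one failed login; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0  # start fresh once the lock expires
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)  # a successful login resets the counter
```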

Interestingly, most of the sites mask your password as you enter it, which actually does very little to secure it – as a general rule, the password blank on a website is not insecure, unless someone is looking over your shoulder as you enter it.

Security Expert Steve Gibson of Gibson Research Corporation took the data and put it into this great spreadsheet. Take a look and see how your favorite online retailer fared. Spoiler alert: it doesn’t look too good for Amazon, Walmart, or Dick’s Sporting Goods.

There’s no good solution to this problem yet, but it’s not for lack of trying. Google declared last year that “Passwords are Dead,” and companies are already using fingerprints, pictures, and even winking to avoid password-based access, with mixed results. Google talks about eventually moving to hardware token-based authentication, but we’re not there yet. Two-factor authentication is also a good way to secure access to websites – but try telling that to a lawyer who already has to remember a complex password. “Now you want me to use a 6-digit number on top of a password?”

So what do lawyers do now? I’ll come back to the best, easiest way to create and manage secure, complex passwords: the password manager. There are several password managers out there, including:

I’m not going to spend time comparing these tools with one another – although I’m partial to LastPass and 1Password, all of them will do a good job helping you to select and manage passwords. Just pick one and start using it.

In the next post, I’ll show how I use LastPass, so you can see how the workflow is easy and fast once you get the hang of it. In the meantime, let me know what you think – is this an issue that’s being blown out of proportion? If you don’t use a password manager, why not? Share your thoughts in the comments.

  • James Brashear

    Some big firm lawyers may not use password managers because their IT security folks don’t authorize those applications on the firm’s devices. Other lawyers may not use password managers because they don’t want to invest the time to learn new software or think they have to separately enter their credentials – and don’t appreciate how convenient password managers can be.

  • James Brashear

    One feature I’d like to see in password managers is an automated way to periodically change passwords.

  • TomMighell

    I agree that for most lawyers it’s a matter of education. But I can’t believe that law firm IT wouldn’t allow a simple extension in a web browser. Granted, I am continuously surprised at what IT in law firms will and won’t allow, but I would think a browser extension would be a minor issue.

  • Hadley V. Baxendale

    My Nymi is coming soon and thus, the answer to this problem. Until then, I faithfully rely on LastPass.

  • TomMighell

    I was not aware of the Nymi, but it looks interesting. I see that it helps with access to devices, but does it also work with individual websites you access in a browser? Does it wirelessly transmit the password to your device?

  • Hadley V. Baxendale

    Tom, my understanding is that Nymi will transmit your biorhythm, not a password, so I suspect that it will work on individual websites if the websites are set up to require authentication.


  • http://www.green-transportations.com/rates-reservation.php Taxi Berkeley

    If this is what can happen to someone using good passwords, what do you think can happen to you when you use crappy passwords?

  • Green Taxi Berkeley

    If the threat of losing irreplaceable photos of your family isn’t enough to frighten you into good password practices, then how about a potential malpractice suit? I haven’t researched it, but I bet it isn’t too hard for a judge or jury to conclude that a lawyer is negligent for using an easily hackable password that leads to disclosures harmful to a client’s financial interests.
