We can’t function without passwords. So much of the internet is built on the concept of a username plus a password that the concept is core to users’ internet experience. It’s a clever but imperfect system that could certainly be improved upon, but until a game-changing replacement comes along, we have to play the game.
There’s a lot that doesn’t work very well about this system, and many people have questions about what password management best practices are. To that end, here’s a Q&A about passwords and password management.
What’s the biggest problem with how people use passwords?
The biggest problem with internet passwords is password management. Users have dozens if not hundreds of username/password combinations that they need for personal and business use. The problem with this is that nearly no one can reliably remember one hundred unique passwords. Many users, then, select overly simple (and easy to guess) passwords, or they reuse passwords across many sites.
What’s wrong with reusing passwords?
We live in a world of data breaches. When (not if) someone hacks your favorite retailer or hotel chain, it’s embarrassing for those companies, but probably doesn’t affect your life too much. If the culprits gain access to your username and password for those sites, it’s a nuisance, but the amount of damage they can do is limited.
But when your hotel rewards password is the same as your credit card password and your banking password, you could have a mess on your hands. Scammers know that at least 51% of people reuse passwords, and you can bet they’ll try those stolen passwords on other, more valuable sites.
What makes a strong password?
A strong password is one that neither human nor machine can guess easily. Forbes compiles an annual list of the worst passwords being widely used, and it’s topped with gems like password, 123456, and qwerty. These are terrible because they’re just about the first things a human might guess. Other bad choices on the human front are the names of people, pets, or places that everyone knows are meaningful to you.
On the machine side, the shorter and simpler the password, the easier to hack. Make your password harder to brute-force by adding length, capital letters, numbers, and symbols. A password of 12 to 16 characters that mixes all these character types is generally considered a strong password.
I just keep my passwords on a sticky note. What’s wrong with that?
In short, everything. A sticky note hidden under your keyboard isn’t exactly a state secret. Think about who might have momentary access to see that sticky note. Clients? The cleaning crew? Maintenance personnel? Who else? This is especially disconcerting in the legal world, where those passwords could give a bad actor access to confidential materials that are under attorney/client privilege.
How can I remember passwords like j#%3M82*mRz!+?
Truthfully, you probably can’t. While that’s a tough password to crack, it’s not very useful for you. A better approach is to take a phrase that you can remember (perhaps one that relates in some tangential way to the site you’re on), and then make the phrase longer and more complex.
For example, iloveturtles is an easy phrase to remember, but it’s not that challenging to guess or to crack. Mix up the phrase by adding replacement characters, like <3iL0v3TurtleS<3, and neither your office mate nor a computer will easily guess or break your password.
Admittedly, this method has limits. Your own memory can be an obstacle, and sites vary with which characters they’ll allow in passwords.
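To make the two rules above concrete (length plus a mix of character classes, and mutating a memorable phrase), here is a small strength estimator added to this post; it is not code from the original article. The attacker guess rate, the symbol alphabet and the three-entry worst-password list are assumptions chosen for the illustration.

```python
import math
import string

# Constructed list of the three worst passwords the text names. Assumption: a real
# check would use a full breached-password corpus, not three entries.
WORST_PASSWORDS = {"password", "123456", "qwerty"}

# Character classes an attacker must cover. Assumption: "symbols" means the 32
# printable ASCII punctuation characters.
CLASSES = [
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
]

# Assumed offline guess rate against a fast hash (illustrative, not from the text).
GUESSES_PER_SECOND = 1e10


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return [name for name, chars in CLASSES if any(c in chars for c in password)]


def charset_size(password):
    """Size of the alphabet a brute-force attacker has to enumerate."""
    return sum(len(chars) for name, chars in CLASSES if name in classes_used(password))


def brute_force_bits(password):
    """log2 of the search space: length * log2(alphabet size). Note this overstates
    the strength of dictionary phrases such as 'iloveturtles', which a wordlist
    attack finds far sooner than exhaustive search would."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Years to try every candidate at the assumed rate."""
    return 2 ** brute_force_bits(password) / rate / (365.25 * 24 * 3600)


def classify(password):
    """(bits, verdict) using the text's rule of thumb: 12+ characters mixing all
    four classes is strong; anything on the worst list is rejected outright."""
    if password.lower() in WORST_PASSWORDS:
        return 0.0, "worst-list"
    bits, n = brute_force_bits(password), len(classes_used(password))
    if len(password) >= 12 and n == 4:
        return bits, "strong"
    if len(password) >= 8 and n >= 3:
        return bits, "moderate"
    return bits, "weak"
```

Running `classify` over `iloveturtles` and `<3iL0v3TurtleS<3` shows the jump from about 56 bits (one class) to about 105 bits (four classes) that the substitution trick buys.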
I can’t remember 100 unique, complex passwords. What are my options?
Passwords need to be complex, and you shouldn’t reuse them from site to site. This creates a problem: Who can remember them all? One option that’s gaining a lot of traction in both the personal and enterprise markets, including in the law and legal tech fields, is using a password management tool. You’ve likely seen these advertised as “the last password you’ll ever need” or “one password to rule them all”; stuff like that. Password management tools are a reliable, secure way to generate and remember unique, complex passwords for all the sites and accounts you have.
How does a password management tool work?
Password management tools vary a little bit in terms of functionality, but at the core the services are similar.
After you’ve completed these steps, you’ll have just one password to remember—the password to your password management tool. It will store the rest of your credentials in a secure, encrypted vault and use them to log you into whatever account you need.
Are password management tools secure?
Yes. The companies offering these tools would be sued out of existence if not. Don’t believe us? Check out what a panel of experts has to say on the topic.
If you have additional questions about implementing a password management tool in your law office, contact us today. We’re here to help.