Comment 8: How I Stopped Forgetting and Love the Password Manager
The ABA Rules of Professional Conduct, Model Rule 1.1 Comment 8 requires, “To maintain the requisite knowledge and skill, a lawyer shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” To that end, we have developed this regular series to develop the competence and skills necessary to responsibly choose and use the best technologies for your educational and professional lives. If you have any questions, concerns, or topics you would like to see discussed, please reach out to e.koltonski@csuohio.edu.
The Introduction
If we could travel back in time a few decades and explain life in 2002, one thing that would likely amaze those in the past is how much time and effort we spend on entering usernames and passwords to use the various programs and services that fill our working and personal lives. That is, of course, if we even think to bring this fact up to them as ‘logging in’ has become so ubiquitous that we rarely think about it anymore. Unless, of course, the process does not work. But there is an issue much worse than having to reset a password, and that is having a weak password. This installment will examine two major, but interrelated, topics:
Why having weak passwords and reusing them across accounts is a terrible idea (that we all do).
What we can do to make our accounts more secure.
The Limited Bandwidth Problem
This is not a recommendation that your home or office needs to pay an internet service provider (ISP) for more speed, but an admission that as humans we have definable limits. I can remember in the 1980s knowing about twenty or thirty phone numbers at any given time. They ranged from numbers that I called daily to those than I rarely ever used, but I could walk up to a pay phone; plop in a quarter; and dial without giving it a second thought. Today, I can barely remember my own cell phone number. The problem here is not that I’m getting old (not completely) but that I need to know way more phone numbers than I did back then. I rely on my ‘contacts’ app to remember all the phone numbers so that I can focus my attention on other things: like all the usernames and passwords that I must keep track of.
The Reused and Weak
Since I have dozens, and dozens, and dozens of accounts that means I have a lot of usernames and passwords to keep up with. To help us with organizing all this information we all, no matter how much we shouldn’t, end up making the simplest password that the sign-up page will allow and then reuse that same password all over the place. While organizationally this helps us save some brain power by not having to remember as much, doing this also makes our accounts less secure. Given the decidedly confidential nature of information for those who practice law, this poor bit of security hygiene can prove incredibly costly…both professionally and financially. A recent article by the Indianapolis Bar Association highlights several cases where data breaches have led to suits against lawyers and firms by their affected clients.
Imagine this hypothetical. You work at a firm that employs and on-site cybersecurity professional who has the budget available to properly defend the firm’s systems and data against outside intrusion. No system is hack-proof, but it would take a lot of really good cybercriminals a lot of time to get in. When you began at the firm you had to set up new credentials for services like the enterprise email system and the computer at your desk. “Another log-in,” you silently bemoaned, “I have my personal email password memorized. That’ll be perfect.” The problem is that an attacker found out that you started at the firm and, unbeknownst to you, your personal email credentials had been compromised and he found them online. The firm’s website provides your email address. The attacker uses that along with your personal email password that they found in the hopes of getting lucky. Just like that, they have access to your firm. Now some angry clients are preparing to sue.
Not that a cybercriminal needs to search around hoping to find a compromised account to try and use. A fairly common password scheme requires: Seven characters with an uppercase, lowercase, number, and symbol. An attacker may be able to crack this password in about six minutes. While no password is technically unhackable, it may take up to five years if you used the previous scheme with ten characters. In other words, what we see here is that you want each password to be both complex (namely long) and unique to each account. But how do we remember all of this?
The Management Solution
It ends up that you can make all your accounts more secure and make it easier for you to remember your logins if you use one simple product: a password manager. This tool will help keep track of your accounts and will generate extremely complex passwords for them. Password managers are just really fancy spreadsheets. You won’t be on the hook for remembering all this information, though, as all you need to remember is the username and ‘master password’ for the password manager. From there, and depending on which service you choose, you can either copy-and-paste your credentials or it will autofill your credentials if your manager integrates with your web browser: usually through an extension. With many managers it is also possible to integrate them with multi-factor authentication tools to make things even more secure. Several also allow you to install the app and sync it across devices, so that you can use it from your phone and your computer.
There are a few things to consider when considering a good password manager, and I highly recommend researching the possibilities before choosing. While some web browsers have even begun integrating password management, they are not a very secure. There are some good free password managers but they tend to have some or all of the following issues: they are less secure, they have limited features, they are complicated to use. The paid managers, especially if you are not buying for a whole office, are incredibly reasonably priced considering the protection that they offer.
The TLDR
We have to remember too many passwords so we make them weak and reuse them. Weak and reused passwords can make you an easier target for cybercriminals and losing client information could cost you or your firm both professionally and financially. Password managers make our accounts more secure and give us less to have to remember.