Comment 8: An annual reminder for law students and the legal community to protect themselves and make life easier
Despite what the weather has been telling us, fall is coming. It’s around this time of year that I choose to plead with you all to start using a password manager. Get ready for the rant.
Why do I need one?
Our modern society has developed around the need to log into devices and services multiple times a day. On an average day, I’m logging into something well over a dozen times. That’s a lot for me to remember, just as I’m sure it is for you. To help lessen the strain on our memories we’ve all (yes, all) developed a nasty habit of reusing log-ins (i.e., usernames/passwords). While this is a useful way to avoid memorizing dozens of credentials, it also puts our accounts at greater risk.
Why is this risky?
There are two reasons why this is risky. First, say you use the same credentials for NYT Online and your bank. One day something happens and the username and password information is exfiltrated and ends up for sale on the dark web. Now it’s just a matter of time before a hacker gets access to your bank account. A very short matter of time. What other accounts did you use those recycled credentials for? Those are just waiting to be taken over by cybercriminals.
Second, if you are worried about remembering your sign-ins then you’ll likely make your password simple and easy to remember. This leads to passwords that are either easy to brute force (using a computer to guess passwords super fast) or too easy to guess or figure out. Think the day your child was born, the street you grew up on, or the day you got married are safe passwords? All those things are discoverable in public records.
How can a password manager fix these risks?
Password managers (PMs) are designed specifically to minimize the risks above. Because the PM remembers your credentials for you, you are free to use complex and unique passwords for every account you have. Want to use a 25-character-long password that utilizes upper and lower case letters, numbers, and symbols? Done, as long as the site/app allows you to do that.
Quick caveat: Just like providers will set minimum password requirements, many also set maximum limits and other restrictions. For example, many sites will set a sixteen-character limit and restrict certain symbols like ‘;’. There are technical reasons for this, but they’re unimportant for you other than being aware.
Want a unique username for every site/app that allows it? Done. You see how we’re minimizing risks left and right. Honestly, after you get it up and running, all you’ll need to remember is the credentials for the PM!
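For the technically curious, here is a sketch of what a PM's password generator does with the site limits from the caveat above. This is an added example, not part of the original post and not any particular product's code; the function names and the two site policies are assumptions made up for illustration.

```python
import math
import secrets
import string

# The four character classes mentioned in the post: lower, upper, numbers, symbols.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def alphabet_size(banned=""):
    """Number of distinct characters left once a site's banned symbols are removed."""
    return sum(1 for cls in CLASSES for c in cls if c not in banned)

def generate_password(length=25, max_length=None, banned=""):
    """Random password with at least one character from every allowed class."""
    if max_length is not None:
        length = min(length, max_length)      # honour the site's maximum
    pools = ["".join(c for c in cls if c not in banned) for cls in CLASSES]
    pools = [p for p in pools if p]           # drop a class the site bans entirely
    if length < len(pools):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(pools)
    # One guaranteed character per class, the rest from the whole alphabet.
    chars = [secrets.choice(p) for p in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the OS random source so guaranteed characters are not
    # stuck in the first positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def entropy_bits(length, size):
    """Approximate guessing work, in bits, for a uniformly random password."""
    return length * math.log2(size)

if __name__ == "__main__":
    # Constructed policies: an unrestricted site, and the 16-character,
    # no-';' site from the caveat.
    print("unrestricted:", generate_password())
    print("restricted:  ", generate_password(max_length=16, banned=";"))
    print("25 chars, full set:   %.0f bits" % entropy_bits(25, alphabet_size()))
    print("16 chars, no ';':     %.0f bits" % entropy_bits(16, alphabet_size(";")))
    print("8 lowercase letters:  %.0f bits" % entropy_bits(8, 26))
```

Even the restricted 16-character password is far outside brute-force range compared with a short, memorable one, which is why the site limits are only a minor inconvenience.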
Sounds inconvenient.
Actually, the opposite is true. PMs will connect to the URL or app and autofill the information with ease. Almost all of them have extensions for major browsers which allow you to access your saved credentials from anywhere, either by syncing through encrypted connections or by carrying a copy of your PM’s database (which is less convenient but technically safer).
Further, if you are in a managed environment (work, school, etc.) you won’t need to contact IT if you find yourself forgetting an important password the moment you need it. Because now a computer is remembering it for you.
This…is sounding pretty good. Which one should I get?
I know, right? But here’s the part that might frustrate you: I rarely give recommendations. There are lots of “best of” review lists that will give you all the information. A Google search will help you know if any PMs have been compromised in the past and how badly. Finally, I will give you some important things to consider:
1) Do not, I repeat, do not use free password managers. An old axiom says: If you’re not paying for the product, then you are the product. PMs are cheap and worth every penny. The PM I use is $3/mo. If you are a techie person you’re probably saying, “I know x, y, z free password managers that are great!” I agree with you completely, but they tend to be a little more complex for the average person.
2) Don’t jump on an app store and start using a PM without doing the research discussed above. Cybercriminals will create apps that appear to work as advertised but are really designed to steal your credentials and infect your device. Select a PM from a company that you trust.
3) Do not use the PMs built into your web browser. They are notoriously unsafe even when they are encrypted.
4) Try asking your friends, family, colleagues, or the IT at your work or school if they have recommendations. There’s a great chance they’ve done some of the same leg-work and can help you decide.
As law students and law professionals, you are busy and your brains are overworked. Use PMs to free up some of your memory for that hard work you do.
—
The ABA Rules of Professional Conduct, Model Rule 1.1 Comment 8 requires, “To maintain the requisite knowledge and skill, a lawyer shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” To that end, we have developed this regular series to develop the competence and skills necessary to responsibly choose and use the best technologies for your educational and professional lives. If you have any questions, concerns, or topics you would like to see discussed, please reach out to e.koltonski@csuohio.edu with “Comment 8” in the subject.