Click here to go back to the Law Practice Management Section Home Page
Click Here for Marketing Resources Click Here for Management Resources Click Here for Technology Resources Click Here for Finance Resources
Law Practice Nameplate

Tips & Tricks | Don't Be Passé With Passwords: Best Practices for Staying Safe

You’re careful with the keys that open your front door and the ones that start your car, of course. But what about your computer passwords, the keys that “unlock” your information systems? Are they safe?

FROM: July / August 2005, PAGE 27 BY: Dan Pinnington

We all have more passwords than we can remember. This tends to make us a bit lazy. We use obvious and easy-to-remember ones—even the word “password” itself. Or worse, we don’t use passwords at all. Bad password habits are often the weakest link in data security schemes.

So for this issue, here’s a nudge to use passwords more effectively. Let’s review the steps you can take to create passwords that are harder to crack and to otherwise protect the confidentiality of your passwords from others’ prying (and not-so-prying) eyes.

How to Create Strong Passwords

You can’t just use any old password. It shouldn’t be anything that’s obvious and easy to guess, such as your name, your mother’s or father’s name, your pet’s name or so forth.

Why?

Password-cracking software tools continue to improve, and the much more powerful computers we have today only assist them. Some password-cracking tools use dictionary attacks. They simply try a list of words—such as, for example, commonly used English words and names.

In addition, there are automation-type tools that try every possible combination of letters and other characters. Given enough time, the automated method can crack any password. Consequently, passwords that once took weeks to break can now be broken in hours by the best cracking tools on a fast computer. So you need to get more crafty and cunning.

You have to pick a password that is hard to break because it isn’t obvious or hackable. This is called a “strong” password. For a password to be strong, it should meet the following criteria:

  • Not be a common word or name
  • Not contain your name or your computer-user name
  • Be significantly different from any passwords you have used previously
  • Be at least seven characters long—and longer is even better
  • Contain at least one character from each of the following four groups:
    • Uppercase letters (A, B, C …)
    • Lowercase letters (a, b, c …)
    • Numerals (0, 1, 2, 3 …)
    • Symbols, meaning all characters not defined as letters or numerals (including ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : “ ; ‘ < > ? , . /)
  • Have at least one symbol character in a position other than the first and last spot

Can You Keep a Secret?

Even the strongest passwords don’t work if they aren’t secret. Unfortunately, people get careless and don’t always keep their passwords confidential. Here are the things you can do to keep your passwords secret.

Don’t tell anyone your passwords, under any circumstances. And make sure no one is looking over your shoulder when you’re typing in a password. If more than one person knows about something, it isn’t a secret anymore. We all learned that lesson in third grade.

Never write down your passwords, especially on little notes posted to your monitor. Is this not the same as leaving your car keys in the ignition? Of course, there are no notes on your monitor. But take a walk around your office and see how many passwords you find on little notes taped up in plain sight. You will find some, I guarantee it.

Okay, I’ll be realistic here. If you absolutely have to write down some of your passwords to remember them, don’t write them out exactly. Write them out so they have to be translated in some way. Add or delete a character, transpose letters, or vary them in some other consistent way that only you can figure out.

And don’t save them on your hard drive. It is not uncommon for people to have a Word or WordPerfect file with all their passwords in it. But this file is dead easy for others to find—especially if it’s called password.doc or otherwise contains the word “password.”

Okay, more realism. If you must store passwords on your computer, use a password manager utility like RoboForm (www.roboform.com) or Password Manager XP (www.cp-lab .com). These programs store your passwords in an encrypted form so that they can’t easily be accessed.

Other Warning Shots

No, I’m not done yet! I have just a few more admonitions for you. Don’t use the same password for everything. This is just so tempting, but so dangerous. Anyone who figures out your password gets easy and instant access to your entire system. Use different passwords for different programs, especially for very sensitive things like your network log-on, remote access to networks or bank account log-ons.

If you even suspect that a password has been compromised, change that password immediately. In addition, you should change all important passwords every 60 to 90 days as a matter of course. This will foil a lurker that has your password (or passwords) unbeknownst to you.

And be wary of dialog boxes that present an option to save or remember your password. These can appear in your Web browser and in dialog boxes for remote access or telephone connections. By selecting this option, you give unchallenged access to these things to anyone sitting down at the computer.

In sum, take care with your passwords. They are key to protecting your confidential personal and practice information.

LAW PRACTICE MAGAZINE TIPS TEAR-OUT

To protect the confidentiality of your passwords:

  • Don’t let anyone see you type in a password, and don’t tell anyone your passwords.
  • If you absolutely have to write down passwords, write them out so they have to be translated in some way.
  • Don’t save passwords on your hard drive unless you use a password manager utility.
  • Use different passwords for different programs, and especially for very sensitive things.
  • Change any compromised password immediately, even if you only suspect it has been compromised.
  • Change important passwords every 60 to 90 days.
  • Don’t let Windows cache your passwords.

To create strong passwords:

  • Don’t use a common word or name—especially your own name.
  • Make them significantly different from passwords you have used previously.
  • Make passwords seven or more characters long—using a mix of uppercase and lowercase letters, plus numerals and symbols.
  • Have at least one symbol character in a position other than the first and last.

—Dan Pinnington

Dan Pinnington (mrtechtips@gmail.com) heps lawyers avoid malpratice claims and looks for good tech tips in Toronto, ON. He is a member of the ABA TECHSHOW Board and an editor of the Law Practice Today Webzine.