Passwords: can’t live with them, can’t live without them. In this month’s Law Technology Today roundtable, we dive into the complicated worlds of passwords and password management. How does your approach to passwords compare to what our experts share? There are lots of great tips and ideas in this conversation.
The large number of participants in this discussion—we could barely fit them around the roundtable—is a testament to how important password management has become and also shows how much there is to learn about taking charge of your passwords.
In this month’s Law Technology Today Roundtable, ten members of the LTRC Board—Chad Burton (CB), Steven Embry (SE), Dennis Kennedy (DK), Sofia Lingos (SL), Britt Lorish (BL), Tom Mighell (TM), Josh Poje (JP), Mark Rausch (MR), Allison Shields (ASH) and Aaron Street (AST)—answer five questions about password management.
As always, the discussion is practical, wide-ranging and thought-provoking.
What does “password management” mean to you?
ASH: Today, almost everything we do requires a password, especially online. But passwords alone aren’t enough to keep your information safe—hacking is a daily occurrence, so it is important not only to have strong passwords, but also to have unique passwords for each different platform, tool, account, etc. It is impossible to remember all of these passwords, particularly if they’re strong passwords. Password management, to me, means all of the above: having strong passwords unique to each account, and storing those passwords in a way that makes your access to them easy, but keeps them encrypted. In other words, don’t keep a list of passwords in your desk drawer, in a file on your computer named “passwords,” on a post-it in your wallet, or anything else like that.
SL: Everything electronic these days has a “password” with varying requirements and restrictions—eight characters, numbers / letters / symbols, change every six months, never to be repeated. We have passwords we share with clients and colleagues, information that requires a higher level of security and those reused over numerous platforms. Password managers are tools that create strong, encrypted, and unique phrases to provide a higher level of protection, accessed with a master password—which is the only one you need to remember.
SE: I think of it simply as a method for storing, generating, and retrieving multiple passwords securely. It doesn’t necessarily have to be a software or online solution. Simplistically it could even be done on paper, although I wouldn’t recommend that for a whole lot of reasons. Today we typically think of password management as the software or online solutions that offer much more than secure password storage. These solutions offer other convenience features like online form fill, secure storage of other sensitive data like credit cards, social security numbers, and secure notes. These additional benefits of a password manager allow for creating strong, unique passwords for all your accounts without the inconvenience of having to know what they are, or even enter them in manually. With these solutions, the only password you need to know is your master password.
JP: Password management is about preserving your sanity. A tech-savvy lawyer can easily have hundreds of usernames and passwords spread across their digital life. I’m at 406 as of today! Following best practices in password creation/organization across all of those logins can be maddening.
AST: Password management software creates and stores complex passwords in a secure system so that you can use unique and difficult-to-crack passwords for every site you use, without needing to remember them.
BL: To me the term “password management” refers to a software application that organizes and stores a user’s passwords and login information for other applications and websites. Those passwords are typically encrypted and protected by a master password that the user must know to gain access to the master password database. A good password manager can also generate random passwords that are very strong and difficult to crack.
CB: A process I automated—for the most part—through a password manager, so I have strong/unique passwords for different log-ins.
TM: Password management means more than just remembering two or three semi-strong passwords. Password management means understanding that the best way to protect yourself online is through the creation of complex, strong passwords—one for each site, not just the same complex, strong password for all sites. If it turns out that password wasn’t strong enough, all of your online activities are at risk.
DK: These are all good definitions. I see it as a combination of creating and maintaining good passwords and storing and accessing those passwords exactly when you need them. It’s striking how complex password management has become. We also have PINs, answers to security questions and even different user names. Multi-factor authentication and the need to regularly change passwords on some accounts add even more layers of complexity.
MR: For me, password management is a necessary evil. I’m still fooling myself into believing that I can remember all of my passwords with my superior memory powers. With a few password-creation/memory tricks I’m mostly doing OK with it. Don’t try this at home.
What password managers, strong password techniques or other account security techniques have you used or seen lawyers or firms use successfully?
MR: I absolutely believe that strong passwords are important and that different passwords for different resources are essential. One trick I use to help me create and remember strong passwords is to come up with a phrase related to the product or service I’m creating the password for and use that as my password. Throwing in the occasional capital letter or special character helps make them even stronger. I also take advantage of two-factor authentication when it’s available.
CB: I like to write down passwords on a Post-it and stick it in a bag with my driver’s license, social security card, birth certificate and credit cards. That is safe, right? Or, I use 1Password to generate and store passwords.
JP: Do post-it notes under the keyboard count? That’s probably the most common tool I see! But seriously, LastPass, 1Password, and KeePass are the tools I tend to hear the most about. LastPass was recently acquired by LogMeIn, which is a good or bad sign depending on who you ask.
TM: I think a combination of three tools is important. First, have a password manager to generate strong, complex unique passwords and securely store them so you don’t have to remember them. There are some sites where you need to remember the password, however; for those sites, I like using a pass phrase, or an acronym made up of the first letters from a sentence or song lyric. For example, one of my pass phrases is a line from one of my favorite songs. Finally, you want an extra layer of security for certain sites—email, cloud storage, other web tools where sensitive or important information is stored—and set up two-factor authentication so the bad guys can’t get into your account even if they do get your password.
ASH: I gave up trying to remember all of my passwords long ago and started using LastPass, which keeps all of my user names and passwords in an encrypted ‘vault’ which requires me to remember only the master password for my vault, rather than the hundreds of passwords I need for the accounts and programs I use regularly. It syncs across all of my devices so I always have access to my passwords and once I’m logged in, it can autofill fields if I need it to. The program will create unique, strong passwords at varying lengths and including letters, numbers and symbols based on the requirements of the site or account I’m using. I like the fact that it will also remind me periodically to change passwords on my accounts, and will prompt me to save new sites when I create new accounts. LastPass also works with multi-factor authentication for additional safety.
SL: I use 1Password as my integrated password manager, which allows me to enter one master password for every password-protected program, across all of my devices. Web browsers have password managers which you may be using without much thought, though they are not as comprehensive and secure as an integrated program. Many programs we use have an option regarding two-factor authentication, which should always be activated. If you do not choose to use a password manager, you should use unique passwords on all password-protected sites with a combination of letters (upper and lower case), numbers, and symbols, excluding any common language terms, with at least eight characters but preferably 10 (10 characters = 3,255,243,551,009,881,201 (3 quintillion) combinations). You also need to ensure you remember your password; it’s surprising how we still have to say do not write them on a sticky note in your desk.
SE: I do several things. First, I use enterprise versions of password managers. This allows for a standardized approach to password management, even if the passwords being stored are for personal accounts. Second, I try to use strong and complex passwords. This means the password must contain characters from three of the following four categories: English uppercase characters (A through Z); English lowercase characters (a through z); base 10 digits (zero through nine); non-alphabetic characters (for example, !, $, %, #). Third, as most of us know, the longer the password the better, so I use passwords of 12 or even 16 characters. Next, I try to create master passwords that incorporate passphrases that are easy for me to remember. A passphrase can include all of the password requirements listed above, but make up actual phrases. For example, the passphrase “No good deed goes unpunished!” yields a password of Ngdgu! Another security tool I use as much as possible is multi-factor authentication. This requires the use of a second factor in addition to the password to gain access to a system. The second factor could be a phone call, a text message, or a random code that’s generated by a smartphone app.
DK: I’m in the 1Password camp. The ability to store passwords in one place across several devices so I can get the password I need when I need it is truly valuable. People should count the number of accounts and passwords that they have. They might be shocked. I’m also surprised that many firms leave their personnel to manage passwords on a do-it-yourself basis.
AST: I’m only just now starting to see law firms using password management software and two-factor authentication for important accounts, despite the fact that these systems are inexpensive and easy to use. In 2015, there really is no excuse for not taking a few simple steps to keep firm and client data secure.
BL: We see some firms using RoboForm, LastPass and other similar products with success. However, there appears to still be some ignorance and skepticism about them. Many lawyers aren’t aware of them at all, or if they are, they don’t really understand how helpful and secure they are.
Where in your practice, or in the legal profession, are password managers and other password management tools and techniques being underutilized?
TM: Uh, almost everywhere? Lawyers are like most people; managing passwords is an annoying chore that doesn’t always have a high priority. Despite the fact that most password managers are pretty easy to use, many lawyers still find them confusing and therefore unusable.
CB: I know too many people who still have a single password that they use for just about everything. They go with things that are easy to remember. It is no surprise that every time there is a data breach, the most commonly exposed passwords are silly, like “Password” or their dog’s name.
ASH: I agree. Far too many lawyers and firms are still using weak passwords and using the same passwords across multiple devices, and often not using passwords at all to secure their mobile devices. They opt for speed and convenience over security, and firms are lax about requiring more stringent security.
SL: I believe there are very few attorneys utilizing integrated password managers, and even for those who do, they do not use them consistently across all of their devices. Firms should implement password management policies and use tools to require compliance. Additionally, I rarely see the inclusion of passwords on confidential documents as an added layer of security, especially when being transmitted electronically.
AST: I think the entire legal profession, in general, is dramatically behind in using simple best practices (strong and unique passwords, password management software, VPNs, encryption, and two-factor authentication) for keeping firm and client data secure.
BL: We are such a mobile society that I think using these products on your mobile devices is a huge benefit and largely underutilized. I can use Touch ID on my iPhone to log in to RoboForm and then from there leverage all of the secure logins without having to remember them. Very helpful! On my PC, I can also use the product to keep logins to specific applications.
MR: I think password managers are underutilized generally… and admittedly, I’m kind of the poster child. I’ve also run into more than one person who’s admitted having two or three passwords that they use for everything; rotating them between sites if they’re forced to change one. Every now and then, I’ll still walk into someone’s office and see Post-Its (TM) on the side of a monitor with scribbles that sure look like passwords.
SE: Quite honestly, I generally don’t think there is enough emphasis on the use of password managers to store and generate unique passwords. Many lawyers still use passwords that get written down on sticky notes and placed under keyboards or on monitors, thinking perhaps that because the office is locked and access is limited they are protected. But they forget about all those who nevertheless can get access to the password, like the cleaning crew. In many cases the same password is used for the firm’s system login as well as for all personal accounts. The breach of one password means the breach of all.
JP: Probably in any small law firm or organization without dedicated IT staffing. Bigger firms and organizations tend to enforce strong password policies through mandatory password updates or minimum password standards, but the solos and smalls are on their own where it’s easier for bad habits to creep in. A good password manager can act like your own personal info security professional.
DK: I know that I’m not using 1Password to its fullest capacities, so it worries me about how lawyers in general use these tools. Just this year, I saw another instance of the dreaded “post-it note with a password of ‘password’ stuck on a laptop” problem. We still have a long way to go.
What practical features and benefits of password managers should lawyers look for?
TM: The first and most important is security; storing all of your passwords in one place carries some risk, and you want a password manager to encrypt the data so that it’s unreadable should anyone steal it. Next, find a password manager that has extra functionality—form fillers and secure note storage are two great additional tools that add extra value. Another nice feature of some password managers is a “Security Check” that tests the strength of your current passwords, gives you a security score and offers suggestions on how to improve them.
ASH:
- Strong password generation so you don’t need to come up with your own unique passwords
- Mobile apps that allow you access to your password manager on all of your devices
- Multi-factor authentication for additional security
- A browser extension for ease of use
- Password audits to test the strength of your existing passwords
- Automatic password capture for new apps or sites
- Ability to export your data should you wish to change password managers
DK: First of all, how did Allison speak in bullet points? I would consider usability first and foremost. The best tool is not helpful if you can’t or won’t use it. You will want to experiment with a few of the password managers to see which one is easiest for you to use consistently and fits the way you work. The second feature I would focus on is how easy it is to use the tool across multiple devices. It’s been great to be checking into a hotel and grab my rewards account number off my phone.
CB: Naturally, you want to review security protocols and see if there is a history of data breaches from the app. Also look at the user interface, ease of use and how it integrates into your workflow in general. I primarily use mobile devices (iPhone, iPad and Apple Watch) and 1Password has a solid presence on each, including Split View in iOS 9.
SL: You want a program that can automatically capture your credentials when you sign up for a new account or log on for the first time after installation; one that has automatic replay and a menu of password-protected sites for easy access. It should be able to sync across all of your platforms and be able to provide two-factor authentication. Some bonus features to look for include a digital legacy (the ability to transfer all password-protected accounts in the event of your death or incapacity), options to securely share passwords, the ability to complete web forms with detailed personal information, and provision of a secure browser.
SE: I want the following out of my password manager: ease of use, cloud syncing over the multiple devices I use (laptop, smartphone, tablet), support for multiple browsers (Internet Explorer, Firefox, Chrome, Safari), support for some form of multi-factor authentication, development by a well-known company, and a high rating. Examples include LastPass, DashLane, Stickypassword and 1Password.
JP: I’d suggest picking a manager that allows you to run an audit or security scan of your existing passwords. That’ll help you weed out the weak passwords you might have had, and if you run it periodically, it’ll help you stay ahead of evolving security risks.
AST: The best password managers (LastPass, 1Password, Dashlane, etc.) all include some version of local password database encryption, easy-to-use interfaces, good mobile apps, and simple browser plug-ins.
BL: The password generator can be a huge benefit as it will allow very difficult passwords to automatically be generated for you and then saved for future use so that you don’t have to remember them. This prevents the overuse of the same passwords by users and easily guessed passwords. Many of these products also have the ability to store secure credit card information to make purchasing online much easier. I use that feature a lot with RoboForm.
What are your best recommendations or tips for lawyers on password management and password managers?
BL: Pay for a good one that has encryption, two-factor authentication and a portable version for your mobile devices. Don’t skimp and go with one of the freebies that doesn’t include these very important features. It will cost you a lot more in the long run.
SE: To me the three most important tips are: use a complex and strong master password, make sure to create a different password for every account you have, and enable multi-factor authentication where available.
CB: We know you are the top “LawDawg” or “JurisAwesome”—but if you are going to use these as passwords, sprinkle numbers and unique characters throughout it.
SL: Choose a password management program, install it on all of your devices and use it consistently. Create a law firm policy and ensure that employees comply. Password-protect confidential documents, especially when transmitting them electronically, and share passwords via a password-sharing program. If you use your own password, keep it complicated and over 10 characters.
JP: Find a tool and stick to it. Use different passwords for every service or website. Use pass phrases instead of passwords—they’re easier to remember and far more secure.
TM: Just start using one—get in the habit. Start with just a couple of passwords. Once you begin to instantly log in to websites without having to remember a strong password, the convenience will make it worth your while.
DK: There’s an unusual term out there called “password hygiene.” It’s useful to keep that in mind because password management does have notions of ongoing processes for safety and health. Using the same password on all of your important accounts is simply not good password hygiene. If there’s one thing that you should stop doing immediately, it’s that. I also encourage people to watch the new developments in security: biometrics, use of photos and pictures, swiping and other pattern recognition. We are definitely not at the end of the password era, but we are starting to see some interesting alternatives.
AST: All lawyers (really, all of them) should be using password management software to manage strong and unique passwords for every site they visit.