Recently, several highly publicized security breaches resulted in the theft of password databases containing from tens of thousands to millions of passwords. Some of these password collections have been publicly disclosed and they provide a wealth of insight into the typical passwords chosen by consumers. It’s not a pretty picture.
Based upon the analysis of these real-world passwords, there is general agreement in the IT security community that 98% of all passwords are woefully inadequate and can be cracked in short order with simple software and a $500 computer. The password collections also reveal that, despite extensive reporting of the dangers, many people use the most obvious passwords (e.g., “password,” “12345”), which provide almost no protection. Also well documented is a thriving black market for lists of passwords (known as “rainbow lists”) used by “brute force” hacking systems to speed up the cracking process by trying known, commonly used passwords first. Here’s the bottom line: if you do not take reasonable care in selecting the passwords used to secure access to your confidential client information, then it’s like leaving your office door unlocked at night; in both cases you are providing open access to your client files.
So what is necessary to fulfill the duty of reasonable care in choosing passwords? The ABA and numerous Bar Advisory Committees have opined that a lawyer should use “strong” passwords. For starters, this means a password of at least 8 characters; longer passwords will generally be better. It should be obvious that easily guessed derivations of your name, alma mater, phone number, ZIP code, street address, birth date, etc. should be avoided. The more variation in letters, capitalization, numbers, and punctuation marks/symbols, the more secure your password is likely to be. It is also important to use different passwords (i.e., don’t use the same password for all of your accounts), and definitely use unique passwords for “high security” sites and accounts. Consider using an encrypted password keeper app to manage all these passwords.
While randomly generated characters are generally the best choice for passwords, they are typically difficult to memorize. Common dictionary words, with or without numbers, are easy to remember but also easy to crack. One way to find a compromise password (and it is indeed a compromise) that is hard to crack but easy to remember is to use a password generator that produces combinations of unrelated (non-sequitur) words, with variations in capitalization, symbols and numbers. See, e.g., Simple Password Generator. If the password generator provides a password you find reasonably memorable, you can test its strength using Microsoft’s secure password checker, which will indicate the strength of the proposed password but will not retain a record of it. If it is not strong enough, add symbols or punctuation marks until the checker indicates that it is “strong.”
While reasonably strong but memorable passwords can be constructed from dictionary words, they will not be as secure as a password made up of randomly generated numbers, characters and symbols. If you would like to go this route, there are many random password generators available. For now, I am satisfied with the adequacy of my nine-digit, machine-generated, verified-strong, memorable word-combination passwords. However, hacking innovations could quickly change my view and bear watching.
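To make the trade-off in the last two paragraphs concrete, here is an added example (not code from this post or from the Simple Password Generator mentioned above) that builds both kinds of password with a cryptographically secure random source and estimates how many bits of guessing work each gives an attacker who knows the scheme. The 12-entry word list and the symbol set are constructed assumptions; a real generator would draw from a list of thousands of words.

```python
import math
import secrets
import string

# Constructed sample word list (assumption): a real generator uses
# thousands of unrelated words so that guessing each word is expensive.
WORDS = ["anchor", "velvet", "marble", "tundra", "falcon", "quartz",
         "lantern", "cobalt", "meadow", "harbor", "saffron", "glacier"]
SYMBOLS = "!@#$%^&*?"  # constructed symbol set (assumption)


def word_combo_password(n_words=3, words=WORDS):
    """Memorable scheme from the post: join unrelated words, capitalise one
    of them at random, then append one digit and one symbol."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    cap = secrets.randbelow(n_words)
    chosen[cap] = chosen[cap].capitalize()
    return "".join(chosen) + str(secrets.randbelow(10)) + secrets.choice(SYMBOLS)


def random_password(length=9,
                    alphabet=string.ascii_letters + string.digits + SYMBOLS):
    """Fully random scheme: every position drawn independently from the
    whole alphabet, using the OS entropy source rather than random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_position):
    """Guessing work (bits) for a password built from independent random
    choices, given how many possibilities exist at each position."""
    return sum(math.log2(n) for n in choices_per_position)


def scheme_entropy(n_words, wordlist_size, symbol_count=len(SYMBOLS)):
    """Entropy of word_combo_password when the attacker knows the scheme:
    the words, which word is capitalised, the digit and the symbol."""
    return entropy_bits([wordlist_size] * n_words + [n_words, 10, symbol_count])


def random_entropy(length, alphabet_size):
    """Entropy of random_password: alphabet_size choices at every position."""
    return entropy_bits([alphabet_size] * length)


if __name__ == "__main__":
    alphabet_size = len(string.ascii_letters + string.digits + SYMBOLS)  # 71
    print(random_password(9), f"{random_entropy(9, alphabet_size):.1f} bits")
    print(word_combo_password(), f"{scheme_entropy(3, len(WORDS)):.1f} bits")
    # With a 7776-word list (Diceware size) the three-word scheme is stronger:
    print(f"{scheme_entropy(3, 7776):.1f} bits")
```

The word-combination password is much longer than the nine random characters, yet with a small word list it carries far less entropy, which is why the choice of word list matters more than the number of characters on screen.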
We welcome your comments or questions.