How to break your bad habits with passwords
Clients’ focus on security is forcing law firms to up the ante, but simple human errors with processes such as managing passwords are letting the team down, writes Brent Snow.
Have you noticed over the past couple of years that clients are demanding higher levels of security in your own firm’s systems before they are willing to sign a contract for legal work with you? And have you noticed the growing number of news articles revealing how companies have been hacked (from inside and out) and had intellectual property stolen? Then it will not surprise you to know that at Gartner’s IT Symposium in October, security was listed in the top-10 priorities for companies in 2015. Perhaps you are seeing these things and are thinking that it does not really concern you. After all, surely this is something for your technology team to handle on its own.
Getting the basics right
The rise in our clients’ demands has really changed the focus on security in law firms. While the technology group will always have a role to play in establishing good security protocols, clients are demanding more than just that. They have been going so far as to require that everyone in the firm has been through some form of basic security training. That goes way beyond IT and puts responsibility on all of us.
You may be surprised to know that most security intrusions occur because of poor internal habits involving all of us. Most breaches occur from within organisations or when hackers get a password off social networking sites, which then allows them to get into the organisation’s systems. In fact, one of the top reasons for internal and external security breaches is sloppy password use. This is an issue that cannot be solved by the IT team. It is something that all of us have to address in our use of technology. Here are some problems that are common in the sloppy password arena:
1. Using simple passwords that do not contain a mixture of numbers, symbols and upper and lower-case letters (e.g. using ‘password’ as a default way to enter files and systems)
2. Writing down your password and putting it under your keyboard or somewhere else on your desk where anyone can get to it
3. Sharing your password with someone
4. Using your work password for external internet sites such as Facebook or LinkedIn
5. Using your own name or family name in your password
6. Using commonly known number configurations such as 12345678, your birthday, anniversary, home address, PIN number from credit cards etc.
Consider a ‘passphrase’
After having read the above list, you are probably thinking ‘how am I ever going to find a unique password that I can remember?’ Here are some tips. Our memory works on picture or object association. Take an image or memory that you already have and create a password out of that image. Use something meaningful to you so that it is easy to remember – perhaps an important event such as a birth, baptism, wedding or vacation.
A common problem with passwords is that people intentionally make them easy to guess so they can remember them. The better approach is to use a ‘passphrase’. An example would be ‘I went 2 B@li in 2013!’ or ‘15 Nov 14 I Sky Dive*’. I know they seem long, but that format is actually easier to remember. You might be surprised to see that I have added spaces in the password. In the old days, systems could not handle many characters, so spaces were discouraged, but you can use spaces effectively these days.
The other key to understand is that a longer password is more effective against cracking than a short password. A 2011 study by Carnegie Mellon University indicated that 16-character passwords were the hardest to crack. It showed that after 10 billion guesses, about 12 per cent had been cracked, whereas 22 per cent of complex eight-character passwords were cracked and almost 60 per cent of simple eight-character passwords were cracked.
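As an added illustration (not code from the article or its author), the following Python script turns the checkable items of the list above (items 1, 5 and 6) and the length argument into a small self-check; the list of common sequences and the ‘personal terms’ input are constructed assumptions, and the bit count is a naive brute-force bound rather than the CMU study’s guessing model.

```python
import math

# Constructed list of well-known words and number runs (item 6 of the list);
# a real deployment would check against a breached-password list instead.
COMMON_SEQUENCES = ("password", "12345678", "1234", "0000", "1111", "qwerty")

# The four character classes item 1 asks for, with printable-ASCII sizes.
CLASS_SIZES = {
    str.islower: 26,
    str.isupper: 26,
    str.isdigit: 10,
    lambda c: not c.isalnum(): 33,  # symbols, including the space the article endorses
}


def classes_used(pw: str) -> int:
    """Count how many of the four character classes appear in the password."""
    return sum(any(test(c) for c in pw) for test in CLASS_SIZES)


def naive_entropy_bits(pw: str) -> float:
    """Brute-force search space in bits for the character classes present.

    This is an upper bound on attacker effort: real cracking tools try
    dictionaries and patterns first, which is why the CMU percentages above
    are worse than pure length would suggest.
    """
    alphabet = sum(n for test, n in CLASS_SIZES.items() if any(test(c) for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def weaknesses(pw: str, personal=()) -> list:
    """Return the checkable sloppy-password habits this password exhibits.

    `personal` is a hypothetical input: names, birthdays or address fragments
    the user might reuse (items 5 and 6). Items 2 to 4 are behaviour, not
    string properties, so they cannot be tested here.
    """
    low = pw.lower()
    found = []
    if classes_used(pw) < 3:
        found.append("no mix of numbers, symbols, upper and lower case")
    if len(pw) < 12:
        found.append("short: a 16+ character passphrase resists cracking far better")
    if any(seq in low for seq in COMMON_SEQUENCES):
        found.append("contains a commonly known word or number sequence")
    if any(term.lower() in low for term in personal if len(term) >= 4):
        found.append("contains a name, birthday or address fragment")
    return found


if __name__ == "__main__":
    for candidate in ("password", "Alice2015", "I went 2 B@li in 2013!"):
        bits = naive_entropy_bits(candidate)
        print(f"{candidate!r}: {bits:.1f} bits, {weaknesses(candidate, ('Alice',))}")
```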
Play it safe
While the password itself is an important part of security, there is more to the equation. It is also about how we keep it safe and about where we use it. There are a number of tips included in every basic security training seminar that may be helpful to you. First, keep work and personal life separate when it comes to passwords. Do not compromise your job or workplace by spreading your work password around on public internet sites.
Second, do not write your password down and leave it where anyone can get to it. Under the keyboard is the first place someone will look; the top drawer of your desk is next. It is like those movies you see in which the bad guys jump into some random car and the keys are located between the sun visor and the ceiling of the car, or right under the seat. They just haplessly fall into the new owner’s hands. If you really have trouble with passwords, there is ‘password keeper’ software available for you to use. But the same principle applies for that password. Speak to your IT department for assistance with this.
Third, do not ever share your password, even with your spouse or children. A common error is letting your children use your phone for internet access; the same phone on which you receive your work email. Furthermore, do not share a password with your colleagues to allow them to get quick access to something they need just because someone cannot be bothered waiting for IT to grant access.
Fourth, never leave your laptop or workstation without locking it first. This seems to be obvious, but just walk around your workplace and you will see how often it happens. Fifth, put passwords on your documents that contain confidential information about your firm or your client. Protecting your clients’ data needs to be a top priority for you. Finally, talk to your IT department about using Two Factor Authentication. This is where you have a random security number generated on a dongle or software program that you have to enter along with your password. The system will not let you in without both. It really enhances your password protection significantly. It is similar to how your bank will text you a code that you have to put in before completing certain transactions.
These simple measures, if made part of your normal working day, can have a dramatic impact on the level of security in your firm. Remember that security is something that begins with you, not IT. It is something that should be part of our everyday life. Getting into good security habits will not only help protect your firm, but it will help protect you and your personal information as well.
Brent Snow is director, global support and Asia-Pacific regional IT for Baker & McKenzie.
www.bakermckenzie.com