
Start Page: Protecting those pesky passwords is necessary evil

Kim Brand
January 4, 2012

You are bad at managing passwords. You may be a good attorney – but you share your passwords with other people, you use the same password on multiple systems, your password is too short or too simple or written on a Post-it note under your keyboard. The truth is: you don’t like passwords or complicated password policies and you don’t think a secure password is worth the trouble.

That was, until the consequences of a data breach made it worth the trouble. That day has come. In fact, that day came long ago. You’ve just been lucky.

Some data breaches are not the result of compromised passwords. Faulty software can expose private data. Your PC can get infected with a virus that delivers your files into the clutches of a server operated by organized crime. Your laptop can get stolen or an employee may lose your backup on the “thumb drive” he keeps with his keys. All these troubles may lead to data leaks – but cracked passwords are too common and indefensible; you can actually “fix” this source of leaks if you set your mind to it.

By changing your password often you can prevent someone who had access to your account today from having it tomorrow. Passwords that last forever may outlast relationships. Pick a cycle: change of seasons, start and end of school, national holidays or some other easily memorable way to mark the passage of time and use that event as a reminder to change your password.

Complex passwords don’t have to be complicated. With a few simple tricks you can make up passwords that are nearly impossible to guess but easy to remember.

• Use a mix of capital and lower case letters

• Use at least eight characters

• Use numbers and punctuation marks

• Use symbols: %, $, @, etc.

Tech Tip: you can substitute symbols that have a similar appearance:

@ = a

$ = s

0 (zero) for o (oh)

! or 1 for i

3 for e (note that it is just backwards, like z for s)

• Don’t use a word you could find in a dictionary

• Don’t use your name or anyone else’s

• Don’t use a sequence of numbers or letters: 1234 … or abcd … or a phone number

There are 70 times more combinations of nine characters than eight – so pick a longer password if possible.

Analysis of a data breach at a web services provider with millions of users uncovered that the most popular password used was “123456” – the second most popular: password. Don’t be a statistic!

One simple scheme to create a complex password is to join common words separated by special characters. The first part might be “Winter,” “Summer,” “Football,” or “Baseball.” The “season” will be obvious based on the time of year. Then separate them with a special character. For added security, substitute symbols for letters. Here is an example:

W!nter$2o12 – This substitutes ! for i and the letter o for the zero in 2012.
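The rules above (length, mixed case, digits, symbols, no dictionary words, no names, no sequences) and the look-alike substitution tip can be turned into a checker that a firm could run against a proposed password before accepting it. The following is an added example, not code from the column or from the author's company; the short word lists and the 70-character alphabet used for the "nine versus eight characters" estimate are constructed assumptions, and a real deployment would load a full dictionary and a published list of breached passwords instead. The checker also maps the column's substitutions back (@ to a, $ to s, 0 to o, ! or 1 to i, 3 to e) so that "P@$$w0rd" is still recognized as the dictionary word it is, which the bullet list alone does not make obvious.

```python
import string

# Constructed stand-ins for a dictionary and a most-common-passwords list.
# A real check would load a full word list and a published breached-password list.
COMMON_WORDS = {"password", "winter", "summer", "football", "baseball",
                "letmein", "welcome"}
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}

# Reverse of the look-alike substitutions the column suggests, so that a
# "disguised" dictionary word is still caught.
LEET_REVERSE = str.maketrans({"@": "a", "$": "s", "0": "o",
                              "!": "i", "1": "i", "3": "e"})


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive ascending letters or digits (abcd, 1234)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not (chunk.isdigit() or chunk.isalpha()):
            continue  # mixed classes like "2o12" are not a sequence
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def dictionary_word(pw):
    """True if the password, with look-alike symbols mapped back, is just a listed word."""
    undisguised = pw.translate(LEET_REVERSE).lower()
    letters_only = "".join(c for c in undisguised if c.isalpha())
    return undisguised in COMMON_WORDS or letters_only in COMMON_WORDS


def check_password(pw, names=()):
    """Return a list of rule violations; an empty list means the password passes.

    `names` is an optional list of names (yours, family, firm) that must not appear.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation or symbol")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the most-common-passwords list")
    if dictionary_word(pw):
        problems.append("a dictionary word (even with symbol substitutions)")
    for name in names:
        if name.lower() in pw.lower():
            problems.append(f"contains the name {name!r}")
    if has_sequence(pw):
        problems.append("contains a sequence like 1234 or abcd")
    return problems


def keyspace_ratio(length_a, length_b, alphabet=70):
    """How many times more combinations a length_b password has than a length_a one.

    The alphabet size of 70 is an assumption (upper, lower, digits and the
    symbols on a US keyboard come to roughly that), chosen to match the
    column's "70 times more" figure for nine versus eight characters.
    """
    return alphabet ** (length_b - length_a)


if __name__ == "__main__":
    for candidate in ["123456", "P@$$w0rd", "W!nter$2o12"]:
        verdict = check_password(candidate, names=["Kim"]) or ["passes all rules"]
        print(f"{candidate:14} -> {', '.join(verdict)}")
    print("9 vs 8 characters:", keyspace_ratio(8, 9), "times more combinations")
```

Running it shows "123456" failing on five rules at once, "P@$$w0rd" failing only because the substitutions hide a dictionary word, and the column's own "W!nter$2o12" passing; the keyspace line reproduces the factor of 70 quoted below.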

If you use the same password everywhere then someone who guesses it will have access to everything. One trick is to add a prefix to identify which device or service the password is for. This way you don’t need to remember lots of passwords, but each one will still be unique.

• For your email: EMail#W!nter$2o12

• For your bank: Bank#W!nter$2o12

• For your computer: PC#W!nter$2o12

• For your Facebook account: FB#W!nter$2o12

Other password strategies include using the first initial of words in a short phrase or breaking up a phrase into parts. Here are five passwords based on a common phrase:

• N!tTime4 – Now is the time for

• Allg00d$ – All good

• M3n2C0m! – Men to come

• 2the@id0F – To the Aid of

• The1rC0untry – Their Country

Safeguard your passwords. We’ve seen passwords written on whiteboards and collected in spreadsheets shared by everyone in a firm. The problem with shared passwords goes beyond information that may be shared with the wrong people. If someone has your password they can pretend to be you. One of our customer’s email accounts was hacked simply for the purpose of sending tens of thousands of messages that appeared to come from him.

Use a strong password for every system. Even a compromised Facebook account can lead to embarrassing consequences. If you employ people who use passwords make sure they comply with these rules too; and that goes double for IT consultants and other contractors that touch your systems.

Bill Gates famously decreed in 2004 that passwords were dead. There have been inroads made by so-called “two factor” solutions – those that combine something you “know” like a password and something you “have” like a digital “token” (the Yubi Key is my favorite) or something you “are” like a fingerprint – but logins and passwords remain ubiquitous and probably will for a long time.

Make a New Year’s resolution to create a simple password policy that protects your reputation and confidential materials – before you regret it!

__________

Kim Brand is a technology expert and president of Computer Experts Inc., a 27-year-old IT services company in Indianapolis. He has presented to local and state bar audiences and written for West Publishing and the ILTA. Kim contributed to the “On-Premises” section of the recently released ILTSO.org legal technical standards, and he is the inventor of the FileSafe Server used by many law firms. He may be reached at Kim@ComputerExpertsIndy.com or by phone at 317-833-3000. The opinions expressed are the author’s.
