This is a transcript of a podcast on creating strong passwords to protect your law practice and client information.
Speaker Key: PB Phil Brown, DW David Whelan
PB: I’m here with David Whelan, it’s Phil Brown, and we’re going to talk a bit about password protection in the context of confidentiality and protecting client information. A lot of client information is stored these days on things like desktop computers, laptops, and smartphones. So let’s talk a little bit about password protection.
DW: Password protection is important because it’s the gateway to all of your information. If you don’t have a password on a file, people can open it up and look at it. If you don’t have a password on your computer or your email account, people can get into those devices or accounts and see, perhaps, things that you wouldn’t want them to see and, certainly, your clients probably wouldn’t want them to see.
PB: And people tend to be human and try to find, sort of, the simplest kind of password they can use.
DW: Absolutely. It’s interesting, each year goes by and there is always a new survey or a new study on the passwords or the most common passwords that are out there and, invariably, the passwords are 123456, or other things that are just crazily-obvious passwords. You really want to get away from passwords that are easy to guess.
PB: And people tend to use passwords that they’ll have a connection to; their mother’s name, their wife’s name, their pet’s name, or a pet’s name from their childhood, or something like that.
DW: Absolutely. And I think what’s interesting is that those are the sorts of questions that your bank account, your online bank account or other services that you use online are going to ask you. They’re going to ask you if you’ve lost your password, what was the name of your dog when you were six, or what street did you live on at a certain age, or what’s your spouse’s name - things like that. And if you’re using Facebook, or if you’re using other services, or if you know people who are using those services, that information may actually be out there. You may have shared it yourself, or people may be sharing it on your behalf. So it’s not a safe way to create a password even though it may feel warm and fuzzy.
PB: And there are a number of password-generating tools available for free on the internet.
DW: I really like Password Meter, passwordmeter.com, because it tells you what you’re missing. It has a number of categories and it gives you colors - green, yellow, or red - based on how good or poor your password is. And it suggests the types of characters or the types of things you should do to your password to make it stronger.
PB: And a couple of different things... I know the last time I changed my password internally I realised I had to have an alpha character and a numeric character and it had to be a certain length.
PB: And that’s getting more common. But to make passwords even stronger, it’s usually suggested that you have upper and lowercase letters as well as numerals.
DW: Right. I think that the trick to making a good password is making something that isn’t in the dictionary. And when people attack passwords or try to break them, they often start with what’s called the dictionary attack, which is, literally, they just go through all the words in the dictionary. So if you’re using a password made up of words that are in the dictionary, they have a good opportunity to find it. And if you’re using special characters or upper and lowercase, it starts to make that password less distinct, further away from what a dictionary attack can uncover.
PB: And we’re not talking about someone necessarily sitting there with a dictionary. There’s a lot of software that will do this in milliseconds.
DW: Absolutely, yes. I can’t imagine anyone sitting down with the OED and going through it.
PB: Every volume. Some of the things about passwords - and I know you and I might differ on this particular point - whether or not you write your password down in a, so-called, secure place.
DW: Right. I used to be of the mind that you shouldn’t, but I’ve come around to the idea that, really, you should write down your password. There are two good reasons for that, from my perspective. One is that I can then have a really difficult password because, if it’s written down, I don’t have to remember how many qs and how many uppercase letters or special characters are in it, and I can make it a very long password. Now, if you write down your password that doesn’t mean that you just tape it onto your computer or put it under your desk, because I think that’s where the insecurity of the password comes in. If you’ve got a difficult password and you want to keep it written down, you should really put it with other things that you value, like your credit cards, or some other environment; perhaps a safe if you really need to put it somewhere but you don’t want to carry it. But I think writing it down is not a problem. It’s the lack of security about how you take care of where it’s written down.
PB: And, similarly, in terms of changing your password, I know internally, if you’re working in an organisation, I think the standard is every 90 days or so they make you change your password to a new one. With the perspective of having a very strong password and it’s written down somewhere, would you bother changing it or no?
DW: I wouldn’t. And, in fact, I was thinking that as you said 90 days. Because I think a lot of people do this, and unless your network administrator has changed this or unless you’re forced to do it, you probably start off with password and then the number one for the first time and then, 90 days later, you change that one to a two. So you’re probably using, essentially, the same password over and over again. Because, face it, after two or three years at a company you’ve probably run out of all the good passwords that you can remember. So you might as well have a good password and not refresh it on a regular basis. I would still refresh it on at least a yearly basis, but write it down and make it a really strong one.
PB: And just in terms of writing it down, I know there’re a couple of programs out there like Password Safe and a few other programs on the internet where you can actually securely store your passwords. Good idea or no?
DW: I’ve always been leery of it. I think that your comfort level is really what you should take into account there. I don’t keep any passwords out on the web, and I’m always a little leery about saving passwords, even in my web browser. There’s an interesting tool for Firefox web browser users called Web Developer’s Toolkit, I believe it’s called. It’s an add-in and it actually... if you go to a web page and you have saved your password in the form, it will change the password from the little asterisks to what your password really is. So I think one of the things to keep in mind is that, if you’re saving your password somewhere, anywhere, you really need to be sure that’s a secure environment.
PB: And that might be another tip. If you’re sharing a computer with anyone or your computer’s accessible, don’t use the automatic form fillers.
DW: Right. When you go to a public library it warns you, but you may forget if you’re working in a firm or sharing someone’s laptop that you might have just logged in for a moment and then forgotten to get rid of the information that saved your password.
PB: And then I think this probably states the obvious, but never give out your password.
DW: Absolutely. Giving out your password is one of the worst ideas. If you have something that you want to share with a person and you need to give them access to the file in an account that you have online, take Dropbox.com for example. Say you uploaded a file to Dropbox, you’re better off giving them access to the file through sharing it through the service’s secured share folders, by putting it in a public folder if it’s not something that is confidential, but don’t give your password out to Dropbox so that they can log in and see the information in the same setting. You need to control their access and make sure that they have their own password or other access to that account.
PB: Okay. So that’s a bit about passwords, and there’ll be resources available as well you can check out after the podcast. Thanks!
DW: Thank you!