Protect Your Firm with a Better Password Policy

By Joshua Poje

Heartbleed. Compromised online retailers. Hacked social media accounts. Every day seems to bring a new headline about a security breach that could put your—or your clients’—data at risk.

Protecting your firm or organization in the digital era requires a comprehensive security strategy addressing everything from the physical security of your equipment to the terms of service for companies that host or access your data.  But in all aspects of the firm’s technology, no security procedure is more crucial than having strong passwords.

Passwords are the first, and sometimes last, line of defense when it comes to protecting your valuable business and client data.  Here are 10 simple guidelines to making sure your passwords – and your firm – are as secure as possible:

Use Long Passwords
Avoid passwords that are shorter than 8 characters. In fact, most experts recommend passwords that are 15 characters or longer. Why? Longer passwords are generally less vulnerable to brute force attacks, where hackers randomly generate possible passwords in hopes of stumbling on the right combination of letters and characters.

Make Passwords Complex
Try to include a variety of character types, including upper and lower case letters, numbers, and special characters (like &, % or @).  Again, this adds to the complexity and makes the password significantly more difficult to guess.  A growing number of sites make complexity a requirement when setting a new password.

Avoid Common Words
Do not use a single dictionary word or common phrase as your password. One of the most basic attacks involves cycling through dictionary words or through well-circulated lists of common passwords.  Even character substitutions (e.g. replacing “a” with “@” or “s” with “5”) may not be enough to protect you: more sophisticated attacks will try these variations as well.

Consider Pass Phrases
Pass phrases, which combine multiple common but unrelated words into a lengthier password, can be extremely secure. For example, you might take the last four street names you’ve lived on and add some punctuation: “Oak 12th Franklin Main!” That pass phrase is over 15 characters, includes upper and lower case characters, numbers and special characters (both the spaces and the exclamation point), but it’s considerably easier to remember than a gibberish password like fe@3d?!ERc1#.

Mix Up Your Passwords

Use different passwords for different services/devices. One common hacker strategy involves targeting minimally secured sites to obtain a list of email addresses and passwords. They then take those stolen credentials to more secure websites, like web mail or banking sites, and use them to access more valuable data. Using different passwords insulates you from that type of exploit: even if a hacker gets access to one of your logins, they don’t automatically gain access to all of your accounts.

Change Passwords Regularly
Some security breaches earn major headlines and TV news coverage, but most aren’t so well publicized.  And unfortunately, many scammers hold onto stolen passwords for a time before trying to use them to help avoid detection.  That means a breach that happened months or even years ago can still lead to you being compromised today. Protect yourself against a “quiet” security breach by periodically changing your passwords.

Security Questions Are Vital
The security questions you answer when setting up a new account (e.g. What’s your mother’s maiden name?) are helpful when you need to recover a forgotten password, but they’re also one of the easiest ways scammers can break into your account.  Often the information used to answer security questions is public record or easily obtainable through social media sites like Facebook. All a scammer has to do is click the “forgot your password?” link, answer your security questions using the information they’ve looked up, and reset your password.  Avoid this by choosing security questions that are less ordinary, or consider answering the security questions with memorable—but false—information.

Is That the Right Web Site?
Be careful where you log in. Another popular trick by fraudsters is to set up fake login pages for popular sites like Facebook, Twitter, and the various web mail services. The pages look real, but when you enter your information and click “login,” you’re actually compromising your account. To protect yourself, make a habit of looking at the URL whenever you login—does it really say… or does it start with something else? Does your browser show a secure connection, usually indicated by a closed lock icon? If you complete the login process and find you aren’t actually logged in, it’s a good idea to go to the real site and change your password ASAP.

Use Password Managers, Not Sticky Notes
Never write down your password in an unsecure location. The classic mistake is the sticky note on the monitor with the user’s passwords written on it, or nearly as bad, an unencrypted text document on the computer’s desktop filled with the passwords for all of their accounts. If you need help keeping track of your passwords, use a password management tool designed for that purpose like LastPass or KeePass.  With those tools, you can maintain a portfolio of unique passwords for all of your various sites and you only need to remember the single password for the password manager itself.

Use Two Factor Authentication When Available
Two factor authentication is an added level of security designed to ensure that it’s really you trying to log into a service.  One of the more common arrangements involves a special code that’s sent to your mobile phone when you attempt to log into a website.  As a user, you log into a website as usual, and once your username and password is verified, the code is sent to the smartphone.  You then type the result from your smartphone into the website and you’re provided access.  The extra step can be frustrating, but far less frustrating than being hacked.


About the Author

Joshua Poje is the director of the ABA Legal Technology Resource Center.

Send this to a friend