Why Password Security Matters

I can’t believe I have to explain this, but the other day I was talking to a lawyer who said her password is password and she doesn’t see why that is a big deal. It made me feel like we were talking a different language. I guess we were, in a way. What’s obvious to me is impenetrable geek speak to many.

Computer security is important for the same reason locking your car doors in a bad neighborhood at night is important. And it is extra important for lawyers, who are charged with keeping client information confidential.

A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.¹

Using 12345 or password as your password isn’t even an effort, much less a reasonable one. It’s like leaving your office key in the lock so you don’t have to remember it.

But since basic computer security obviously isn’t common sense for everyone, let’s go over some of the reasons why you really need to make an effort.

First, is Anyone Really Going to Try to Get Into Your Computer?

In a word, yes.

Not your computer specifically, of course. Online and offline, most computer intrusion is opportunistic. Online, malicious hackers are using scripts to scan every computer they can find connected to the Internet (if your computer is connected to the Internet, they can find it) for known vulnerabilities so they can take control. Similar exploits can be hidden in websites and email attachments. One lawyer lost $289,000 when he opened an attachment that allowed malicious hackers to take over his computer.

There are many other possible attack vectors, and they are just so easy to replicate. Anyone with an Internet connection and a little motivation can start breaking into computers. If you use the Internet, you are vulnerable.

Offline, just about everyone knows the data on your computer is probably worth more than the hardware. Why would someone just sell your laptop when they could use the information on it to clean out your bank accounts first? They will probably clean out your clients’ accounts while they are in there, and you will be lucky if that’s all they do with the data on your drive and in the cloud services your computer is pre-authorized to access.

Again, yes. People are actually, actively trying to get access to your computer. The fact that they aren’t targeting your computer specifically is all but irrelevant. It just means you’ve been lucky so far. It probably won’t hold out.

Your password isn’t the only thing that can stop them (their own incompetence is often pretty effective). In fact, it isn’t even enough on its own. But good passwords are the lynchpin when it comes to computer security.

Second, What’s the Harm if Someone Does Get Into Your Computer?

The obvious harm is identity theft. Here is what the FTC has to say about that:

The most recent figures from the Bureau of Justice statistics indicate that 11.7 million people, representing 5 percent of all people in the U.S. age 16 and older, were victims of identity theft between 2006 and 2008. Identity theft can be perpetrated using such low-tech methods as purse snatching or “dumpster diving,” or high-tech techniques like deceptive “phishing” e-mails or malicious software known as “spyware.”

Those figures are from 2006–08, by the way. It seems pretty unlikely that identity theft has gotten less common in the last six years. Also, note that identity theft does not have to involve malicious hacking. That’s because all it takes to steal someone’s identity is a few personal identifiers. A lawyer’s lost laptop is a treasure trove for an identity thief.

How much is in your bank account right now? How much is in all of your clients’ bank accounts right now? How many photos do you have stored on your computer or in your online accounts? How many of your communications with friends and family are in your email account? How much confidential information about those clients do you have on your computer right now that could help someone gain access to their online accounts — including their bank accounts?

Here’s the bottom line: do you want to be held financially and ethically responsible if someone gets into your computer and steals information about you and your clients? How likely are you to prevail in a lawsuit or ethics action against you if your password is asdfghjkl?²

No? Put in a little effort and use good passwords.

Use Good Passwords

Use long, unique, passwords that are not found in a dictionary. 12 characters should be long enough. Avoid using the same password across multiple critical services (your email and your bank account, for example). Someone who can access one website (or your computer) can access all the sites on which you used the same password. Finally, don’t use real words. A “dictionary attack” is just what it sounds like, plus a list of common variants (like @ instead of a) and well-known passwords (like 12345, password, and asdfghjkl). It’s simple but effective.

Keep your passwords in a safe place, like a paper notebook or a password safe. That will also make it easier to keep unique passwords, since it can be hard to remember all of them.

Use Two-Factor Authentication

Two-factor (sometimes called “two-step” or “multi-factor”) authentication is an easy way to drastically increase the security of your online accounts. Two-factor authentication means using something you know (your password) and something you have (usually your phone) to log into your account. When you log in, you will have to type in your password plus a code that is generated by an app or sent to you by text or email.

Because your account requires two “factors” to log in, a malicious hacker needs more than just your password. So even if your password is stolen somehow, your account should be safe.

Two-factor authentication is becoming available on an increasing number of services. At a minimum you should turn on two-factor authentication on your most critical accounts, like your email and your cloud file storage. To turn it on, just look for your security settings and follow the directions.

Encrypt Your Files

Finally, passwords are only part of the security puzzle. Take the time to encrypt your files.

I know it sounds hard and complicated, but it isn’t. It takes just a few clicks. The effort required to encrypt your files barely registers. Call it 4 calories. Maybe.

• In Windows, go to the Control Panel, click on BitLocker (or BitLocker Drive Encryption. Click Turn on BitLocker. If you don’t see BitLocker, skip down to the next heading. Windows will walk you through the remaining steps. If you want the full nitty-gritty manual, Microsoft TechNet has a tutorial that makes it look way more complicated than it is.(fn)
• In OS X, go to System Preferences, click on Security, then FileVault. Click the padlock icon to unlock the settings, then click Turn On FileVault. You can allow your iCloud account to unlock your disk if you wish, although it is more secure to use a recovery key and store in a safe place.

Once you have encrypted your files, you can go on using your computer exactly as you do right now, except that you will have to log onto your computer with a password (although you should be doing that right now, anyway). I mean that: exactly as you use it right now. You do not have to change anything.

An Ounce of Prevention …

When the cost of avoiding harm is effectively zero and the magnitude and probability of harm are considerably more than zero, it’s unreasonable not to take measures to avoid that harm. Use good passwords, turn on two-factor authentication, and encrypt your files.

Good passwords and file encryption are basic computer security. If you aren’t doing both, you need to get caught up.

Featured image: “A set of Keys insecurely left in an old cobweb covered door” from Shutterstock.

1. Rule 1.1 of the Model Rules of Professional Conduct. ↩

2. Those are the home row letters on your keyboard, if it wasn’t obvious. ↩