Risk Management

Password Insecurity – Lessons from a Personal Story

by Mark Bassingthwaighte

Sometimes married couples see things differently, and the only way to resolve the tension is by deciding to agree to disagree. That's how things played out in our home for a number of years on the issue of passwords. My wife viewed my focus on computer security and passwords as something approaching mild paranoia. I viewed her insistence on using one easily remembered password for everything in her life as the equivalent of tattooing the phrase "victim here" on her forehead. We agreed to disagree.

Our accord abruptly ended when we received written notice from a credit union on the opposite side of the country telling us that they were most displeased with my wife. Apparently, credit unions don't like it when someone gets a new credit card, immediately maxes it out, and then fails to make any payments. Of course, my wife wasn't the one who applied for and received that credit card. Over the next few years, as a result of the initial identity theft, a federal and an out-of-state tax return were also fraudulently filed in my wife's name. I spent three years working to get everything cleaned up, but honestly, we can never get her identity back. That's been stolen, and we'll have to deal with the ramifications of that for the rest of our lives. Today, my focus on computer security is viewed in a much different light by my wife, and I no longer worry about any unsightly tattoos on her forehead.

The entire saga started with someone managing to figure out a password, a password that, unfortunately for my wife and me, opened all kinds of doors that would have remained locked had she not used one password for everything. With this tale of woe now told, it's time to talk about how to avoid becoming a victim. Here is a list of things no one should ever do:

1. Use the same password on multiple devices, apps, and websites.
2. Write down passwords on easily found sticky notes.
3. Believe that passwords like "qwerty", "password", "1234567", or "letmein" are clever and acceptable. They aren't.
4. Allow computer browsers to remember passwords.
5. Choose passwords based upon easily remembered information such as birth dates, anniversary dates, Social Security numbers, phone numbers, names of family members, pet names, and street addresses. This kind of information just isn't as confidential as you think due to events like the Equifax breach and widespread participation in the social media space.

Knowing the common missteps, however, isn't enough. Such practices should be prohibited in a formal, firm-wide password policy that everyone at the firm must abide by – no exceptions. And the most important provision of a password policy would be to mandate the use of strong passwords: a minimum of 15 characters, including a few numbers, special characters, and upper and lower-case letters. Additional provisions worth including would be requiring that every application and device in use have its own unique password, requiring that passwords in use with mission-critical devices and applications (e.g., banking login credentials, firm VPN login) be changed every six months, forbidding the reuse of old passwords, and prohibiting the sharing of user IDs and passwords with anyone. Finally, make enabling two-factor authentication for any device or application that allows it compulsory.

Of course, a password policy like this creates a new problem, which is trying to keep track of all the complex passwords now mandated. Between us, my wife and I have over 250 different passwords we need to keep track of in our personal and professional lives. Fortunately, this problem can be easily managed by using a password manager such as RoboForm, LastPass, or Dashlane. Such tools are often cloud-based software applications that allow users to conveniently store and manage all of their passwords.
The data is encrypted and can only be accessed once a master password has been entered. Yes, users will still need to remember a long and difficult-to-guess master password. But having to remember one is going to be far easier than trying to remember 250. And again, no one should ever write down their master password. Everyone really must commit the master password to memory.

One side note here, because lawyers are sometimes hesitant to place passwords in the cloud: Avoid allowing such a concern to become an excuse for not making any changes at all. As I see it, those of us who use password managers are far more secure than those who simply write everything down on a piece of paper or sticky notes. Further, given

Mark Bassingthwaighte, ALPS risk manager, has conducted more than 1,000 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management and technology. His webinar on Best Practices for Client Selection in the ALPS CLE library is at http://alps.inreachce.com. He can be contacted at: mbass@alpsnet.com.

Vol. 67 | December 2019 | VIRGINIA LAWYER 43