Password security protocols are crucial to protect your data – but some popular security measures can be risky business for family law firms.
By Diana Shepherd, Divorce Financial Analyst and Editorial Director
You already know that you need strong, secure passwords to protect your data from being accessible to anyone, anywhere, anytime. However, if your family law firm has a password expiration protocol in place – which forces you to change your password(s) every few weeks – you may be at even greater risk of being hacked than if you left it unchanged. (Wait – that can’t be right, can it? Read on and form your own conclusions.)
Password Security for Family Lawyers
Should You Change Your Password Every 2–3 Months?
Let’s start with a favorite password security protocol for many law and financial firms: password expiration.
Some companies require employees to change/update their password(s) every 60 or 90 days. If you have done it, you know it’s irritating, inconvenient, and everyone hates it – but some law firms deem it necessary to protect client data.
So, why would Microsoft consider this “security” feature to be “obsolete” and of “very low value”?
In May 2019, Microsoft dropped the password expiration policies in its security configuration baseline settings for Windows 10. They no longer force a periodic password change. “Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value,” explains Aaron Margosis, a Microsoft principal consultant.
You have more than one password – possibly dozens of them. Since almost no one can learn dozens of new passwords every few weeks without slipping up, most people make “remembering” them easier by creating “cheat sheets”. However, a list you keep in your desk drawer or (even worse) on a Post-It stuck to your laptop defeats the purpose of changing your passwords regularly, making it easier to hack, especially when laptops and smartphones are prone to being lost or stolen.[1]
The other popular “cheats” are to reuse an older password or to add one letter or number to a previous password. Neither practice makes your password more secure, defeating the purpose of password expiration.
Now let’s look at the other password security measure that has been gaining popularity: two-factor authentication (“2FA”).
What Could be Wrong with Two-Factor Authentication (2FA)?
Nothing – until a human being has to use it. Say the words “two-factor authentication” to someone who has experienced it and they will groan, roll their eyes, or tell you how much they hate it.
Time-based One-time Password (“TOTP”) is often combined with 2FA to make it even more user-unfriendly. TOTP is a complicated algorithm that safely generates a single login password each time a user authenticates.
You have probably experienced it. For example, some financial institutions and online stores will ask you to input a code after you’ve typed in your password. That code is often sent to a specific cell phone via text message; the code is unique, time-limited, attached to one account, and for a one-time use only. If you share an account with anyone, and that code is sent to their cell phone, you will have to call them to ask for the code and then hope you can input it before it expires. That’s an extra layer of pain. And if that phone dies, you are really up the creek.
We manage Google Pay Per Click (PPC) advertising campaigns for clients. Just this month, we had to ask a client to turn off their 2FA associated with their advertising account so that we don’t need to wait for the client to give us a new security code every single time we login to manage the account. In this case, 2FA is simply not workable.
Password Hardware vs. Software
One other possibility is to use devices that are not connected to any network which allows you to securely log into your accounts by generating one-time passwords. It can also store static passwords for websites that do not support one-time passwords. One such example is YubiKey: a hardware authentication device (similar to a USB flash drive) and the Universal Second Factor (U2F) and FIDO2 protocols developed by the FIDO (“Fast IDentity Online”) Alliance. If you’re looking for a reliable third-party endorsement, Facebook employees use YubiKey, and Google supports it for both employees and users. The potential downside: lose the device, and you lose the stored passwords.
Your browser can store your login credentials, but that’s a security risk and it doesn’t cross over to other Apps. Which brings us to password manager apps.
Password Manager Apps
A password manager app is by far the simplest way of handling passwords. You’ll only need to remember one Master password in order to access all your passwords. Type that into the password manager (or use fingerprint or face authentication if using a smartphone), and it unlocks a vault containing all your passwords.
Note: there’s a lot riding on that master password, so make sure it’s a strong one!
Password managers are not one-size-fits-all, but the good news is that there are many very good choices out there. For example, Dashlane, 1Password, and LogMeOnce do a very good job at keeping you protected (and sane at the same time).
Personally, I like LastPass, which offers free, teams, and enterprise plans. You can install it on your computer and mobile devices, and some browsers offer it as an extension. LastPass offers to generate and securely store a strong password each time you sign up for a new service.
The business/enterprise versions of LastPass are easy to implement and manage for your family law firm. An important aspect of your company’s security, the app offers reassurance that everyone is following best practices when it comes to passwords and logins. Each team member has their own vault, and you can easily manage and administer everything in regards to security and access.
Other plans that may be of interest include a personal version and one for families with up to five members. As the plan administrator, you can control, reset, and monitor your children’s online activity using this app.
If a website storing your password is hacked (think Yahoo, which suffered a breach of 3+ billion accounts), your password may be compromised even if you’re using a password manager. However, all good password managers have tools to alert you to a potentially compromised password; they also make it easier and faster for you to change that potentially compromised password.
4 Quick Tips for Better Online Security
- Keep your system and software up to date. Your browser, Windows/MacOS, Office, Slack, Zoom, TimeSolv, LawPay, and any other software you use on your computer. If you don’t have a dedicated IT person/department, assign the most tech-savvy person in your company to look out for and read important update information. Remember: every online tool could be a gateway to your organization.
- Delete old, inactive email accounts. Most of us have more than one email account, which might include an older one that we haven’t opened in years now (like an MSN, AOL, Hotmail, etc.), and they should be deleted.
- Check to see if any of your email accounts have been hacked. Over the years, many systems have been hacked or their user’s data has been compromised. If you used an old email address to sign up for another service 10 years ago, and most likely you used the same password, you are exposed. A good place to start is to check https://haveibeenpwned.com. Simply type in all of your email addresses and this database shows you if that address has been affected by any breach over the years. This doesn’t necessarily mean your email passwords have been hacked; it could mean that your email address has been exposed publicly. This is one way spammers gather email addresses to bombard you with stuff of no interest to you.
- Strengthen the security on your mobile devices. Your mobile phone, tablet, or the smartwatch that measures your sleep cycles, heart rate, how far you walk (which could be transmitting very specific data: like which aisles you spend the most time in while shopping at Costco) are also vulnerable.
Safe and Secure
There is an infinite number of threats these days, and one of the first steps you should take to prevent being hacked is to ensure secure storage of strong passwords – for you and everyone in your firm.
A system is only as strong as its weakest link. If someone from your organization has exposed their password to an outsider, it’s safe to assume that everyone in the organization is at risk. Using a hardware authentication device or a password manager will help. As you can see there are many options with pros and cons. You should be updating and implementing solutions continuously because technology is always changing – and because fraudsters do not sleep.
[1] The Shocking Statistics Regarding Lost and Stolen Laptops and Cell Phones
- One laptop is stolen every 53 seconds.
- 97% of the stolen laptops are never recovered.
- 70 million smartphones are lost each year, and only 7% recovered.
- 4.3% of company-issued smartphones are lost or stolen every year.
- 80% of the cost of a lost laptop is from data breach.
- 52% of devices are stolen from the office/workplace, and 24% from conferences
– Statistics from a Kensington study, Cited in “Mobile Device Security: Startling Statistics on Data Loss and Data Breaches” by Elaine J. Hom.
Originally published in Family Lawyer Magazine (2021)