No doubt, at this moment, armies of hackers are dreaming up diabolical new ways to cash in on our identities, crash our sites and disrupt our favorite pastimes. (“Smishing!”) But really, the biggest threat to your online security is … you. Yes, you, with the “1234” passcode for your iPad and Post-it-festooned monitor. You, with the cleverly disguised “Vital p-word information” emails-to-self.
You, who absent-mindedly clicked the email link from your bank’s “Costumer Service.”
So Let’s Get a Little Smarter with Passwords
Since we’re stuck with passwords (for now), might as well attempt outsmarting the bogeymen. So what’s the best way to deal with passwords — and remember them all? We asked digital forensics and information security experts Sharon Nelson and John Simek to dispense some commonsense advice to help reduce our online security risk.
1. Under attack? Now what? The first thing to do when you receive notice that a password has been exposed? If it’s an email notification, don’t click anything until you verify that the notice is valid and not a phishing attack, warns Simek. “Check the website of the provider or contact their support group to make sure the notice is authentic. If so, then follow the instructions they provide to reset and change the password.” If client data has been exposed, he says, you must comply with your state’s data breach notification laws, and you should contact your insurance carrier if you have cyberinsurance coverage.
As for dealing with Heartbleed, Nelson says: “Lawyers could not have avoided Heartbleed, no matter how strong their passwords. The flaw was in OpenSSL, used by much of the Internet to provide Secure Sockets Layer functionality. We were at the mercy of bad code that went undiscovered for at least two years.” Yes, you should still change your password, but before you do, check to make sure the site’s vulnerability has been patched. (CNET has a good list, as does Mashable.) Nelson’s post at Ride the Lightning, “The Heartburn of Heartbleed,” also has more information and several useful links.
2. Best tip for creating strong passwords? “Make your password at least 14 characters, upper and lower case, numbers and special characters (for example, Attorney@Work2014!),” says Nelson. You can use a password generator utility to create complex passwords of 14-plus characters, symbols and numbers (use spaces too).
3. Recommended app or software to best manage passwords? “Our favorite is eWallet by iLium Software. It synchronizes across multiple platforms and devices but never goes to the cloud,” says Nelson. The data is held in an encrypted vault, explains Simek: “Consider it a digital wallet that can hold passwords, medical data, hotel rewards numbers, frequent flyer numbers, passport data, membership data — and pretty much anything else you can think of.” Software is available for both Windows and Mac OS X computers, as well as most mobile devices (iOS, Android, BlackBerry, Windows Mobile, Windows 8).
4. Stupid password trick? The most common mistake is storing all passwords on your device in a file labeled “passwords” — something Nelson says they find often in their computer forensics work. But the worst is having no password at all. “We had one attorney who was upset he had to use a password to log on to a new laptop we had configured for him,” says Simek. “Second would be taping the password to the bottom of the laptop, which we’ve seen on multiple occasions.”
5. Passwords R.I.P.? Despite rumors of their impending death, says Nelson, passwords probably won’t die — but they may need a partner to survive. Two-factor authentication (something you know, plus something you have) is the future, says Simek. “Biometrics are a temporary solution. I think tokens will be the second factor, along with passwords.” Tokens could be wearable technology such as fitness bands or watches or your ID badge. Or they could be smartphones, USB fobs or digital tokens such as the SecurID card.
“Biometrics won’t cut it,” adds Nelson. “Despite the true believers, once the electronic representation of your fingerprint is compromised, you are toast. You can’t go get a new finger.”
Bonus Tips and Resources
As Joseph Heller said, “Just because you’re paranoid doesn’t mean they aren’t after you.” Simek’s best advice: “Use strong passwords, implement two-factor authentication where available, and encrypt everything you can.” Here are a few more things to contemplate.
- To quickly check the strength of your password, Nelson recommends Microsoft’s password security checker.
- To test your password’s entropy, Simek recommends GRC’s brute force search space calculator, which indicates the likelihood of your password being broken.
- Sick of the entire online security and privacy game? You can delete yourself from the Internet. In just nine steps.
- LawPro magazine’s recent issue on cybercrime includes Dan Pinnington’s excellent, informative article, “Protecting Yourself from Cybercrime Dangers.”
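As an added worked example (not code from the article, from Nelson and Simek, or from GRC's calculator), here is a small Python version of the brute-force search-space estimate that tip 2's "14 characters, four character classes" rule and the entropy bullet above both rest on. The class sizes (26 lower, 26 upper, 10 digits, 33 symbols including the space) and the guess rate are my assumptions, and the sample passwords are the ones quoted in the article.

```python
import math
import string

# Character classes as a brute-force search-space calculator counts them
# (assumed sizes: 26 lower, 26 upper, 10 digits, 33 symbols incl. space).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation + " "),
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classes_present(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def alphabet_size(password):
    """Alphabet an attacker must search if they know which classes were used."""
    return sum(len(CLASSES[name]) for name in classes_present(password))


def search_space(password):
    """All strings of length 1..len(password) over that alphabet (exact integer)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def entropy_bits(password):
    """log2 of the search space: a brute-force-only strength estimate."""
    return math.log2(search_space(password))


def years_to_exhaust(password, guesses_per_second):
    """Worst-case time to try the whole space at the given guess rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


def meets_guideline(password, min_length=14):
    """The article's rule: 14+ characters drawn from all four classes."""
    return len(password) >= min_length and classes_present(password) == set(CLASSES)


if __name__ == "__main__":
    RATE = 1e11  # constructed guess rate; real rates depend on how the site hashed passwords
    for pw in ["1234", "password", "Attorney@Work2014!"]:
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"{entropy_bits(pw):.1f} bits, {years_to_exhaust(pw, RATE):.3g} years, "
              f"guideline={'yes' if meets_guideline(pw) else 'no'}")
```

The estimate only measures resistance to exhaustive search; a guesser working from word lists treats a token like "Attorney" as a single unit, so a passphrase built from dictionary words is weaker than its bit count suggests.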
Joan Feldman is Partner/Editorial at Attorney at Work and a Fellow of the College of Law Practice Management. Follow her on Twitter @joanhfeldman.