When Passwords Fail – A Personal Story

Sometimes married couples see things differently and the only way to resolve the tension is by finally deciding to agree to disagree. That’s how things played out in our home for a number of years on the issue of passwords. My wife seemed to view my focus on computer security and passwords as something approaching mild paranoia. I, on the other hand, viewed her insistence on using one easily remembered password for everything in her life as being like tattooing the words “victim here” on her forehead. The only way for us to move forward on this issue was to agree to disagree and that’s just what we did.

This state of marital bliss started to crack a few years later after I received an email from one of our sons letting me know my wife’s email account had been hacked and a bunch of spam was being sent out using her email address. I did what one normally does to regain control of the email account and hoped all would be good. Sadly, it wasn’t to be. Our marital bliss abruptly ended a few months later after we received written notice from a credit union on the opposite side of the country telling us that they were most displeased with my wife. Apparently credit unions don’t like it when someone gets a new credit card, immediately maxes it out, and then fails to make any payments. Makes sense to me. Problem was she wasn’t the one who walked into that credit union and applied for a card in her name.

While this tale has many more interesting twists and turns, in the interest of time I will simply share that as a result of this identity theft a federal and an out-of-state tax return were also fraudulently filed in her name. I spent over three years working to get everything cleaned up; but the one thing I can’t do, and honestly no one can, is ever get her identity back. That’s been taken and we’ll have to deal with the ramifications of that for the rest of our lives. Hopefully, it’s over; but only time will tell.

Today things are different around here. My focus on computer security is viewed in a much different light and my wife needn’t worry about any unsightly tattoos on her forehead. While we’ve returned to a state of marital bliss, this time around we’re both on the same page.

Now understand that this entire saga started with someone managing to figure out a password and that password opened all kinds of doors that were supposed to be locked. I chose to share this story because I wanted to put a real-world spin on the problems that can arise when too little attention is given to the importance of passwords. I don’t care if you are just a solo practitioner as opposed to the managing partner of a 50-attorney firm. Everyone needs a password policy, formal or informal, in order to try and avoid becoming yet another victim of identity theft; and heaven help you if the thieves swipe the identity of one or more of your clients after gaining access into your office network. That would be so not good.

Let’s start by talking about bad habits. Here are the kinds of things you should never do. Use the same password on multiple devices or applications. Write down the computer password on a sticky note and hide it in your laptop so no one can see it if it’s closed. Believe that passwords like “qwerty”, “password”, “1234567”, or “letmein” are clever and acceptable. They aren’t.

The better approach is to develop a policy that everyone in your office, including you, will abide by. It should mandate the use of a strong password, which is currently defined as one that is a minimum of 14 characters long and includes numbers, special characters, and upper- and lowercase letters if the device or application you wish to secure with a password will accept it. In addition, every application and device in use should have its own unique password and, at least with mission-critical devices and applications (e.g. banking login credentials), these passwords should be changed every 6 months. Never recycle old passwords and never share your user IDs and passwords with anyone. Finally, always use two-factor authentication for any device or application that allows it.
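As an added illustration (not part of the original article), the policy above can be expressed as an audit over a credential inventory, such as an export reviewed inside a password manager. The Credential record, its field names, the 183-day reading of "6 months", and the sample entries are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
import string

# Weak passwords quoted in the article; a real deny list would be far longer.
DENY = {"qwerty", "password", "1234567", "letmein"}
MIN_LEN = 14
MAX_AGE_DAYS = 183  # "every 6 months", approximated as 183 days (assumption)

@dataclass
class Credential:  # hypothetical inventory record, not a real tool's schema
    account: str
    password: str
    last_changed: date
    critical: bool = False      # e.g. banking login credentials
    two_factor: bool = False    # is two-factor currently enabled?
    supports_2fa: bool = True   # does the device or application allow it?

def audit(creds, today):
    """Return {account: [findings]} for each credential that breaks the policy."""
    report = {}
    for c in creds:
        p = c.password
        others = [o.account for o in creds if o.password == p and o is not c]
        age = (today - c.last_changed).days
        checks = [
            (p.lower() in DENY, "on deny list"),
            (len(p) < MIN_LEN, f"shorter than {MIN_LEN} characters"),
            (not any(ch.islower() for ch in p), "no lowercase letter"),
            (not any(ch.isupper() for ch in p), "no uppercase letter"),
            (not any(ch.isdigit() for ch in p), "no digit"),
            (not any(ch in string.punctuation for ch in p), "no special character"),
            (bool(others), "reused on " + ", ".join(others)),
            (c.critical and age > MAX_AGE_DAYS, "critical credential older than 6 months"),
            (c.supports_2fa and not c.two_factor, "two-factor available but not enabled"),
        ]
        findings = [msg for failed, msg in checks if failed]
        if findings:
            report[c.account] = findings
    return report

# Constructed sample inventory: one password shared by email and bank.
TODAY = date(2017, 5, 17)
SAMPLE = [
    Credential("email", "letmein", date(2016, 1, 4)),
    Credential("bank", "letmein", date(2016, 1, 4), critical=True),
    Credential("case-mgmt", "t7#Qw!zLp2@vRx9e", date(2017, 3, 1), two_factor=True),
]
```

Calling audit(SAMPLE, TODAY) flags the email and bank entries, including the reuse between them, and leaves the case-mgmt entry clean.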

Yes, keeping track of all these complex passwords can create its own problem. Fortunately, this problem can be easily managed with the help of a password manager such as RoboForm, LastPass, or Dashlane. Products like these can generate complex passwords and store them for you in an environment far more secure than a piece of paper hidden in your desk somewhere. In fact, my wife joined me in using password managers shortly after her kerfuffle with the credit union and it has made a world of difference. She still only needs to remember one password, albeit a strong one, to open the password manager and that’s it. Compliance with our home password policy has never been easier for her, and speaking frankly, she fully agrees that compliance isn’t optional. Trust me, she gets it now. The interesting question is, do you?

2017-07-24T15:21:40+00:00 | May 17th, 2017 | Law Tech

Authored by:

Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management and technology. Mr. Bassingthwaighte is a member of the ABA and the Montana State Bar Association. He received his J.D. from Drake University Law School.