THESE DAYS it seems like a week doesn’t go by without hearing some story of hackers breaking into an online retailer or other institution, stealing credit card or other information that is personal to us. Last year Adobe reported the theft of 38 million personal records, which seems like a big number—until you consider that only a few months later, Target suffered a data breach affecting more than 110 million of its customers.
When these data breaches occur, security experts invariably rush to examine the passwords being used by those unlucky enough to have their records hacked. And just as predictably, the lists of passwords demonstrate a shameful truth to which many of us should confess: We are lazy when it comes to our passwords. Passwords are just too hard, people say; it’s just too overwhelming to select good, unbreakable passwords. As a result, people use passwords such as “123456,” “123456789” and the ever-popular “password.” These were the top three passwords used by Adobe customers whose records were hacked. Nearly 3 million customers used these passwords.
And online retailers are not helping any. A recent survey by Dashlane, a password management service, found that more than 55 percent of the top 100 online stores accept those types of weak passwords. It also found that 51 percent won’t lock you out if you enter the wrong password more than a couple of times. That means a determined hacker can keep pounding away with your login credentials until he or she finds the right one.
And yet most people—lawyers included—get uncomfortable when it comes to the notion of making our passwords more secure. I talk about setting strong passwords in speeches and presentations all the time, to little effect. I’ve had lawyers tell me, “No, I don’t use the same password for all my websites; I alternate between two different passwords.”
So what’s the solution? The iPhone now lets you use your fingerprint instead of a password, and Android devices allow you to draw a design on the screen to gain access to your phone. Google has declared that “Passwords are dead” and is rumored to be working on a hardware device that we can carry around with us. Many sites are now using two-factor authentication, which is a terrific security tool but makes using passwords twice as complicated for most users. So what’s the solution?
WELCOME TO PASSWORD MANAGERS
My recommendation is nothing new, but something many lawyers either don’t know about or are hesitant to use: the password manager. Password managers provide multiple functions, but their primary purpose is to store your passwords in a secure location so that you can access them whenever you need them. Even better, these tools offer to remember your passwords for you—which means you can set a complicated password that will take even a respectable hacker several hundred million years to crack. Most password managers will also store secure notes, where you can keep information on software licenses, bank accounts, membership information, passports and much more. They will even fill in forms for you, which will save all kinds of time when you shop online or register for a new Web service.
The first password manager I used was RoboForm, which is still around and is a good option. But in recent years it has been eclipsed by more robust, powerful tools. My password manager of choice is LastPass, which provides amazing password support in an easy-to-use framework. Here’s how I use it in my daily practice.
First, I installed it. LastPass is free to use but you’ll want to upgrade to the Premium account (a mere $12 per year) so you can install the app on your iOS, Android, Windows Phone or BlackBerry mobile device. When you download the product, LastPass detects the browser(s) installed on your computer and offers to install plug-ins for each browser. Make sure you do this, because you want to be able to access your passwords no matter which browser you are using. Installation is simple, and it installs a button on your toolbar that gives you immediate access to your passwords. It’s called LastPass because you only need to know one password—the master password you use to access the system.
Before you get started, take a moment to open LastPass, go to Form Fills, and add a Profile. The profile form contains all of the information you might need to use when surfing the Web—contact details, credit card information, etc. Fill it in with relevant information to make LastPass work harder for you.
Now let’s say you visit a website that’s asking you to register. You come to a form that needs filling. LastPass is one step ahead of you, automatically knowing which fields will contain your username and password—it inserts tiny dropdown menus in those fields to help you out. Just click on the first menu, select Form Fills, and then the name of the profile you just created. The registration form is completely filled out with all the correct information.
All, that is, except for the password. You’ll notice another type of dropdown menu in the password field—click on it, and LastPass will help you generate the complex password of your choice. You can select a password length up to 100 characters, with lowercase and capital letters, numbers and symbols. Once you select the length and complexity of the password (which takes about three seconds), press the circular arrow, and a new password is generated. Don’t like that password? Press the arrow again and another is generated. Press Use Password, and it’s automatically pasted into the blanks. A new button pops up that says Save Password—press it, and then press Save Site. LastPass now remembers your username and password and will insert it anytime you want to log in to that site.
I just described the basic steps of using LastPass to show how easy it is to use. You can create complex passwords that you don’t have to remember, in literally a few seconds, and you can create a different password for every website you visit on a regular basis. Now that LastPass has your password, it will insert that password on any computer or device where you use LastPass—your desktop, laptop, phone or tablet. Your passwords are synchronized in the cloud and are available to you anywhere, anytime.
THE CLOUD ISSUE
I already know what you’re thinking. Why would I trust my passwords to the cloud? That’s a really good question, one that the folks at LastPass (and at many of the other password manager sites as well) appear to have thought about a lot. LastPass came up with a good solution: All encryption and decryption of passwords happens on your computer. When you send information to LastPass, it’s encrypted, so all they can see is gibberish. It’s only made visible on your computer, right when you need to use it. LastPass will never ask you for your master password, which also makes it incredibly important that you remember it!
Those of you who are still skeptical may now be asking, “What happens if LastPass goes down or is otherwise unavailable? How do I get to my passwords?” There are a couple of options here. If you set your LastPass browser plug-in to remain logged in, an encrypted copy of your data remains cached on your computer, safe and sound. You can also use the LastPass Pocket to download your entire password database to a USB drive. Problem solved.
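The two points above (encryption happens only on your machine, and the cached or exported copy is useless without the master password) can be seen in miniature in this added example. It is not LastPass’s code: the key-stretching step mirrors what such tools do, but the HMAC-based stream cipher is a standard-library stand-in for the authenticated cipher (such as AES-GCM) a real manager uses, and the vault entries are constructed sample data.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 600_000  # PBKDF2 work factor: slows offline guessing of a stolen blob's master password


def derive_keys(master_password, salt):
    """Stretch the master password into two 32-byte keys (encryption, authentication).
    The master password itself is never stored or transmitted."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    # Stand-in stream cipher: HMAC-SHA256 in counter mode, so the example needs only the
    # standard library. A real manager uses an authenticated cipher such as AES-GCM.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest())
    return b"".join(blocks)[:length]


def encrypt_vault(master_password, entries):
    """Encrypt locally; the returned blob is all a sync server (or a thief) ever sees."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password, blob):
    """Decrypt locally; a wrong master password or a modified blob raises ValueError."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


# Constructed sample vault; these are not real credentials.
SAMPLE_ENTRIES = [{"site": "example.com", "user": "alice", "password": "Qv7#pLm2!xZ9"}]
```

Whoever holds the blob, whether the sync service, a backup, or the USB copy, sees only salt, nonce, ciphertext and tag; the slow key derivation is what makes a forgotten master password unrecoverable and a stolen blob expensive to attack.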
This column may read like a love letter to LastPass, but in truth a number of great alternatives exist. LastPass just happens to be the tool I use and with which I am familiar. One of the better options is 1Password (https://agilebits.com/onepassword). For those of you who aren’t convinced the cloud is a good place to store your passwords, 1Password gives you an option. You can use the cloud or save your passwords to another location, such as a synced Dropbox folder or even an encrypted USB key you carry around with you. And Dashlane, the company that conducted the survey mentioned above, is also a good password manager. And I know many lawyers who still swear by RoboForm and another old standby, KeePass (keepass.info). If LastPass doesn’t appeal to you, any of these tools will likely be better than the password system you use right now.
With the right tools, passwords don’t have to be hard. So it’s time to pull down the Post-it notes from your monitor, stop using your daughter’s name (plus a 1 or 2) as your main password and start taking advantage of the ways technology and the cloud can help you be more secure when working online.
What do you think? If you’re not persuaded by my argument, or if you are a steadfast user of a password manager, I’d like to hear from you. Let’s continue the conversation online. Send me a tweet @TomMighell, a message on Google+ at +TomMighell, or an email at email@example.com. I’ll compile all your comments and post them on the Law Technology Today blog (lawtechnologytoday.org).