chevron-down Created with Sketch Beta.

ARTICLE

Legal Cybersecurity Tips and Secrets, Part II

Michael Andrew Iseri

Summary

  • Being vigilant and taking proactive measures to protect sensitive information are crucial in safeguarding lawyers’ and their clients’ sensitive information against an evolving landscape of cyber threats.
  • To do so, it is important to define these threats. Read on to learn about common cyberattack vectors to be alert for.
Legal Cybersecurity Tips and Secrets, Part II
Oscar Wong via Getty Images

Following up on the first article in this series, which discusses fundamental rules for cybersecurity, in this second article, I discuss password security and practices for effective password management. Platform-specific tips for maximizing efficiency and productivity will be offered in the third article.

Essential Password Practices for Security

In the digital age, when data breaches are increasingly common, the importance of robust password protocols cannot be overstated, especially in the legal profession where sensitive data are commonplace. A strong password is the first defense against unauthorized access to critical information. Here are some recommended practices for password creation and management:

  1. Complexity and unpredictability: Passwords should never be simple or predictable. They must be complex enough to withstand standard cracking techniques and should not be easily guessed.
  2. Regular updates: There is some debate over the practice, but generally it is recommended to change passwords every 30 to 90 days, particularly following a major exploit. This helps mitigate risks associated with password breaches over time.
  3. Strict confidentiality: Passwords should never be shared except under the strictest circumstances and with utmost control. Even then, sharing should be minimized and handled with caution.
  4. Separate passwords for sensitive data: Different passwords or personal identification numbers (PINs) should be used for accessing distinct types of sensitive data, such as financial information, major email accounts, and critical legal or business services. This segregation ensures that a breach in one area doesn’t compromise other data.
  5. Personal information exclusion: Passwords should not contain information that is personal to the creator, such as a father’s middle name, to avoid easy guesses through social engineering tactics.
  6. Security questions: Whenever possible, users should enable security questions for an additional layer of security. However, the answers to these questions should not be based on actual, easily discoverable information about the user. This practice helps prevent incidents similar to the high-profile breach experienced by Paris Hilton, where personal knowledge of her dog’s name led to unauthorized online account access.

Furthermore, avoiding standard and easily guessed codes is crucial when considering PINs, especially for mobile devices. Studies show that the top 20 most common mobile phone PINs account for 26 percent of all cracked phones, which are 0000, 1004, 1010, 1111, 1122, 1212, 1234, 1313, 2000, 2001, 2222, 3333, 4321, 4444, 5555, 6666, 6969, 7777, 8888, and 9999. Avoiding these standard PINs can significantly enhance the security of your devices.

Adhering to these password and PIN protocols is not just a technical necessity but a fundamental aspect of practicing safe and responsible legal ethics. In the legal field, the confidentiality and integrity of data are paramount.

An Overview of Password Cracking

The sophistication of password-cracking techniques has reached unprecedented levels, making understanding and implementing robust password protocols a critical aspect of cybersecurity. This section analyzes password vulnerabilities and the estimated time frames for cracking various password complexities using brute-force methods.

The brute-force approach, a method by which a password-cracking program sequentially tests every possible combination of characters, has evolved significantly. Modern password-cracking strategies rely on this method and incorporate more nuanced techniques. These include targeting commonly used passwords, exploiting dictionary-word patterns, leveraging known encryption or hashing algorithm weaknesses, and applying probability theories such as birthday attacks.

Here, we present an illustrative list of passwords, juxtaposed with the estimated time frames for their compromise through brute-force attacks in 2022:

Types of Passwords and the Time It Takes to Crack Them

  • Simple numeric password: “9234567890”—Approximately 3 seconds to crack.
  • Primary alphabetic password: “abcDEF”—Roughly 6 seconds to crack.
  • Alphanumeric with special character: “abcDEF!”—Around 3 hours to crack.
  • Enhanced complexity: “abcDEF!1”—Estimated 25 days to crack.
  • Further complexity: “abcDEF!10”—Approximately 6.5 years to crack.
  • High complexity: “abcDEF!10*”—Roughly 610 years to crack.
  • Extreme complexity: “abcDEF!10*A”—About 57,337 years to crack.
  • Ultra-complex password: “8@MoVing!VaCant#HUmble244”—An estimated 241,111,914,873,899,690,000,000,000,000,000,000 years to crack.

An important note on common patterns: The password “asdfjkl;” represents the default hand resting position on a keyboard. While it may seem unique, its predictability renders it vulnerable and useless. A sophisticated password-cracking program could decipher it in less than a second. This highlights the critical need for awareness of common phrases and dictionary words in password creation, such as “password1,” “letmein,” “avocad0,” or “il0vey0u,” which are prime targets for advanced cracking programs.

Please be advised that more competent password-cracking programs would first go through the commonly used passwords, use dictionary-word password algorithms, use any known encryption/hashing algorithms exploits, apply birthday attacks probability theory, and much more.

This analysis underscores the imperative for legal professionals to adopt robust and complex passwords, steering clear of predictable patterns and common phrases. As technology continues to advance, so too must our strategies for protecting sensitive information, ensuring that our practices remain competent and exemplary in cybersecurity.

Tips for Implementing Effective Password Management

Effective password management is a critical component of cybersecurity. There are two primary methods recommended for maintaining strong and secure passwords.

The first method involves utilizing a password management system, such as Bitwarden. These systems offer a secure and efficient solution for storing and managing a variety of passwords. One of the key advantages of using such systems is the ability to implement system-wide administration. This feature is particularly beneficial in an organizational setting, allowing for centralized control over password management among users. While advanced features of these systems often come with a cost, the investment is justified by their enhanced security and convenience.

The second method is the creation of code-based passwords incorporating entropy characters to increase complexity. This approach involves writing a series of words or phrases and replacing each with a predetermined code known only to the user, combined with random entropy characters. For instance, a simple code might be the following:

  • Written Code: “Apple + Life + City + FavD”
    • Memorized Decryption Key:
      • Apple → Pie
      • Life → 42
      • City → LALALAND
      • FavD → Wall-E
    • Resulting Password: “Pie42LALALANDWall-E”

Code-based passwords can be written down and stored. As long as the user protects the code usage and decryption, then written-down code-based passwords would not be cracked.

However, it is crucial to avoid storing passwords in web browsers like Chrome, Edge, or Firefox. Passwords saved in these browsers are often stored in plain text, making them susceptible to easy retrieval. A straightforward online search can reveal instructions on how anyone can access saved passwords in these browsers even without knowing the user’s password.

Legal professionals can greatly improve their cybersecurity posture by adopting these password management techniques. Whether through sophisticated password management systems or the creation of complex code-based passwords, it is essential to ensure that the methods for creating and storing passwords align with the highest cybersecurity standards. A commitment to robust password management is a critical step in safeguarding sensitive information and upholding the integrity of legal practice in the digital age.

    Author