Building a Better Password
By Wayne Nitti
Passwords, intended to protect our privacy and our most sensitive data, are these days almost as reviled as they are ubiquitous. By one estimate, reported by Security Magazine in 2017, the average business user has an astonishing 191 passwords. Couple that with continuing demands from financial and other institutions that customers routinely change the unique string of characters required to gain access to their accounts, and it’s no wonder that many now regard passwords as an evil necessity.
As the founder and CEO of an online legal case management system with thousands of independent user accounts (most held by attorneys like myself), I’ve tracked the evolution of password protocols. I’m alarmed that 81 percent of confirmed data breaches can be linked to weak password choices, and I’m concerned by the mounting threats of cybercrime, which the data and analytics firm Cybersecurity Ventures has labeled as the single biggest problem facing companies across the globe.
Regrettably, there are no failsafe protections. That said, Case Anywhere deploys two-factor authentication, which ensures that if a password is stolen, it can’t be reused. We also recommend that attorneys and professional staff who use our litigation and arbitration hubs review their passwords in light of the most recent guidance from the National Institute of Standards and Technology, or NIST.
Back in 2003, NIST recommended long, complex passwords—strings of letters, numbers, and special characters—as the best defenses against intrusions into internet accounts. Not long ago, however, the federal agency changed course. “Complex password rules actually drive us to create predictable, easy-to-guess passwords,” NIST explained in an official blog on its updated Digital Identity Guidelines. “In practice, all those rules had made it easier for the bad guy, and harder—and less secure—for the user.”
Instead, NIST now suggests that users come up with short “passphrases” that have unique and personal significance. The agency advises users to choose a unique passphrase for each important account, and advocates choosing “a phrase you can picture in your head . . . so it’s easy to remember but hard to guess.”
Among other things, NIST’s new framework for password management recommends that users and network administrators:
- Drop requirements for periodic password changes.
- Require a minimum of eight characters and allow passwords of up to 64.
- Abandon demands for the use of special characters.
- Restrict sequential numbers, repeat letters, and context-specific terms.
- Screen passwords against frequently used and previously breached phrases.
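The five recommendations above translate directly into a server-side policy check. The following is an added example written for this article, not Case Anywhere's own code: it enforces the 8-to-64 length window, imposes no special-character requirement, rejects sequential and repeated runs, rejects context-specific terms the caller supplies (such as the account name or the service name), and screens against a deny list. The deny list here is a small constructed stand-in for a real breached-password corpus, and the run length of four used to detect sequences and repeats is an assumed threshold, not a NIST figure.

```python
import re

# Constructed stand-in for a breached/common-password corpus. A real
# deployment loads a large list (or queries a breach-check service); these
# ten entries exist only so the example runs offline.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "admin", "welcome", "monkey", "dragon",
}

MIN_LENGTH = 8    # NIST: require at least eight characters
MAX_LENGTH = 64   # NIST: allow long passphrases, up to 64 here
RUN_LENGTH = 4    # assumed threshold for "sequential" and "repeated" runs


def _has_sequential_run(s, run=RUN_LENGTH):
    """True if s contains `run` consecutive characters whose code points
    ascend or descend by exactly one (e.g. '1234', 'abcd', 'dcba')."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _has_repeated_run(s, run=RUN_LENGTH):
    """True if any single character appears `run` or more times in a row
    (e.g. 'aaaa' or '1111')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def check_password(password, context_terms=()):
    """Return a list of policy violations; an empty list means the
    password is accepted. Note what is deliberately absent: no rule
    demands digits, upper-case letters or special characters, and
    nothing here expires a password on a schedule."""
    lowered = password.lower()
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Screen against frequently used / previously breached values.
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")

    # Restrict sequential numbers or letters and repeated characters.
    if _has_sequential_run(lowered):
        problems.append("contains a sequential run (e.g. 1234 or abcd)")
    if _has_repeated_run(lowered):
        problems.append("contains a repeated character run (e.g. aaaa)")

    # Restrict context-specific terms: account name, service name, etc.
    for term in context_terms:
        t = term.lower()
        if len(t) >= 3 and t in lowered:
            problems.append(f"contains context-specific term '{term}'")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "jane" is an invented account name.
    samples = [
        ("correcthorsebatterystaple", ()),
        ("password", ()),
        ("abcd1234", ()),
        ("Jane_CaseAnywhere_2019", ("jane", "caseanywhere")),
    ]
    for pw, ctx in samples:
        verdict = check_password(pw, ctx) or ["accepted"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

Two design points are worth noting. The function returns every violation rather than stopping at the first, so a user can be told everything wrong with a candidate in one round trip. And the context-term check is case-insensitive and substring-based, which is what makes a password like the service name with a year appended fail even though it would sail through an old-style complexity rule.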
For legal professionals and law firms, there’s abundant cause to double down on password protections. In its 2017 Technology Report, the American Bar Association found 22 percent of law firms surveyed had suffered data breaches. And just last month, the ethical hackers at Independent Security Evaluators disclosed serious vulnerabilities even among some of the most popular password managers.
Unless and until industry leaders require more robust features such as two-factor authentication or fingerprint and face- or voice-recognition software, passwords will remain something of a double-edged sword. In the meantime, if you’re in the market for an online legal case management and e-service provider, I hope you’ll contact us. We’re committed to your success, and at Case Anywhere, security is always top of mind.