Vermont Bar Journal, Vol. 40, No. 2, Summer 2019 | Page 33
by Mark Bassingthwaighte, Esq.
Password Insecurity - Lessons from a Personal Story
Sometimes married couples see things differently and the only way to resolve the tension is by finally deciding to agree to disagree. That’s how things played out in our home for a number of years on the issue of passwords. My wife viewed my focus on computer security and passwords as something approaching mild paranoia. I, on the other hand, viewed her insistence on using one easily remembered password for everything in her life as the equivalent of tattooing the phrase “victim here” on her forehead. The only way for us to move forward was to reach an accord. We agreed to disagree, and things were good, at least for a while.
A few years later, after receiving an email from one of our sons, our accord began to crumble. I was informed that my wife’s email account had been hacked and was actively being used to send out spam email. Of course, I did what one normally does to remedy that situation and hoped all would be good. Sadly, it wasn’t to be. Our accord abruptly ended a few months later after we received written notice from a credit union on the opposite side of the country telling us that they were most displeased with my wife. Apparently, credit unions don’t like it when someone gets a new credit card, immediately maxes it out, and then fails to make any payments. Unfortunately, given that my wife wasn’t the one who applied for and received that credit card, we had a new problem.
While this tale took a number of interesting twists and turns over the next few years, in the interest of time I will simply share that as a result of the initial identity theft a federal and an out-of-state tax return were also fraudulently filed in my wife’s name. I spent over three years working to get everything cleaned up; but the one thing I can’t do, and honestly no one can, is ever get her identity back. That’s been taken and we’ll have to deal with the ramifications of that for the rest of our lives. Hopefully, it’s over; but only time will tell.
Today things are different around here. My focus on computer security is viewed in a much different light by my wife, and I no longer worry about any unsightly tattoos on her forehead. Our state of marital bliss has been restored because this time around we’re both on the same page. Trust me, she gets it now. What’s more important, however, is do you? Again, understand this entire saga started with someone managing to figure out a password, a password that, unfortunately for my wife and me, opened all kinds of doors that would have remained locked had she not used one password for everything.
I chose to share this story because I wanted to put a real-world spin on the problems that can arise when too little attention is given to the importance of passwords. Every one of us in our personal and professional lives needs to abide by some sort of password policy, formal or informal, in order to try and avoid becoming yet another victim of identity theft. And heaven help you if an identity theft occurs and it turns out to be the identity of one or more of your clients because someone got into your office network. So not good.
With this tale of woe now told, it’s time to talk about how to avoid becoming a victim. I’ll start by identifying typical missteps. Here is a list of things no one should ever do.
1) Use the same password on multiple devices, apps, and websites.
2) Write down passwords on easily found sticky notes.
3) Believe that passwords like “qwerty”, “password”, “1234567”, or “letmein” are clever and acceptable. They aren’t.
4) Allow computer browsers to remember passwords.
5) Choose passwords based upon easily remembered information such as birth dates, anniversary dates, Social Security numbers, phone numbers, names of family members, pet names, and street addresses. This kind of information just isn’t as confidential as you think due to events like the Equifax breach and widespread participation in the social media space.
Knowing the common missteps, however, isn’t enough. Such practices should be prohibited in a formal firmwide password policy that everyone at the firm must abide by. There can be no exceptions, period.
Of course, policy provisions must also detail what to do. The most important provision of a password policy would be to mandate the use of strong passwords defined as follows. A password is strong if it is long, a minimum of 15 characters, and it should include a few numbers, special characters, and upper and lower-case letters if the device or application you wish to secure with a password will accept it. Additional provisions worth including would be requiring that every application and device in use have its own unique password, requiring that passwords in use with mission critical devices and applications (e.g. banking login credentials, firm VPN login) be changed every 6 months, forbidding the reuse of old passwords, and prohibiting the sharing of user IDs and passwords with anyone. Finally, make enabling two-factor authentication for any device or application that allows it compulsory.
Of course, a password policy like this creates a new problem, which is trying to keep track of all the complex passwords now mandated. I can share that between us, my wife and I have over 250 different passwords we need to keep track of in our personal and professional lives. I don’t know about you, but I sure can’t remember all of that information.
Fortunately, this problem can be easily managed by using a password manager such as RoboForm, LastPass, or Dashlane. (My wife agreed to commit to learning how to use a password manager shortly after her kerfuffle with the credit union and it has