Vermont Bar Journal, Vol. 40, No. 2, Summer 2019 | Page 33

Password Insecurity - Lessons from a Personal Story

by Mark Bassingthwaighte, Esq.

Sometimes married couples see things differently and the only way to resolve the tension is by finally deciding to agree to disagree. That’s how things played out in our home for a number of years on the issue of passwords. My wife viewed my focus on computer security and passwords as something approaching mild paranoia. I, on the other hand, viewed her insistence on using one easily remembered password for everything in her life the equivalent of tattooing the phrase “victim here” on her forehead. The only way for us to move forward was to reach an accord. We agreed to disagree, and things were good, at least for a while.

A few years later, after receiving an email from one of our sons, our accord began to crumble. I was informed that my wife’s email account had been hacked and was actively being used to send out spam email. Of course, I did what one normally does to remedy that situation and hoped all would be good. Sadly, it wasn’t to be.

Our accord abruptly ended a few months later after we received written notice from a credit union on the opposite side of the country telling us that they were most displeased with my wife. Apparently, credit unions don’t like it when someone gets a new credit card, immediately maxes it out, and then fails to make any payments. Unfortunately, given that my wife wasn’t the one who applied for and received that credit card, we had a new problem.

While this tale took a number of interesting twists and turns over the next few years, in the interest of time I will simply share that as a result of the initial identity theft a federal and an out-of-state tax return were also fraudulently filed in my wife’s name. I spent over three years working to get everything cleaned up; but the one thing I can’t do, and honestly no one can, is ever get her identity back.
That’s been taken and we’ll have to deal with the ramifications of that for the rest of our lives. Hopefully, it’s over; but only time will tell.

Today things are different around here. My focus on computer security is viewed in a much different light by my wife, and I no longer worry about any unsightly tattoos on her forehead. Our state of marital bliss has been restored because this time around we’re both on the same page. Trust me, she gets it now. What’s more important, however, is do you? Again, understand this entire saga started with someone managing to figure out a password, a password that, unfortunately for my wife and me, opened all kinds of doors that would have remained locked had she not used one password for everything.

I chose to share this story because I wanted to put a real-world spin on the problems that can arise when too little attention is given to the importance of passwords. Every one of us in our personal and professional lives needs to abide by some sort of password policy, formal or informal, in order to try and avoid becoming yet another victim of identity theft. And heaven help you if an identity theft occurs and it turns out to be the identity of one or more of your clients because someone got into your office network. So not good.

With this tale of woe now told, it’s time to talk about how to avoid becoming a victim. I’ll start by identifying typical missteps. Here is a list of things no one should ever do.

1) Use the same password on multiple devices, apps, and websites.
2) Write down passwords on easily found sticky notes.
3) Believe that passwords like “qwerty”, “password”, “1234567”, or “letmein” are clever and acceptable. They aren’t.
4) Allow computer browsers to remember passwords.
5) Choose passwords based upon easily remembered information such as birth dates, anniversary dates, Social Security numbers, phone numbers, names of family members, pet names, and street addresses.
This kind of information just isn’t as confidential as you think due to events like the Equifax breach and widespread participation in the social media space.

Knowing the common missteps, however, isn’t enough. Such practices should be prohibited in a formal firmwide password policy that everyone at the firm must abide by. There can be no exceptions, period. Of course, policy provisions must also detail what to do. The most important provision of a password policy would be to mandate the use of strong passwords defined as follows. A password is strong if it is long, a minimum of 15 characters, and it should include a few numbers, special characters, and upper and lower-case letters if the device or application you wish to secure with a password will accept it. Additional provisions worth including would be requiring that every application and device in use have its own unique password, requiring that passwords in use with mission critical devices and applications (e.g. banking login credentials, firm VPN login) be changed every 6 months, forbidding the reuse of old passwords, and prohibiting the sharing of user ids and passwords with anyone. Finally, make enabling two-factor authentication for any device or application that allows it compulsory.

Of course, a password policy like this creates a new problem, which is trying to keep track of all the complex passwords now mandated. I can share that between us, my wife and I have over 250 different passwords we need to keep track of in our personal and professional lives. I don’t know about you, but I sure can’t remember all of that information.

Fortunately, this problem can be easily managed by using a password manager such as RoboForm, LastPass, or Dashlane. (My wife agreed to commit to learning how to use a password manager shortly after her kerfuffle with the credit union and it has