
New Year’s resolution: Improve your passwords

Cindy Neagle¹

We all experience password fatigue, that feeling when you receive yet another notification to create or change a password. The password must meet certain criteria, typically a minimum number of characters containing a combination of uppercase, lowercase, numbers, and/or symbols. Exasperated, you ask yourself, “How am I going to remember a new password?” So you take the easy route and add an additional exclamation point to your current password or use a password from a different account.

While you are more likely to remember these passwords, re-using or creating predictable passwords leaves you vulnerable to hackers. Stolen passwords, phishing, spear-phishing, and ransomware are serious threats to any internet user, but particularly so for attorneys, who are mandated to protect confidential client information.

Best Practices for Creating Strong Passwords

You know the basics of password security. Do not store your written passwords under your keyboard; do not use your username, the word “password,” qwerty, or personal/confidential information as a password; and finally, do not use a single dictionary word. So how do you protect yourself?

Stop Re-Using Pa5sw0rds! Even if you create a strong password, using it for a number of accounts increases the likelihood that it may be stolen. Creating a unique password is less critical for sites that do not store your personal or confidential information, but never use a password from one of those sites on any site that does store such information. Most importantly, you should never re-use your email password at any online site. If you do and one of the eCommerce sites is hacked, your email account is compromised.

Longer is Better. While many sites require a minimum of eight characters, you should create a longer password. Each additional character you add will exponentially increase your password strength. A password consisting of 15 lowercase letters offers better security than an eight-character password containing mixed, but predictable, characters.

Even So, Mix It Up. Many users make it easier on themselves (and hackers) by placing their capital letter at the beginning and the number and/or special character at the end. Your password will be far stronger if capital letters, lower case letters, numbers and special characters are not bunched together. Mixing it up also means that you avoid easily predictable keyboard patterns such as qwerty or 1qaz@wsx.
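The length and predictability points above can be checked mechanically. The following is an added example, not part of the original article: it estimates the brute-force search space of a password and flags the patterns the article warns about. The function names, the extra keyboard walks beyond qwerty and 1qaz@wsx, and the 15-character threshold (borrowed from the article's 15-letter example) are assumptions, and the sample passwords are constructed.

```python
import math
import re

# "qwerty" and "1qaz@wsx" come from the article; the other walks are assumed additions.
KEYBOARD_WALKS = ("qwerty", "1qaz@wsx", "asdfgh", "zxcvbn", "123456")
BANNED_WORDS = ("password",)

def charset_size(pw):
    """Size of the character pool a brute-force search must cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII symbols, space included
    return size

def brute_force_bits(pw):
    """log2 of the search space: length * log2(pool size).
    This is an upper bound; predictable structure lowers real strength."""
    pool = charset_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0

def findings(pw, username="", min_length=15):
    """Return the article's warning signs that apply to this password."""
    out = []
    low = pw.lower()
    if len(pw) < min_length:
        out.append("short")
    if username and username.lower() in low:
        out.append("contains-username")
    if any(word in low for word in BANNED_WORDS):
        out.append("banned-word")
    if any(walk in low for walk in KEYBOARD_WALKS):
        out.append("keyboard-walk")
    # Capital first, lowercase body, digits/symbols bunched at the end.
    if re.fullmatch(r"[A-Z][a-z]+[^a-zA-Z]+", pw):
        out.append("predictable-shape")
    return out

if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("Summer1!", "1qaz@wsx", "correcthorsebat"):
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits, findings={findings(pw)}")
```

The bit count only measures blind guessing; a password that triggers any finding will fall much sooner to an attacker who tries common patterns first.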

Don’t Change So Often. For some of us, frequent change is required by the IT department. If you have a choice, though, it is generally a better policy to create a strong password and keep it for a longer period of time. While this may seem counterintuitive, frequently changing a password makes it tougher for the user to remember, which makes the user more likely to create easily recalled passwords or to simply increment the number at the end each time a change is required.

Use a Password Manager. If you have a unique password for each site you visit, you have far too many passwords to remember, let alone which password goes with which site. You are probably also frequently locked out of accounts or having to reset your passwords. Good news – there’s an app for that! Password managers create and store credentials for each site you use and log you in automatically. Your database of passwords is encrypted with a master password. The benefit of a password manager is that you will have unique and strong passwords for all of your online accounts. The downside is that you absolutely must remember your master password. There are numerous excellent password managers. Dashlane, KeePassX, Password Boss, and LastPass are just a few of the many options, and most have both free and paid versions.

Use Two-Factor Authentication. While these password tips provide a good start to better online security, you should also enable two-factor authentication for any account that offers that option. Two-factor authentication will require that you enter a temporary code sent to your phone along with your regular password. This additional layer can help protect you from attack if your passwords are compromised. This is a particularly good idea for online banking and eCommerce accounts. You can often designate your own personal computer and phone as trusted once it is set up and can avoid the bother of having to enter a code each time you access your account from those devices.

Whether you are technologically savvy or not, these tips provide easily achievable steps to better secure your online presence. Resolve to make your 2017 more secure by putting these password systems into practice.


¹ Cindy Neagle is Law Practice Management Attorney for The Missouri Bar.