- Password Managers: Locking the Barndoor with Better Passwords
Last updated: February 2023
Joe stared at his computer screen and wondered, “Why am I locked out of my own account?” He knew he had not done anything wrong, but the message on his screen told him otherwise. His account had been breached and he knew he had to take action.
If criminals gain access to your data or online accounts, there can be significant financial and professional ramifications. One way of protecting your data is to use strong, unique passwords across all of your digital accounts. Poor password habits have turned passwords from a line of defense into a target for cybercriminals. There are practical things you can do to restore the protective function of your passwords.
The Problem with Passwords
Despite the risks, people continue to use — and re-use — weak passwords. The reason? It is simply not practical to create and remember a unique and complex password for every account we own.
As a consequence:
- An audit of the dark web in 2020 found over 15 billion exposed credentials circulating online.
- In 2021, the most common passwords used in Canada included 123456, password, qwerty, abc123, password1, testing, hockey and iloveyou, any of which takes cyber criminals mere seconds to crack.
- As many as 81 per cent of data breaches involve weak or stolen passwords.
To leverage the full protective capabilities of passwords, strong passwords are a must.
What Makes a Good Password?
Password safety requires two things:
- A password that is robust in design; and
- The use of unique passwords for each account a user owns.
The first element, password design, concerns the content of the password itself. Length is the single biggest factor: every additional random character multiplies the work an attacker must do, so a long password drawn from a mix of letters, numbers and special characters resists both guessing and brute force.
Best practice also advises against using personal information. Names, dates and places are memorable to us, but attackers can quickly find such details on publicly available sites.
The second element, unique passwords, guards against the danger of using the same password across multiple accounts. Re-using passwords, or using minor variations based on a pattern or a root word, is an open invitation to hackers wanting to access your records.
If a shared password is compromised, all your accounts become compromised, and the damage multiplies: attackers take the username and password lists leaked from one site and automatically try them against banks, email providers and practice-management systems. Of course, creating complex and unique passwords is all well and good. But to memorize them for every account we own? That might prove to be an impractical, if not impossible, task.
This is where password managers come in.
What Are Password Managers and How Do They Work?
Password managers are digital tools or software that act as a secure “vault” where users can record their login credentials. Users only need to remember one password, the “master password”, to unlock their vault, and the password manager then lets them create a complex password for each account they own.
The result? Robust and unique passwords for each individual account, with the practical advantage of only needing to remember one master password to access all of these records.
Most password managers combine convenience and security with the following features:
- Random password generators: A tool that quickly creates random passwords for users to apply to their existing or new account logins. The tool lets users specify the desired password length or inclusion/exclusion of certain letters, numbers, symbols, or special characters, to generate a random password.
- Multi-device access: Users can log into their password manager from any desktop or mobile platform (Mac, Windows, Android and iOS). Adding or modifying a password on one device syncs the change to all the others.
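As an added illustration of the random password generator described above (this is example code, not the page's own or any product's), the Python below draws characters from the operating system's cryptographically secure random source, applies the user's include/exclude options to the pool, guarantees that every selected class appears, and reports the strength of the result in bits. The class names and the symbol set are assumptions chosen for the example.

```python
import math
import secrets
import string

# Character classes a generator lets the user toggle (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def generate_password(length=20, classes=ALL_CLASSES, exclude=""):
    """Return a random password drawn with a CSPRNG (the `secrets` module, never `random`).

    Every enabled class is guaranteed to appear at least once, and any character
    in `exclude` (for example look-alikes such as "O0l1") is dropped from the pool,
    mirroring the include/exclude options a password manager offers.
    """
    pools = [[c for c in CLASSES[name] if c not in exclude] for name in classes]
    if any(not pool for pool in pools):
        raise ValueError("a selected class has no characters left after exclusions")
    if length < len(pools):
        raise ValueError("length is shorter than the number of required classes")
    alphabet = "".join("".join(pool) for pool in pools)
    # One character from each required class, then fill the rest from the whole pool...
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # ...then shuffle with the same CSPRNG so the guaranteed characters are not always first.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, classes=ALL_CLASSES, exclude=""):
    """Upper bound on strength: log2(alphabet_size ** length) for a uniformly random string."""
    alphabet = set()
    for name in classes:
        alphabet.update(c for c in CLASSES[name] if c not in exclude)
    return length * math.log2(len(alphabet))


def has_every_class(password, classes=ALL_CLASSES):
    """True if at least one character from each selected class is present."""
    return all(any(c in CLASSES[name] for c in password) for name in classes)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20):.1f} bits of entropy at most)")
```

Twenty characters from the full pool gives roughly 129 bits, far beyond any offline guessing attack; the same generator with only lowercase letters and digits, and look-alikes excluded, gives a twelve-character password about 60 bits, which is why managers default to long, mixed-class output.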
Other features include:
- Payment information and document storage: The ability to store credit card information, online banking information, passports, health records and other secure files.
- Sharing capabilities: The ability to share passwords and documents with other trusted users such as family members or team members at work. This feature is not always available with free versions but is common with paid versions.
- Emergency access/account recovery: The ability to recover access to the password vault if a user forgets their master password or is unable to log in. This can be through additional security questions or by granting a trusted person emergency access. Treat any recovery path as a second door into the vault: prefer mechanisms that do not require the provider to hold a copy of your master password or vault key, or the zero-knowledge protection described below is weakened.
- Dark web monitoring: The user’s email addresses across various accounts are checked against a database of known breaches. If an account is known to have been compromised, the password manager alerts the user and prompts them to change that login.
Zero Knowledge Security Architecture
A vault holding every password you own is itself a high-value target. One of the ways password managers guard against a breach of their own systems is what is called zero-knowledge security architecture.
This means the data is readable only by the end user. The vault is encrypted on the user’s device with a key derived from the master password, and it stays encrypted while it is transmitted to, and stored on, the password manager’s servers.
The result is that even the company operating the password manager has “zero knowledge” of the information stored within the tool; the master password itself is never sent to the provider.
If their servers are ever hacked, the perpetrators obtain only encrypted records, which are unreadable without each customer’s master password. The flip side is that the whole design rests on that one password: a weak master password can be guessed offline against a stolen vault, so it must be long and must not be re-used anywhere else.
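To make the zero-knowledge model concrete, here is an added example in Python (not code from this page or from any password-manager product) showing what each side holds. The key derivation, a stretched master password split into a vault key that stays on the device and a separate login hash sent to the server, follows the general pattern commercial managers use. The encryption is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for the AES-256-GCM or XChaCha20-Poly1305 a real product would use, so that the example runs on the standard library alone. Function names, iteration counts and the sample vault entries are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# OWASP (2023) minimum for PBKDF2-HMAC-SHA256; real products may use Argon2id instead.
PBKDF2_ITERATIONS = 600_000


def derive_keys(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS):
    """Stretch the master password, then split it into two unrelated secrets.

    vault_key  - never leaves the device; it encrypts the vault.
    login_hash - sent to the server to prove the user knows the password.
    Both come from the stretched secret through one-way HMAC, so holding the
    login hash tells the server nothing about the vault key.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    vault_key = hmac.new(stretched, b"vault-encryption", hashlib.sha256).digest()
    login_hash = hmac.new(stretched, b"server-login", hashlib.sha256).digest()
    return vault_key, login_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF keystream standing in for a real AEAD cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag, with separate enc and mac keys."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Refuse to decrypt unless the tag verifies under this key (wrong password or tampering -> ValueError)."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tag mismatch: wrong master password or tampered blob")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# --- the two sides of the protocol ------------------------------------------

def client_register(master_password: str, entries: dict) -> dict:
    """Runs on the device. Returns the only things the server ever receives."""
    salt = secrets.token_bytes(16)
    vault_key, login_hash = derive_keys(master_password, salt)
    blob = encrypt_vault(vault_key, json.dumps(entries).encode())
    return {"salt": salt, "login_hash": login_hash, "blob": blob}


def server_store(upload: dict) -> dict:
    """Runs on the server. It never sees the master password or the vault key."""
    # Treat the login hash like any password: salt and hash it again before storing it.
    server_salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", upload["login_hash"], server_salt, 10_000)
    return {"salt": upload["salt"], "server_salt": server_salt,
            "verifier": verifier, "blob": upload["blob"]}


def server_check_login(record: dict, login_hash: bytes) -> bool:
    """Runs on the server: constant-time comparison against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["server_salt"], 10_000)
    return hmac.compare_digest(candidate, record["verifier"])


def client_unlock(master_password: str, record: dict) -> dict:
    """Runs on the device: re-derive both keys, authenticate, then decrypt locally."""
    vault_key, login_hash = derive_keys(master_password, record["salt"])
    if not server_check_login(record, login_hash):
        raise PermissionError("server rejected login")
    return json.loads(decrypt_vault(vault_key, record["blob"]))


if __name__ == "__main__":
    sample = {"bank": "Tr0ub4dor&3", "email": "correct horse battery staple"}  # constructed
    record = server_store(client_register("example-master-passphrase", sample))
    print("server holds:", sorted(record))          # salt, server_salt, verifier, blob
    print("client recovers:", client_unlock("example-master-passphrase", record))
```

The record the server keeps contains a salt, a salted verifier of the login hash and the encrypted blob; nothing in it decrypts the vault, and an attacker who steals it is reduced to guessing master passwords against the 600,000-iteration derivation, which is exactly why the master password's length matters.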
Multi-Factor Authentication
Cyber-security experts now view multi-factor authentication (MFA) as an essential step in maintaining cybersecurity.
MFA is a process that requires users to verify who they are by using a combination of steps (or factors) – in addition to a password – before they are granted access to their data.
The name sounds complicated but the process it describes is not.
The first factor is the password the user creates for themselves.
The additional factor can take various forms and can usually be completed within a few seconds.
Biometric verifiers (fingerprints or retina scans) are one option.
Another is a one-time passcode, typically a six-digit number, generated by an authenticator app on the user’s phone or sent by text message. The user enters the code, together with their password, into the site they are trying to access. Codes from an authenticator app are preferable: text messages can be intercepted, or redirected by an attacker who persuades the carrier to move the victim’s phone number to a SIM they control.
A third option is push-to-authenticate verifiers, which send a message directly to the user’s device, telling them that an authentication attempt is taking place. Users can then approve or deny access with a simple click of a button. This technique is gaining popularity because it provides a simple means to authenticate users, especially when used without passwords. Approve a prompt only when you have just tried to sign in yourself: attackers who hold a stolen password have learned to send a flood of prompts hoping one is approved by mistake, which is why many services now show a number on the login screen that you must type into the prompt to confirm.
Configured this way, your password manager is not secured by the master password alone, but by additional factors that must be verified before the vault is unlocked.
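The time-based passcode that authenticator apps display is specified in RFC 6238 (built on the HMAC-based one-time password of RFC 4226) and is small enough to show in full. The Python below is an added example, not code from this page or from any authenticator product: it generates codes, verifies them while tolerating one 30-second step of clock drift, and refuses to accept the same code twice. The shared secret is the RFC’s published test value, not a real one, and the function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the Unix epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, digits: int = 6,
                window: int = 1, last_used: int = -1):
    """Return the accepted time-step, or None.

    Accepts `window` steps either side of now so a phone with a slightly wrong clock
    still works, rejects any step at or before `last_used` so a code captured by an
    attacker cannot be replayed, and compares in constant time.
    """
    if at is None:
        at = int(time.time())
    if not (code.isdigit() and len(code) == digits):
        return None
    now = at // step
    for candidate in range(now - window, now + window + 1):
        if candidate > last_used and hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def secret_from_base32(text: str) -> bytes:
    """Apps exchange the shared secret as base32 (the otpauth:// URI behind the enrolment QR code)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))   # restore any stripped padding


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"                      # RFC 4226 / 6238 test secret
    print("code at t=59:", totp(rfc_secret, at=59))          # 287082 per the RFC vectors
    print("verify:", verify_totp(rfc_secret, "287082", at=59))
```

Because the server and the phone share only this secret and the clock, a code is useless to an attacker more than about a minute after it was shown, and the `last_used` bookkeeping closes the remaining window in which a phished code could be replayed.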
The greatest risk to the use of password managers is often the user themselves. A study conducted in 2019 revealed that many users of password managers store their master password in a plain text document somewhere on their computer, meaning it could be accessed by hackers without difficulty.
By following a few simple practices, you can play a role in ensuring that your password vault remains as secure as possible.
- Never save your master password where someone could access it without your knowledge or permission. Just as you should not leave your password on a Post-It note stuck to the side of your computer, you should not keep it in an unsecured document or email on your computer either.
- Do not leave your password manager running in the background, even if it is locked. Exit the tool completely once you have retrieved the password you were looking for, and set the shortest auto-lock timeout you can work with.
- Set up multi-factor authentication wherever possible, since a stolen or guessed master password is then not enough on its own to open your vault.
- Never re-use your passwords. Always use a distinct password for each of your accounts and avoid password clones that vary by only a single character or digit.
- Consider not integrating your password manager with your web browser, if possible. Browser extensions run inside the browser alongside every page you visit, which gives them a larger attack surface than the standalone application. You will have to open the password manager and copy the credential instead of having it auto-filled, but this takes only a few seconds, and the improvement in your online security is well worth the minor delay. If you do use an extension, turn off automatic filling so that credentials are entered only when you click, and treat it as a warning sign when the extension declines to offer a login for a page you expected it to recognize: you may be on a look-alike site.
Take Action
In today’s digital world, cybersecurity has become increasingly important. One simple and obvious line of defense against data breaches, a good password, is key to protecting confidential and sensitive information. Multi-factor authentication is quickly becoming a standard requirement as well.
Password managers do not provide foolproof protection against every potential security risk. However, most experts view them favorably and strongly recommend their use, especially if the alternative means using weak passwords, reusing passwords, storing passwords in an unsecured computer document or spreadsheet or writing them down on paper where they could easily be seen or exposed.
Combining password managers with multi-factor authentication in a lawyer’s digital routine could significantly help to enhance the security of confidential data and information within their practice.