EDITOR'S NOTE: This article is from the NJSBA's PracticeHQ, a free benefit available to all NJSBA members. Access articles, comparison charts, videos and more created for the sole purpose of helping you manage your law practice more efficiently and effectively. Find out more about PracticeHQ resources here.
By Paul J. Unger, Esq. ([email protected])
“Change your password every 30 days” … “Use numbers, letters & characters” … “Use 12 digits” … “Oh wait, now you should only use phrases!” … so which is it?! What should you do?!! Here are my top 3 tips:
Multi-Factor Authentication is Critical
Putting in place two-factor (or multi-factor) authentication (also known as 2FA) is more important today than changing passwords or using unique passwords. I still think unique passwords are important, but changing passwords every 30 days has come to be seen as a waste of time. Indeed, in this article Microsoft itself acknowledges that 2FA is critical and that changing passwords is not very important anymore: https://www.cnet.com/news/microsoft-admits-expiring-password-rules-are-useless/.
2FA is most important because, with the second measure of authentication in place, a cybercriminal who possesses your username and password still cannot log in to an important account.
These second-factor protections come in two forms: a text message to your cell phone or a rotating code provided via a registered smartphone app. Unless that code is provided in addition to your username and password, the attempted login is rejected.
A third form of 2FA, in addition to text messages and app codes, is the biometric security, like Face ID or Touch ID, provided by many modern devices. This form of 2FA is most often utilized by on-device apps. While any 2FA is a tremendous enhancement over none, the hierarchy of secure 2FA methods puts app codes and biometrics tied for first, then text messaging. If the service or app provides a choice between methods, go with app codes or biometrics.
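The rotating app code described above, as an added example that is not from the original article: a small Python implementation of the time-based one-time password algorithm (TOTP, RFC 6238) that authenticator apps use, plus a login check that rejects a correct username and password whenever the code is missing, wrong, or stale. The shared secret is the RFC's published test seed, constructed here purely for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 reference-vector seed. In a real
# deployment this is the per-user secret shared with the authenticator app at
# enrollment (the QR code you scan) and stored only server-side and on the phone.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30      # seconds each code is valid: the "rotating" interval
DIGITS = 6          # length of the code the user types


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at`.
    Both the app and the server compute this independently; nothing is sent
    between them except the 6-digit result."""
    return hotp(secret, at // step)


def verify_login(password_ok: bool, submitted_code: str, secret: bytes,
                 at: int, window: int = 1) -> bool:
    """Second-factor check: accept only when the password is right AND the
    submitted code matches the current time step or one step either side
    (tolerating small clock drift). A stolen password alone never succeeds."""
    if not password_ok:
        return False
    counter = at // TIME_STEP
    for c in range(counter - window, counter + window + 1):
        # constant-time compare so timing does not leak which digits matched
        if hmac.compare_digest(hotp(secret, c), submitted_code):
            return True
    return False
```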
Visit https://2fa.directory to get an idea of which of the services you use offer two-factor authentication.
Use an Encrypted Password Manager
I think everyone should be using encrypted password managers. Affinity recently purchased Roboform accounts for everyone in our company (https://www.roboform.com) because we feel so passionately about this topic. Password managers do the following:
- Secure all your passwords, credit cards and personal notes in a highly secure, encrypted, cloud-based vault that is accessible via your PC, laptop, tablet, smartphone, Apple device, or all of the above … for the same low price.
- Before password managers, many of us allowed Chrome, IE, Firefox, or our browser of choice to “save” the login information for us. Having your password manager do that is much safer, and it isn’t impacted when you get a new computer, clear out your cookies, or simply start using another browser. Further good news is that many password managers can import your saved logins from your browser.
- Generate and update strong passwords for you.
- If desired and appropriate, these vaults allow sharing of certain passwords with co-workers, your spouse, or your team.
- Look at programs like 1Password (https://1password.com), Dashlane (https://www.dashlane.com), LastPass (https://www.lastpass.com), and Roboform (https://www.roboform.com).
Check out the Password Manager Comparison Chart available through the bar’s PracticeHQ site (https://tcms.njsba.com/PersonifyEbusiness/Resources/PracticeHQ/ComparisonCharts.aspx) for additional details on available password managers and features.
Draft a Policy and Educate your Users
Finally, I think it is critical that you have a cybersecurity policy within your organization and educate your users about how to be safe. Password security is only one small part of safe computing and guarding client and personal data/information! Have a company that specializes in cybersecurity come out and evaluate your practices to help you design that cybersecurity roadmap.