Information Security for Lawyers – Passwords reconsidered

On 26 February 2013 I wrote about Information Security for Lawyers. In that post I suggested a password protocol recommended by StaySmartOnline.gov.au. Two readers were kind enough to post comments criticising that recommendation. David referred me to two cartoons from xkcd.com, one of which I reproduce below.

Alex Muentz said more directly:

“Good advice, except for the passwords. Passwords like these end up on sticky notes.

Why not multi-word passwords? Easier for language-oriented folks like lawyers to remember, and a large enough password space to make brute-forcing inefficient. Tools like hashcat permit 2 dictionaries, but doing 3 or 4 word passphrases is a lot of entropy”.

While I am not sure how the thermodynamic concept of entropy came to be a measure of password strength, multiword password protocols are a viable alternative and should be considered.
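As an added illustration (not part of the original post), the Python below estimates the "entropy" referred to in the comment above, meaning the number of bits of uncertainty in how a password was chosen, and compares a 3- or 4-word passphrase with a conventional 8-character password. The dictionary size of 7776 words and the guess rate of 10 billion per second are assumed parameters, and the wordlist is a small constructed sample.

```python
import math
import secrets

# Constructed sample wordlist (a real generator would use several thousand
# common words, e.g. a diceware-style list of 7776 words).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "lawyer", "brief", "court",
    "clause", "ledger", "witness", "verdict", "statute", "counsel", "appeal",
    "motion", "docket",
]

def entropy_bits(choices: int, length: int) -> float:
    """Entropy in bits of picking `length` items uniformly and independently
    from `choices` possibilities: log2(choices ** length). Words a person
    picks themselves are not uniform, so their real entropy is lower."""
    return length * math.log2(choices)

def passphrase(wordlist, words=4, sep="-"):
    """Draw words with the OS CSPRNG (`secrets`), never the `random` module,
    so the entropy estimate actually holds for the generated passphrase."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at an assumed offline guess
    rate (the hash the site uses changes this by orders of magnitude)."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)

def compare_policies(dictionary_size=7776, guesses_per_second=1e10):
    """Compare the approaches discussed above. Dictionary size and guess
    rate are assumed values, not figures from the post."""
    policies = {
        "8 chars from 95 printable ASCII": entropy_bits(95, 8),
        "2 words, dictionary of %d" % dictionary_size: entropy_bits(dictionary_size, 2),
        "3 words, dictionary of %d" % dictionary_size: entropy_bits(dictionary_size, 3),
        "4 words, dictionary of %d" % dictionary_size: entropy_bits(dictionary_size, 4),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in policies.items()}

if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:34s} {bits:5.1f} bits  {years:12.4f} years to exhaust")
    print("Example passphrase (constructed list):", passphrase(SAMPLE_WORDS))
```

The comparison shows that four words chosen at random from a 7776-word list carry roughly the same entropy as eight random printable characters, while two words (the case a two-dictionary tool handles) fall far short of either.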

Any password policy is a compromise between complexity and ease of use:

  • A 24-character multiword password can be difficult to type correctly, particularly as the characters are usually masked as you type and your typing may be less than perfect.
  • Whilst a single multiword password may be easy to remember, it is not so easy to remember the many different multiword passwords you will need for different websites.

Cartoons can be very informative. My son Alex referred me to another very relevant XKCD cartoon on “Password Reuse”. I reproduce it below.


Even if a website is not evil, not all websites, even highly respected ones, store passwords and other private information securely. See Sean Buckley’s article Microsoft Store hacked in India, passwords stored in plain text, and Michael Lee’s article Qld govt department stores credit card recordings unencrypted.

The same password should not be reused to log on to different websites. Unless you are a lot smarter than I, you should use a password manager to record and store passwords. I use eWallet from Ilium Software, Inc. Versions are available for Windows PC, iPhone, iPad, Windows 8 Metro, Android and Blackberry. It is not available on Windows Phone 8 (Ilium Software, please fix: eWallet to Go just does not get there). The data file is encrypted and can be synced between devices. The file can also be stored on Dropbox or SkyDrive, so that syncing between devices is no longer a concern.

Internet Facing Devices

Password strength is more important for internet-facing devices and websites. Most law firms may be less concerned about securing network access from locally connected workstations. Microsoft’s Windows 8 operating system recognises this and offers a 4-digit PIN code as an alternative to password logons. Whilst some may consider this could reduce security, I do not believe that to be the case. PIN code logons can provide convenient network access from devices known to be secure, while complicated passwords can still be required when external access is needed.

Another alternative is Two Factor Authentication. It has become very popular with a lot of websites and can be introduced very inexpensively. PhoneFactor, a company which has been purchased by Microsoft, offers free (if you are small) or relatively inexpensive (if you are larger) solutions. You can learn more about them here. I will talk more about Two Factor Authentication in a future post.

JDC 10 June 2013.