Utah Bar Journal, Vol. 32, No. 3, p. 44 (May/June 2019)

State Bar News

Password Insecurity – Lessons from a Personal Story

Mark Bassingthwaighte, ALPS

Sometimes married couples see things differently and the only way to resolve the tension is by finally deciding to agree to disagree. That’s how things played out in our home for a number of years on the issue of passwords. My wife viewed my focus on computer security and passwords as something approaching mild paranoia. I, on the other hand, viewed her insistence on using one easily remembered password for everything in her life as the equivalent of tattooing the phrase “victim here” on her forehead. The only way for us to move forward was to reach an accord. We agreed to disagree, and things were good, at least for a while.

A few years later, after receiving an email from one of our sons, our accord began to crumble. I was informed that my wife’s email account had been hacked and was actively being used to send out spam email. Of course, I did what one normally does to remedy that situation and hoped all would be good. Sadly, it wasn’t to be. Our accord abruptly ended a few months later after we received written notice from a credit union on the opposite side of the country telling us that they were most displeased with my wife.

Apparently, credit unions don’t like it when someone gets a new credit card, immediately maxes it out, and then fails to make any payments. Unfortunately, given that my wife wasn’t the one who applied for and received that credit card, we had a new problem.

While this tale took a number of interesting twists and turns over the next few years, in the interest of time I will simply share that as a result of the initial identity theft a federal and an out-of-state tax return were also fraudulently filed in my wife’s name. I spent over three years working to get everything cleaned up; but the one thing I can’t do, and honestly no one can, is ever get her identity back. That’s been taken and we’ll have to deal with the ramifications of that for the rest of our lives. Hopefully, it’s over; but only time will tell.

Today things are different around here. My focus on computer security is viewed in a much different light by my wife, and I no longer worry about any unsightly tattoos on her forehead. Our state of marital bliss has been restored because this time around we’re both on the same page. Trust me, she gets it now. What’s more important, however, is do you? Again, understand this entire saga started with someone managing to figure out a password, a password that, unfortunately for my wife and me, opened all kinds of doors that would have remained locked had she not used one password for everything.

I chose to share this story because I wanted to put a real-world spin on the problems that can arise when too little attention is given to the importance of passwords. Every one of us in our personal and professional lives needs to abide by some sort of password policy, formal or informal, in order to try and avoid becoming yet another victim of identity theft. And heaven help you if an identity theft occurs and it turns out to be the identity of one or more of your clients because someone got into your office network. So not good.

With this tale of woe now told, it’s time to talk about how to avoid becoming a victim. I’ll start by identifying typical missteps. Here is a list of things no one should ever do. (1) Use the same password on multiple devices, apps, and websites. (2) Write down passwords on easily found sticky notes. (3) Believe that passwords like “qwerty,” “password,” “1234567,” or “letmein” are clever and acceptable. They aren’t. (4) Allow computer browsers to remember passwords. (5) Choose passwords based upon easily remembered information such as birth dates, anniversary dates, Social Security numbers, phone numbers, names of family members, pet names, and street addresses. This kind of information just isn’t as confidential as you think due to events like the Equifax breach and widespread participation in the social media space.

Knowing the common missteps, however, isn’t enough. Such practices should be prohibited in a formal firmwide password policy that everyone at the firm must abide by. There can be no exceptions, period. Of course, policy provisions must also detail what to do. The most important provision of a password policy is to mandate strong passwords, defined as follows: a password is strong if it is long, at least fifteen characters, and, wherever the device or application accepts them, includes numbers, special characters, and both upper- and lower-case letters. Additional provisions worth including are requiring that every application and device in use have its own unique password; requiring that passwords for mission-critical devices and applications (e.g., banking login credentials, firm VPN login) be changed every six months, and immediately whenever a compromise is suspected; forbidding the reuse of old passwords; and prohibiting the sharing of user IDs and passwords with anyone. (One caveat on the six-month rule: current NIST guidance, SP 800-63B, no longer recommends changing passwords on a fixed schedule, on the grounds that forced rotation pushes people toward predictable variations of the old password; if your firm keeps a schedule, treat it as a backstop and put the real weight on unique passwords and two-factor authentication.) Finally, make enabling two-factor authentication for any device or application that allows it compulsory.
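The provisions above can be turned into a check that a firm actually runs when a password is set. The following is an added example written for this page, not code from the article or from ALPS: it enforces the article's rules (fifteen or more characters, all four character classes where the system accepts them, none of the well-known passwords, nothing built from personal details, no reuse of an old password) and generates compliant passwords with Python's `secrets` module. The blocklist, the personal-information matching, and the PBKDF2 cost are this example's own assumptions; retired passwords are kept only as salted hashes so the reuse history is not itself a second list of live credentials.

```python
"""Policy checker for the firm-wide password rules described above.

Added example, not code from the article or from ALPS.  It enforces the
article's rules (15+ characters, all four character classes, none of the
well-known passwords, nothing built from personal details, no reuse of an old
password) and generates compliant passwords with `secrets`.  Old passwords are
kept only as salted PBKDF2 hashes, so the reuse history is not itself a list
of live credentials.  The blocklist, the personal-information handling and the
hash cost are this example's own assumptions.
"""
import hashlib
import hmac
import re
import secrets
import string

MIN_LENGTH = 15
PBKDF2_ROUNDS = 200_000           # assumed cost; raise as hardware allows
# Constructed blocklist: the article's examples plus a few equally common ones.
COMMON_PASSWORDS = {"qwerty", "password", "1234567", "letmein", "123456",
                    "12345678", "abc123", "iloveyou", "welcome", "admin"}


def hash_for_history(password, salt=b""):
    """Salted PBKDF2-HMAC-SHA256 digest of a retired password, for the reuse history."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password, history):
    """True if `password` matches any (salt, digest) pair in `history`."""
    for salt, digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def _personal_forms(value):
    """Forms of one personal detail to look for: lower-case text, digits only
    (so '06/14/1985' also catches '06141985'), and each word of 4+ letters."""
    forms = {value.lower()}
    digits = re.sub(r"\D", "", value)
    if len(digits) >= 4:
        forms.add(digits)
    forms.update(re.findall(r"[a-z]{4,}", value.lower()))
    return forms


def check_password(password, personal_info=(), history=()):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = {
        "lower-case letter": any(c.islower() for c in password),
        "upper-case letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or any(
            w in lowered for w in COMMON_PASSWORDS if len(w) >= 6):
        problems.append("is or contains a well-known password")
    for item in personal_info:
        if any(form in lowered for form in _personal_forms(item)):
            problems.append("built from personal information (%s)" % item)
            break
    if was_used_before(password, history):
        problems.append("reuses a previous password")
    return problems


def generate_password(length=20):
    """Random password from `secrets` that satisfies the policy (length >= MIN_LENGTH)."""
    if length < MIN_LENGTH:
        raise ValueError("length below policy minimum")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # rejection-sample until every character class is present
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    history = [hash_for_history("OldVaultPhrase#2018!")]   # constructed retired password
    for pw in ("letmein", "Fido06141985!!Aa", "OldVaultPhrase#2018!", generate_password()):
        print(repr(pw), check_password(pw, ["Fido", "06/14/1985"], history) or "OK")
```

The reuse check is the part most often done badly: comparing against a list of old passwords in clear text turns the history into exactly the kind of file the article warns against, whereas salted PBKDF2 digests let the firm forbid reuse without keeping anything an attacker could use directly.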

Of course, a password policy like this creates a new problem, which is trying to keep track of all the complex passwords now mandated. I can share that between us, my wife and I have over 250 different passwords we need to keep track of in our personal and professional lives. I don’t know about you, but I sure can’t remember all of that information.

Fortunately, this problem can be easily managed by using a password manager such as RoboForm, LastPass, or Dashlane. (My wife agreed to commit to learning how to use a password manager shortly after her kerfuffle with the credit union, and it has made a world of difference!) Such tools are often cloud-based applications that let users conveniently store and manage all of their passwords. The stored vault is encrypted and can only be opened once the master password has been entered, which means the entire collection is only as safe as that one password. Yes, users will still need to remember a long and difficult-to-guess master password, but remembering one is far easier than trying to remember 250. And again, no one should ever write down their master password. Everyone really must commit the master password to memory or find a way to store it in some other secure manner. Turn on two-factor authentication for the manager account itself as well; of all your accounts, it is the one most worth protecting.
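To make concrete what "encrypted and only accessible with the master password" means, here is a minimal vault written as an added example for this page; it is not the code of RoboForm, LastPass, Dashlane, or any other product. The master password is stretched with scrypt (salted, slow, and memory-hard, so every guess at the vault costs an attacker real work) into an encryption key and a MAC key; entries are encrypted with an HMAC-SHA256 counter-mode keystream, and the whole file carries an HMAC tag so a wrong master password or a tampered file is rejected before anything is decrypted. The cipher is a standard-library teaching construction chosen so the example runs anywhere; a real manager uses a vetted authenticated cipher such as AES-256-GCM or XChaCha20-Poly1305. The file layout, cost parameters, and sample entries are this example's own assumptions.

```python
"""Minimal password vault, showing the master-password design described above.

Added example, not code from the article or from any real password manager.
It demonstrates the two properties the text relies on: the stored file is
ciphertext with no password visible in it, and nothing opens without the
master password.  scrypt stretches the master password into an encryption key
and a MAC key; entries are XORed with an HMAC-SHA256 counter-mode keystream and
the file carries an HMAC tag (encrypt-then-MAC).  The cipher is a stdlib-only
teaching construction; a real manager uses a vetted AEAD such as AES-256-GCM
or XChaCha20-Poly1305.  Layout and cost parameters are assumptions.
"""
import hashlib
import hmac
import json
import secrets
import struct

MAGIC = b"VAULT1"
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed; raise N as hardware allows

# Constructed sample data, not real credentials.
SAMPLE_ENTRIES = {
    "bank.example": {"user": "jdoe", "password": "v7!Qm2#xLp9&Wz4r"},
    "firm-vpn.example": {"user": "jdoe", "password": "Hq3$tN8@bV5^cK1m"},
}


def derive_keys(master, salt):
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.scrypt(master.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master, entries):
    """Encrypt {site: {"user": ..., "password": ...}} under the master password."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    body = MAGIC + salt + nonce + _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_vault(master, blob):
    """Decrypt; raises ValueError if the master password is wrong or the file was altered."""
    head = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < head + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a vault file")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = body[len(MAGIC) + SALT_LEN:head]
    enc_key, mac_key = derive_keys(master, salt)
    # Verify the tag (constant-time) before touching the ciphertext.
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong master password or corrupted vault")
    ciphertext = body[head:]
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))).decode("utf-8"))


def vault_behaves(master, entries):
    """Seal then open: True if the round trip works, no stored password appears
    in the file, and both a wrong master password and a tampered byte are rejected."""
    blob = seal_vault(master, entries)
    if any(e["password"].encode("utf-8") in blob for e in entries.values()):
        return False
    for bad in (master + "x", "Wrong Password"):
        try:
            open_vault(bad, blob)
            return False
        except ValueError:
            pass
    tampered = bytearray(blob)
    tampered[len(MAGIC) + SALT_LEN + NONCE_LEN] ^= 0x01   # flip one ciphertext bit
    try:
        open_vault(master, bytes(tampered))
        return False
    except ValueError:
        pass
    return open_vault(master, blob) == entries


if __name__ == "__main__":
    print("vault OK:", vault_behaves("correct horse battery staple 2019", SAMPLE_ENTRIES))
```

The design point worth taking from this is the key derivation: because the file can be copied, an attacker who obtains it can try master passwords offline, and scrypt's cost per guess is what turns a long master password into a real barrier. A short or reused master password defeats the whole arrangement no matter how good the cipher is.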

One side note here, because lawyers are sometimes hesitant to place passwords in the cloud. Try to avoid allowing such a concern to become an excuse for not making any changes at all. As I see it, those of us who use password managers are far more secure than those who simply write everything down on a piece of paper or on sticky notes that are always close at hand. Further, given the robust encryption in use, these applications are also going to be more secure than keeping a list of passwords in an Excel or Word file. The one caveat is that a vault stored in the cloud could one day be obtained by an attacker, at which point the only thing standing between that attacker and every password in it is the strength of the master password, which is exactly why that one password must be long and used nowhere else. But here’s the real value. The use of a password manager provides robust security when compared to relying on easily remembered weak passwords, using the same password on multiple devices or websites, allowing browsers to remember passwords, not changing passwords, and reusing old passwords, all of which is what so many do by default.

Pro Bono Honor Roll

The Utah State Bar and Utah Legal Services wish to thank these volunteers for accepting a pro bono case or helping at a free legal clinic during February and March. To volunteer, call the Utah State Bar Access to Justice Department at (801) 297-7049 or fill out our Check Yes! Pro Bono volunteer survey online.

Bankruptcy Case

Jory Trease

Bountiful Landlord-Tenant/Debt Collection

Kirk Heaton

Jon-David Jorgensen

Joseph Perkins

Katie Secrest

Keil Myers

Community Legal Clinic – Ogden

Ali Barker

Jonny Benson

Gary Wilkinson

Community Legal Clinic – Sugarhouse

Skyler Anderson

Jonny Benson

Dan Black

Michael B. Brown

Brent Chipman

Craig Ebert

Sergio Garcia

Lynn McMurray

Mel Moeinvaziri

Katherine Pepin

Brian Rothschild

Paul Simmons

Kate Sundwall

Reid Tateoka

Mark Williams

Russell Yauney

Debtor’s Legal Clinic

Tami Gadd

Tony Grover

Ellen Ostrow

Brian Rothschild

Paul Simmons

Nate Williams

Enhanced Services Project

Roberto G. Culas

Mark Emmett

David Leta

David Miller

Shauna O’Neil

Zakia Richardson

Estate Planning

Nick Angelides

Expungement Law Clinic

Matt Cloward

Kate Conyers

Brandon Dalley

Josh Egan

Derek Ferguson

Josie Hall

Mary Ann May

Grant Miller

Stephanie Miya

Ian Quiel

Family Justice Center

Geidy Achecar

Elaine Cochran

Thomas Gilchrest

Shaynie Hunter

Brandon Merrill

Nizhane Meza

Samuel Poff

Babata Sonnenberg

Nancy Van Slooten

Family Law Case

Jamila Abou-Bakr

Emily Bean

Marco Brown

Brent Chipman

Matthew Christensen

Angilee Dakic

Seth Daniels

Carolina Duvanced

Bryce Froerer

Randall Gaither

Ryan Gregerson

Danielle Hawkes

Rori Hendrix

Adam Hensely

Robin Kirkham

Chad McKay

Stacy McNeill

Eric O’Brian

Cecilee Price-Huish

Jessica Read

Alison Satterlee

Jonathan Wentz

Cade Whitney

Family Law Clinic

Stewart Ralphs

Derek Smith

Linda F. Smith

Leilani Whitmer

Family Law Pro Se Calendar

Kyle Adams

Mark Andrus

Melissa Bean

Matthew Bell

Jason Boren

Marco Brown

Matthew Bury

Bradley Carr

Heather Carter-Jenkins

Jess Caser

Harry Caston

Lori Cave

Brent Chipman

Deven Coggins

Greg Constantino

Emy Cordano

Mary Corporon

Scott Cottingham

Jessica Couser

Seth Daniels

Beau Dean

Anita Dickinson

Sharon Donovan

Braden Ellis

Dean Ellis

Angela Elmore

Seith Ensign

Taryn Evans

Jennifer Falk

Nonnie Ferguson

Allison Fresques

