It seems that hardly a week passes without some new revelation about a password leak or widespread data breach, often putting thousands of login details at risk. Just before Christmas the press was carrying details of a 225 million password leak that had been uncovered by the National Crime Agency (NCA), whilst shortly after Christmas the password management company LastPass reported that the master passwords of some of its users had been compromised.
Passwords are an essential part of our everyday lives. From bank accounts to social media profiles, they are what prevent us from being scammed, robbed, impersonated and possibly even harmed. Yet despite this, many treat passwords without the care and attention they should demand and are slipshod in how they create, record and share them.
An article in the Daily Telegraph on 11th January this year reported that Which? had revealed that several of the major banks were ignoring basic internet security guidance and allowing customers to use passwords that were easy to guess, and which could allow imposters to gain access to their money. The article revealed that these included “ethical bank Triodos allowing customers to have passwords such as ‘12343567’ and ‘password’, while HSBC, NatWest, Santander, Starling, the Co-operative Bank, and Virgin Money all allowed customers to use the first names of family and friends”. Hardly surprising then that, as the article states, “close to 42,000 victims lost money to online banking scams in the first half of 2021 alone, almost double the number of cases over the same period the prior year, according to figures from the banking trade body UK Finance”.
The problem is that, despite passwords being absolutely essential to the security of information and to confidentiality, almost no one likes using them. They are difficult to remember, they get in the way of accessing information and services and they keep needing to be updated. To those who have not experienced a data breach, or had their bank account or email hacked, they are just a nuisance and slightly unnecessary. It is only when things go wrong that regrets at not having stronger passwords set in, which of course is inevitably too late.
Even those organisations that rely on passworded online accounts are not fans of the password. Online security provider Beyond Identity recently reported that online retailers are losing business because users abandon transactions when they cannot remember their passwords and logins. They reported that 84% of online consumers reported what was described as “password fatigue” from account creation, whilst 12% of online consumers will abandon their shopping cart when asked to make an account before purchasing an item.
The Need for Strong Passwords
A password is only secure if no one, apart from the owner of the password, knows what it is. For that reason, a password that is easy to guess is almost useless. Despite this, many people still persist in using passwords that any self-respecting hacker could work out easily.
A report by the National Cyber Security Centre (NCSC) in 2019 revealed that less than half of cyber users have strong passwords and that many use frequently chosen passwords that feature in hackers’ lists of common passwords. These include “123456”, which is used by over 23 million people as their password, “qwerty”, which is used by around 3.8 million people, and the old favourite “password”, which apparently 3.6 million people think will keep a cybercriminal out of their account. Even musicians and football teams feature too often to be regarded as a secure solution, with over 280,000 people using “Liverpool” and over 285,000 using “Blink182”.
Social media is another way in which insecure passwords can be found. If you post on your Facebook account about your cat Tiddles, and your password is “Tiddles123”, then you can be fairly sure that at some point someone is going to make the connection.
The problem with strong passwords is that they can be difficult to remember. The recommendation that you use a mixture of at least 12 randomly selected upper and lowercase letters, numbers and symbols is all well and good until it comes to remembering which random sequence applies to which account. You should not use the same sequence for all of your accounts, because if it were compromised for one account it would be compromised for all of them. You should not write them down in case the place they are written falls into the wrong hands. Even the previous good advice of using a password manager, where one really complicated password can manage all of your other complicated passwords, may have been called into question by the news from LastPass. That said, password managers do still represent one of the best ways to manage passwords – especially if you have a large number of them – and there are a number of providers of the service from which to choose.
One solution that may help is to use three random words as a password – for example “hammer.fellow.truly” – especially if used with a period or other punctuation between the words. As the company What3Words found, simply combining three words (in their case to denote 3m squares on the earth’s surface) gave them 64 trillion word combinations. That particular word combination is a part of a field in Shandong, China. As the Guardian reported in August 2021, this is the preferred method of the NCSC who take the view that a three-word system creates passwords that are easy to remember, but whose “unusual combinations of letters, … means the system is strong enough to keep online accounts secure from cybercriminals … [whilst] … more complex passwords can be ineffective as their makeup can often be guessed by criminals using specialist software”.
Another solution is to think of a phrase that means something to you (and which does not feature on your Facebook posts!) and to use the first letters of that phrase. It might be a song that means something to you or a quotation. An example might be a line from an Ed Sheeran song or a quotation from Wordsworth (though preferably not involving daffodils and lonely clouds). Thus, for example, “Fyhpfswtl”, which is taken from the opening line of Wordsworth’s “Tintern Abbey”, could be combined with the numbers from the registration of your first car to create a strong password.
Avoid patterns that criminals might be able to guess. For example, simply replacing the letter “O” with a zero, an “S” with a five or the number “1” with an exclamation mark is not going to make a weak password strong.
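The following small policy checker is an added illustration of the advice above, not code from Infolegal or the NCSC. It undoes the three substitutions just mentioned before comparing a password against a constructed sample of the common-password list, flags names you have posted publicly (the “Tiddles” case), builds the first-letter form of a phrase, and sizes the three-random-words approach; the 40,000-word list is assumed because 40,000 cubed is the 64 trillion combinations What3Words reports.

```python
import math
import re

# Constructed sample of entries of the kind found in published common-password
# lists (the ones named in the article, plus the Triodos example).
COMMON_PASSWORDS = {"123456", "12343567", "qwerty", "password", "liverpool", "blink182"}

# Reverse the substitutions the article says add no strength: O->0, S->5, 1->!
UNDO_SUBSTITUTIONS = str.maketrans({"0": "o", "5": "s", "!": "1"})


def normalise(password):
    """Lower-case, undo the swaps and drop trailing digits: 'Tiddles123' -> 'tiddles'."""
    base = password.lower().translate(UNDO_SUBSTITUTIONS)
    return re.sub(r"\d+$", "", base)


def check_password(password, personal_words=()):
    """Return the reasons a password fails the policy; an empty list means it passes.

    personal_words: names anyone could read off your social media (pets, family, team).
    """
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    core = normalise(password)
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("matches a common password once substitutions are undone")
    for word in personal_words:
        if word.lower() in core:
            reasons.append(f"contains a publicly known word: {word}")
    return reasons


def first_letters(phrase):
    """First letter of every word, the 'Fyhpfswtl' technique from the article."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z']+", phrase))


def word_combinations(wordlist_size, words=3):
    """How many distinct passwords `words` random words from one list can produce."""
    return wordlist_size ** words


def entropy_bits(combinations):
    """Guessing effort as bits; three words from 40,000 give about 46 bits."""
    return math.log2(combinations)


if __name__ == "__main__":
    for pw in ("pa55w0rd", "12343567", "Tiddles123", "hammer.fellow.truly"):
        print(pw, check_password(pw, personal_words=("Tiddles",)) or "passes")
    print(first_letters("Five years have past; five summers, with the length"))
    print(word_combinations(40000), round(entropy_bits(word_combinations(40000)), 1))
```

For comparison, `entropy_bits(94 ** 12)` gives roughly 79 bits for twelve fully random printable characters, which is why the three-word scheme trades some strength for memorability rather than matching it outright.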
Not Sharing Passwords
The other important feature of a password is that it should be a secret that is not shared. A strong password that is known to others is not an effective one. For that reason, you should never write passwords down where they can easily be found (e.g. on the back of a coaster on your desk or stuck to the inside of a cupboard with a post-it note). If the password is for something that can be accessed from a mobile device, you should never store it on the device – even disguised as a phone number. It goes without saying that you should not share passwords with colleagues and friends, and definitely never, ever give them out by email or over the phone, since you cannot be sure who else is listening, that the message has not been intercepted, or even that the person with whom you are speaking or emailing is who they say they are.
If you must give someone a password then you should do so in person, split it across two separate channels of communication (e.g. an email and a text message), or use a system whereby the details can be accessed only once – for example the web-based https://onetimesecret.com/.
In particular, be wary of what are known as phishing and vishing attempts where, for example, you are contacted by someone either by email or phone, and asked to reveal a password and/or username. Be especially suspicious if they claim to be from your bank, email provider or some other official organisation as they will almost certainly be a cybercriminal. Also, do not let yourself be intimidated into revealing information to the “alleged” senior partner or anyone who says “don’t you know who I am?”.
The Need for Password Awareness
Law firms must be particularly aware of the importance which they, and their staff, must assign to passwords. Client information, funds on completion or other sensitive data could easily fall into the wrong hands if the firm’s IT systems are able to be breached because usernames and passwords have been revealed. This would not only be negligence on the part of the firm and the people involved but would also be likely to be a breach of the SRA Standards and Regulations.
In particular, paragraph 6.3 of both of the Codes of Conduct requires that firms “keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents”, whilst section 2 (“Compliance and Business Systems”) of the Code of Conduct for Firms and section 3 (“Service and Competence”) of the Code of Conduct for Solicitors, RELs and RFLs require that you operate systems which will prevent such a breach.
Firms are therefore advised to have a comprehensive password policy in place which is not only brought to the attention of all personnel, but which is actually enforced in practice. Training should also be provided to all partners and staff and systems checked regularly to make sure that they are adequately ensuring password security.
Infolegal subscribers have access to comprehensive information relating to password security, including draft policies to adopt within the firm and, very shortly, cyber-awareness training which will cover the issue of passwords.