When Passwords Fail – A Personal Story


Sometimes married couples see things differently and the only way to resolve the tension is by finally deciding to agree to disagree. That’s how things played out in our home for a number of years on the issue of passwords. My wife seemed to view my focus on computer security and passwords as something approaching mild paranoia. I, on the other hand, viewed her insistence on using one easily remembered password for everything in her life as akin to tattooing the words “victim here” on her forehead. The only way for us to move forward on this issue was to agree to disagree and that’s just what we did.

This state of marital bliss started to crack a few years later after I received an email from one of our sons letting me know my wife’s email account had been hacked and a bunch of crap was being sent out using her email address. I did what one normally does to remedy that situation and hoped all would be good. Sadly, it wasn’t to be. Our marital bliss abruptly ended a few months later after we received written notice from a credit union on the opposite side of the country telling us that they were most displeased with my wife. Apparently credit unions don’t like it when someone gets a new credit card, immediately maxes it out, and then fails to make any payments. Makes sense to me. Problem was she wasn’t the one who walked into that credit union and applied for a card in her name.

While this tale has many more interesting twists and turns, in the interest of time I will simply share that as a result of this identity theft a federal and state tax return were also fraudulently filed in her name. I spent over three years working to get everything cleaned up; but the one thing I can’t do, and honestly no one can, is ever get her identity back. That’s been taken and we’ll have to deal with the ramifications of that for the rest of our lives. Hopefully, it’s over, but only time will tell.

Today things are different around here. My focus on computer security is viewed in a much different light and my wife needn’t worry about any unsightly tattoos on her forehead. While we’ve returned to a state of marital bliss, this time around we’re both on the same page.

Now understand that this entire saga started with someone managing to figure out a password and that password opened all kinds of doors that were supposed to be locked. I chose to share this story because I wanted to put a real world spin on the problems that can arise when too little attention is given to the importance of passwords. I don’t care if you are just a solo practitioner as opposed to the managing partner of a 50-attorney firm. Everyone needs a password policy, formal or informal, in order to try and avoid becoming yet another victim of identity theft, and heaven help you if the stolen identity turns out to be that of one or more of your clients because someone got into your office network. So not good.

Let’s start by talking about bad habits. Here are the kinds of things you should never do. Use the same password on multiple devices or applications. Write down the computer password on a sticky note and hide it in your laptop so no one can see it if it’s closed. Believe that passwords like “qwerty”, “password”, “1234567”, or “letmein” are clever and acceptable. They aren’t.

The better approach is to develop a policy that everyone in your office, including you, will abide by. It should mandate the use of a strong password, which is currently defined as one that is a minimum of 14 characters long and includes numbers, special characters, and upper and lower case letters if the device or application you wish to secure with a password will accept it. In addition, every application and device in use should have its own unique password and, at least with mission critical devices and applications (e.g. banking login credentials), these passwords should be changed every 6 months. Never recycle old passwords and never share your user ids and passwords with anyone. Finally, always use two-factor authentication for any device or application that allows it.
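One way to check a set of stored credentials against the policy described above, as an added example that is not from the original post. The inventory format, field names, and sample entries are constructed for illustration, and "every 6 months" is approximated as 183 days.

```python
import string
from collections import defaultdict
from datetime import date

MIN_LENGTH = 14     # minimum length the policy calls for
MAX_AGE_DAYS = 183  # "every 6 months", approximated in days (assumption)

def complexity_gaps(password):
    """Return the strong-password requirements this password misses."""
    checks = [
        (len(password) >= MIN_LENGTH, "shorter than 14 characters"),
        (any(c.isdigit() for c in password), "no number"),
        (any(c.isupper() for c in password), "no upper case letter"),
        (any(c.islower() for c in password), "no lower case letter"),
        # "special character" is taken to mean ASCII punctuation (assumption)
        (any(c in string.punctuation for c in password), "no special character"),
    ]
    return [problem for ok, problem in checks if not ok]

def audit(entries, today):
    """Map each account name to its policy findings; clean accounts are omitted."""
    findings = defaultdict(list)
    used_by = defaultdict(list)  # password -> accounts that use it
    for e in entries:
        findings[e["name"]].extend(complexity_gaps(e["password"]))
        used_by[e["password"]].append(e["name"])
        if e["critical"] and (today - e["changed"]).days > MAX_AGE_DAYS:
            findings[e["name"]].append("critical credential older than 6 months")
        if e["password"] in e["previous"]:
            findings[e["name"]].append("recycles an old password")
    for names in used_by.values():
        for name in names if len(names) > 1 else []:
            others = ", ".join(n for n in names if n != name)
            findings[name].append("password shared with " + others)
    return {name: found for name, found in findings.items() if found}

def entry(name, password, critical, changed, previous=()):
    """Build one inventory record (hypothetical format)."""
    return {"name": name, "password": password, "critical": critical,
            "changed": changed, "previous": list(previous)}

# Constructed sample inventory; none of these are real credentials.
SAMPLE = [
    entry("email", "letmein", True, date(2024, 1, 10)),
    entry("bank", "Tr4il-Mix&Granite-Peak", True, date(2023, 2, 1)),
    entry("forum", "letmein", False, date(2024, 5, 1)),
    entry("payroll", "Copper!Kettle7Windmill", True, date(2024, 3, 1),
          previous=["Copper!Kettle7Windmill"]),
    entry("research", "Harbor#Lantern42Quartz", False, date(2022, 6, 1)),
]
```

Calling `audit(SAMPLE, date(2024, 6, 1))` reports the weak and reused "letmein" on both accounts, the stale bank credential, and the recycled payroll password, while the compliant research account is omitted.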

Yes, keeping track of all these complex passwords can create its own problem. Fortunately, this problem can be easily managed with the help of a password manager such as RoboForm, LastPass, or Dashlane. Products like these can generate complex passwords and store them for you in an environment far more secure than a piece of paper hidden in your desk somewhere. In fact, my wife joined me in using password managers shortly after her kerfuffle with the credit union and it has made a world of difference. She still only needs to remember one password, albeit a strong one, to open the password manager and that’s it. Compliance with our home password policy has never been easier for her, and speaking frankly, she fully agrees that compliance isn’t optional. Trust me, she gets it now. The interesting question is, do you?

All opinions, advice, and experiences of guest bloggers/columnists are those of the author and do not necessarily reflect the opinions, practices or experiences of Solo Practice University®.

This entry was posted in Guest Bloggers, Technology and tagged ALPS, Mark Bassingthwaite.


2 comments on “When Passwords Fail – A Personal Story”

  • This is one of the best ways to underline the importance of password security. Another aspect that you didn’t cover here though is to remember the tiers of sites for which having good security is the most important.

    Most important – e-mail
    E-mail password should be your strongest because e-mail is the weak link someone can use to get into accounts that are generally tied to your e-mail. If the login on a site is your e-mail all someone needs to do to gain access is to hack your e-mail and then say “I forgot my password” and since they are now in your e-mail they can access tons of sites with ease.

    Second important – banking sites
    This is obvious. Someone who can hack into your bank can transfer money out of it. But again even if you have good security on the bank if your e-mail is not secured they can still sometimes gain access.

    Third important – Popular social media ties
    I list these as number 3 because these are the sites that people are going to assume you have an account on and the sites that are easy to verify your account’s existence. Twitter, Facebook, Google (though covered in e-mail) are all easy targets.

    Beyond these big three, passwords are important but not as essential. Even better, many sites tie logins now with one of the previously listed accounts, so you can leave the security up to Google not to your small web site you need to create an account on.

    Of course if you are using LastPass then your LastPass master password also needs to be secure. Thankfully many sites like Google and LastPass have taken password security to another level now and will pop up with warnings telling you that a login session was not recognized and ask you to verify it.

  • I don’t think you proved your wife’s use of one password caused any of the problems described. Doesn’t make your advice wrong.
