COUNSEL, CHUBB GROUP OF
We’ve recently heard about security breaches impacting Yahoo, Google, Apple, and other companies. Many such breaches disclose login information, including usernames and passwords. For corporate counsel, avoiding these and similar situations is important, not only because their personal security may be jeopardized, but also because they have an obligation to keep their clients’ confidential information safe.
I have touched upon security issues before,[1] but I want to provide more detailed advice on password management and the use of Two Factor
As the breaches mentioned above indicate, passwords can be compromised through no fault of the user. If an ISP, cloud service, or another provider gets hacked, your login information could be among the casualties. In addition, some hackers use “brute force attacks” to access individual user accounts by trial and error, using computers to generate enormous numbers of random character combinations. As a result, until we implement more secure access methods, you should assume that some of your login information will periodically be stolen.
Hackers know that most people are unskilled or lazy — utilizing the same or similar login information for all of their accounts. That’s why stealing the key to a “linen closet” may also give them the keys to the “master bedroom.”
Hackers also know that many people rarely change their passwords, even after they learn about a breach that may affect them. In fact, some hackers will wait months or even years after a breach before using the login information they’ve obtained, to lull users into a false sense of security.
This has several implications. First, you should always use unique login information for any important account. I know that passwords in general are a pain — to come up with, to remember, and to input. However, you should have very different, and very strong, passwords for any sites involving your or your clients’ confidential data.
You should also change these more critical passwords regularly. I know several US-based lawyers who change every important password whenever daylight saving time begins or ends. I recommend changing your passwords at least once or twice a year, and always immediately after one of your critical sites has reportedly been hacked.
Third, use complex passwords with at least 10 to 12 characters that contain a random combination of letters, numbers, and special characters. A decade ago, it may have been okay to use your dog’s name followed by its birthday, but modern brute force attack algorithms prioritize the combinations many people use because they are easier to
To make this more straightforward, you should invest in a good password manager. These will (1) keep your passwords secure through strong encryption; (2) generate long, complex passwords; (3) automatically and appropriately fill in your login and user information; (4) handle TFA (see below); and (5) allow you to do an audit of your passwords to see which are too simple or too old.
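The points about brute force, random 10-to-12-character passwords, and the audit a password manager performs can be made concrete. The Python below is an added example, not code from the article or from any password manager product: it generates passwords (and, as recommended later for security questions, random answers) with the operating system’s CSPRNG, computes how large a search a uniformly random password forces on an attacker, and audits a small constructed vault for short, simple, stale, and reused entries. The vault entries, the guess rate of 10^10 per second, and the audit thresholds are constructed assumptions.

```python
import math
import secrets
import string
from datetime import date

# Character set a password manager typically draws from: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def generate_password(length=16, alphabet=ALPHABET):
    """Return `length` characters chosen uniformly at random with the OS CSPRNG (secrets).

    The same call produces a random 'answer' for a security question."""
    if length < 10:
        raise ValueError("use at least 10 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2(alphabet_size ** length).

    This holds only for generated passwords. A name-plus-year like 'Fido2009' has far
    fewer effective bits, because guessing tools try such patterns first."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every password of the given entropy at a constant guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


# Constructed sample vault (not real credentials), in the shape an audit would read.
SAMPLE_VAULT = [
    {"site": "bank.example", "password": "Fido2009", "changed": date(2014, 3, 1)},
    {"site": "mail.example", "password": "Fido2009", "changed": date(2016, 5, 20)},
    {"site": "docs.example", "password": "q7$Lk!2vXp#9Rz", "changed": date(2016, 9, 1)},
]


def audit_vault(vault, today, min_length=12, max_age_days=365):
    """Flag entries that are too short, too simple, too old, or share a password with another site."""
    findings = {}
    by_password = {}
    for entry in vault:
        pw = entry["password"]
        problems = []
        if len(pw) < min_length:
            problems.append("too short")
        if sum(any(c in cls for c in pw) for cls in CLASSES) < 3:
            problems.append("too simple")  # crude stand-in for a manager's strength score
        if (today - entry["changed"]).days > max_age_days:
            problems.append("too old")
        findings[entry["site"]] = problems
        by_password.setdefault(pw, []).append(entry["site"])
    for sites in by_password.values():
        if len(sites) > 1:  # same password on several sites: one breach opens them all
            for site in sites:
                findings[site].append("reused")
    return findings


def audit_sample():
    """Run the audit over the constructed vault as of a fixed (constructed) date."""
    return audit_vault(SAMPLE_VAULT, date(2017, 1, 1))


if __name__ == "__main__":
    pw = generate_password(12)
    bits = entropy_bits(12, len(ALPHABET))
    print(f"generated: {pw!r} ({bits:.1f} bits)")
    # Assumed attacker rate of 1e10 guesses/second against a leaked fast hash (constructed figure).
    print(f"12 random chars, exhaustive search: {years_to_exhaust(bits, 1e10):.0f} years")
    secs = years_to_exhaust(entropy_bits(8, 36), 1e10) * 365 * 24 * 3600
    print(f"8 lowercase/digit chars, exhaustive search: {secs:.0f} seconds")
    for site, problems in audit_sample().items():
        print(f"{site}: {', '.join(problems) or 'ok'}")
```

The audit’s “reused” finding is the one that matters most for the linen-closet problem above: the two sample sites sharing “Fido2009” fall together if either is breached, regardless of how old or new that password is.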
TFA is a method of confirming a user’s claimed identity by requiring a combination of two different unique identifiers (e.g., requiring a PIN in addition to an access card). In most cases today, that second “factor” is simply a special code sent via text to a user’s mobile phone whenever a login attempt is made through a device not previously authorized. As a result, a hacker would need not only the user’s name and password, but also their mobile phone. My guess is that pretty soon, TFA will become so commonplace that lawyers who don’t use it will be considered negligent.
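The texted code described above is one form of one-time code; the form that password managers and authenticator apps “handle” is the time-based one-time password of RFC 6238 (TOTP), where the code is derived from a secret shared at enrolment and the current 30-second window, so it never has to travel over the phone network. The Python below is an added example, not code from the article or from any product: it generates such codes and shows the check a site performs on the second factor, accepting one step of clock drift and refusing a code that is replayed within the same window. The secret is the published RFC 6238 test seed rather than anything from the article; the one-step drift window and the single-use rule are assumptions of this example.

```python
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated to `digits`."""
    counter = timestamp // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class SecondFactorVerifier:
    """Server-side check of the second factor after the password has been accepted.

    Accepts a code for the current step or one step either side (clock drift),
    compares in constant time, and never accepts the same step twice (replay).
    The drift window and the single-use rule are assumptions of this example.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1  # highest time-step already consumed by a successful login

    def check(self, code: str, timestamp: int) -> bool:
        matched = None
        for drift in range(-self.window, self.window + 1):
            t = timestamp + drift * self.step
            if hmac.compare_digest(totp(self.secret, t, self.step, self.digits), code):
                matched = t // self.step
        if matched is None or matched <= self.last_counter:
            return False  # wrong code, or a code already used in this window
        self.last_counter = matched
        return True


# RFC 6238 Appendix B test seed (20 ASCII bytes); a real enrolment uses a fresh random secret.
RFC_TEST_SECRET = b"12345678901234567890"


def demo_login(code: str, timestamp: int, verifier: SecondFactorVerifier) -> str:
    """Outcome of one login attempt whose password has already been accepted."""
    return "second factor ok" if verifier.check(code, timestamp) else "second factor rejected"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code)
    v = SecondFactorVerifier(RFC_TEST_SECRET)
    print(demo_login(code, now, v))  # accepted
    print(demo_login(code, now, v))  # same code again: rejected as a replay
```

Someone holding only the username and password cannot produce the code without the enrolled secret, which is the property the article relies on; the replay rule adds that a code observed once is of no further use after the legitimate login.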
A final word about security questions, which are another form of TFA. The answers to many common security questions (e.g., what high school did you attend, what is the name of your favorite pet, etc.) are now available on Facebook or through Google searches. Pick random answers to those questions and store them in your password
From a cyber perspective, we live in a dangerous world. While nothing except internet abstinence can guarantee your security, there are some relatively simple things you can do to greatly improve your chances. Please do them.
And as always, feel free to contact me directly if you have any questions.
[1] “Safe Driving,” ACC Docket, Sept. 2016: 140.
Password Management and TFA
HOW TO EFFECTIVELY USE TECHNOLOGY