Password Managers can improve Legal firms’ security

Do you have to remember more and more passwords for work? Do you find it is a burden on yourself and fellow colleagues?

Employees are increasingly having to remember numerous passwords (and not only their own) while being told not to re-use them or write them down. So what is the best way to remember them all while keeping them safe from cyber attackers?

Firstly, an important way to lessen the password burden is to only implement passwords when you absolutely need to. Systems and services that have no security requirements should not require passwords. Technical solutions (such as single sign-on and password synchronisation) can also minimise the number of passwords in use. Although such solutions may incur additional costs, the benefits they bring to the security of the whole system far outweigh those costs.

One solution for protecting all your passwords is to use a Password Manager: management software (or a service) that gives staff an appropriate facility to generate, store and enter additional passwords when required. Most importantly, it provides an authorised mechanism to help users manage their passwords, while deterring them from adopting insecure methods of managing large numbers of passwords.

Benefits of Password Managers

  • It is much easier to store a different password for every website users use
  • Improved productivity, as staff are not trying to recall passwords or asking other users for them
  • Reduced user frustration, as pasting passwords prevents typing errors during logins
  • Makes it very simple to generate long and complex passwords

Password Managers (PM) offer better protection for your firm than storing your passwords in an unprotected document on your computer. Without a PM it would be near impossible to remember all the passwords, and to cope with this you would end up falling into the following bad practices:

  • Re-use the same passwords on different websites
  • Choose very simple (easily guessed) passwords
  • Handwriting passwords in places that are easy to find (such as a notepad or post-it notes next to your screen!)

The National Cyber Security Centre (NCSC) stated that a study within a Scottish NHS trust found that 63% of its users admitted to re-using passwords.

How are passwords discovered?

Cyber attackers use a variety of sophisticated techniques to try to discover passwords, including:

  • social engineering e.g. phishing
  • manually guessing passwords e.g. using users’ personal information
  • capturing a password as it is communicated over a network
  • watching someone typing their password while at their desk, known as ‘shoulder surfing’
  • installing a keylogger to intercept passwords when they are entered into a device
  • hacking into an enterprise’s IT infrastructure for electronically stored password information
  • automated guessing of large numbers of passwords until they find the correct one
  • retrieving passwords which have not been stored safely, e.g. handwritten on a notepad or hidden close to the computer
  • compromising databases containing large numbers of user passwords, then using this information to attack other systems where users have re-used these passwords.

Disturbingly, NCSC research found that, on average, 75% of each business’ employees had passwords that appeared in the top 1,000 password list; this figure grew to 87% for the top 10,000.
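The two checks a password manager performs behind the scenes, generating long random passwords and auditing a vault for the weak and re-used ones described above, are shown below as an added example. This is illustration code, not part of the original article or of any particular product. The `TOP_PASSWORDS` set is a small constructed stand-in for a real common-password list such as the one referred to in the NCSC figures, and the `SAMPLE_VAULT` entries are constructed sample data.

```python
import secrets
import string

# Constructed sample of a "top passwords" list, for illustration only.
# A real manager would check against a full breached/common-password list.
TOP_PASSWORDS = frozenset({
    "123456", "password", "qwerty", "letmein", "welcome1",
    "password1", "liverpool", "abc123", "monkey", "dragon",
})

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12


def generate_password(length: int = 20) -> str:
    """Return a random password drawn from the OS CSPRNG via the secrets module.

    Re-draws until the candidate contains at least one lower-case letter,
    upper-case letter, digit and symbol, as most managers' generators do.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def is_weak(password: str) -> bool:
    """True if the password is too short or appears in the common-password list."""
    return len(password) < MIN_LENGTH or password.lower() in TOP_PASSWORDS


def audit_vault(vault: dict) -> dict:
    """Check a site -> password mapping for the bad practices listed in the article.

    Returns {"weak": [sites with weak passwords], "reused": {password: [sites]}}.
    """
    weak = sorted(site for site, pw in vault.items() if is_weak(pw))
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    reused = {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}
    return {"weak": weak, "reused": reused}


# Constructed sample vault (hypothetical sites and passwords).
SAMPLE_VAULT = {
    "mail.example.com": "Password1",
    "cloud.example.com": "Password1",
    "hr.example.com": "qwerty",
    "bank.example.com": "x7$Kp2!mQw9#Lz4r",
}


if __name__ == "__main__":
    print("generated:", generate_password())
    report = audit_vault(SAMPLE_VAULT)
    print("weak passwords at:", report["weak"])
    for pw, sites in report["reused"].items():
        print(f"password re-used across {len(sites)} sites: {sites}")
```

The generator uses `secrets` rather than `random` because the latter is not suitable for security purposes; the audit reports which sites share a password so the affected accounts can be rotated one by one.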

The complexity of cyber criminality within the legal sector is extensive and growing exponentially. Shockingly, many businesses are still guilty of using very simple, generic and predictable passwords, which makes the fraudsters’ job extremely easy. It is vital, therefore, that law firms adopt good practice in this area to deter, or even stop, fraudulent attempts to steal data.

Do you use password managers? What practices do you have in place to deter cyber attacks?
