Let’s talk about passwords.


Most people’s idea of a good password is one which is easy to remember, and which meets the absolute minimum requirements of their business systems and IT policy. Over the years, between constant reminders from the information technology community and constant news reports about major security breaches, we have all begrudgingly accepted that our passwords need to be a little longer, a little more complex and a little more inconvenient for us to use.

Hashcat Will Eat Your Passwords (image: NYPL Public Domain)

The technology used by cybercriminals to crack passwords is always improving, however, and even a 52-character password made up of obscure words and phrases, such as “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1”, can be cracked in an ever-shrinking amount of time.

Thankfully, the tools and defenses standing between a hacker and your systems include more than just a strong password. In addition to older, more common practices such as password complexity requirements and temporary account lockouts after a certain number of failed attempts, a growing number of organizations are adopting more innovative — and more secure — measures.


The government and other high-security facilities have long used biometric authentication, which involves a fingerprint or other unique piece of physiological data about a person being used in place of, or in addition to, a password. Biometric measures are becoming cheaper to implement, but they are still often difficult and expensive to integrate with existing systems.


Perhaps more exciting, and certainly faster growing, is the use of two-factor authentication. In addition to their traditional password, the user is asked to enter a second piece of data, which is randomly generated for them at the time of logon on a physical device that only they should have access to. A simple example of this would be an online service texting you a code before allowing you to change your account’s password. This means that in addition to compromising your password, a would-be intruder would also need to steal your authentication token or smartphone, and sometimes need to know a special PIN as well. For the user, this involves the minor inconvenience of entering two codes instead of one, but since one of them is not a static password, this can prove an insurmountable obstacle for a hacker.
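The “randomly generated at the time of logon” code described above is, in most authenticator apps, a time-based one-time password (TOTP, RFC 6238). The following is an added example, not code from the original post: a minimal generator and server-side verifier, using the published RFC test secret as a constructed sample. The small clock-skew window and the last-accepted-counter check are my assumptions about what a careful server does, not anything the post specifies.

```python
"""Added example (not from the original post): RFC 4226 HOTP / RFC 6238 TOTP,
the mechanism behind most phone authenticator apps. The shared secret below is
the RFC's own test vector, used here as a constructed sample value."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample secret (RFC 4226 / 6238 test secret, 20 ASCII bytes).
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP whose counter is the number of `step`-second periods since the epoch.
    This is what the user's device displays; it changes every `step` seconds."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, drift: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the accepted time-step counter, or None on failure.

    - Accepts the current step and `drift` steps either side, so a phone whose clock is
      slightly off (or a code typed just as the period rolls over) still works.
    - Rejects any counter at or before `last_counter` (the value the server stored from
      the previous successful login), so a code that was observed once cannot be replayed
      inside the skew window.
    - Compares with hmac.compare_digest so timing does not reveal how many digits matched.
    """
    if at is None:
        at = int(time.time())
    current = at // step
    for offset in range(-drift, drift + 1):
        candidate_counter = current + offset
        if last_counter is not None and candidate_counter <= last_counter:
            continue                              # already used: treat as replay
        if hmac.compare_digest(hotp(secret, candidate_counter, digits), code):
            return candidate_counter
    return None


if __name__ == "__main__":
    shown = totp(SAMPLE_SECRET)
    print("code on the device right now:", shown)
    accepted = verify_totp(SAMPLE_SECRET, shown)
    print("server accepted at counter:", accepted)
    # The same code presented again is a replay once the server remembers the counter.
    print("replay accepted?", verify_totp(SAMPLE_SECRET, shown, last_counter=accepted))
```

Calling `verify_totp` a second time with the counter it returned the first time yields `None`, which is the behaviour that turns “something you have” into a real second factor: the code is tied to a moment and to a device, and knowing one past value buys the attacker nothing.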


Any kind of security measure, from locks on your front door to thumbprint scanners on your keyboard, provides you with protection at the cost of a loss of convenience. In today’s high-risk computing world, allowing users to continue using simple, easily remembered passwords is increasingly equivalent to leaving the office’s front door unlocked at night.


*Hashcat is a password cracking tool widely used by both password cracking criminals and the security community.


Download our recent article for more advice on countering the “Top 5 Cybersecurity Threats Facing Law Firms.”


This is the first post in a five-post series on hardening your law firm against cybersecurity threats. The second post, on maintaining your cybersecurity software solutions, can be found here.