Passwords: a User Guide for Lawyers and Law Firms

Passwords are often the weak link in data security. You can build the most secure system in the world, but as soon as someone sets their password to 12345, you might as well leave the front door open.

Good passwords are essential to data security, and this article has everything you need to know about creating and keeping track of good passwords.


Why Are Passwords Important?

First, why are good passwords important? In 2013, Ars Technica gave three experts an encrypted, 16,000-entry password file. The “winner” of the contest cracked 90% of the passwords. Even the loser cracked 62% of the passwords in a few hours. When a breach at a major corporation happens, hackers gain access to hundreds of thousands (sometimes millions) of hashed (encrypted) passwords. And they can crack the vast majority of them in under a day, compromising those users’ accounts on the target website and any other website with the same password.

You want to have one of the passwords that doesn’t get cracked so you don’t wake up a few days later to an email receipt because Amazon just billed you for 1,000 tins of uranium ore and shipping to someone in North Korea. Or the entire Xbox game catalog and shipping to a teenager in Nebraska.

What Makes a Good Password

A good password is unique, not found in the dictionary, long, and contains letters, numbers, and symbols.

Unique means not using the same password for multiple sites. If you reuse the same password across multiple sites, someone who gets ahold of your password for one of those sites can access your accounts on all the others. For example, if there is a security breach on the Target website, and you reused that password for your Gmail account, both have been compromised.

In practice, it is probably okay to share some passwords between sites that do not hold much personal information and that have a low potential for doing you harm if hacked. It won’t do anyone much good to have your password, for example, even if you also use it on Pinterest. But never reuse passwords for important things.

Not found in the dictionary means don’t use real words. Or real names, for that matter. When attempting to decrypt passwords, one of the first things a hacker will do is run through every word found in a dictionary, common names, known passwords, and combinations of all of those things. You can use nonsense words, or you can change some letters to symbols, like replacing L with 1, or A with @. This is probably the easiest way to get numbers and symbols into your passwords, too.

Long is sort of a moving target, but 12–14 characters is a good length. More is better — to a point. At around 22 characters, brute-force decryption apparently becomes effectively impossible.

The password scheme popularized by Randall Munroe in his webcomic, XKCD, may no longer be good advice, by the way, according to security expert Bruce Schneier. Hackers are on to it, he says in his own guide to good passwords.

As Trevor Gau points out in the comments, there is a spirited debate about this in the comments to Schneier’s post. In another comment, Joseph McDaniels elaborates further. Here’s my takeaway: you can’t go wrong with long and random.

Extra Security

Scramble Your Username

Consider scrambling your username, too. Or if you must use an email address and you have a Gmail account,1 you can add a code to the email address so that your plain email address won’t work. For example, if your email address is, you could use to make it harder for someone to figure out which email address goes with your account. You could even use something simple like the domain name of the website (e.g.,, which would be easier to remember and still better than your “naked” email address.

Multi-Factor Authentication

Multi-factor authentication (usually just two factors, actually) bolsters security by pairing something you know — your password — with something you have — usually your phone. When you log in to your account, you must enter your password and a code sent to your phone or generated by an app or key fob. Some services (Clio, for example), can also send the code to your email address. With two-factor authentication turned on, a hacker needs more than just your password to access your account.

You should enable two-factor authentication for anything you care about, like your email account, password manager, and practice management software.



The current trend in authentication seems to be biometrics — fingerprints, retina scans, etc. The iPhone 5S, for example, includes Touch ID, which lets you unlock your phone (and do a few other things) with your fingerprint. While Touch ID (which is currently the most-advanced biometric system on consumer hardware) is definitely more secure than nothing, it is not particularly difficult to crack. You leave your fingerprint everywhere you go, and as the Chaos Computer Club demonstrated soon after the iPhone 5S was released, Touch ID can be fooled with basic household items like a digital camera, laser printer, and white glue.

Biometrics may be the future of authentication, but there are many problems left to solve. You cannot get new fingerprints or retinas if your old ones are “cracked,” for example. For now, biometrics are not superior to a good password, and they seem to be easier to crack if someone is motivated.

Password Managers

KeePass has a vulnerability where the user could end up downloading a malicious piece of software instead of a legitimate KeePass update, but there are steps users can take to mitigate that risk.

The best passwords are hard to remember, and even harder to type on a smartphone. And the more you are asked for your password, the more likely you are to use a shorter password that is easy to remember. So banking apps, for example, which typically demand your password every time you want to check your balances, are — perversely — discouraging you from using good passwords. One solution is to use a password manager like LastPass, 1Password, Dashlane, or KeePass. Or you could actually just write them down on paper.

Password managers encourage good-but-hard-to-remember passwords because you don’t actually need to remember them. You just need to remember one password: the one you use for your password manager, which should be really good and long and hard to crack, plus two-factor authentication. Everything else can be 22+ totally-random characters.

LastPass, Dashlane, and 1Password2 are cloud-based password managers that sync your passwords between your browser, phone, tablet, and the cloud. This makes them an extremely convenient way to get at all those good-but-hard-to-remember passwords when you need them.

KeePass is a free, open-source, and cross-platform password manager. There are even third-party KeePass apps that can import your passwords from Dropbox to your phone or tablet. KeePass is a good option, but LastPass, Dashlane, and 1Password seem to be more secure and more convenient.

Finally, writing down your passwords may seem old-school, but it is actually quite safe. Bruce Schneier recommends it, and Vox recently wrote about why it might actually be the best way to keep your passwords. Assuming you don’t lose the paper on which you wrote your passwords.

The Future of Authentication

The password is far from perfect, and many call it broken. That’s why there are several efforts underway to “kill” the password. Apple’s Touch ID is one, and The Verge recently reported on the FIDO Alliance, which includes companies like Google, Microsoft, Bank of America, and MasterCard. The FIDO Alliance is pushing for zero-knowledge proof authentication — a way of authenticating you without holding onto your credentials. If it works, you could use a single device you carry with you to authenticate yourself across the web.

If FIDO catches on in the next few years, it may render this entire article obsolete. For now, make sure you are using good passwords for everything that matters.

Originally published 2014-04-18. Last updated 2015-09-24.

Featured image: “Through the Keyhole” by Peter Taylor is licensed CC BY 2.0.

  1. This tip works fine with Google Apps for Business accounts, and it may also work with non-Gmail accounts. Try it and let us know. 

  2. While both were “affected” by Heartbleed, neither was compromised because SSL was only one of multiple layers of security. Here are the Heartbleed blog posts from LastPass and 1Password.


  1. Jonathan Kleiman says:

    Thanks for this. I’ve been wrestling with this same problem. I am no longer comfortable with “h4ckth4pl4n3t”

  2. Trevor Gau says:

    I’m confused by the point in the article that discourages the use of the scheme proposed by Randall Munroe in XKCD. He says:

    The password scheme popularized by XKCD is no longer good advice, by the way, according to security expert Bruce Schneier. Hackers are on to it, he says in his own guide to good passwords.

    Curious about this, I checked out the referenced guide by Bruce Schneier. He only says the following:

    Modern password crackers combine different words from their dictionaries. This is why the oft-cited XKCD scheme for generating passwords — string together individual words like “correcthorsebatterystaple” — is no longer good advice. The password crackers are on to this trick.

    But this doesn’t explain at all why Randall is wrong. Randall takes into account that each whole word adds log(number of English words) bits of entropy. So, once again, I clicked the scheme link to see what he’s talking about. That article actually explains why Randall is right! Looks like someone’s citing references without actually reading them…

    • Sam Glover says:

      I’m just going on Schneier’s comment. He’s widely recognized as an expert on data security, which makes him far more qualified to read and interpret the research than I am. If he says it’s no longer good advice, I’m going to trust him.

      • Trevor Gau says:

        There are dozens of comments on Schneier’s post by people challenging the statement about Randall’s password scheme. I understand he’s very well-qualified and has strong credentials, but I think he is mistaken about this. But if he’s not, I’d like to know about it to understand it better.

  3. Joseph McDaniels says:

    This article is providing some flawed advice when it comes to passphrases, though it was not unreasonable to do so as it referenced someone that should have been correct. Unfortunately that is not the case. I am currently employed as a computer security expert with a BS in computer forensics.

    While Mr. Schneier did make a post on this issue, he made a mistake. He did not account for the fact that a proper passphrase is randomly generated from a large dictionary. Those picked by users, such as his example “i hate hackers”, are not very secure. However, with randomly generated words, each word adds a set amount of entropy.

    For example, diceware (a random passphrase generator) makes use of a word list that consists of 7776 words. This provides entropy of log(7776)/log(2) or 12.9 bits per word. The word list xkcd made each word worth approximately 11 bits per word.

    Mr. Schneier’s password examples provide entropy per character. The ASCII character set provides ~6.5 bits per character when randomly chosen. Maybe he thought pass phrases were supposed to provide entropy per character, I can’t be certain why he made such as.

    A large risk to this method is people making passwords based on popular phrases that are easy to remember (mama always said life was like a box of chocolates / maslwlaboc). His method is actually quite vulnerable to this. It is the same reason users picking their own passphrases is dangerous. (See example: He alludes to this by saying personal phrases, any common or easily identifiable phrase would be at risk.

    Randomly generated passphrases are not vulnerable to this. His method can be effective if the sentence being used is sufficiently unpredictable.

    The point of all of this is that a pass phrase is a secure method of authentication. 5 random words can provide 64.5 bits of entropy using diceware. Using a larger dictionary would increase this number. 250,000 words would increase this to ~89 bits of entropy.

    I would suggest adding a warning that popular phrases using Mr Schneier’s method are at risk.

    I would also advise including a section on passphrases and how to properly use them (randomly generated from a large dictionary). This method is one that will be the most easy for many to remember and can absolutely provide a high level of security.
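The entropy arithmetic in this comment (bits per word for a 7776-word Diceware list, 5 words, a 250,000-word list, and ~6.5 bits per random ASCII character), carried through in code as an added example that is not part of the original post or the commenter's work. The word list is a constructed stand-in; only its size matters for the entropy figures, and the generator draws from `secrets` so that each word really is a uniform random pick rather than a user-chosen phrase.

```python
import math
import secrets

# Constructed stand-in for a Diceware-style word list. A real Diceware list has
# 7776 words; this short sample only exists so the generator runs offline.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "paper", "docket", "brief", "ledger"]

PRINTABLE_ASCII = 95  # printable ASCII characters available to a random password


def bits_per_word(list_size: int) -> float:
    """Entropy of one uniformly random pick from a list of list_size words."""
    return math.log2(list_size)


def passphrase_entropy(words: int, list_size: int) -> float:
    """Entropy of `words` independent random picks; not valid for user-chosen phrases."""
    return words * bits_per_word(list_size)


def password_entropy(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of random words from the list that reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))


def generate_passphrase(wordlist, words: int = 5, sep: str = " ") -> str:
    """Pick each word with the CSPRNG behind `secrets`; random.choice is not suitable."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(f"Diceware, 7776 words:      {bits_per_word(7776):.1f} bits per word")
    print(f"5 Diceware words:          {passphrase_entropy(5, 7776):.1f} bits")
    print(f"5 words, 250,000-word list: {passphrase_entropy(5, 250000):.1f} bits")
    print(f"Random ASCII character:    {password_entropy(1):.1f} bits")
    print(f"Random 12-char password:   {password_entropy(12):.1f} bits")
    print(f"Diceware words to match a random 22-char password: {words_needed(password_entropy(22), 7776)}")
    print("Sample passphrase (from the constructed list):", generate_passphrase(SAMPLE_WORDS))
```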
