Strong passwords and ethical obligations

October 2015 | EXPERT BRIEFING | RISK MANAGEMENT

financierworldwide.com

Day in and day out lawyers use laptops, tablets, smartphones and other portable drives and computer accessories to work on, store and manage confidential client data. With ever decreasing prices for storage mediums and media, vast amounts of data can now be carried around on these devices, and, as shown by the recent surge in large data breaches, hackers’ ability to circumvent these devices has created a constantly changing landscape that can easily surpass a lawyer’s ability to understand the threats and the types of safeguards that should be in place to help prevent unauthorised disclosure. So, with the rise of the number of laptops and smartphones being stolen, or even left in taxis, it is extremely important to review security procedures. While there are many ways to enhance law firm security, such as encryption, this article suggests the use of strong passwords.

Under various regulations, in the US, lawyers have an ethical obligation to take reasonable steps to protect confidential client information from unauthorised or unintentional disclosure. For example, the American Bar Association’s Model Rules of Professional Conduct states that “a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorised disclosure of, or unauthorised access to, information relating to the representation of a client”. See Model Rule 1.6 (c) Confidentiality of Information. According to the comments to Rule 1.6, a lawyer must “act competently” to safeguard this client information, and would be in violation if the lawyer did not “make reasonable efforts to prevent the access or disclosure”. Determining whether reasonable efforts have been taken depends on a number of factors, such as: the sensitivity of the information, the likelihood of disclosure if safeguards are not used, the cost of using such safeguards, the difficulty of implementing such safeguards, and whether using such safeguards would inhibit the lawyer’s ability to effectively represent the client.

One of the ways to try to fulfil the ethical obligation may be to use a strong password. What is a strong password? Well, there is still some debate in the technology world as to what is the hardest type of password to crack. Is it one based on complexity? Or, is it one of a certain character length?

A complex password is one that uses various types of different letters, cases and symbols, in a way that typically does not replicate an actual word, such as ‘i*M99&Qr’. A long password, or a ‘passphrase’, is one that is usually over 16 characters in length, and can even be an actual phrase (though easy to guess phrases are not generally recommended). For example, ‘I’minlovewiththenewyorkgiants’.

Why care about password length versus complexity? Because after searches of all common passwords (such as 1234567, password and passw0rd) and use of a dictionary attack (systematically entering all words in the dictionary), the next step hackers may use, is what’s called a ‘brute force attack’ – which is trying every possible combination of letters, numbers and symbols repeatedly until a password is exposed. Length then becomes important because, according to at least one study by the Georgia Institute of Technology, an eight character password can be cracked in as little as two hours, even a complex one using different cases, numbers and special characters.

This concept, that password length is arguably more important than password complexity, is often referred to as ‘password entropy’. This is a measurement of how unpredictable a password is to guess, for example, through a brute force attack. A longer password, even if simple terms are used, can therefore generally be harder to crack than a shorter, more complex one.

As an illustration, the passphrase ‘I’minlovewiththenewyorkgiants’ would take 2.89 hundred million trillion centuries to crack assuming one hundred trillion guesses per second. While the complex password ‘i*M99&Qr’ would take only 1.12 minutes to crack, assuming the same number of guesses. Such a large number of guesses would be extremely rare, but sufficiently illustrates the point – longer is typically better. Thus, utilising a passphrase as a password, instead of a complex eight character one, may fulfil a lawyer’s obligation to reasonably protect client information on a lawyer’s devices and accessible through a lawyer’s accounts.

Even more important is to change that simple four number password that is often used on smartphones and tablets. A four number password, in a brute force attack, would take only 0.000000000111 seconds to crack with the same number of guesses. Most smartphones and tablets have a way to change from the simple four number password to a passcode phrase.

All of this, of course, assumes that a password doesn’t contain easy to guess items such as the most common passwords, children’s names, birth dates, college or high school names, or even the firm’s names or locations. Such words can be guessed by a common password or dictionary attack, and thus would not likely be seen as reasonable protection in terms of a lawyer’s ethical obligation.

Using a strong password is a good step in attempting to satisfy ethical obligations for confidential client information. However, even if a strong password is used, it may not stop a breach, especially if the same password is used for multiple sites/networks, the password is not periodically changed, the device’s lockout mechanism for wrong password attempts isn’t set at all or is set at a very high limit, and without education as to other potential methods that could lead password breaches such as phishing and malware.

Jenna F. Karadbil is president of the International Technology Law Association and owner of the Law Office of Jenna F. Karadbil. She can be contacted on +1 (646) 535 3252 or by email: jenna@jfk-lawyer.com.

Jenna F. Karadbil

Law Office of Jenna F. Karadbil