Cyber Security: Plugging up a gateway for hackers
By Carl Mazzanti
Many firms have been able to efficiently leverage LinkedIn, Facebook, and other social media sites as a component of their marketing activities. Legal professionals, however, should be aware that bad actors are also on social media. They may use purloined passwords to get into a lawyer’s professional profiles, then use the profiles as a gateway to a firm’s files, potentially gaining access to megabytes of sensitive information. But maintaining password integrity may help prevent this nightmare scenario.
One investigation alone found more than a million pieces of information from the Top 500 UK law firms sitting on the Dark Web and concluded that hackers likely acquired information from breaches of third-party websites such as Dropbox and LinkedIn. Even savvy techno-giants like Mark Zuckerberg are not immune. A reported LinkedIn hack led to the exposure of accounts belonging to the Facebook (Meta) CEO, who had repeatedly used an easy-to-crack password (dadada).
Shortcuts can be hazardous to a firm’s health
It may be natural for overburdened lawyers to try to save some time by using common words for their passwords. Then, for further convenience, they employ the same password for multiple online accounts. But cyber security solutions providers caution that this kind of common mistake, often made by otherwise knowledgeable users who do not want to memorize lengthy sign-in codes, is a no-no. It is especially dangerous since hackers are getting more sophisticated. For example, in 2022, the NSA, FBI, and other security agencies noted that the Russian General Staff Main Intelligence Directorate’s (GRU’s) Main Center for Special Technologies released new malware targeting Americans and other users.
The good news is that law firms and other professional services organizations can easily secure their accounts. One simple measure involves multi-factor authentication (MFA), which requires at least two independent verification methods before a user can log into an account. One factor may be a password, and the second could be a one-time passcode sent to a mobile phone or another device. This way, the account will remain safe even if hackers gain access to one of the factors.
Additional steps can further safeguard an account. One involves lengthening the initial password or PIN (Personal Identification Number), since some studies indicate that one of the most commonly used PINs is the relatively easy-to-guess numerical code 7777. But almost every device supports PINs that are longer than four digits, and adding a few more numbers can make a big difference, thanks to the exponential math involved. For example, a four-digit PIN has 10,000 unique combinations, yet adding only two digits means the PIN now has 1 million possibilities. Additionally, some devices support alphanumeric PINs or passwords that can make things even harder for hackers.
Of course, even though more numbers, or words, or combinations are safer, they are also more difficult to remember. But time-pressed users can make it easier on themselves by using words or phrases that mean something unique to them, while staying below the radar of others. This means keeping away from special dates like birthdays, anniversaries, personal phone numbers, or street addresses, which are all easily accessible by digital wrongdoers.
A better alternative could be passwords with combinations that will not be easily guessed by outsiders. These enhanced passwords should also be as long as possible. An eight-character password like betashow, for example, sounds safe, but an attacker could guess this password instantly with sophisticated software tools. However, if four characters are added, perhaps betashowbest, it would likely take an attacker some two weeks to guess. Bringing it to 20 characters though, like betashowbestshipping, means it would take an attacker years, and by then best practices call for changing the password anyway; a small effort but a big return.
Creative passphrases, which are longer passwords composed of multiple, random words, represent another solution. These could include passwords like swiftesttropicaldownhillski, walkingonoranges, or BrieflyMoreDiamond (of course, these specific phrases should not be used). Other hard-to-crack passphrases can create pictures in the user’s mind, like purplenoseonabrickwall.
Or say a firm has a noisy associate that makes a user think: “Every day I can hear Sam from across the office!” That thought could yield something like EdicHSfATO!, which would be hard to guess. However, it is also important to avoid words that are related to each other. For example, the passphrase “gentle ocean breeze” is not as strong as “laptop pineapple car.”
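The length and passphrase advice above can be put in numbers. The following is an added example, not code from the article or from eMazzanti Technologies: it estimates the brute-force keyspace of the article's sample passwords and of random-word passphrases. The guess rate and the miniature word list are assumptions chosen for illustration.

```python
import math
import secrets

# Assumed offline guessing rate for the estimates below (hypothetical, not a
# figure from the article); real rates depend on the hashing scheme in use.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the character classes an attacker must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_bits(password: str) -> float:
    """Bits of keyspace if every string of this length and class mix is tried."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try the whole keyspace at the given guess rate."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def random_passphrase(words, count: int = 4, sep: str = "") -> str:
    """Unrelated words picked with a CSPRNG, so guessing one word reveals nothing about the next."""
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy of a passphrase drawn uniformly from list_size words."""
    return word_count * math.log2(list_size)


# Constructed miniature word list; a real list of 7776 words gives about 12.9 bits per word.
WORDS = ["laptop", "pineapple", "car", "purple", "brick", "orange", "tropical", "ski"]

if __name__ == "__main__":
    for pw in ["betashow", "betashowbest", "betashowbestshipping", "EdicHSfATO!"]:
        b = brute_force_bits(pw)
        print(f"{pw:24s} {b:6.1f} bits  ~{years_to_exhaust(b):.3g} years")
    print(random_passphrase(WORDS), f"{passphrase_bits(4, 7776):.1f} bits for 4 of 7776")
```

Note that the estimate assumes a uniformly random password; a dictionary word or a related phrase such as "gentle ocean breeze" falls in a far smaller space than its length suggests.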
Follow the safety rules
Users can be creative with passwords and passphrases, but they should also know and follow any firm policies that may have such requirements as a minimum character count, a mix of alphabetic and numeric characters, or special characters. These security requirements are there for a reason, and if they make it tougher on the authorized user, they also make it tougher on hackers.
Even the best password, however, will be at risk if it is used across multiple accounts, or if it is not changed periodically. That can be a challenge, especially for attorneys with multiple cases, multiple client accounts, and multiple devices that may each require a unique password or PIN, including on their mobile, laptop, desktop, iPad, business laptop, and others. But solos and firms may consider purchasing a password manager, a software application that securely stores and manages online credentials. It sits behind a master password, so only one password needs to be memorized, and the manager automatically generates new passwords every time an authorized user logs into a device.
Regardless of how a password is created, it is important to keep the credentials secure. They should never be written down, or stored on a device, and they should never be sent through email or text. And as a best practice, passwords or PINs should never be shared. Finally, “shoulder surfing” is another danger. It occurs when a cyber-thief tries to steal a password or PIN by watching a user enter it when they log in to a website or an application. The solution is to be vigilant and aware of surroundings when entering passwords, master passwords, passphrases, or PINs, and to make sure that no one can see what is being typed.
Establishing and maintaining secure passwords and PINs takes some work, but the digital data they protect can be worth its weight in gold. With the step-up in hacking and other threats, it is only reasonable for legal professionals to take more precautions to safeguard their sensitive data.
Carl Mazzanti is president of eMazzanti Technologies, a cyber security and IT support organization based in Hoboken, NJ. The company can be reached at [email protected].