At times, I feel that passwords are to the average computer user what bad-tasting medicine is to a sick child. If only we didn't have to take it! Most of us, however, have come to recognize the importance of a strong password policy in the workplace (e.g. requiring alphanumeric passwords of at least 8 to 10 characters wherever a system allows it). After all, how many times have we all been told, "Never write your password on a sticky note and tape it to your monitor"? Unfortunately, holding one's nose to get the medicine down, if you will, leads to an unexpected problem once a firm actually follows through on a strong password policy.

Suppose that I comply with my law firm's password policy and have strong passwords in use for various needs. For example, I actually must enter two different passwords on my work laptop, one to enable the boot process and one to initialize the operating system. I do this as one way to further secure the contents of my laptop in the event of a theft. I also have different passwords for my Android phone, jump drives, network login, online bank accounts, personal email accounts (which I do use for work), and, trust me, quite a bit more. In fact, I take the security issue so seriously that I regularly change my passwords to key systems or accounts. This is all well and good until the unexpected happens. Returning to the example of my being employed at a law firm, perhaps I pass away, or perhaps I am an employee who must be fired for some misdeed.

Here's the rub. In many firms, no one else would know my passwords, so getting into the various systems may prove a costly venture in both time and money. Key client information stored on my laptop will not be readily accessible because no one will be able to get past the first (pre-boot) password. Let's make this even worse: I am the employee who must be fired, my position is network administrator, and I have sole and exclusive knowledge of key network passwords. This is potentially a very serious problem, because I may simply lock the network down remotely and the firm will be dead in the water.

Now that I have your attention, what is the solution? At its most basic level, anyone's passwords should be available to someone else at the firm in the event of an emergency. While there is no one right solution, here are a few ideas. Create an Excel spreadsheet of all user passwords, limit access rights to this file to administrative staff only, and make sure that the file remains encrypted at all times (its protection is only as strong as the password that encrypts it, so that password deserves at least the same care as the ones inside). Write down all network administrative passwords and place the resulting document in a sealed envelope. Keep this envelope in a safe deposit box or safe. For the solo attorney, include passwords in the letter of instructions to be given to the executor of your estate and/or the attorney named to administer the winding up of your practice. Update these lists and documents whenever a password changes or someone who had access to them leaves the firm.

This list of ideas is simply a starting place and not intended to be the best solution for your practice or firm. My aim is to raise awareness of the concern. Personally, I use two encrypted password safes for a number of reasons; however, my wife knows how to access the information stored there should I unexpectedly pass away. After all, for all that she has to put up with as my wife, it's the least that I could do. Now, what can you do for your clients and partners?

Name: Richard Cassidy
Time: Wednesday, December 12, 2012

I think you have identified the problem, and it's a real one.
Your solution for law firms sounds too clunky and expensive to work.
You mention a password safe for personal use. Isn't there a product like that which could help law firms?

Name: Mark
Time: Wednesday, December 12, 2012

Rich - My idea is a plain Jane basic approach. There are password manager software tools available that would be appropriate for a firm. Might want to check with your IT person for specific recommendations. These tools basically enable password policy compliance and use of strong passwords by all, and that's a great tool. My point was, at a minimum, a record of all passwords in use must be maintained for security purposes and access if nothing else. If a password manager is to be put to use, make certain that everyone is trained in its use, as they can create their own problems due to autofill capabilities and whatnot. In the end, I think these are awesome tools, but they will require an investment and some training in their use.

Name: Matt
Time: Tuesday, March 31, 2015

With due respect, this is a terrible idea. Your passwords provide identity confirmation, among other things. If your passwords are accessible to anyone else, including anyone else in the firm, they lose considerable value. Moreover, if the document falls into the wrong hands the effects will be devastating. For instance, the encrypted Excel spreadsheet you suggest will be only as safe as the password used to secure it, and likely substantially less safe than that. What happens when one of the employees with knowledge of the Excel spreadsheet password is fired? What happens the month before they quit? Moreover, if key client data is kept on your laptop (and nowhere else), what happens if you get hit by a bus while carrying the laptop? Password sharing, a dubious practice to solve any problem, is useless in that circumstance.

In my opinion, a better strategy is to get serious about the locations of important data. "Key client information" should not be stored on a laptop, or at least not exclusively there. The information should be held in a secured information repository with access controls. If you die or get fired, the next attorney up will be able to get assigned to the matter and thereby get permission to look at the data. Then they can log in with their own password and see what needs to be seen. Similarly, network administration passwords should not be shared. Instead, multiple accounts should be given administrative access, and every access should be carefully monitored and logged. If the network admin gets fired, the sysadmin will still be able to maintain systems until a new network admin is brought in, and then will be able to assign network administrative privileges to the new admin. For simple devices that only permit a single account (like a home office wireless router), store the configuration of the router (but not the admin password) in the law firm document management system. If the person with responsibility for the router becomes unavailable, it can simply be reset to factory settings, a new password set, and the configuration copied from the document management system.

This is not an absurd or unreasonable level of protection, even for a very small firm. Any reasonable practice management solution with multiple logins handles access controls and document management today, and I have been able to implement these controls even in my solo practice. As a result, if I get hit by a bus tomorrow, my clients will be adequately protected - my office manager can gain access to their files and transfer everything pertinent to a new attorney.

Name: Mark
Time: Wednesday, April 1, 2015

Matt - you make some great points, particularly in this post-Snowden world. Were I to write this post today, my advice would be quite a bit different. Thanks for sharing your thoughts!

