Passwords are often the first line of defence against data loss.

Even in 2023, a password alone is not adequate to secure important data,1 though getting passwords right is still important.

One effective way to improve the protection offered by passwords is to ensure they are an appropriate length, are stored properly and are not reused across multiple websites.2

Law firms should adopt and properly implement a password policy to ensure all network users choose and use passwords appropriately.

Queensland Law Society has a template Password Protection Policy available for download.

Complexity & length

Complex passwords, also known as strong passwords, are essential to defend sensitive information. These passwords are typically longer and use a combination of upper and lower-case letters, numbers, and special characters. They are also less likely to be found in a dictionary or easily guessed by an attacker using information from social media.

On the other hand, simple passwords, such as ‘password’ or ‘123456’, can be easily cracked using brute-force attacks or dictionary attacks, especially if attackers manage to copy an encrypted archive and can then work on it offline with as much time as they want.

A brute-force attack uses a computer program to try all possible combinations of characters until the correct password is found; a dictionary attack tries likely words and phrases first. As computers speed up, the length of a ‘safe’ password increases.3
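As an added illustration (not code from the article or from Queensland Law Society), the following Python checks a candidate password against the attributes described above and estimates how many candidates an exhaustive search must try, and therefore how the worst-case search time grows with length and character set. The minimum length of 14, the three-class requirement, the guess rate and the small common-password list are assumptions for the example, not figures from the article.

```python
import string

# Constructed stand-in for a list of common passwords (the article names the first two).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Size of each character class an exhaustive search must cover.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "special": len(string.punctuation)}


def character_classes(pw: str) -> set:
    """Return the set of character classes actually used in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def keyspace(pw: str) -> int:
    """Candidates a brute-force search must try: alphabet size ** length."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return alphabet ** len(pw)


def hours_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Worst-case hours to exhaust the keyspace at an assumed guess rate."""
    return keyspace(pw) / guesses_per_second / 3600


def check_policy(pw: str, min_length: int = 14, min_classes: int = 3) -> list:
    """Return policy failures for pw; an empty list means it passes.
    The defaults are assumptions for this example, not figures from the article."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if len(character_classes(pw)) < min_classes:
        failures.append(f"uses fewer than {min_classes} character classes")
    # Strip digit/punctuation padding so "Password1!" is still caught as "password".
    core = pw.lower().strip(string.digits + string.punctuation)
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        failures.append("is a common password, possibly with padding")
    return failures
```

Doubling the assumed guess rate halves the hours for every password, while adding one character multiplies them by the alphabet size, which is why length matters more than the speed of any particular year's hardware.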

In the case of a law firm, the consequences of a password being cracked can be severe. Failure to take reasonable steps to protect client confidentiality is a breach of a solicitor’s professional obligations, in addition to the significant financial liability and disruption to basic systems that may take months to fix.

This is why electronic conveyancing platforms (such as Pexa and Sympli) and insurers have minimum password requirements. Failure to observe these may have liability or coverage implications.

Passwords are not enough

Even good passwords can be broken or phished. In addition to implementing complex passwords and maintaining a password policy, there are several other steps that law firms should take to enhance their cybersecurity:

  • Enable multi-factor authentication (MFA) whenever possible. MFA requires an additional step, such as entering a code sent to a mobile phone or supplying a fingerprint in order to access an account. This helps to prevent unauthorised access even if a password is compromised (see the QLS Guide to MFA).
  • Regularly update software and security protocols. This helps to protect against newly discovered vulnerabilities that could be exploited by hackers.
  • Educate employees on cybersecurity best practices. This includes training on creating complex passwords and the importance of not sharing passwords with others (see the QLS Cybersecurity Package for firms which use electronic conveyancing).
  • Consider using a password manager. A password manager is a tool that stores and generates complex passwords for all of a user’s accounts. This allows users to have unique and secure passwords for each account without the need to remember them all.

Bottom line: it is essential for law firms to prioritise the security of their sensitive information by implementing complex passwords and maintaining a password policy. By following these and other best practices for cybersecurity, law firms can protect against unauthorised access to sensitive data and mitigate the potential consequences of a security breach.

For inquiries, please contact the author at the QLS Ethics & Practice Centre.

David Bowles is a Queensland Law Society ethics solicitor.

1 See below (n2) for more information.
2 More information on the research behind the various password choices can be found on the Cybersecurity Prevention and Education page of the QLS website.
3 An eight-character password would have taken over five days to crack in 2018, but now takes less than an hour.
