- Learning Centre
- Lawyer Programs
- Key Resources
- Legal Practice
- Continuous Improvement
- Cultural Competence & Equity, Diversity and Inclusion
- Lawyer-Client Relationships
- Practice Management
- Retirement Guide
- Business Continuity and Succession Plan Guide and Checklist
- Practice Management Assessment Tool
- Professional Conduct
- Professional Contributions
- Truth and Reconciliation
- Disaster Planning and Recovery
- Student Resources
- Public Resources
- Upcoming Events
- Media Room
- Latest from the Law Society
- Resource Centre
- Key Resources
- Practice Management
- Password Managers: Locking the Barndoor with Better Passwords
Last updated: February 2023
Joe stared at his computer screen and wondered, “Why am I locked out of my own account?“ He knew he had not done anything wrong, but the message on his screen told him otherwise. His account had been breached and he knew he had to take action.
If criminals gain access to your data or online accounts, there could be significant financial and professional ramifications. One way of protecting your data is to employ strong and robust passwords across your digital accounts. Poor password habits have become a target for cybercriminal activity, instead of a line of defense. There are practical things you can do to restore the protective function of our passwords.
The Problem with Passwords
Despite the risks, people continue to use — and re-use — weak passwords. The reason? It is simply not practical to create and remember a unique and complex password for every account we own.
As a consequence:
- An audit of the dark web in 2020 found over 15 billion passwords were revealed online.
- In 2021, the most common passwords used in Canada included 123456, password, qwerty, abc123, password1, testing, hockey and iloveyou – any of which take cyber criminals mere seconds to crack.
- As many as 81 per cent of data breaches are due to poor password security.
To leverage the full protective capabilities of passwords, strong passwords are a must.
What Makes a Good Password?
Password safety requires two things:
- A password that is robust in design; and
- The use of unique passwords for each account a user owns.
The first element – password design – looks at the content of the password itself. The more complex the password, the better.
Complexity can mean a longer password, using random text, numbers and special characters. Best practices also advise against using personal information. Names, dates and places are important to us, but hackers can quickly find such details from publicly available sites.
The second element — unique passwords — guards against the danger of using the same password across multiple accounts. Re-using passwords, or using minor variations based on a pattern or a root word, is an open invitation to hackers wanting to access your records.
If a shared password is compromised, all your accounts become compromised, and the damage multiplies. Of course, creating complex and unique passwords is all well and good. But to memorize them for every account we own? That might prove to be an impractical — if not impossible — task.
This is where password managers come in.
What Are Password Managers and How Do They Work?
Password managers are digital tools or software that act as a secure “vault” where users can record their login credentials. Users only need to remember one password — the “master password” — to unlock their “vault”, and the password manager then lets them create complex passwords for account they own.
The result? Robust and unique passwords for each individual account, with the practical advantage of only needing to remember one master password to access all of these records.
Most password managers combine convenience and security with the following features:
- Random password generators: A tool that quickly creates random passwords for users to apply to their existing or new account logins. The tool lets users specify the desired password length or inclusion/exclusion of certain letters, numbers, symbols, or special characters, to generate a random password.
- Multi-device access: Users can log into their password manager across any platform and desktop and mobile operating systems – Mac, Windows, Android, and iOS. Adding or modifying a password on one device updates and syncs the information across all platforms.
Other features include:
- Payment information and document storage: The ability to store credit card information, online banking information, passports, health records and other secure files.
- Sharing capabilities: The ability to share passwords and documents with other trusted users such as family members or team members at work. This feature is not always available with free versions but is common with paid versions.
- Emergency access/account recovery: The ability to recover access to the password vault if a user forgets their master password or is unable to login. This can be through additional security questions or permissions to access granted to another trusted user.
- Dark web monitoring: The user’s email addresses across various accounts are monitored against a database of known breaches. If an account is known to have been compromised, the password manager alerts the user to the breach and triggers them to change their login credentials.
Zero Knowledge Security Architecture
One of the ways password managers guard against this risk is by using what is called zero knowledge security architecture.
This means that data is only readable by the end user. When the data is stored and transmitted to and from the password manager’s servers, it remains fully encrypted.
The result is that even the company operating the password manager has “zero knowledge” of the information stored within the tool.
If their servers are ever hacked, the perpetrators would only obtain encrypted records which would be gibberish without the individual customers’ master passwords to decrypt the information.
Cyber-security experts now view multi-factor authentication (MFA) as an essential step in maintaining cybersecurity.
MFA is a process that requires users to verify who they are by using a combination of steps (or factors) – in addition to a password – before they are granted access to their data.
The name sounds complicated but the process it describes is not.
The first factor is the password the user creates for themselves.
The additional factor can take various forms and can usually be completed within a few seconds.
Biometric verifiers (fingerprints or retina scans) are one option.
Another is a passcode — typically a four or five digit number — sent by text message to the user’s cell phone. The user then enters the code, together with their password, into whatever webpage they are trying to access.
A third option is push-to-authenticate verifiers, which send a message directly to the user’s device, telling them that an authentication attempt is taking place. Users can then approve or deny access with a simple click of a button. This technique is gaining popularity because it provides a simple means to authenticate users, especially if used without passwords.
Ultimately your password manager is not simply secured by a master password alone, but by other factors that require verification before allowing access to your vault.
The greatest risk to the use of password managers is often the user themselves. A study conducted in 2019 revealed that many users of password managers store their master password in a plain text document somewhere on their computer, meaning it could be accessed by hackers without difficulty.
By following a few simple practices, you can play a role in ensuring that your password vault remains as secure as possible.
- Never save your master password where someone could access it without your knowledge or permission. Just as you should not leave your password on a Post-It note stuck to the side of your computer, you should not keep your password in an unsecured document or email within your computer either.
- Do not leave your password manager running in the background, even if it is locked. Exit the tool completely once you retrieve the password you were looking for.
- Set up multi-factor authentication wherever possible since this significantly limits a hacker’s ability to breach your computer.
- Never re-use your passwords. Always use a distinct password for each of your distinct accounts and avoid password clones that vary by only a single character or digit.
- Consider refraining from integrating your password manager with your web browsers, if possible, as the browser extensions/plugins can create issues. While you will have to launch your password manager instead of auto-populating credentials, this is a simple step that only requires a few seconds to complete. The resulting improvement in your online security is well worth the minor delay.
For Mac and iOS users, iCloud Keychain is part of the operating system that lets users keep their passwords and other secure information updated across their Apple devices. Password AutoFill automatically fills credentials stored in the keychain.
The Keychain password manager and Password AutoFill provide the following features:
- filling in credentials in apps and websites;
- generating strong passwords;
- saving passwords in both apps and websites in Safari;
- sharing passwords securely to a user’s contacts; and
- providing passwords to a nearby Apple TV that requests credentials.
Password Monitoring is an Apple feature that matches passwords stored in the user’s keychain against a continuously updated and curated list of passwords known to have been exposed in leaks. If the feature is turned on, the monitoring protocol continuously matches the user’s keychain passwords against the curated list. If the user’s password appears on this list, the user is immediately notified without any external interaction.
If you use Safari on your iPad or iPhone, you can store website passwords and manage them using the Passwords settings.
For Windows 10 users, Personal Vault (also known as Credential Locker) is a protected area in OneDrive where users can store usernames and passwords. Microsoft Edge allows users to save passwords for sites they use.
These programs are free but full-featured password managers currently on the market, including LastPass, 1Password, DashLane, Bitwarden, Keeper, and NordPass, are more attractive and provide better data security generally. Please refer to the appendix for more details.
Subscription plans for password managers are available at different price points with the following increasing levels of functionality and features:
- A basic tier (for one user) – often free, includes essential password manager features such as the password vault, password generator, and auto-save/auto-fill capabilities. There may a restriction on the number of passwords a user is able to store or the number of devices that the application may operate on (e.g., only operates on a single mobile device or for desktop, without cross-integration).
- A premium tier (for one user) – around or below $5.00 USD/month that builds on the capabilities offered under the basic tier with features like dark web monitoring, unlimited devices allowed, and capacity to store an unlimited number of passwords.
- A family tier – increases the number of user accounts available under a single subscription plan, including a family dashboard to monitor member accounts.
- A business, teams, or enterprise version – designed for larger-scale and business-wide implementation.
In today’s digital world, cybersecurity has become increasingly important. One simple and obvious line of defense against data breaches – a good password – is key to protecting confidential and sensitive information. Multi factor authentication is quickly becoming a standard requirement as well.
Password managers do not provide foolproof protection against every potential security risk. However, most experts view them favorably and strongly recommend their use, especially if the alternative means using weak passwords, reusing passwords, storing passwords in an unsecured computer document or spreadsheet or writing them down on paper where they could easily be seen or exposed.
Combining password managers with multi-factor authentication in a lawyer’s digital routine could significantly help to enhance the security of confidential data and information within their practice.
Password Manager Chart
The following charts provide a detailed overview of six popular password managers currently available on the market. These password managers all operate on Mac, Windows, iOS and Android systems. Pricing is provided on a per user basis.
The information provided here is derived from public sources, is current at the time of publication and may change over time. Readers are encouraged to perform their own due diligence in deciding which password manager is right for them.
By: Len Polsky, Manager of Legal Technology and Mentorship
1Password combines security and design to bring you private, secure and user-friendly password management. Easily and safely share logins, passwords, credit cards and more. Get passwords out of spreadsheets and email to keep your team in sync. Define employee controls, access and permissions to secure information for your team and others – even if they don’t use 1Password.
|1Password ($2.99 USD/month, billed annually)|
Teams ($19.95 USD/month, billed annually)
|Bitwarden||Bitwarden generates, stores, and provides secure unique usernames and passwords from any location or device. It is easy to set up and provides cross platform access for mobile, browser and desktop apps. Zero knowledge, end-to-end encryption guides the Bitwarden open source approach to trust, accountability, and security.||Free ($0)|
Teams Organization ($3.00 USD/month, billed annually)
|Dashlane||Dashlane provides the admin tools such as login monitoring, plan member management and reporting, policy management and directory integration. It also provides advanced password management and seamless integration. You can onboard new team members, manage permissions, and monitor security issues from the Dashlane admin console. You can also increase organization-wide compliance by enabling one-click policies for 2FA, offboarding employees and data encryption.||Free ($0)|
Starter ($20.00/month USD, billed annually)
|Keeper||Keeper automatically generates strong passwords, stores them in a secure digital vault accessible from any device, and autofills them across all of your sites and apps. Keeper’s encryption protects your passwords and sensitive information from data breaches, ransomware and other cyberattacks.||Free ($0)|
Business ($3.75 USD/month, billed annually)
|LastPass||LastPass is a password manager that secures your passwords and personal information in an encrypted vault. As you visit apps and sites, LastPass autofills your login credentials. From your LastPass vault, you can store passwords and logins, create online shopping profiles, generate strong passwords, track personal information securely in notes and more. All you have to do is remember your LastPass master password and LastPass will autofill web browser and app logins for you.||Free ($0)|
Teams $5.50 CAD/month, billed annually)
|NordPass||NordPass is a secure, easy-to-use, purpose-built password manager. Besides your login credentials, you can use NordPass to securely store and access your credit card details, secure notes and personal information. Everything you keep in NordPass is protected by advanced encryption algorithms. Their advanced security features include password health, data breach scanner and secure item sharing. It allows you to detect weak, reused or old passwords. Secure item sharing allows you to safely share your passwords as well as other sensitive information with other NordPass users.||Free ($0)|
Business ($2.56 USD/month)