Hackers are hacking; you need a password manager

Password security has been in the news again this week, and I’m using this as an opportunity to remind all iPhone J.D. readers — especially all of us attorneys with a duty to protect confidential attorney-client information — that we ought to be using complex, different passwords.  I think that the best way to manage them is with password manager software such as 1Password, which happens to be on sale right now.  More on that in a minute, but first let’s discuss some of the recent stories.

One of the recent news stories (here is one from Michael Schmidt in the New York Times) is that employees of the St. Louis Cardinals are being investigated by the FBI and the Justice Department for hacking into the internal network used by the Houston Astros to store confidential information evaluating players.  The allegation is that after Jeff Luhnow left the Cardinals to join the Astros, Cardinals employees researched all of the passwords that Luhnow had ever used on a Cardinals network, and then tried those same passwords to access the Astros network.  One of the passwords worked, and once they were in, they got access to lots of confidential information that could be used to help the Cardinals and hurt the Astros.

Another story being reported (here is one from Ellen Nakashima of the Washington Post) is that hackers working for China accessed the U.S. Office of Personnel Management computers to get information such as Social Security numbers and job assignments for around four million current and former federal employees.  The information could theoretically be used to the disadvantage of one of those folks, or, as this article notes, this information may help a hacker send a fake e-mail purporting to be from a colleague at work to convince someone to click a link or take other action that could lead to further problems.

The reality of our world is that hacks and attempted hacks are going to happen.  Perhaps they will be initiated by folks living in other countries, perhaps even sponsored by those countries.  Perhaps they will be attacks targeted against you or your company, initiated by a business competitor or someone who knows who you are.  What you need to do is take reasonable steps to protect yourself.

One thing that you need to do is use different passwords for every service.  We are constantly hearing about hackers gaining access to databases at retail companies, and if a hacker gets the password that you use at BigStoreCo, they can try to use that same password at your bank, Amazon.com, your law firm, etc.  If you use the same password (or simple variants on the same password) at multiple sites, then when the password to one of your accounts is obtained, essentially all of your accounts have been hacked.

Second, in addition to using different passwords, you need to use complex passwords that are long and hard to guess.  Just using your kids’ names isn’t enough.  Folks who know you, or know of you, can figure out those names easily enough if they want to target an attack on you.  And while hackers in foreign countries may not know you personally, they are going to run every single name in the Baby Name Book (and the dictionary) when they try to hack accounts.

Those two tips sound simple enough, but the problem with using unique, complex passwords for every site is that they are impossible for you to remember, not to mention difficult to type.  That’s why I recommend using password management software.  The one that I use is 1Password, and I’ve written about it before (1, 2, 3).  The first advantage of password management software is that it can easily create random, complex passwords that are different for every website.  For example, I’m going to ask 1Password to generate one right now, and here it is:  rFidnonEKjpRN7jFVy4r.  No hacker is going to be able to happen upon that password by trying out all of the words in a dictionary or baby name book, and that 20-character password would be incredibly difficult to guess.  And even if that is the password that I use at BigStoreCo and someone somehow gets access to customer information, that won’t be the same password that I use for my law firm email or other institutions, so the bad guys can’t use that password elsewhere.
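To make the three points above concrete (different passwords per site, no names or simple variants, and a random 20-character password), here is an added example that is not from this post or from 1Password: a small generator built on the operating system’s cryptographic random source, an entropy estimate for the post’s kind of password, and a check showing how a leaked, reused password (or a simple variant of it) exposes other accounts.  The name list and the two vaults are constructed for illustration.

```python
# Added example (not from the iPhone J.D. post or from 1Password): what a password
# manager's generator does, and why name-list and reuse attacks fail against it.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, like the post's sample

def generate_password(length=20, alphabet=ALPHABET):
    """Draw every character from the OS CSPRNG; never use random.random() for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """log2 of how many equally likely passwords share this length and alphabet."""
    return length * math.log2(alphabet_size)

# Constructed stand-in for the "Baby Name Book" an attacker would run through.
NAMES = ["emma", "liam", "olivia", "noah", "ava"]

def name_variants(names):
    """The guesses a name-based attack makes: each name, capitalised, with common suffixes."""
    variants = set()
    for name in names:
        for base in (name, name.capitalize()):
            for suffix in ("", "1", "123", "!", "2015"):
                variants.add(base + suffix)
    return variants

def is_guessable(password, names=NAMES):
    """True when a name-list attack of the kind described would hit this password."""
    return password in name_variants(names)

def normalize(password):
    """Collapse the 'simple variants' the post warns about: case and trailing digits/symbols."""
    return password.lower().rstrip(string.digits + string.punctuation)

def exposed_by_leak(vault, leaked_password):
    """Sites whose stored password is the leaked one or a simple variant of it."""
    key = normalize(leaked_password)
    return sorted(site for site, pw in vault.items() if normalize(pw) == key)

# Constructed vaults: the reuse habit versus one random password per site.
REUSED_VAULT = {"bigstoreco": "Emma2015", "bank": "emma2015!", "lawfirm": "Emma2016"}
UNIQUE_VAULT = {site: generate_password() for site in REUSED_VAULT}
```

A 20-character password drawn from 62 symbols has about 119 bits of entropy, far beyond any name list; with `REUSED_VAULT`, one leaked BigStoreCo password exposes all three sites, while with `UNIQUE_VAULT` it exposes only BigStoreCo.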

The second advantage of using password management software is that it can automatically enter my passwords — on my PC at work, my Mac at home, my iPhone and my iPad.  Thus, I don’t need to remember that the password was rFidnonEKjpRN7jFVy4r.  I just need to remember a single central password that I use with 1Password, a password that I never use on any online site or anywhere else so nobody knows it but me.  And for my devices that have a fingerprint sensor such as my iPhone 6 and my iPad Air 2, I can often just use my fingerprint to confirm that I am me and unlock 1Password, and have my unique and complex password entered, without my even having to type in my single central password.  (I do have to retype the password every time I restart my iPhone or iPad.)

At this point, you might be saying, isn’t it dangerous putting all of my passwords in one app that a bad guy could access?  And this is a reasonable question.  Just this week, hackers were able to breach the password database used by LastPass, another password management service.  But as security expert Glenn Fleishman of Macworld explained, the silver lining is that because of security measures that LastPass had in place before the hack, it is unlikely that hackers will be able to do anything with what they got as long as users respond to the security alert issued by LastPass and change their master password.  For what it’s worth, one of the things that has always appealed to me about 1Password over LastPass is that the company that runs 1Password doesn’t even have a central database of master passwords like LastPass does, so a hacker cannot simply target 1Password like they did with LastPass.

But whether you use 1Password or LastPass or a similar reputable service, the point is that you are trusting your passwords to software that is specifically designed to make your passwords accessible to you and only you.  The companies that make these products treat security incredibly seriously and update their security measures all of the time.  Nothing is perfect, but putting different, complex passwords in 1Password is infinitely more secure than using the same, simple password on all sites that you visit.  Plus it is more secure than writing your passwords on a sticky note or in a notebook that could be viewed by anyone who walks by your desk, or using a password that could be guessed by someone who knows (or can guess) basic details about you such as the names of your kids, spouse, pets, etc.

As I was finishing up this post, I saw that New Orleans attorney Ernie Svenson just wrote about this same issue a few hours ago on his PaperlessChase.com website.  I’m not the only attorney with security on his mind this week.  If what I wrote above doesn’t convince you to consider using a password manager, read Ernie’s post and see if that convinces you.

In the interest of full disclosure, I’ll tell you now that when you first start using a password manager, it is a pain.  You need to enter all of your current passwords for all of your services, and update all of the passwords that are repeated or simple (which could be most of them).  Also, you need to learn how the software works.  1Password is not complicated, but of course anything new has a learning curve. 

But if you are reading this post, then by definition I know that you are more than smart enough to figure it all out.  And then once you get up and running, you will see all of the advantages.  Your passwords will be much more secure, which is becoming a necessity in today’s world.  Also, these password managers make it much easier and faster to enter your username and password when you visit a website that requires one.  So in the long run, you may even save time.  Also, apps like 1Password can give you a secure place to store other confidential information on your iPhone and iPad such as Social Security numbers.  Plus, you can use the secure notes function to jot down personal private information (such as medical information) or information relating to your job or your clients in a place on your iPad that someone else won’t be able to access even if you are letting them use your iPad.

If you decide to use 1Password, you need to get both the iOS app for your iPhone/iPad and the software for your computer (Mac, or PC, or a combo that has both).  The iOS software for your iPhone/iPad is free, but you will want to pay $9.99 (an in-app purchase) to unlock all of the full features of the app.  The version for your Mac or PC normally costs $50 (or $70 for both), but the company is having a 9th Anniversary Sale right now with a 30% discount.

But whatever password manager you use, please consider using something.  You don’t want the next hacker article in the news to have anything to do with you.

Click here to get 1Password for iOS (free, but $9.99 to unlock all features).

5 thoughts on “Hackers are hacking; you need a password manager”

  1. Jeff, I started to give it a try. I did. Downloaded on iPad pro and paid the $10 for pro features. And then, after some digging around and nearly locking myself out of my Apple ID account, I realized this app, unless I am missing something fundamental, cannot at all do what I thought it could, the one thing that makes it worth the money and effort: automatically save and then enter passwords for each app and website that require them.
    You see, if all 1Password can do is work with a website you’re logging into on a web browser, it’s useless to me. I need it to be compatible with all the common apps (Yahoo mail, Google, Amazon, Facebook, Apple ID, etc.), or its ability to generate long passwords is meaningless. And from what I can tell, none of those super-common apps work with 1Password because there’s no button or option when signing in on those apps to use 1Password to log in. This seems to be confirmed when I read the list of apps that 1Password says “support” it–and that list includes almost none of the important ones.
    I really hope I’m wrong. Please tell me if I am. But if I’m right, and 1Password can’t generate strong passwords and automatically fill them in for me on all iOS apps on all my devices, it’s not for me. I’d love to know if there’s an app that can.

  2. 1Password can automatically enter passwords in a web browser on the iPhone, iPad, PC or Mac. It is possible for 1Password to also automatically enter a password in a third party app, but only if the app developer incorporates 1Password. A number of apps do, and they are listed on the 1Password website:
    https://blog.agilebits.com/1password-apps/
    For other apps, it is true that you need to open 1Password, manually copy your password, and then go into the app and paste it.
    Here is what I use for a workflow. Most apps have a username that is your email address. I created some keyboard shortcuts in the Settings app for my email addresses. For example, if I type jji it automatically enters my iPhone J.D. email; if I type jja it automatically types my Adams and Reese email; etc. So when I go to the app I see which email address I used for a username and I copy the password. Then I go into the app and type the appropriate shortcut to enter my username and then paste the password into the app field.
    I agree with you that 1Password is more useful when third party apps incorporate full support. But even this workaround is not that cumbersome to use, especially when I know that it gives me the advantage of using unique and complex passwords for every website or app.
    -Jeff
