Common Sense Passwords Coming To Law Firms Soon
Be open to changing the way you protect your data.
Ed. note: This is the latest in the article series, Cybersecurity: Tips From the Trenches, by our friends at Sensei Enterprises, a boutique provider of IT, cybersecurity, and digital forensics services.
How Happy is Your Law Firm with the Current Password Requirements?
The usual answer is “we’re not happy, not at all happy.”
Thomson Reuters' Claims Explorer: A Powerful Tool For Legal Claim Identification
Anyone who understands passwords has bemoaned the current state of law firm passwords which make no sense and cause more harm than good. The National Institute of Standards and Technology (NIST) is preparing to change that. Who would believe that a federal agency got it right?
Amazingly, NIST has come out with a well thought out set of changes, released in August 2024, which is very likely to be adopted with little modification sometime after the deadline for responding to public comment on its second draft (via email [email protected]) which is open until 11:59 p.m. Eastern Time on October 7, 2024.
Can You Make the Commonsense New Rules Effective Now?
Sure you can. As a Managed Service Provider (MSP), which provides cybersecurity for many law firms, we distributed the late September NIST proposed rules to our cybersecurity staff. They breathed a sigh of relief that we are contemplating adopting some of the rules soon, after we’ve had a chance to sit down around a conference table and evaluate each new rule and its suitability for law firms and other clients.
Sponsored
Tackling Deposition Anxiety: How AI Is Changing The Way Lawyers Do Depositions
Thomson Reuters' Claims Explorer: A Powerful Tool For Legal Claim Identification
Luxury, Lies, And A $10 Million Embezzlement
Curbing Client And Talent Loss With Productivity Tech
We were heartened when cybersecurity specialist Bruce Schneier, famous in our world, reviewed the proposed rules and gave them a rousing “Hooray!”
Bruce may have been as surprised as we were when he titled his post, “NIST Recommends Some Common-Sense Password Rules.”
You can almost hear his oft-repeated criticism of the old rules when his first sentence says, “NIST’s second draft of its “SP 800-63-4“—its digital identify guidelines—finally contains some really good rules about passwords.”
So, What are the New Rules?
NIST will no longer recommend using a mixture of character types in passwords or regularly changing passwords. Do we hear lawyers shouting “Hooray”? We sure do.
Sponsored
Law Firm Business Development Is More Than Relationship Building
Curbing Client And Talent Loss With Productivity Tech
NIST sets forth technical requirements as well as recommended best practices for password management and authentication. The latest guidelines instruct credential service providers (CSP) to stop requiring users to set passwords that use specific types of characters or mandating periodic password changes (commonly every 60 or 90 days). Also, CSPs are instructed to cease using knowledge-based authentication or security questions when selecting passwords.
When NIST first introduced its password recommendations (NIST 800-63B) in 2017, it recommended complexity: passwords made of a mix of uppercase and lowercase letters, numbers, and special characters. However, complex passwords aren’t always strong (i.e., the famous “Password123!”). And complexity led to users making their passwords predictable and easy to guess, writing them down in easy-to-find places, or reusing them across accounts. We can’t recount the huge number of those mistakes that we encounter regularly with new clients. The NIST focus is on longer passwords which are harder to crack with brute-force attacks and are easier for users to remember without being predictable.
NIST is now recommending password resets only when there’s a credential breach. Making people change passwords frequently means they tend to choose weaker passwords. When passwords are sufficiently long and random, and there’s no evidence of a breach, making users change passwords could potentially lead to weaker security.
Previous versions used the words “should not” while this draft says “shall not,” which means the rule has moved from a suggestion to an actual requirement. Yay!
What Lawyers Should Do Sooner Rather Than Later
Be open to changing the way you protect your data. The advice from NIST is very sound and changes made after the October input are likely to be minor. Be wary of MSPs that want to keep things just as they are. “Just as they are” will not properly protect you.
Our guess is that the cyberinsurance folks will start requiring compliance with the new NIST guidelines, likely in 2025. Get ahead of the curve. Be safer sooner!
Final Thought
One more quote from cybersecurity specialist Bruce Schneier: “Complexity is the worst enemy of security, and our systems are getting more complex all the time.”
Sharon D. Nelson ([email protected]) is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.
John W. Simek ([email protected]) is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia firm.
Michael C. Maschke ([email protected]) is the CEO/Director of Cybersecurity and Digital Forensics of Sensei Enterprises, Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker, and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.
