Password mania
The do’s, don’ts and how could you’s!
By Carol L. Schlein
As a technology consultant, I work with many offices and have access to a huge number of passwords. There are myriad philosophies about passwords: how complex they should be, how often they should be changed, and where and how to store them should someone forget. I’m always astounded when I can return to a client’s office months later and still remember the password. Actually, that should probably scare me, because it means the password is too easy to remember. Balancing complexity with recall can be tricky.
It boggles my mind how many firms have no passwords, or use easily guessed words as the only protection of their system’s data. Setting up computers without a password is akin to leaving the front door of your house open. Forgetting to change default passwords is like leaving the back door open as well.
Yet many small companies do just that with their computers. They may have a password on the server, but none on workstations and applications. I was at a client’s office two weeks ago, and several teenaged children of employees were assisting with filing and other tasks. You can see where this could get dangerous, especially if a teenager decided to look at the firm’s accounting or billing information. Not having a password is a recipe for disaster.
I’ve seen some memorable passwords over the years. One all-time favorite was “money” as the password for the firm’s accounting system. At another firm, each attorney’s password was the name of his or her favorite sports team. Children’s and pets’ names also crop up regularly. Common words, forward or backward (such as “password” or “drowssap”), are too easy to guess and should be avoided; password-guessing tools routinely try dictionary words, reversed words and names before anything else.
Administering passwords can be time consuming and frustrating. A policy that’s too aggressive, forcing users to change their passwords too often, leads to regularly forgotten passwords. Studies have shown that mandatory periodic changes actually result in less secure passwords, because people can’t recall them or revert to simpler patterns (bumping a digit at the end, for instance). Complex or long passwords that bear no relation to real words or numbers are more difficult to remember. If passwords are too obscure, people must write them down, paradoxically making them less secure. (Did you know nearly 50 percent of passwords are written down?) At the same time, a policy that’s too lax is vulnerable to hackers.
What works
Without giving away my passwords (and some of my clients’), I recommend a combination of initials and easily recalled numbers such as phone extensions, employee ID numbers if the firm has them, or the floor number or building address. (The last four digits of a Social Security number are tempting, too, but those digits double as an identity check with banks and benefit providers, so keep them out of passwords.) The trick is to intersperse the numbers between the letters so the result looks cryptic to outsiders but is easy for firm employees to remember. One consequence of this combination is that the password is usually only five or six characters (a mix of letters and numbers). Treat that as a floor rather than a target: every added character multiplies the number of guesses an attacker has to make. Bear in mind, too, that initials and extensions are known to everyone in the office, so this scheme keeps outsiders guessing but does little against a coworker who knows the pattern.
While researching for this column, I found an interesting paper by two computer scientists at Purdue University, “Have the cake and eat it too: Infusing usability into text password based authentication systems” by Sundararaman Jeyaraman and Umut Topkara (www.acsac.org/2005/papers/198.pdf). It describes an approach that balances complexity with easier recall.
They propose using the first letter of each word of an easily recalled phrase. Drop filler words like “the,” and change any word-initial vowel to a look-alike digit, so “O” becomes zero. The phrase “the quick brown fox jumped over the lazy dog” then yields “qbfj0ld”: the O from “over” becomes 0, and the L from “lazy” can remain or be replaced by the numeral 1. If the right phrase is chosen, the result is a password long enough to include both letters and numbers, one that looks random to others but is easy for the user to recall. The hardest part is coming up with phrases. Consider the first sentence of a novel or children’s book, or a favorite quote, but prefer a line that is memorable to you over the most famous one you can think of; well-known quotations are exactly what a guessing tool tries first.
There’s an entire substitution alphabet, “leet speak,” used in text and instant messaging. It substitutes ! for the letter L, 3 for E (a backward E), 7 for T, 1 for I, and so on. A good article on learning leet speak so you can incorporate it into your passwords can be found at www.microsoft.com/athome/security/children/leetspeak.mspx. I even came across a leet speak generator that converts any phrase or text you enter; check out www.ryanross.net/leet/. Keep in mind that these common substitutions are built into password-cracking tools, so they add variety rather than real secrecy. The Purdue computer scientists also recommend using only lower case letters to keep things simpler and more consistent.
Changing passwords
IT professionals have traditionally recommended changing passwords periodically for each user and application, although, as noted above, forced changes tend to produce weaker passwords. If your firm does rotate them, the paper offers an easy variation: end the password with the last letter of the final word instead of its first letter. For “the quick brown fox jumped over the lazy dog,” the password would end in G instead of D, giving “qbfj0lg.” This gives staff a second, similar password to alternate with when a change is due. Note that the two versions differ by only one character, so anyone who learns one can guess the other; the variation is a memory aid, not a remedy for a password that has leaked.
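To make the method concrete, here is a small Python implementation of the phrase-to-password derivation described above, the leet substitutions, and the rotation variant from this section. It is an added example, not code from the column or from the Jeyaraman and Topkara paper. The column only specifies dropping “the” and turning a leading O into 0; treating “a” and “an” as filler, digitizing a leading I or E (1, 3) the same way, and rejecting phrases that produce fewer than seven characters are my assumptions.

```python
"""Phrase-to-password derivation as described in the column.

Added example; not code from the column or from the Jeyaraman/Topkara paper.
Rules taken from the text: drop filler words such as "the", keep the first
letter of every remaining word, turn a leading "o" into "0", optionally apply
the leet substitutions the column lists (l->1, e->3, t->7, i->1), and, for the
rotation variant, end with the LAST letter of the final word instead of its first.
Assumptions of mine: "a" and "an" are also dropped as filler, a leading "i" or
"e" is digitised (1, 3) the same way as "o", and a minimum length is enforced
so a too-short phrase is rejected instead of yielding a tiny password.
"""
import re

STOP_WORDS = frozenset({"the", "a", "an"})        # "the" from the column; "a"/"an" assumed
VOWEL_DIGITS = {"o": "0", "i": "1", "e": "3"}     # o->0 from the column; i/e assumed from its leet list
LEET = {"l": "1", "e": "3", "t": "7", "i": "1", "o": "0"}  # column's leet examples (it also offers "!" for l)


def phrase_words(phrase: str) -> list[str]:
    """Lower-case the phrase, keep alphabetic words only, drop filler words."""
    return [w for w in re.findall(r"[a-z]+", phrase.lower()) if w not in STOP_WORDS]


def derive_password(phrase: str, *, rotate: bool = False, leet: bool = False,
                    min_length: int = 7) -> str:
    """Return the password the column's method produces for ``phrase``.

    rotate: use the last letter of the final word as the final character
            (the "Changing passwords" variant).
    leet:   apply the full leet table instead of only digitising vowels.
    """
    words = phrase_words(phrase)
    if not words:
        raise ValueError("phrase contains no usable words")
    chars = [w[0] for w in words]
    if rotate:
        chars[-1] = words[-1][-1]
    table = LEET if leet else VOWEL_DIGITS
    password = "".join(table.get(c, c) for c in chars)
    if len(password) < min_length:
        raise ValueError(f"phrase yields only {len(password)} characters; "
                         f"pick a longer phrase (minimum {min_length})")
    return password


def rotation_pair(phrase: str, **kwargs) -> tuple[str, str]:
    """The two passwords a user would alternate between. They share every
    character but the last, which is why the variant is a memory aid only."""
    return (derive_password(phrase, rotate=False, **kwargs),
            derive_password(phrase, rotate=True, **kwargs))


if __name__ == "__main__":
    phrase = "the quick brown fox jumped over the lazy dog"
    print(derive_password(phrase))              # qbfj0ld
    print(derive_password(phrase, leet=True))   # qbfj01d
    print(rotation_pair(phrase))                # ('qbfj0ld', 'qbfj0lg')
```

The `min_length` guard is the part worth keeping even if you never use the rest: the column calls for a phrase that gives a “long enough” password, and a short, catchy phrase such as “the cat sat” silently produces a two-character result unless something refuses it.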
There are a number of tools within Windows and many applications that support good password policies. Through Local Security Policy or Group Policy, Windows can be configured to require a minimum number of characters for each password and to define how long before a user must set a new one. Additionally, each workstation’s screensaver should be set so that if a person hasn’t touched the computer for a specified time, the system locks and requires the password before work resumes.
Make sure to close the back door, too. I worked with a corporate legal department recently that was scrupulous about setting Windows passwords. However, its main application still had a default user with the original password; it took me about two seconds to access its supposedly secure database. I’ve often been able to change antivirus settings by guessing the default password. Don’t forget to check devices connected to your network, such as routers, as well as remote devices, such as Palm-based phones. Imagine someone else getting hold of your information when you misplace your telephone!
Best practices
There are other best practices to consider as part of a password policy. Keep a master list of passwords secure, not on a Post-it next to the computer. Make sure someone in the office with administrator-level access holds the master list (for the server, workstations and key applications), so you don’t have to track down the firm’s network support when you can’t remember how to get into your systems.
Users should each have their own password. It isn’t wise to have everyone use the same password, their initials or something else known to the rest of the firm’s personnel. Shared credentials in the wrong hands, such as a disgruntled employee’s, can wreak havoc, and they make it impossible to tell afterward who did what. Ensure all employees know that their password should be kept secret. Once a password is known to others, it’s completely ineffective. Be careful about using “remember this password” or automatic login, since they allow anyone who sits down at the workstation, not just its normal user, to access those applications or websites.
The trick is to balance complexity with an easy to remember system. A sane policy combines ease of use with adequate protection.
Carol L. Schlein is president of Law Office Systems in
Montclair, a training and consulting firm specializing in
law firm automation. Copies of her previous columns are on
losinc.com, which also
lists upcoming meetings and training classes. For
information, e-mail
info@losinc.com or check the website. Schlein formerly
chaired the Computer and Technology Division of the ABA Law
Practice Management Section and can be reached at
carol@losinc.com.
Questions for Carol L. Schlein on law office technology may
be e-mailed to New Jersey Lawyer at
news@njlnews.com or
faxed to (908) 226-0165.