Cybersecurity for Lawyers: 3 Steps to Better Passwords

Small law firms and solo practitioners are at a special level of risk when it comes to cybersecurity. Lawyers (and other professionals in small practices like doctors, accountants, and financial advisors) have a significant amount of sensitive data on their systems compared to the size of the firm. This makes law firms a high-value target for hackers: the sophistication of the security is likely to be low compared with the value of the data being protected.

No one wants to be the next "Panama Papers" law firm

There is no such thing as perfect cybersecurity. The goal cannot be to get to 100% secure. That’s no reason, though, not to go from 10% secure to 50% secure, or even to 20% secure. Most hackers are looking for low-hanging fruit. The further you move your business up the tree, the more likely a hacker is to move on to someone easier to breach.

Fortunately, there are some low-cost ways to improve your cybersecurity that won’t bog down your business processes. This week, I’ll talk about passwords.


You’re still using one or two passwords for everything, aren’t you? I hope not, but if you are, you should stop doing that and improve your password control. That doesn’t mean you have to memorize a bunch of different passwords, though. Here are three easy ways to make passwords more secure:

1: Use a Password Manager

I use LastPass. There are others. You simply create one password (for the password manager itself), and it remembers all your other passwords. Better yet, it will generate a long, complicated password for each site for you, and store that password. LastPass will integrate with your browser so that it will suggest usernames and passwords on the login pages of your sites. Where it does not, you can log in to LastPass and copy the password and paste it into the login page, so you don’t have to retype the whole thing. You can also log in to LastPass first, and then use it to log you into your sites.

2: Enable Two-Factor Identification

Multi-factor identification is the new thing in cybersecurity. Two-factor identification combines the traditional “something you know” protection (your username and a password) with something else, like:

Something you have, like a phone, confirmed with a text

Something you are, like your fingerprint

Somewhere you are, like geolocation on your phone

For instance, when I log into Google on a computer, Google sends a message to the Google App on my phone. I enter the number Google sends to my phone into the spaces on the computer, and I’m allowed in.

Many platforms allow you to enable two-factor identification. One list of websites supporting two-factor identification can be found here:

For extra credit, enable two-factor identification for your LastPass account as well.

3: Outwit Security Questions

An early form of two-factor identification attempted to pair your password and username with another “something you know” in the form of security questions. The problem is that many hackers already have access to information about you. They may know your mother’s maiden name or even the name of your childhood best friend or a beloved pet or whatever.

Defeat insecure security questions by mixing up the answers. The question may be “where were you born,” but I’m going to answer my favorite ice-cream flavor, and remind myself of my answer in LastPass in the “comments” section.

You can also answer the question backwards. If my mother’s maiden name is Smith, I would answer “Htims,” or even “HtimsSmith.” Remember, we’re not working on perfect, we’re working on better.

Let someone else be the low-hanging fruit.

Bonus Tip: Use Passphrases Instead

There is some new data out there that indicates that a long passphrase may be more secure than a traditional password. To use a passphrase, you come up with a long, non-autobiographical sentence (with no spaces) as your password. You can use something like myfavoritebookofalltimeisthethreemusketeersbyalexandredumas. The problem here is that some password programs require you to have a capital and lowercase letter, a number and a symbol. If so, you might use something like myfavoritebookofalltimeisTheThreeMusketeersbyAlexandreDumasandIfirstreaditin1984. The point here is that it is long and hard to break, while at the same time being something you can remember. For bonus points, have a different passphrase for each account, and use LastPass to remember them.
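What a password manager does when it generates a long, complicated password for each site, together with the made-up security answers from step 3, sketched as an added Python example (not LastPass's code and not from the original post). The symbol set, the lengths and the `.example` site names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes that password rules commonly demand (capital, lowercase, number, symbol).
# The symbol set is an assumption; sites differ in which symbols they accept.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_=+"]
ALPHABET = "".join(CLASSES)


def generate_password(length=24):
    """Return a random password containing at least one character from each class."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        # secrets draws from the OS CSPRNG; the random module is not suitable here.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling: redraw instead of forcing characters into fixed slots,
        # so no position in the password is predictable.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def generate_security_answer(length=16):
    """Return a random answer unrelated to the question, to be stored in the manager's notes."""
    return "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on guessing entropy for a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def build_vault(sites):
    """Give every site its own password and its own made-up security answer (no reuse)."""
    return {site: {"password": generate_password(),
                   "security_answer": generate_security_answer()} for site in sites}


if __name__ == "__main__":
    # Constructed site names, for illustration only.
    vault = build_vault(["bank.example", "court-filing.example", "email.example"])
    for site, entry in vault.items():
        print(site, entry["password"], entry["security_answer"])
    print("approx. bits for 24 random characters: %.0f" % entropy_bits(24))
```

Because every site gets an independent random value, a password or security answer leaked from one site reveals nothing about the others.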