The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/411912
30 PEER TO PEER: THE QUARTERLY MAGA ZINE OF ILTA CASE STUDIES Last August, I had the pleasure to present at the ILTA conference in Las Vegas. During the presentation, an ad hoc discussion regarding password complexity and duration broke out. When I mentioned that the firm in which I was working had just implemented a password duration of 45 days (meaning people had to change their passwords every 45 days), the gasps in the room were more than audible. People responded with the usual, "Our policy is a 90/120/180 day period and we'll never be able to get buy in for a change, even though we know we should." The number one question posed after the session was about how I convinced management to adopt stronger password policies, when people don't like to be bothered with passwords to begin with. Many could hear the pushback in their management's voices already. My answer? I made the business case for cost, associated with the risk of not making the change, and put a dollar amount to it (or rather, the potential costs of ignoring the situation). I will now share those arguments and formulas with you. (Bear with me, some math is involved.) ENCOURAGE COMPLEX PASSWORDS The most basic argument is based on an obvious, but often overlooked, concept. An organization may spend tens or hundreds of thousands of dollars on security infrastructure and technology, but all of that security can be undone by just one weak or compromised password. A law firm is only as secure as its weakest password. Strong password creation must be taught, enforced and then reinforced. How complex does a password have to be? The answer is: just complex enough that it cannot be cracked in a reasonable amount of time. In order to have strong passwords there are two options. 1. Extend the passwords to a length beyond what the human mind can easily recall, but this leads to the frustration and resistance of complex password use (enter Post-it note on the monitor). 2. Change the passwords more frequently. But how frequently? We can figure this out by looking at the time it might take to crack a captured password. IT'S ALL IN THE NUMBERS To begin, let's assume: • The standard 31 symbols (uppercase, lowercase, numbers and symbols) are being used in the password creation • Your policy requires one of each (most organizations do not, but let's be optimistic) This gives us, potentially, 93 different character sets for us to create our password with. A computer which has multiple four gigabyte processors (four) and a single GPU can generate 400,000,000,000 keys per second. That means the average time it would take to bust a 10-digit password is 71 days. (This tells us the best-case scenario is 142 days of password protection. The worst case is that the password is cracked on day About the Author Mark Brophy, Director of Security Services and Risk Management at Keno Kozie Associates, Ltd., is responsible for developing and implementing security assessments, business continuity and risk management plans for Keno Kozie's law firm clients. Before joining Keno Kozie, he was an IT director for several law firms and a frequent ILTA volunteer. Contact Mark at mbrophy@kenokozie.com. The Business Case for Stronger Password Policies There are many unwritten challenges when working in IT for a law firm. The unique organizational designs of management can make the decision-making process problematic. Biased opinions often trump rational, fact- based decisions. Nothing reflects this issue more than password policies.