A password is such a simple thing.  People do not need much help to make a password.  The difficulty comes when you want them to make a strong password.  It increases when you ask them to make multiple unique passwords.  As the difficulty increases, you create reluctance because each new, unique, strong password slows down people who want to login quickly.  It is easier to use a memorized password than to have to look it up or copy it each time. Accessing passwords is friction.

We use simple, multi-purpose passwords because they reduce that friction.  Password managers like LastPass should be secure options that create an advantageous balance between friction and risk.  Organizations like law libraries, that have both private and shared passwords, can benefit from cloud-based password managers.  But what do you do when the password managers are hacked? 

LastPass is one of a number of cloud-based password managers.  It is the latest one to be hacked, as of this post.  The hackers took encrypted password vaults and customer backups.  Oh, and the encryption key.  I have for many years advocated that you use a password manager, but one that is not internet-accessible.  If I were a LastPass customer, I’d reset all my passwords.

I am not a LastPass customer.  And I’m glad, as I have well over a hundred passwords that I’ve accumulated over the years.  When I first started using a password manager, I went back over old accounts and ensured each one was unique and strong.  Even when I deactivate an account, I keep the old password and do not reuse it. 

But this is not a case of schadenfreude.  I used LastPass myself about a decade ago, even though they had a security problem back in 2011.  It isn’t the first online password manager to be hacked and it won’t be the last.  So how do we balance this friction issue (more friction with more security, slowing people down) with risk (less friction, weaker passwords, easier to hack, and cloud providers who are themselves not securing our password vaults)?

This is particularly true in a work environment.  If your library reference team is like ours, some databases come with only one password to be used by multiple people.  You need a way to share that easily and quickly.  Or your law library might be like ours, where we have some mission critical passwords.  What happens when the one person who has access to them leaves the library?  How do you manage password access to ensure that your law library’s operations aren’t interrupted? 

You should use IP authentication!  You should use SAML!  Then you don’t need passwords!  You should …  realize that publishers are not all equal and not all resources can use single-sign-on or seamless authentication mechanisms. 

I still prefer offline password management.  But I also realize that’s not the right fit for everyone.  And, as any leader knows, what works for you personally may not make sense organizationally.  We’re starting to work through that ourselves. 

Decrease Resistance 

The Department of the Interior recently audited their passwords.  It didn’t go well: 16% of passwords were cracked within 90 minutes of starting the testing.  I expect that many organizations would suffer the same result.  Organizations are trying to balance friction and risk too.  Sometimes they use antiquated approaches, like forcing passwords to be changed after a period of time rather than only on suspicion of a breach, or limiting you to 10 characters (instead of requiring at least that many).

For example, the most commonly reused password (Password-1234) was used on 478 unique active accounts. In fact, 5 of the 10 most reused passwords at the Department included a variation of “password” combined with “1234”; 

P@s$w0rds at the Department of the Interior, January 2023

I used more than 26 iterations of the same Windows password (based on a defunct frequent flyer number), changing the last character, both to satisfy MFPOW’s password scheme and to avoid having to come up with a good, strong password every 90 days.  It’s the one you have to memorize, so why force people to change it?  What would have been better?  Let me create one really strong one and keep it forever.

The National Institute of Standards and Technology (NIST) guidelines issued in 2017 (updated in 2020) are a great read, both on how to make strong passwords and on how to encourage people to store passwords in, and retrieve them from, password managers.  They emphasize creating an environment where people can use password managers, including allowing them to cut and paste passwords into login screens.
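The NIST approach described above (a length floor, screening against known-bad passwords, and no composition rules or expiry clock) can be written down as a small acceptance check.  What follows is an added example written for this page, not code from the post or from NIST.  The blocklist is a constructed stand-in for a breached-password corpus, the sequence and lookalike tables are this example’s own, and the sample candidates (including the “password” plus “1234” variants the Interior audit turned up) are constructed:

```python
"""NIST SP 800-63B-style screening of a user-chosen password (added example)."""
import re
import unicodedata

MIN_LEN, MAX_LEN = 8, 64  # NIST: require at least 8, permit at least 64

# Constructed stand-in for a breached/common-password corpus. A real check loads
# a large list and looks up the canonical form below, not the raw string.
BLOCKLIST = {
    "password", "passwords", "letmein", "qwerty", "welcome",
    "changeme", "iloveyou", "admin", "monkey", "dragon",
}

# Lookalike substitutions, so "P@s$w0rd" screens the same as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

# Keyboard rows and ordered runs; a password that is just a slice of one of
# these (or of its reverse) is "sequential" in NIST's sense.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def canonical(pw: str) -> str:
    """Reduce a password to the base word a wordlist would hold: Unicode-normalise,
    lowercase, drop the "-1234" / "!" / "2023" suffix and any leading digits, then
    undo lookalike substitutions."""
    s = unicodedata.normalize("NFKC", pw).lower()
    s = re.sub(r"[^a-z]+$", "", s)     # trailing digits and punctuation
    s = re.sub(r"^[^a-z@$]+", "", s)   # leading digits/punctuation ('@', '$' may start a word)
    return s.translate(LEET)


def screen(pw: str, username: str = "", service: str = "") -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Deliberately absent: composition rules ("one upper, one digit, one symbol")
    and any expiry clock. NIST drops both, because they push people toward
    Password1 -> Password2 -> ... rather than toward a strong secret."""
    reasons = []
    norm = unicodedata.normalize("NFKC", pw)
    n = len(norm)  # count code points, so non-ASCII passphrases are not penalised
    if n < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if n > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")

    base = canonical(pw)
    if base in BLOCKLIST:
        reasons.append(f"common password (normalises to {base!r})")

    low = norm.lower()
    if low and len(set(low)) == 1:
        reasons.append("single repeated character")
    if low and any(low in seq or low in seq[::-1] for seq in SEQUENCES):
        reasons.append("sequential characters")

    # Context-specific words: the username and the service name.
    for ctx in (username, service):
        if ctx and ctx.lower() in low:
            reasons.append(f"contains context word {ctx!r}")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, including the Interior audit's favourites.
    for cand in ("Password-1234", "P@s$w0rds", "12345678",
                 "jsmith2023!!", "Tr0ub4dor&3", "correct horse battery staple"):
        verdict = screen(cand, username="jsmith", service="lawlib")
        print(f"{cand!r:32} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Note what the check does not do: a long passphrase of lowercase words passes, and “Tr0ub4dor&3” passes despite its odd spelling, because the only rule about content is “not already known to attackers”.  The normalisation step is what makes the blocklist useful; without it, every one of the Interior audit’s spelling variants would slip past a plain string match.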

Individuals have to make their own choices.  But organizations need to find ways to drop resistance to strong, unique passwords.  They need to reduce friction.  One of the easiest ways can be to use a password manager. 

So use a password manager.  Use a simple one, like a Microsoft Word or Excel 2016 document that itself has a password.  Or use a dedicated one that includes a password generator and a strength meter, like KeePass or Bitwarden, open source options whose code has been reviewed for security assurance.

If your organization can tolerate a bit of friction, add multi-factor authentication.  I’d say mandate it, but MFA creates friction, so it may be a goal to reach once people are accustomed to using password managers.  That friction is why MFA systems offer a “remember this device” option (which you can use, but shouldn’t) so that you don’t have to enter your MFA token each time.  It saves time, but it also means anyone else who can access your device doesn’t need your MFA either.

But a password manager is probably the baseline nowadays.  It offloads the cognitive load of having to create and remember strong, unique passwords.  It minimizes the excuse of difficulty, of friction. Instead, you have to remember one strong unique master password to get access to your vault of passwords.  Free advice: your master password should not be Password1234!  There is a lot of good advice on passphrases and other secure but memorable options for your master password.
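The last few paragraphs lean on two features of a dedicated manager, its generator and its strength meter, and on a passphrase for the master password.  As an added example, not from the post or from any product named here, this shows how a generator should draw from the operating system’s randomness source, how the entropy of a generated secret is computed, and why a meter’s number is only trustworthy for secrets that were generated rather than chosen.  The 64-word list, the strength thresholds and the function names are this example’s own choices; the size of the EFF long wordlist (7776 words) is the one real figure used:

```python
"""Generator and entropy meter for manager-stored secrets (added example)."""
import math
import secrets
import string

# Constructed 64-word list (6 bits per word) so the example runs offline. A real
# manager uses a large curated list such as the EFF long list: 7776 words,
# about 12.9 bits per word.
WORDLIST = (
    "acorn almond anchor anvil apple arrow badger bamboo "
    "banjo barley basket beacon beaver bishop bottle bridge "
    "bubble cactus camera candle canyon carbon castle cedar "
    "cherry circle clover comet copper coral cotton cricket "
    "crystal dagger dahlia desert dolphin donkey eagle ember "
    "engine falcon feather fiddle forest fossil garden giraffe "
    "glacier goblet guitar hammer harbor helmet hermit hollow "
    "iceberg igloo island ivory jacket jasmine jungle kettle"
).split()

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(symbols: int, pool_size: int) -> float:
    """Entropy of a secret built from `symbols` independent uniform picks
    out of a pool of `pool_size` choices: symbols * log2(pool_size)."""
    return symbols * math.log2(pool_size)


def generate_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = " ") -> str:
    """Memorable master-password candidate. secrets.choice uses the OS CSPRNG;
    random.choice is seedable and must never be used for secrets."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Per-site password that lives only in the vault, so it need not be memorable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def naive_bits(pw: str) -> float:
    """The alphabet-size estimate a typical meter makes for a typed password.
    It is an upper bound only: 'Password1234!' scores about 85 bits here yet is
    in every cracking wordlist. Trust the arithmetic for generated secrets only."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32
    return entropy_bits(len(pw), pool) if pool else 0.0


def strength_label(bits: float) -> str:
    """Coarse meter. The thresholds are this example's own choice, not a standard."""
    if bits < 40:
        return "weak"
    if bits < 70:
        return "fair"
    if bits < 100:
        return "strong"
    return "very strong"


if __name__ == "__main__":
    pp = generate_passphrase(6)
    print(f"passphrase: {pp!r} -> {entropy_bits(6, len(WORDLIST)):.1f} bits "
          f"({strength_label(entropy_bits(6, len(WORDLIST)))})")
    print(f"same 6 words from the EFF long list -> {entropy_bits(6, 7776):.1f} bits")
    pw = generate_password(20)
    print(f"site password: {pw!r} -> {entropy_bits(20, 94):.1f} bits")
    # Constructed human-chosen example showing why meters mislead:
    print(f"'Password1234!' meter estimate -> {naive_bits('Password1234!'):.1f} bits, "
          f"but it is a known password")
```

The design point is the last line: a meter can only measure the process that produced a secret.  For a generated passphrase the arithmetic is exact, so a manager can honestly tell you that six words from a 7776-word list are about 77 bits; for a password a person typed in, the same arithmetic is a ceiling, and screening against known passwords (as in the NIST guidance) matters more than the meter’s score.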

Finding a Balance 

If you can at least land on the idea that password managers are integral, now you can discuss whether to use an online one or an offline one.  As I say, I prefer the latter.  But one thing any law library director knows is that what’s best for your staff isn’t necessarily what you would do yourself. 

One of the things we’re looking at in our law library is that balance.  We want to move staff to a password manager that can be shared.  A password manager will provide a tool for staff to be able to make lots of strong, unique passwords.  A shared password manager will allow us to put passwords – like legal publisher databases – that need to be shared into a secure pool.  And if there’s one thing we’ve all realized, once you want to share a resource, the easiest way is to use a network.  Or, in this case, the cloud. 

After LastPass, how do you assess a cloud-based password option?  I’ve written about Bitwarden, which is one of the products we’re looking at.  We could always run our own password manager but that’s not our business.  One benefit of the cloud is that we can, in theory, place responsibility for these services with people who know what they’re doing and can manage the servers etc.  See the Financial Times’ thoughts on running a Mastodon server (tl;dr, don’t run your own server unless you know what you’re doing.)  

I’ve been using Bitwarden now for a couple of weeks.  They have a free account and I have apps on my Windows and Android devices to synchronize my password vault.  Before, with KeePass, I would save my changes to a local password vault and synchronize that vault to my OneDrive account.  Bitwarden also syncs my vault, but somehow I feel more confident about my Microsoft OneDrive security, layered with MFA.   

I like Bitwarden.  But it isn’t a feature improvement over my previous personal password system.  What it does offer is the ability to share passwords within an organizational vault.  You can manage user access to that organizational vault, making passwords read-only.  As far as I can tell, this doesn’t make them private.  Once you use a password, if that login page allows you to view the password, you’ll be able to see it and copy it yourself.  Like an email that has been sent, once you’ve shared it, you may not be able to control who else gets a hold of it. 

That’s not a huge concern for me.  Shared passwords would, by their nature, not be for resources that have a lot of risk around them.  You would never share a password to an accounting or billing system.  But you might to the latest court opinions or another licensed read-only database.  In that risk to friction balance, sharing a read-only version of a password to a team will reduce friction.  If they’ve already committed, individually, to using password managers, keeping all the passwords in one place makes sense to me. 

One of the biggest challenges for me recently was accessing a bunch of accounts that belonged to a staff person who died.  I had to figure out how to create that password file to manage (tl;dr, do not save your passwords in a browser).  If we use an organizational password, I can create a work vault that can be reassigned to my replacement on my death or departure.  Or we can lock a user out of our shared password system on their departure.  We can then change shared passwords without anyone having to learn a new one or be alerted.  It takes some of the risk out of personnel transitions. 

I am still not sold, though, on cloud-based passwords.  Even as I use Bitwarden personally, each time I save a password, I think of losing the entire vault.  I don’t have the expertise to know how likely that is, except that it has already happened multiple times to other providers. 

My own risk tolerance may mean that keeping my personal passwords offline is the best option.  But I can see the value of sharing at least my operational work passwords, and of being able to access others’ shared passwords.  It should make us more secure and reduce some of the friction of having strong, unique passwords.  Hopefully cloud-based password managers will learn and iterate, making the risk v. friction choice even simpler.