Even as more legal documents migrate to the Internet, and more confidential matters are discussed on e-mail, these sensitive papers continue to be "protected" in the same old clunky way they've been for years: a password that is easily guessed. Our universal password to financial accounts is our mother's maiden name, which presumably is known to other members of our family, if only to our mother. Names of pets, sports heroes, or children are other popular "secret" passwords.
Worse, many people (including me) don't take great care to protect our easily-guessed passwords. In a British study, more than 70 percent of people surveyed readily disclosed their passwords in exchange for a bar of chocolate. The survey, carried out for the Infosecurity Europe trade show, held in London last spring, was conducted by questioning commuters passing through Liverpool Street tube station in England's capital. Thirty-four percent of those surveyed helpfully volunteered their logins and passwords without even needing to be offered the chocolate.
Now, a few points about the weakness of the survey method. Presumably you could offer any old random, plausible-sounding term as your password and get your chocolate. Still, the numbers are so high that even if half of the people fibbed, that still means that 35 percent of those surveyed gave their actual passwords, and none were recorded as objecting to the question. (Imagine if people stationed at Metro stations in Washington asked for your Social Security number as you were passing through the turnstile.)
Now, I have a sweet tooth, and wonder how I'd stand up to this inducement, especially if what was offered was a large bar of Cadbury's Fruit and Nut chocolate. The survey does not say which chocolates were offered, but I don't think that the conclusion that I first drew - egads, people need to be educated on security - is the right one. Rather, we need a better system that doesn't depend on secret words, numbers, or some combination thereof.
Almost all of those questioned, 80 percent, said they were fed up with passwords and would like a better way to log in to work computer systems and Web sites. Some people have to remember four or more passwords on a daily basis. If passwords are changed frequently, some people (including me) just add a 1 or a 2 to our old password.
The ordinary reaction of some in the high-tech community is to blame the consumer. "Those stupid people." Well, I'm tired of blaming the consumer. Why can't the tech industry invent and market an easy, low-cost, secure alternative to access information we need, that doesn't depend on a secret word or word-number combination, which many computer programs can guess? It's only a matter of time until important information is stolen (and I don't mean credit card information; thefts of credit card information are so common that we know how to handle them - phone to cancel the card). I wonder if a lawsuit will be filed, based on negligence or breach of fiduciary duty, because confidential information was protected by a login such as an e-mail address and an easily-guessed password.
Until the tech industry is able to help us, the customers, to protect our information in a reasonable way, intelligent, ordinary people will use passwords that are easy to remember and thus easily guessed. If the passwords are assigned, or frequently changed, then people will write them down in places where they can be easily accessed. This isn't because people are stupid, or careless, or badly educated about security. It's because we are busy and human. The sooner the technology and security industry realizes this, and treats us flawed human beings as clients that need better service, rather than idiots who don't want their password to be "d*&^#2efth!," the safer our information will be.
If lawyers can counsel their tech clients to acknowledge this, all the better.