
Passwords, Pa$$w0rd5: How to Protect Your Company’s Information

We all know that we are not supposed to use the same password for everything. But how can we possibly manage a different password for each of the products and services that we use? To honor the new NIST guidance in NIST 800-63-3, which has just finished accepting public comments, this article reviews passwords, along with some tips and tricks to keep your digital information safer and more secure.

Common passwords (i.e., Don’t use these)

According to Computerworld, the most common passwords for the past five years are all too laughably easy, such as a string of numbers anywhere from 1234 up to 1234567890 or even 111111. Some of the others are password. Yes, password, or the less well-used passw0rd. Others that hit the top 25 are qwerty, qwertyuiop, football, baseball, welcome, login, or letmein. Some got a little creative with 1qaz2wsx (type it out on your keyboard) or abc123. Some of us like animals — and apparently many of us love monkeys and dragons. But it is good to see “Star Wars” lovers represented with solo, master, princess, and starwars.

It is understandable why so many people choose these common words due to the enormous hassle of trying to keep track of multiple different passwords. Part of the problem may be that manufacturers use such common words as the default passwords and customers simply never change them. This can be a huge problem, as hackers can enter your “house” through these cracks in the virtual walls and access other areas. This is how the infamous Target credit card breach in 2013 happened.

The HVAC vendor had remote entry authentication into Target systems. Hackers then managed to breach that system to gain entry to the point-of-sale system. To see how common this problem could be, check out this website that provides the default passwords for over 350 companies or this one with default router passwords.

Manufacturer default passwords are not considered reasonable security measures

Recently, however, there has been talk in the industry about holding manufacturers accountable for easy-to-infiltrate default passwords. Most notably, the US Federal Trade Commission (FTC) filed suit against D-Link for failing to take reasonable steps to secure its routers and cameras against known security flaws.

Specifically, the FTC states that by using a compromised router, an attacker could obtain consumers’ tax returns or other files stored on the router’s attached storage device. They could then redirect a consumer to a fraudulent website, or use the router to attack other devices on the local network, such as computers, smartphones, IP cameras, or connected appliances.

The FTC took similar action against the computer manufacturer ASUS, which resulted in a settlement agreement, and brought related charges against TRENDnet (which also resulted in a settlement) for failing to use reasonable security to design and test its software.

Actions to take

How can you better protect your personal or professional information? As lawyers, we often work with the requirements for our employers’ own projects as well as contract clauses, vendor oversight measures, procurement processes, and due diligence. In the internal role, we ensure we are providing reasonable default passwords for our own products and services, issuing account access, etc. For vendors, we verify that they provide secure passwords. If not, we either create an internal policy to change default passwords or strengthen the password policy. In order to provide extra security, we should investigate where the single sign-on process works and where it should not work. Convenience for us equals convenience for hackers.

On a personal level, always change your default passwords. You should separate the passwords that you use at work and at home. Try to implement different levels of passwords for different categories of information. Your banking information may require more security measures than your Netflix account.

Helpful hints

Implement two-factor authentication where possible. If you log into an account from an unknown device, your account should require you to enter a code that is sent to your email or phone. I cannot tell you how many Gmail alerts I’ve gotten that say an email has been created under my account, and to please click here to authorize — but it is never me. If I did not have the two-factor set up, there is no telling how many emails are set up using my information.
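The unknown-device code described above also has a server side: the code must be generated unpredictably, stored so that a database leak does not expose it, expire, work only once, and resist brute-force guessing. The following Python is an added example written for this article, not code from the author or from any vendor; the in-memory store, the five-minute lifetime and the five-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # assumption: a code expires five minutes after it is issued
MAX_ATTEMPTS = 5              # assumption: lock the challenge after this many wrong guesses


@dataclass
class Challenge:
    code_hash: bytes          # only a hash of the code is stored server-side
    expires_at: float
    attempts: int = 0
    used: bool = False


# Constructed in-memory store keyed by user id; a real service would use a database.
_challenges: Dict[str, Challenge] = {}


def _hash_code(user_id: str, code: str) -> bytes:
    # Bind the hash to the user so a code issued for one account cannot be
    # replayed against another account.
    return hashlib.sha256(f"{user_id}:{code}".encode("utf-8")).digest()


def issue_code(user_id: str, now: Optional[float] = None) -> str:
    """Create a one-time code for user_id and return it so it can be sent by email or SMS."""
    now = time.time() if now is None else now
    # secrets (a CSPRNG) rather than random: the code must not be predictable.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _challenges[user_id] = Challenge(_hash_code(user_id, code), now + CODE_LIFETIME_SECONDS)
    return code


def verify_code(user_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for the correct, unexpired code; False for anything else."""
    now = time.time() if now is None else now
    challenge = _challenges.get(user_id)
    if challenge is None or challenge.used or now > challenge.expires_at:
        return False
    if challenge.attempts >= MAX_ATTEMPTS:
        return False          # too many wrong guesses: the user must request a new code
    challenge.attempts += 1
    # Constant-time comparison of the hashes avoids leaking how many digits matched.
    if hmac.compare_digest(challenge.code_hash, _hash_code(user_id, submitted)):
        challenge.used = True  # single use: a replayed code must fail
        return True
    return False


if __name__ == "__main__":
    code = issue_code("alice")
    print("code sent to alice:", code)
    print("first use accepted:", verify_code("alice", code))
    print("replay accepted:", verify_code("alice", code))
```

The `now` parameter exists so expiry can be tested deterministically; production callers leave it unset. Hashing the code instead of storing it plainly means a leaked challenge table still does not let an attacker log in, and the attempt counter keeps a six-digit code from being guessed in a few thousand tries.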

Use strong passwords. Even though many experts say to get rid of passwords altogether, we are not there yet. Most people are not there yet. So until then, create strong ones. Nothing less than eight characters and four types of characters — upper, lower, number, symbol (the new NIST guidelines recommend allowing ASCII and Unicode characters, too).

And stop changing the last two numbers on your standard password that you’ve been using for five years. Think of a song, book, line of poetry, or favorite quote and turn it into a password (e.g., “Another one bites the dust” into An1bYt35Ddu$T!). For an easy solution, use a random password generator, such as or
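The rules in the last few paragraphs (at least eight characters and four character classes, nothing from the common-password list, nothing that is a vendor default, and a random generator when you cannot think of a phrase) can be checked mechanically. The Python below is an added example written for this article, not code from the author, NIST or any password-manager vendor; the blocklist is assembled from the passwords the article names, and the vendor default values are constructed placeholders.

```python
import secrets
import string
import unicodedata

# Constructed blocklist from the common passwords the article lists; a real
# deployment would load a much larger list of breached or common passwords.
COMMON_PASSWORDS = {
    "1234", "12345", "123456", "1234567", "12345678", "123456789", "1234567890",
    "111111", "password", "passw0rd", "qwerty", "qwertyuiop", "football",
    "baseball", "welcome", "login", "letmein", "1qaz2wsx", "abc123",
    "monkey", "dragon", "solo", "master", "princess", "starwars",
}

# Constructed vendor default credentials (placeholder values, not real products).
DEFAULT_PASSWORDS = {"admin", "admin123", "default", "changeme"}

MIN_LENGTH = 8
REQUIRED_CLASSES = {"upper", "lower", "digit", "symbol"}


def _normalize(password: str) -> str:
    # Blocklist comparison is case-insensitive and NFKC-normalized so that
    # "Passw0rd" or full-width look-alike characters are still caught.
    return unicodedata.normalize("NFKC", password).casefold()


def _character_classes(password: str) -> set:
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif not ch.isspace():
            classes.add("symbol")   # punctuation and non-ASCII symbols count here
    return classes


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_CLASSES - _character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    normalized = _normalize(password)
    if normalized in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if normalized in DEFAULT_PASSWORDS:
        problems.append("is a vendor default password")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password that passes check_password, using the secrets CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):   # retry until all four classes are present
            return candidate


if __name__ == "__main__":
    for sample in ["password", "Passw0rd", "An1bYt35Ddu$T!", generate_password()]:
        print(repr(sample), "->", check_password(sample) or "OK")
```

The song-lyric password from the text passes, the "passw0rd" variant fails on both the missing symbol and the blocklist, and the generator uses `secrets` rather than `random` because password material must come from a cryptographic source.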

Can’t remember that? Look into password keepers such as Dashlane 4 or LastPass 4.0. PC Mag compared several at the end of 2016, as did Consumer Affairs. These services help you generate and store passwords. While not perfect, they are much better than making a weak password, jotting it on a sticky note, or typing it in a file on your phone.

On a corporate level, make sure that whatever default passwords you are issuing for products or services don’t run afoul of the privacy statement you have online.

Good luck and stay secure. 

About the Author

K Royal is the technology columnist for, and vice president, AGC privacy, and compliance/privacy officer at CellTrust Corp. @heartofprivacy

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.