Creating Secure Passwords for Greater Firm Protection

Secure password practices for law firms

A single word or phrase, your password, is what stands between your firm and the malicious actors who seek to profit from the sensitive client data you are charged to protect.

Here are some easy-to-adopt practices firm members can use to protect systems and client data:

1. Use Two-Factor Authentication

Hackers employ a number of different tactics to steal your username and password and gain access to firm and client data. One tactic involves installing keylogging programs on your computer to capture your credentials without you realizing it.

For this reason, two-factor authentication (2FA) is absolutely critical as the only foolproof way to prevent a breach. If a hacker successfully steals your password, with 2FA they won't be able to get into your account. 

2FA is an additional layer of security that ensures anyone who attempts to log in to the network is actually who they say they are, by double-checking the user's identity with a separate mechanism such as a text message to your cell phone. LexCloud uses an access solution that authenticates every login: after entering their password, firm members are prompted to touch a button on their phone. Only after they tap it can they get into their LexCloud virtual desktop.

These days, most websites and applications offer built-in 2FA, and we strongly recommend you use it wherever possible.



2. Use a Secure Password Format

We’re seeing hackers go to great lengths to obtain login credentials, targeting everyone from the managing partner to staff. They'll even go so far as combing through firm members’ social accounts to find clues that help them crack your password.

For example, a person might use their spouse’s nickname and birth year as their network password, not remembering that two years ago they posted a public birthday wish to their spouse on Facebook, addressing them by their nickname. The hacker now has all they need to get in.

To avoid such scenarios, we recommend using long passwords of 8 or more characters that are easy for you to remember. Try using two to three unrelated words; adding numbers and symbols is another good tactic, but length is the most important factor. For example, something like “FridayDentistSad22” is more secure than “D3nt1st”.

Each password should be unique to its account in order to mitigate potential damage and, because hackers can collect bits of information from each account, prevent further penetration into the firm’s network.
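As an added illustration of the two rules above (length first, then nothing a stranger could read off your social accounts), the following Python script is not part of the original post. It scores the post's two sample passwords with a brute-force upper bound and checks candidates against a constructed list of "personal details" standing in for the spouse's nickname and birth year from the example; the names, the 8-character minimum and the personal-detail entries are assumptions for this example.

```python
import math
import re

# Constructed sample data: the two passwords come from the post, the
# "personal details" stand in for the spouse's nickname and birth year.
PERSONAL_INFO = {"spouse_nickname": "Bunny", "spouse_birth_year": "1984"}
MIN_LENGTH = 8  # the post's minimum; longer is better


def charset_size(password: str) -> int:
    """Size of the character-class mix the password draws on."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(password: str) -> float:
    """Upper bound on guessing cost in bits, assuming every character was
    chosen at random. Dictionary words and leetspeak substitutions such as
    D3nt1st are guessed far faster than this bound suggests."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def personal_info_hits(password: str, info: dict) -> list:
    """Keys of any personal details that appear in the password (case-insensitive)."""
    lowered = password.lower()
    return [key for key, value in info.items() if value.lower() in lowered]


def assess(password: str, info: dict = PERSONAL_INFO) -> dict:
    """Apply the post's rules: minimum length, then no guessable personal details."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hits = personal_info_hits(password, info)
    if hits:
        problems.append("contains personal details: " + ", ".join(hits))
    return {
        "password": password,
        "length": len(password),
        "brute_force_bits": round(brute_force_bits(password), 1),
        "problems": problems,
        "acceptable": not problems,
    }


if __name__ == "__main__":
    for candidate in ("FridayDentistSad22", "D3nt1st", "Bunny1984"):
        print(assess(candidate))
```

The bit count is deliberately labelled an upper bound: it shows why length beats substitutions (18 characters reach roughly 107 bits against about 42 for the 7-character version), but a password built from real words is weaker than the bound, and one built from a nickname and a year fails outright regardless of its length.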


3. Password Management

Creating and remembering unique passwords for every website, application or account you use is nearly impossible to manage, which is why we recommend using a password manager.

A password manager is an encrypted program that houses all your passwords, as well as other information, in one location with a singular master password. You only have to remember one, and logging into websites is much easier and more secure.

When you visit a website with a login page, you type your master password into the password manager, which automatically fills in the website’s login fields.

Password managers like LastPass and Dashlane enable each member of the firm to maintain their own ‘vault’ of passwords so they can securely and easily log in to their accounts from any location. The manager generates very strong passwords and auto-fills them on any site you log in to, making your work both more secure and more convenient. Data is available on any device and can be synced across devices to provide secure mobility.


4. Be Wary of Emails

Be careful if you receive an email asking you to fill in your username and password, or containing links to a site that asks you to log in. This is a common tactic of phishing emails: the fake login page captures your credentials, and the attacker immediately gets to work breaking into your account.

If you receive an email that prompts you to log in and you believe it is legitimate, check the link first: right-click it, copy the link address, and paste it into Notepad or a Word document so you can view it in its entirety.

Secure URL

  • Does the URL match where the email says it’s going? Do you see any typos or suspicious language?
  • Review the sender’s name as well – is it spelled correctly? Are there any additional letters, and is the company domain correct (e.g., “Scotiasbank”)?
  • Do not click the link – instead, navigate to the website yourself by searching for it or entering the URL from a trusted source.

If you have any doubts, contact the helpdesk and we’ll review it for you.
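The checklist above can be turned into a small triage script for the helpdesk. The Python below is an added example, not code from the original post or from LexCloud: it parses a pasted link, compares the real target with the address the email displays, and flags misspelt or brand-in-subdomain domains. The expected domain set (only `scotiabank.com`, chosen because the post uses “Scotiasbank” as its misspelling example) and the sample links are constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the genuine domains the firm expects links to reach.
EXPECTED_DOMAINS = {"scotiabank.com"}

# Constructed sample links as they might appear in an email: (real href, displayed text).
SAMPLE_LINKS = [
    ("https://www.scotiabank.com/signin", None),
    ("https://www.scotiasbank.com/login", None),                # one extra letter
    ("https://scotiabank.com.example-login.net/secure", None),  # brand hidden in a subdomain
    ("https://example.org/verify", "https://www.scotiabank.com/verify"),  # text and target differ
]

_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def host_of(text):
    """Hostname of a URL-like string, or None if the text is not a URL at all."""
    if not text or not _LOOKS_LIKE_URL.match(text.strip()):
        return None
    text = text.strip()
    if "://" not in text:
        text = "https://" + text
    return urlparse(text).hostname


def registered_domain(host):
    """Last two labels of a hostname. Naive on purpose: 'bank.co.uk' would need a public-suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, display_text=None, expected=EXPECTED_DOMAINS):
    """Classify a link the way the post's checklist does: does the real target
    match what the email shows, and is its domain the genuine one?"""
    host = host_of(href)
    if host is None:
        return {"href": href, "verdict": "no-host"}
    reg = registered_domain(host)
    shown = host_of(display_text)
    if shown is not None and registered_domain(shown) != reg:
        return {"href": href, "host": host, "verdict": "display-mismatch", "shown": shown}
    if reg in expected:
        return {"href": href, "host": host, "verdict": "match"}
    subdomain_labels = host.lower().split(".")[:-2]
    for domain in expected:
        brand = domain.split(".")[0]
        if brand in subdomain_labels:
            return {"href": href, "host": host, "verdict": "brand-in-subdomain", "registered": reg}
    closest = min(expected, key=lambda d: edit_distance(reg, d))
    if edit_distance(reg, closest) <= 2:
        return {"href": href, "host": host, "verdict": "lookalike", "closest": closest}
    return {"href": href, "host": host, "verdict": "unknown", "registered": reg}


if __name__ == "__main__":
    for href, shown in SAMPLE_LINKS:
        print(check_link(href, shown))
```

Anything other than `match` is a reason to stop and navigate to the site yourself rather than clicking. The domain split is deliberately simple; a production version would use a public-suffix list so that two-part country domains are handled correctly.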


5. Never Share Your Password

No company will ask you to share your password over the phone or email, especially financial institutions or government bodies. If you are asked to, ask for the individual’s extension, hang up and call the company’s public line. You can never be sure anyone who calls you actually is who they say they are.

Never share your passwords with colleagues. Your team members are more than likely trustworthy, but you cannot control how or where they store the information, which could enable hackers to penetrate the network further, and all fingers would point back to you.

Each of us is responsible for protecting our own credentials, and we must ensure we do our part to protect the firm and clients’ data security.



Hackers are always looking for a way to exploit the most vulnerable aspect of every IT network: human nature. The human factor has always been considered the weakest link in the security chain, which is why we are introducing security training for users in early 2022. 

Contact us to set up training for your firm, and continue to follow our blog for more security tips to ensure your firm and clients are protected at all times.

