What do lawyers, the Astros, and LastPass all have in common? They all need to rework their password approach.

That’s right, folks: another week, another hack (or two, or three, and so on). But this latest round shows that hacks don’t have to be sophisticated to be effective, and worse, sometimes they need only one point of access.

Photo Credit: ThisIsNotApril cc

Just yesterday, for what is widely believed to be the first time in history, the FBI announced it was investigating whether St. Louis Cardinals officials hacked into the internal networks of a rival team, the Houston Astros. The intrusion is believed to be possible retribution for Jeff Luhnow leaving the Cardinals to become the Astros’ general manager, and The New York Times reports that officials did not characterize the hack as particularly sophisticated:

When Mr. Luhnow was with the Cardinals, the organization built a computer network, called Redbird, to house all of their baseball operations information — including scouting reports and player personnel information. After leaving to join the Astros, and bringing some front-office personnel with him from the Cardinals, Houston created a similar program known as Ground Control.

…Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

While the general public grows more and more used to elite hacks perpetrated by shadowy figures overseas, weak passwords remain among the top causes of data breaches: a 2013 report found that 76 percent of network intrusions exploited weak or stolen credentials. In fact, one in five employees admits to reusing passwords across personal and work applications.

The appeal of reuse is obvious: the average user has about 26 online accounts and just five passwords. Memorizing 26 different, unique passwords at a time when passwords are required to be ever longer and more complex would be a nightmare. And though there are services that will keep track of your passwords, like LastPass, their own recent breach shows that even they aren’t free from the dangers of the web.

But as accounts are increasingly daisy-chained, and email addresses double as a universal username, it’s easier than ever for attackers to leverage publicly or easily available information to get access to a wealth of accounts: a password recovered from one breached site can simply be replayed against every other site where the same address is the login. For lawyers, one bad password could mean access to a whole lot of privileged information, which is probably why even the DOJ is recommending that lawyers become more knowledgeable about cybersecurity.

The uncomfortable truth is that we live in a time when hacks will happen, and as Maria Matasar-Padilla writes on The Ethical Investigator, information gets out:

But however empowering it may feel to think we’ve finally mastered the privacy settings of the technologies we use every day, the truth of the matter is that despite all our best efforts, information can and will be leaked.

…[for instance] you may assume that because you’ve never posted your address or physical whereabouts on Facebook or Twitter that you’ve managed to conceal where you actually live. But the minute you post a picture, the image’s metadata may pinpoint the coordinates of where you took the shot. So if you snapped that picture of your new puppy at home, you might be giving out your exact location when you upload it to Facebook.

And though no password on its own is a complete defense, there are some steps you can take today to protect your accounts. As PC World writes on the LastPass breach:

  • Enable multi-factor authentication: This is the most important step you can take if you haven’t already. Even if the worst happens and hackers get your master password, they’ll still need the authentication code to access your account if you have two-factor authentication enabled. Multi-factor authentication isn’t important just for LastPass—you should be using it on any site that offers it, including social networks, email accounts, and so on.
  • Beware of the phish: With hackers in possession of the email addresses of LastPass users, at least some of us are likely to see phishing attacks. This is when attackers send a phony email dressed up like an authentic message from LastPass. The difference is this email will ask you to click a link and change your master password—something you should never do. Never, ever click on a link in an email asking you to change your password. Chances are that link will take you to a fraudulent version of the LastPass site that exists solely to steal your login credentials.
  • Change your master password: That said, LastPass will be asking all users to change their master passwords in the near future. I take that to mean we’ll be notified via the LastPass mobile apps or browser extensions. We are confirming this with LastPass, but to reiterate, do not change your password by following a link contained in an email or instant message. Also, if you’ve used your LastPass master password on any other site—you shouldn’t do that, by the way—you should change it there as well.
  • Be careful with your password reminder: Security specialist Martin Vigo discussed the LastPass breach on his personal blog. (Ironically, Vigo is about to do a talk on hacking LastPass.) Vigo advises you not to bother filling out your password reminder on LastPass. Let’s say your password was MMxy80pyt. You probably thought it was smart to make your reminder, “My Mare’s xylophone is 80 playing years today.” Now, it doesn’t sound like such a great idea with that sentence in the hands of the bad guys. The problem is LastPass requires a password reminder. To skirt around the requirement without potentially giving too much info to would-be hackers, just add something like “the password I entered just now” or something similar. Then keep a real reminder (or the actual password) written down on paper and secured at home.
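To make the two points above concrete, here is an added example (not code from the original post, PC World, or LastPass) that plays out the “daisy-chained accounts” problem and the multi-factor fix in working code. It constructs a tiny breach dump from a hypothetical “site A” and two hypothetical target sites: site B checks only a password, site C also requires a TOTP code (the RFC 6238 scheme behind most authenticator apps). Every user, password, and the TOTP seed are constructed for the demo; the PBKDF2 iteration count is kept deliberately low so the script runs quickly.

```python
"""Credential stuffing across reused passwords, and why a second factor stops it.
Added example; all sites, users, passwords and the breach dump are constructed."""
import hashlib
import hmac
import os
import struct
import time
from typing import List, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256. 10,000 iterations is low; chosen so the demo runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step, digits)


class Site:
    """Minimal account store: email -> (salt, password hash, optional TOTP seed)."""

    def __init__(self, name: str, require_totp: bool = False):
        self.name = name
        self.require_totp = require_totp
        self.accounts = {}

    def register(self, email: str, password: str, totp_seed: Optional[bytes] = None):
        salt = os.urandom(16)  # per-account salt: identical passwords hash differently
        self.accounts[email] = (salt, hash_password(password, salt), totp_seed)

    def login(self, email: str, password: str, code: Optional[str] = None,
              now: Optional[float] = None) -> bool:
        rec = self.accounts.get(email)
        if rec is None:
            return False
        salt, stored, seed = rec
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return False
        if self.require_totp:
            # Correct password alone is not enough: the caller must also present
            # the code for the current window from the enrolled seed.
            if seed is None or code is None:
                return False
            return hmac.compare_digest(code, totp(seed, now))
        return True


def credential_stuffing(dump: List[Tuple[str, str]], target: Site) -> List[str]:
    """Replay each (email, password) pair leaked from one site against another.
    Returns the emails whose accounts on the target open with the reused password."""
    return [email for email, pw in dump if target.login(email, pw)]


def build_demo():
    # Constructed breach dump from hypothetical "site A": emails and recovered passwords.
    dump = [
        ("alice@example.com", "Summer2015!"),
        ("bob@example.com", "hunter2"),
        ("carol@example.com", "correct horse battery staple"),
    ]
    # Site B: alice and bob reused their site-A password; carol chose a unique one.
    site_b = Site("site-b")
    site_b.register("alice@example.com", "Summer2015!")
    site_b.register("bob@example.com", "hunter2")
    site_b.register("carol@example.com", "different-unique-passphrase")
    # Site C: alice reused the same password, but TOTP is enrolled and required.
    seed = b"12345678901234567890"  # RFC 6238 test-vector seed, used here as a demo secret
    site_c = Site("site-c", require_totp=True)
    site_c.register("alice@example.com", "Summer2015!", totp_seed=seed)
    return dump, site_b, site_c, seed


if __name__ == "__main__":
    dump, site_b, site_c, seed = build_demo()
    print("site-b accounts opened by replaying site-A passwords:",
          credential_stuffing(dump, site_b))
    print("site-c, reused password, no code:",
          site_c.login("alice@example.com", "Summer2015!"))
    print("site-c, reused password, attacker guesses a code:",
          site_c.login("alice@example.com", "Summer2015!", code="000000"))
    print("site-c, reused password, legitimate authenticator code:",
          site_c.login("alice@example.com", "Summer2015!", code=totp(seed)))
```

Running it, site B gives up alice and bob with nothing more than the site-A dump, while carol’s unique password survives; site C refuses the same reused password until the code from the enrolled seed is supplied. Note that salting and slow hashing on the target do nothing against this attack, because the attacker never touches the hashes: they submit a plaintext password that was simply correct on two sites.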

Additionally, as Mr. Luhnow’s case shows, if you leave a job it’s best to leave the old passwords behind too: anything you used at a previous employer should be assumed known there and never reused at the next one. It doesn’t take a heavy hitter to crack your password, and once they’ve got it, who knows how far they’ll go.