

Passwords

Key points:

Use a unique email address, and a unique password, for every site and service

Whenever you sign up with a new site or service, use a unique email address, and a unique password.

The reason you do this is that, if a site's database is compromised, and someone obtains your username and password, and tries to log into other sites with them (something known as “credential stuffing”), they will not get access to your accounts on those other sites.

Unique email address

Email catch-all

If you run or rent your own email server, you should be able to enable something called a “catch-all” on your domain. This means that any email sent to any account name on your domain gets delivered to you.

The benefit is that you can give a site any email address you like, and you will receive email sent to it without needing to do anything.

The downside is that you are likely to get more spam, as any email sent to any account name on your domain is delivered to you.

Gmail

You can use a “plus” sign after your username, and then any text you want, to create a unique email address.

For example, if your email address is johnsmith@gmail.com, you could use johnsmith+facebook@gmail.com to create a unique email address to give to Facebook.

You will still receive any email sent to that address at your normal account.

ProtonMail

You can use a “plus” sign after your username, and then any text you want, to create a unique email address.

For example, if your email address is johnsmith@protonmail.com, you could use johnsmith+facebook@protonmail.com to create a unique email address to give to Facebook.

You will still receive any email sent to that address at your normal account.
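Plus-addressing tells you which site leaked an address, but it is worth seeing how little it hides. The following is an added example (not from the original page): it takes a small constructed list of addresses standing in for a leaked site database, strips the “+tag” the way a spammer or credential-stuffing attacker would (and, for Gmail, the dots that Gmail ignores in the local part), and also pulls the tags out of addresses that belong to you so you can tell which site they came from. The sample addresses and the tag-to-site mapping are assumptions for illustration.

```python
# Added example: what plus-addressed email looks like from the attacker's side.
# SAMPLE_LEAK is a constructed stand-in for addresses found in a breached site database.
SAMPLE_LEAK = [
    "johnsmith+facebook@gmail.com",
    "John.Smith+shop@gmail.com",
    "johnsmith+facebook@protonmail.com",
    "someone-else@example.org",
]

# Domains known to ignore dots in the local part (Gmail documents this behaviour).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def split_plus_tag(address):
    """Return (base_local_part, tag, domain) for an address.

    The tag is whatever follows the first '+' in the local part, or '' if there is none.
    """
    local, _, domain = address.partition("@")
    base, _, tag = local.partition("+")
    return base, tag, domain.lower()


def normalize(address):
    """Reduce an address to the form an attacker would use for credential stuffing:
    lower-cased, '+tag' removed, and dots removed where the provider ignores them."""
    base, _, domain = split_plus_tag(address)
    if domain in DOT_INSENSITIVE_DOMAINS:
        base = base.replace(".", "")
    return f"{base.lower()}@{domain}"


def attacker_view(addresses):
    """Group leaked addresses by their normalized form.

    Every variant you handed out collapses onto one real mailbox, which is the
    address the attacker will try against other sites.
    """
    grouped = {}
    for address in addresses:
        grouped.setdefault(normalize(address), []).append(address)
    return grouped


def my_leaked_tags(addresses, my_address):
    """Return the tags (i.e. the sites) on leaked addresses that deliver to my mailbox.

    This is the defender's benefit of plus-addressing: the tag identifies which
    site the address was given to, so it identifies which site leaked it.
    """
    mine = normalize(my_address)
    return sorted(
        split_plus_tag(a)[1] for a in addresses if normalize(a) == mine and split_plus_tag(a)[1]
    )


if __name__ == "__main__":
    for real_mailbox, variants in attacker_view(SAMPLE_LEAK).items():
        print(real_mailbox, "<-", variants)
    print("sites that leaked my Gmail address:", my_leaked_tags(SAMPLE_LEAK, "johnsmith@gmail.com"))
```

The point this makes: a per-site tag lets you attribute a leak, and lets you filter or block mail to that tag afterwards, but it does not stop credential stuffing on its own, because the base address is recovered with one string operation. What stops the stuffing attack is the unique password. Also note that some sign-up forms reject a “+” in an email address; a catch-all domain avoids that problem.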


Unique password

Use a password manager to generate a unique password for your new account.

Password managers usually let you set the format of your password. For example, you might set it to follow the NCSC's guidance to use three random words as a password. However, some sites still have outdated or just strange password requirements, requiring you to add special characters, a mix of upper and lowercase characters, and numbers. For those sites, you'll probably need to amend your automatically-generated password to fit the site's requirements.

Paste the password you have generated from your password manager into a text document, then make the changes to meet the site's password requirements, and paste the resulting password into the site. That way, if you need to make further changes (perhaps the site's requirements are vague), you can do so easily. Once your password is accepted, paste it into your password manager.

(Yes, you will find sites which, in the mistaken belief it adds to security, have disabled the ability to paste passwords. Consider if you really need to do business with a site which is actively working against you securing yourself.)

Use a strong password

Every password you use needs to be hard to guess. Some guidance suggests taking a word and mixing in letters and symbols, but the National Cyber Security Centre's guidance is to use three random words.

For example:

snickdrawing-nesslerization-devilwood

As you are
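The two procedures above (generate three random words in the password manager, then amend the result to satisfy a legacy complexity rule without throwing the random words away) can be written down as code. This is an added example, not the original page's or any password manager's code. The word list is a constructed sixteen-word stand-in; a real generator draws from a list of thousands of words, and the entropy figure the block reports depends on the list size actually used, which is why it is a parameter rather than a constant.

```python
# Added example: three-random-words generation plus a policy-fitting step.
import math
import secrets
import string

# Constructed stand-in for a real diceware-style list (a real one has thousands of entries).
WORDLIST = [
    "snickdrawing", "nesslerization", "devilwood", "lantern", "quartz", "meadow",
    "cobalt", "harbour", "velvet", "thistle", "glacier", "saffron",
    "marble", "orchard", "ember", "tundra",
]

SYMBOLS = "!@#$%^&*"


def three_random_words(words=WORDLIST, count=3, sep="-"):
    """Pick `count` words uniformly at random with a CSPRNG and join them."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Entropy of `count` independent uniform picks from a list of `list_size` words."""
    return count * math.log2(list_size)


def meets_policy(pw, need_upper=True, need_digit=True, need_symbol=True, min_len=12, max_len=None):
    """Check a password against a typical legacy complexity policy."""
    return all([
        len(pw) >= min_len,
        max_len is None or len(pw) <= max_len,
        not need_upper or any(c.isupper() for c in pw),
        not need_digit or any(c.isdigit() for c in pw),
        not need_symbol or any(c in string.punctuation for c in pw),
    ])


def fit_policy(pw, need_upper=True, need_digit=True, need_symbol=True, max_len=None):
    """Amend a generated passphrase so it passes a complexity policy.

    Characters are added, never substituted, so the random words survive intact
    and the entropy of the generated part is not reduced. If a length cap is too
    short to hold the words, raise rather than truncate: truncation silently
    discards entropy, and the right fix is to regenerate with shorter words.
    """
    if need_upper and not any(c.isupper() for c in pw):
        pw = pw[0].upper() + pw[1:]
    if need_digit and not any(c.isdigit() for c in pw):
        pw += str(secrets.randbelow(10))
    if need_symbol and not any(c in string.punctuation for c in pw):
        pw += secrets.choice(SYMBOLS)
    if max_len is not None and len(pw) > max_len:
        raise ValueError(f"policy caps length at {max_len}; regenerate with shorter words")
    return pw


if __name__ == "__main__":
    generated = three_random_words()
    print("generated:", generated, f"({entropy_bits(len(WORDLIST), 3):.1f} bits from this toy list)")
    print("fitted:   ", fit_policy(generated))
```

Note the asymmetry the code makes visible: a sixteen-word list gives only 12 bits for three words, while a 7,776-word list gives about 38.8 bits. The strength comes from the size of the list and the randomness of the draw, not from the capital letter and digit the policy forces you to bolt on.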

Use a password manager

A password manager is a piece of software which stores your passwords and other login details, so that you do not have to remember them.

It may seem counterintuitive to write down all your passwords in one piece of software, but the National Cyber Security Centre's guidance is that the benefits outweigh the risks.

There are a number of different options to choose from.

My preference is 1Password.

Do not change your passwords without reason

Advice used to be to change your passwords frequently. This is no longer considered good practice: forced rotation tends to produce weaker, predictable passwords, and it does nothing to help if the password has not been compromised.

Change your password if you think it has been compromised.

PINs on devices

Fingerprint / face recognition / biometric unlock

Biometric unlock is convenient, fast, and not something which can be captured by someone looking over your shoulder as you enter it.

However, in some jurisdictions, it appears that one cannot be forced to disclose a password, but can be compelled to place a finger on a device to unlock it. If in doubt, consider disabling fingerprint unlock for the duration of a trip into such a country.

Swipe patterns

Even with the Android swipe pattern unlock mechanism, it is pretty easy to watch someone do a basic pattern once and replicate it — so you need to go for something pretty complicated, coupled with shielding your phone when you enter your passcode.

It is obviously defeated by a security camera with a view of your screen.

Wherever possible, set up two-factor authentication

passwords.1565292302.txt.gz · Last modified: 2021/07/06 09:26 (external edit)