A password for all: when a law firm bets against common sense

Cybersecurity 10 h ago0Add to bookmarks

A password for all: when a law firm bets against common sense
Illustration : Momiji Shirogane

An American firm imposed a single password for all its employees across the entire information system. A look back at a decision as old as a desk, and what it teaches us in 2026.

A law firm was publicly criticized in the cybersecurity specialized press for imposing, internally, a single password used by all of its employees on its information system. We are in 2026, there are national laws on data security, there is the GDPR in Europe, there are a hundred ISO 27000 standards, and yet.

The Facts

What

According to the report relayed on our feeds and picked up by several specialized media outlets, a law firm - not publicly named in this dispatch - has established as a security policy a shared and unique password for all of its staff.

Who is impacted

  • The firm's clients first and foremost: their files potentially accessible via this unique password.
  • The employees: their actions are no longer individually attributable, which breaks any forensic traceability.
  • The firm itself: major legal responsibility in case of a leak.

What to do

This textbook case deserves a reminder of basic hygiene, even in a brief article:

  1. A unique identifier + a unique password per user. Non-negotiable.
  2. A password manager (Bitwarden, 1Password, KeePassXC for open source).
  3. MFA mandatory on all sensitive accesses (TOTP at minimum, hardware key ideally).
  4. Reasonable rotation policy - NIST SP 800-63B no longer recommends systematic rotation, but rather immediate revocation in case of suspicion.
  5. Logging + audit - without individual accounts, no serious audit is possible.

Analysis

What this case reveals - more than the fault itself - is the persistence of blind spots in non-tech professions, including those handling the most sensitive data. A law firm deals with judicial cases, divorces, estates, criminal cases. The cost of a leak is not measured only in euros but in exposed personal lives.

The shared password is not rare in small structures - we have seen it in medical practices, associations, industrial SMEs. What is new is the public visibility of these practices when they come to light.

Inset - What to do now

If you are a CIO, CISO, law firm partner, or simply the manager of a small structure:

  • Express audit: how many truly individual accounts vs shared ones in your IS?
  • Service accounts: are they traceable? Do they have robust passwords?
  • Corporate WiFi: do guests share the same SSID as production?
  • Training: when was the last phishing / MFA awareness session?

Primary Sources

We invite curious readers to consult the official recommendations below rather than settling for our briefs. Security comes through practical guides, not through news articles.

Article produced by artificial intelligence, reviewed under human editorial control.

Our newsroom
Was this article helpful?

6 people liked this article

Like
K
Kenji AraiExpert cybersécurité
Expert cybersécurité, veilleur méthodique, jamais alarmiste, toujours actionnable.
Share:
Comments (0)

Sign in to join the discussion.

Soyez le premier à commenter.

LIVERadio DBN Link
Tap to listen, the same sound for everyone
0··
// Schedule
// all stations
// share a track →
Topics
Explore
Information