Standard advice for securing computer systems is to require users to change passwords frequently. Something about this recommendation has always bothered me, but I never really thought it through. A current blog posting at Healthcare Informatics by Dale Sanders really hits the nail on the head. He points out that these change-passwords-frequently policies actually undercut password security rather than enhancing it, once you factor in human psychology. If you have to replace your password frequently, you will probably come up with something simplistic, or resort to a post-it note on the monitor, or maintain a paper list. It would be far more secure to create a single, strong password or passphrase and continue to use it for a much longer period.
To manage passwords used on the web, you can’t go wrong with Roboform. Create a strong master password (long, and using a combination of letters, numbers, and special characters), then let Robo’s password generator suggest strong passwords for individual web sites. Once you select and use a password on a web site, Robo will remember and “type” it in for you when you next visit that site. All you have to do is enter your master password once in each browser session; Robo uses that to unlock your password library and cleverly selects the right one whenever you hit a login window. There is even a version of Roboform that you can install on a USB “thumb” drive, so you can securely carry your passwords with you for use on multiple computers, or even public computers when traveling.
In the course of providing technical support on our billing and EMR software, I am exposed to the password selections of many of our users. It is amazing how rare it is to find anyone using serious passwords. Names, almost surely of loved ones or pets, are the most common, but far too frequently I see passwords that are identical to user IDs, or non-passwords like “123” and “password”. Although our products include optional rules that enforce strong password choices when enabled, they are rarely turned on.
Coming up with an easily remembered, secure master password is not really all that hard. Just think up a short sentence that includes punctuation and some numbers. You can check the quality of your choice using Microsoft’s password checker.
Here’s an example: “Turning 60! soon.” This easily remembered phrase is actually more secure than “3-vO$aLKG7”, which conforms to all the standard password creation advice.
Maintaining medical privacy is serious business. Current HIPAA rules provide for serious penalties when medical information is not properly secured. Are you guilty of password negligence yourself?
Seth Krieger
Are your passwords HIPAA secure? says:
nice info .. 🙂
Kathy says:
Hi, thanks for your comment. Some of our staff have just started using your LastPass product to manage passwords. We’ll let you know how it goes. Thanks for visiting our blog. Come back any time.
Abe says:
“Turning 60! soon.” may actually be less secure from dictionary attacks when compared to 3-vO$aLKG7. From a pure number of letters/etc. it seems more secure; however, if someone were to use an English dictionary they’d be far better off guessing “Turning 60! soon.” than “3-vO$aLKG7”.
Of course this does depend on the system and how well prepared it is to fend off brute force attacks.
Either way, both are more secure than the standard “firstname” + “1234…n” that most use.
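The disagreement between the post's example and Abe's comment comes down to the attacker model, so here is an added Python estimator (not code from the post or from any commenter) that scores both candidates two ways: per-character brute force, which is what the "longer is stronger" argument assumes, and word-level guessing, where dictionary words, digit runs and separators are each guessed as a unit. The guess-space constants and the small KNOWN_WORDS list are illustrative assumptions, not measurements of any real cracking tool.

```python
import math
import re

# The two candidates compared in the post and in Abe's comment.
PASSPHRASE = "Turning 60! soon."
RANDOM_PW = "3-vO$aLKG7"

# Model 1: per-character brute force over the printable-ASCII classes
# the password actually uses (lower, upper, digits, punctuation/space).
CHAR_CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
]

def brute_force_bits(pw: str) -> float:
    """Bits of work to exhaust every string of len(pw) over the used classes."""
    alphabet = sum(size for rx, size in CHAR_CLASSES if rx.search(pw))
    return len(pw) * math.log2(alphabet)

# Model 2: word-level guessing. Guess-space sizes below are assumptions
# chosen for illustration, not measurements of any real cracking tool.
WORD_VOCAB = 20_000        # dictionary words the attacker enumerates
CASE_FACTOR = 2            # lower-case or Capitalised
SEPARATOR_SPACE = 8        # common separators tried between words
KNOWN_WORDS = {"turning", "soon", "password", "welcome"}  # constructed stand-in list

TOKEN = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]")

def dictionary_bits(pw: str) -> float:
    """Bits of work when words, digit runs and separators are guessed as
    units; a letter run that is not a word still costs full brute force."""
    bits = 0.0
    for tok in TOKEN.findall(pw):
        if tok.isalpha() and tok.lower() in KNOWN_WORDS:
            bits += math.log2(WORD_VOCAB) + math.log2(CASE_FACTOR)
        elif tok.isalpha():
            bits += len(tok) * math.log2(52)    # random mixed-case letters
        elif tok.isdigit():
            bits += len(tok) * math.log2(10)
        else:
            bits += math.log2(SEPARATOR_SPACE)
    return bits

def estimate(pw: str) -> dict:
    """Strength of pw in bits under both attacker models."""
    return {"brute_force": brute_force_bits(pw), "dictionary": dictionary_bits(pw)}
```

Under brute force the passphrase leads the random string by roughly 46 bits (about 112 vs 66); under word-level guessing the lead shrinks to a couple of bits (about 49 vs 47), which is why the answer depends on what the system does to throttle guessing.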
Spencer Gear says:
Interesting article. I too have noticed the password issues you describe, and agree with you about the unintended effects of frequent changes. The program you describe sounds intriguing. We are also looking at a hardware solution that does much the same thing.