Monday, November 16, 2009

Creating STRONGER Passwords (Miaoulis Writes)

HIPAA tells us to train workforce members on the procedures for creating, changing, and safeguarding passwords. Passwords are a security weak link, but you should take steps to make them as strong as possible.

Does your training go something like this: do not use your pet's name or your sign-on ID, do not use passwords that are easily guessed (actual words), and make sure they contain alpha and numeric characters? Training should go further and instruct individuals in how to create a stronger password. Some helpful hints for selecting stronger (better) passwords:
  • Select a phrase and use the first letter of each word: BltpGED#4 comes from the phrase "Bill Loves To Play Golf Every Day".
  • Mix upper and lower case.
  • Replace letters with special characters or numbers.
  • Combine parts of words (hapnewyr08, mahaalit$7), built from "HappyNewYear" and "Maryhadalittlelamb".
  • Train users not to number their passwords (billy#01, billy#02) (see NOTE below).
There are a couple of sites that test user passwords; one of them is Microsoft's, and users can use this type of site to check that their passwords are stronger. (Note: to be rated a BEST password, Microsoft's checker requires 14 characters.)
Microsoft provides information on selecting strong passwords at

NOTE: Statistics say to use numbers as part of passwords since they add permutations, but I am not 100% convinced this is a good idea. I believe it encourages users to number their passwords (BLtpg#4 becomes BLtpg#5) when forced to change. In classes in which I have asked the question, fully 95% number their passwords.

There are technical controls that can also assist; systems can be built to require stronger passwords. If your vendor does not provide a mechanism for stronger passwords, work with the vendor and its user groups to get one. When selecting new systems, password strength controls should be part of the evaluation. Some good controls:
  • Systems that test against common names
  • Systems that give users a couple of days' warning to change their password
  • Systems that require password strength (alphanumeric, caps, password length, etc.)
  • Systems that require you to change more than ONE character. This is important, as many if not most users will create a password BLTPGED#4 and then, when forced to change, go to BLTPG#5.
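The controls listed above, and the password-selection hints earlier in the post, can be expressed as a small policy check that a system runs when a user sets a new password. The following is an added example written for this post, not code from the author or from any vendor product; the word list, the thresholds (minimum length, number of character classes, minimum edit distance) and the function names are assumptions chosen for illustration. It rejects passwords that contain a listed common word or name, that use too few character classes, that differ from the previous password by only one character, or that are simply the previous password with its trailing number bumped (billy#01 to billy#02, the habit described in the NOTE).

```python
"""Password-policy checks of the kind the post recommends as technical controls.

Added example for illustration; the word list, thresholds and names below are
assumptions, not a real product's rules.
"""
import string
from typing import List, Optional

# Constructed sample of common words and names; a real system would load a large wordlist.
COMMON_WORDS = {"password", "billy", "welcome", "summer", "letmein", "qwerty"}

MIN_LENGTH = 8          # assumed minimum; the post notes Microsoft's checker wants 14 for "best"
MIN_CLASSES = 3         # of the four classes: lower, upper, digit, special
MIN_EDIT_DISTANCE = 2   # "change more than ONE character"


def character_classes(pw: str) -> dict:
    """Report which of the four character classes the password uses."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }


def contains_common_word(pw: str) -> bool:
    """True if any listed word or name appears inside the password (case-insensitive)."""
    folded = pw.lower()
    return any(word in folded for word in COMMON_WORDS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def looks_renumbered(old: str, new: str) -> bool:
    """True when the new password is the old one with only its trailing digits changed
    (billy#01 -> billy#02), the habit the post's NOTE describes."""
    digits = "0123456789"
    return old != new and old.rstrip(digits) == new.rstrip(digits)


def check_policy(new_pw: str, old_pw: Optional[str] = None) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append("too_short")
    if sum(character_classes(new_pw).values()) < MIN_CLASSES:
        problems.append("too_few_classes")
    if contains_common_word(new_pw):
        problems.append("common_word")
    if old_pw is not None:
        if edit_distance(old_pw, new_pw) < MIN_EDIT_DISTANCE:
            problems.append("too_similar")
        if looks_renumbered(old_pw, new_pw):
            problems.append("renumbered")
    return problems


if __name__ == "__main__":
    # Cases drawn from the post's own examples (old password, new password).
    cases = [(None, "BltpGED#4"), ("billy#01", "billy#02"), ("BLtpg#4", "BLtpg#5")]
    for old, new in cases:
        print(f"{old!r} -> {new!r}: {check_policy(new, old) or 'accepted'}")
```

Note that the post's own hapnewyr08 example passes the "combine parts of words" hint but fails the mixed-case rule, which is exactly the kind of gap a technical control catches that training alone does not; also, the edit-distance threshold is a policy choice, and a stricter system would raise it well above 2.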
If you have questions or comments, contact me.
