Does your training go something like this, do not use your pets name, your signon ID, passwords that are easily guessed (actual words), and make sure they contain alpha and numeric characters. Training should instruct individuals in how to create a stronger password. Some helpful hints for selecting stronger (better) passwords:
- Select a Phrase and use the first letter of the phrase: BltpGED#4, is from the phrase, Bill Loves To Play Golf Every Day.
- Mix upper and lower case
- Replace letters with special characters or numbers.
- Combine parts of words (hapnewyr08, mahaalit$7) (Translation: HappyNewYear and Maryhadalittlelamb)
- Train users not to number their password (billy#01, billy#02) (see NOTE BELOW)
Microsoft provides information on selecting strong passwords at
NOTE: Statistics say to use numbers as part of passwords since there are different permutations, but I am not 100% convinced this is a good idea. I believe it encourages users to number their passwords (BLtpg#4 becomes BLtpg#5) when forced to change. In classes in which I have asked the questions, fully 95% number their passwords.
WORKING WITH HEALTHCARE VENDORS:
There are technical controls that can also assist, systems can be built to require stronger passwords. If your vendor does not provide a mechanism for stronger passwords, then work with them and the vendor user groups to get stronger passwords. When selecting new systems, password strength controls should be part of the process. What are some good controls:
- Systems that test against common names
- Systems that give users a couple of day warning to change their password
- Systems that require password strength (Alpha numeric, caps, password length, etc.).
- Systems that require you to change more than ONE character. This is important as many users if not most users, will create a password BLTPGED#4, then when forced to change, go to BLTPG#5.