We’re back with part three of our series with CCI, where we break down the five most common causes of security incidents within the healthcare industry. One of the simplest and most effective fundamental practices in information security is good password hygiene, but it can be hard to know how to create a strong password.
It is surprising how often strong passwords and good password hygiene are overlooked altogether or not given appropriate weight, especially among healthcare organizations. Default, weak, shared, and reused passwords all make an attacker’s job a lot easier.
But passwords can be challenging to create well, remember, and maintain, and it doesn’t help that healthcare organizations have so many systems and accounts to log in to every day.
The good news is, there are tools, methods, and trainings to combat these challenges. Read on to learn about these and how to create a strong password.
How to Create a Strong Password
Despite many resources available, there is still quite a bit of mystery around how to create a strong password. People wonder what length is best, if it should include a certain number of special characters, whether to include uppercase or lowercase characters, and more.
Often, people also get stuck trying to create a password that they can also memorize. Meeting complexity requirements off the top of your head and then trying to memorize and keep track of dozens of passwords is challenging, if not impossible.
Additionally, you may not know how to tell if your password is strong. You can check your password with one of the many available, free tools. We recommend you change the actual password up slightly (transpose a few letters or outright replace them, for example) when you run it through the test.
What Makes a Password “Strong?”
Often people ask, “How do I know if my password is good enough?” Because “good” is such a subjective word, it is hard to quantify what a “good” password looks like. However, since we are explaining how to create a strong password, we’ll stick with strength rather than “good” or “bad.”
Here are some key indicators of strength in a password:
- Length. A strong password should be a minimum of 12 characters, but the more the better. All other things equal, 16 characters is a more secure password than one with 12 characters. Similarly, a 20-character password will be stronger than a 16-character one, and so on.
- Complexity. Though not as important as length, complexity can and does boost a password’s strength. Adding complexity goes beyond replacing the letter “a” with “@,” the letter “I” with “!,” and the letter “e” with “3” (attackers know these tricks, too!). Complexity is more effective when it’s not predictable.
- Uniqueness. It is imperative that you do not reuse passwords. We cannot stress this enough! If one account is compromised, your email address will most likely be associated with the compromised password. Attackers will try the same credentials combination for other logins; when you reuse passwords, these attackers will be successful.
- Confidentiality. This simply means that your password hasn’t been shared with anyone. The only caveat here is if you used a secure password management tool to share your password (more on those in a bit).
These criteria may seem daunting, but there are some tricks you can use to create strong passwords more effectively.
Passphrases
Without using any external tools, passphrases are one of the most effective ways to achieve this. A passphrase is just a string of random words. For example, “Camel beet Pokemon shell” is a passphrase (and, at 24 characters with both upper and lowercase, a relatively strong one).
A handy trick to creating a passphrase that you can remember is to use a mnemonic key. For example, if you love the song Supermassive Black Hole by Muse, you could take a line from the song as your mnemonic key. The lyric “Glaciers melting in the dead of night” could cue you in to your passphrase, “Golden monkeys in the dark of November.”
Again, that would be a relatively strong passphrase – it uses both upper and lowercase letters as well as spaces, adding complexity, and it is 38 characters long. Security.org’s free password checker tool says this password will take 17 sexdecillion years to crack—not too shabby!
Other Mnemonic Passwords
The same trick for creating a passphrase can be used to create a standard password. Let’s take the same lyric from the same song – “Glaciers melting in the dead of night.” As a password, that could become “Gmitdon,” which, as you know, isn’t a strong password at only 7 characters with little complexity. The password checker says this password will take 25 seconds to crack. We can do better.
The first step in increasing this password’s strength is adding length. The next lyrics in Supermassive Black Hole are, “And the superstars sucked into the super massive (you set my soul alight).” This would make the password “Gmitdon atssitsm ysmsa.” Notice that we added spaces between the sections of the lyric to add some complexity. With that simple addition of more length and spaces, this password would now take 42 sextillion years to crack.
Finally, for good measure, let’s add additional complexity and put some special characters in this password. The obvious addition is parentheses around the last section, which already had parentheses in the lyrics. The password “Gmitdon atssitsm (ysmsa)” would take 21 octillion years to crack. Now, that’s a strong password!
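To make the strength indicators above (length, non-predictable complexity, uniqueness) and the mnemonic walk-through concrete, here is a small checker, added for this article and not a tool from CCI or the password checker cited above. It estimates the brute-force search space in bits rather than a “years to crack” figure, discounts complexity that comes only from the substitutions attackers already try (a→@, i→!, e→3, plus a few assumed extras), and flags reuse against a constructed set of previously used passwords; the 12-character minimum is the article’s, the remaining constants are assumptions.

```python
import math
import re

# Minimum length from the article; everything else here is an assumption.
MIN_LENGTH = 12

# Substitutions attackers already try. The article names a->@, i->!, e->3;
# the other three entries are common additions assumed for this example.
LEET = str.maketrans({"@": "a", "!": "i", "3": "e", "0": "o", "1": "l", "$": "s"})


def alphabet_size(pw: str) -> int:
    """Size of the smallest standard character pool that covers the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # space plus the printable ASCII punctuation
    return size


def entropy_bits(pw: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet).
    Complexity that is only leet substitution is measured on the
    de-substituted string, so "P@ssw0rd" scores like "Password"."""
    if not pw:
        return 0.0
    plain = pw.translate(LEET)
    effective = plain if plain != pw and plain.isalpha() else pw
    return len(pw) * math.log2(alphabet_size(effective))


def assess(pw: str, known: frozenset = frozenset()) -> dict:
    """Apply the article's indicators: length, predictable complexity, reuse."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too short")
    if pw.translate(LEET) != pw and pw.translate(LEET).isalpha():
        findings.append("predictable substitutions")
    if pw in known:
        findings.append("reused")
    return {"length": len(pw), "bits": round(entropy_bits(pw), 1),
            "findings": findings, "verdict": "weak" if findings else "strong"}


if __name__ == "__main__":
    seen = frozenset({"Gmitdon"})  # constructed: a password already used elsewhere
    for pw in ["Gmitdon", "Gmitdon atssitsm ysmsa", "Gmitdon atssitsm (ysmsa)",
               "Camel beet Pokemon shell", "P@ssw0rd!"]:  # last one is constructed
        print(f"{pw!r}: {assess(pw, seen)}")
```

Run it to see the three stages of the mnemonic password scored side by side; the jump from 7 to 22 characters adds far more bits than the two parentheses do, which is the article’s point about length outweighing complexity.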
Password Management Tools
One of the ways you can more effectively keep track of your account credentials is with a password management tool. There are many tools on the market with different features, but in general a password manager helps you accomplish several things:
- Store your passwords
- Auto-generate strong passwords
- Share account credentials securely
A password manager acts as a vault. You use one set of credentials to log into it – typically your email address with a strong password like the one we made above – which allows you to access all the rest of your credentials.
Many password managers have browser extensions and mobile apps available as well, and they will auto-fill your credentials for you once you’ve logged into the app or extension.
If you want more information about password managers and how some of the most popular ones compare, check out our review of password managers.
Multi-Factor Authentication (MFA)
This part is less of an actual tip on how to create a strong password, but it is related to account security. One of the most effective ways to make a strong password even stronger is to implement an additional level of security called multi-factor authentication, or MFA.
MFA acts as a second layer of protection. With MFA, after you enter the correct username and password combination on an account, you are then texted or emailed a code. You must enter this code to gain access to the account.
There are also apps that generate codes for your accounts within the app. They may also allow you to approve the login in the app in lieu of entering a code.
This is often a feature offered within the account itself; if you open the privacy or security settings on the account, there is often an option to enable MFA. Depending on the account, your MFA options may be restricted, or it may allow text, email, phone call, or app-based MFA.
Whenever possible, we strongly encourage you to enable MFA on all of your accounts.
Healthcare Implications
Although it’s generally accepted that password strength and account security are important, it is arguably more so for healthcare practitioners.
Healthcare organizations keep some of people’s most sensitive records; in addition to the standard personal information, such as name, DOB, SSN, address, and payment methods, they also include extremely private health records and insurance information.
And this information is highly valuable to attackers.
By September of 2020, 9.7 million healthcare records had already been compromised. This trend only continued through the end of the year, and healthcare breaches are projected to triple in 2021.
The Moral of the Story
While account security and good password hygiene among healthcare practitioners are not a silver bullet against these attacks, they are measures that can significantly reduce the number of potential compromises.
An attacker will have a much harder time compromising a system if they are not able to access an easy pathway to attack, such as an unsecured employee account. Attackers tend to prefer easy targets, and they may move on if they can’t quickly gain access.
We hope passphrases, mnemonic passwords, password managers, and MFA help you create strong passwords and keep your accounts more secure. As always, if you need any help or have any questions, we are always happy to hear from you.