Corban Technology Solutions Journal
Passwords: Easy ways to prevent giving away the keys to your kingdom
Part 10 of our series on Privacy and Data Security Best Practices.
Everyone knows that the more complicated and unique a password is, the harder it is for hackers to discover it.
But passwords must also be unique. Otherwise, one compromised account can cascade into a nightmare of a long list of compromised accounts, perhaps including some very important ones: your clinic network or EMR, or your banking records.
So, how can you create passwords that are complex, truly unique, and yet easy to use? Here are two methods that can help.
1. Use a commercial password manager.
These applications have been available for years, but they are now considered to be a security industry best practice. The National Institute of Standards and Technology (NIST) actually encourages their use because in many cases they increase the likelihood that users will choose stronger memorized secrets.
Why is this the case? Because these systems are designed to generate unique, very complex passwords (at least 8, and ideally 12 to 16 or more, characters) and insert them into the account for you. Password managers therefore help ensure that the password you use for every account is strong and totally unique. Properly used, there’s no chance that part of a password has been reused on another account, which, if known to a hacker, could compromise both. That’s a common way multiple accounts are being hacked these days, and if the other account is a really important one, it could lead to the loss of very personal information. It's the last thing you would want to happen in your clinic.
Here is some practical advice when considering a password manager:
- Don’t use the password managers that are included as a feature in web browsers. These are generally not as secure as commercial ones, and if your desktop is hacked, the browser password file containing all of your other accounts may be targeted and downloaded.
- Let the password manager's built-in utility (make sure the one you choose has one) generate a very complex, unique password for each account you use with it. You will never need to remember the password yourself, so use as many random and special characters as your web-based account allows. It's a bit of overkill for most accounts, but we generally use 16 characters or more.
- Use an especially secure master password to power the insertion of all of those unique passwords you use through the password manager. Because it is so important, it makes sense to use 2-Factor authentication (2FA) as part of the authentication method. This is, of course, something you should be doing to protect all of your important accounts. In a recent review, PC Magazine listed ten password managers that support it.
- Set the password manager to never auto-fill your web browser, or the password manager app when you use it on a smartphone. The reason for this is that a “spoofed”, malicious website has been known to trick those auto-fill tools into giving up personal information and credentials from desktop browsers, and more recently from password manager apps on Android phones. Instead, manually initiate inserting the password at the time you want it done.
- Use only commercial products. Given the consequences if your account(s) are ever compromised, it is difficult to imagine why anyone would want to trust a free product for this. Base your choice on independent reviews to help determine which password manager is the best for you.
- Regardless of whether you use a password manager or not, always configure 2-Factor authentication (2FA), in addition to the complex password you use on the account. This greatly enhances the security of any web-based application that supports it.
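To show what a password manager's built-in generator is doing when it produces a 16-character password, here is an added example in Python (not code from Corban Technology Solutions or from any password manager). It draws characters with the operating system's cryptographic random source via the `secrets` module, guarantees at least one character from each class so the result passes typical site rules, and reports the upper bound on entropy that a uniformly random password of that length and alphabet can have. The symbol set is an assumption; trim it to whatever a given site accepts.

```python
import math
import secrets
import string

# Character classes the generator draws from. The symbol set is an assumption;
# restrict it if a site rejects some of these characters.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def generate_password(length: int = 16, classes=ALL_CLASSES) -> str:
    """Return a random password of `length` characters using the CSPRNG behind
    `secrets`, with at least one character from every class in `classes`."""
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    # One guaranteed character per class, then fill the remainder from the
    # union of all classes.
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so the guaranteed characters do not sit in
    # predictable positions (the first four slots).
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on the entropy of a uniformly random password:
    length * log2(alphabet_size). A 16-character password over the 95
    printable ASCII characters is bounded at about 105 bits."""
    return length * math.log2(alphabet_size)


def meets_policy(password: str, classes=ALL_CLASSES, min_length: int = 12) -> bool:
    """Check that a password is long enough and uses every class in `classes`,
    which is the kind of rule most web accounts enforce."""
    if len(password) < min_length:
        return False
    return all(any(c in cls for c in password) for cls in classes)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, meets_policy(pw), round(entropy_bits(16, len("".join(ALL_CLASSES))), 1))
```

Note that forcing one character from each class makes the output very slightly less than uniform over all strings of that length, so the `entropy_bits` figure is an upper bound rather than an exact value; the shuffle matters because without it an attacker who knew the generator would know which positions hold which class.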
2. For really important accounts, commit your password to memory.
There is always a possibility that the password manager itself might be compromised. Assuming that you use a strong master password and 2-factor authentication, the odds of this happening with one of the major commercial password managers are pretty small. However, you can mitigate the risk of this affecting high-value accounts by using a technique that creates very complex passwords that you alone will manage, outside of the password manager. Your clinic domain login, for example. Or your EMR account. And, of course, you will still need to remember the master password for your password manager to support all of those other accounts.
Here is a method to create a password that is easy to remember, but will still be very complex, and unique.
And, if you are clever about it, you can even write it down without it being obvious to a casual reader that it is actually a password.
Consider creating a password from a phrase.
- Instead of using a memorable word, choose a memorable event in your life and convert the sentence into a secret code.
- The code is created by simply using the first letter of each word. For example (but please don’t use it):
I opened my health care clinic over 10 years ago
- Combining the first letter of each word and the two numbers will result in the following 11-character, case-sensitive password: Iomhcco10ya
- Once done, you will never need to remember the password itself. Just think of the sentence, and type the first letter of each word. In this case, remember to use the number 10 rather than the letter "t" for "ten". While using only the letter "t" still results in a pretty strong password, according to one security test site that simple change strengthens the password by a factor of over 350, and it would take a typical desktop computer 253 thousand years to crack.
You can, in fact, make any sentence you can think of stronger by swapping out an alphabetic character with a number and/or special character. For example, for a different account, you could use the 10-word sentence:
Be the change you want to see in the world
and substitute a couple of characters, based on the first letter of the word, so that it becomes:
Be the change you want 2 $ee in the world
Typing in the first letter of each word is still very easy to do and remember: Btcyw2$itw
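The two transformations above (take the first character of each word, keep whole numbers, and swap selected words for a digit or symbol form based on their first letter) can be written down exactly, which is useful for checking that you and a colleague derive the same password from the same sentence and rules. The following is an added example in Python, not code from the journal; the word substitution table is an assumption chosen to reproduce the "Be the change" example, and the `character_classes` helper only reports which classes a password uses, it does not attempt the strength figures quoted above.

```python
import string

# Assumed substitution table: a whole word is replaced by a form whose first
# character is a digit or symbol, as the article does with "to" -> "2" and
# "see" -> "$ee". Extend it as you like; the choice is the user's secret.
DEFAULT_SUBSTITUTIONS = {
    "to": "2",
    "see": "$ee",
    "for": "4",
    "and": "&",
}


def substitute_words(phrase: str, table: dict = DEFAULT_SUBSTITUTIONS) -> str:
    """Replace whole words (case-insensitive) according to `table`,
    leaving every other word untouched."""
    return " ".join(table.get(word.lower(), word) for word in phrase.split())


def phrase_to_password(phrase: str) -> str:
    """Build the password from a sentence: each word contributes its first
    character (so "$ee" contributes "$"), except that a purely numeric word
    such as "10" is kept whole, matching the article's "Iomhcco10ya" example."""
    parts = []
    for word in phrase.split():
        if word.isdigit():
            parts.append(word)
        else:
            parts.append(word[0])
    return "".join(parts)


def character_classes(password: str) -> set:
    """Report which classes (lower, upper, digit, symbol) the password uses.
    More classes means a larger alphabet for an attacker to search."""
    classes = set()
    for c in password:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    # The article's own (do-not-use) sentences, reproduced to check the rules.
    first = "I opened my health care clinic over 10 years ago"
    second = substitute_words("Be the change you want to see in the world")
    print(phrase_to_password(first), sorted(character_classes(phrase_to_password(first))))
    print(second, "->", phrase_to_password(second))
```

Running it reproduces the article's two results, `Iomhcco10ya` and `Btcyw2$itw`, and shows that the first uses three character classes while the second uses all four. As the article says, do not use either sentence; the value of the method is in a sentence and a substitution rule that only you know.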
Once again, please don't use these examples. Now that they are published, someone might guess it!