Corban Technology Solutions Journal

Passwords: Easy ways to prevent giving away the keys to your kingdom

By Stan Shaw, Founder, CTS

Passwords

Everyone knows that the more complicated and unique a password is, the harder it is for hackers to discover it.

But passwords must also be unique. Otherwise, one compromised account can cascade into a long list of compromised accounts, possibly including some very important ones: your clinic network or EMR, perhaps, or your banking records.

So, how can you create passwords that are complex, truly unique, and yet easy to use? Here are two methods that can help.

1. Use a commercial password manager.

These applications have been available for years, but they are now considered to be a security industry best practice. The National Institute of Standards and Technology (NIST) actually encourages their use because in many cases they increase the likelihood that users will choose stronger memorized secrets.

Why is this the case? Because these systems are designed to generate unique, very complex passwords (at least 8, and ideally 12 to 16 or more characters) and insert them into the account for you. Password managers therefore help to ensure that the password for every account is strong and totally unique. Properly used, there is no chance that part of a password has been reused on another account, which, if known by a hacker, could compromise both. That is a common way that multiple accounts are being hacked these days, and if the other account is a really important one, it could lead to the loss of very personal information. It's the last thing you would want to happen in your clinic.

Here is some practical advice to consider when choosing and using a password manager:

  1. Don’t use the password managers that are included as a feature in web browsers. These are generally not as secure as commercial ones, and if your desktop is hacked, the attacker may target the browser's password file, which contains the credentials for all of your other accounts.
  2. Let the password manager generate a very complex, unique password for each account you use with it. You will never need to remember the password yourself, so use as many random and special characters as the application allows. It's a bit of overkill for most accounts, but we generally use 16 characters or more.
  3. Use an especially secure master password to protect all of those unique passwords you use through the password manager. Because it is so important, it makes sense to use 2-factor authentication (2FA) as part of the authentication method. This is, of course, something you should be doing to protect all of your important accounts. During a recent review, PC Magazine listed ten password managers that support it.
  4. Set the password manager to never auto-fill, whether in your web browser or when you use the password manager app on a smartphone. The reason for this is that a “spoofed”, malicious website has been known to trick those auto-fill tools into giving up personal information and credentials from desktop browsers and, more recently, from password manager apps on Android phones. Instead, manually initiate inserting the password at the time you want it done.
  5. Use only commercial products. Given the consequences if your account(s) are ever compromised, it is difficult to imagine why anyone would want to trust a free product for this. Base your choice on independent reviews to help determine which password manager is the best for you.

2. For really important accounts, commit your password to memory.

There is always a possibility that the password manager itself might be compromised. Assuming that you use a strong master password and 2-factor authentication, the odds of this happening with one of the major commercial password managers are pretty small. However, you can mitigate the risk of this affecting high-value accounts by using a technique that helps create very complex passwords that you alone will manage, outside of the password manager. Your clinic domain login, for example. Or your EMR account. And, of course, you will still need to remember the master password for your password manager, which protects all of those other accounts.

Here is a method to create a password that is easy to remember, but will still be very complex, and unique.

And, if you are clever about it, you can even write it down without it being obvious to a casual reader that it is actually a password.

Consider creating a password from a phrase.

  • Instead of using a memorable word, choose a memorable event in your life and convert the sentence into a secret code.
  • The code is created by simply using the first letter of each word. For example (but please don’t use it):

I opened my health care clinic over 10 years ago

  • Combining the first letter of each word and the two-digit number will result in the following 11-character, case-sensitive password: Iomhcco10ya
  • Once done, you will never need to remember the password itself. Just think of the sentence, but type in the first letter of each word. In this case, remember to use the number 10 rather than the letter "t" for "ten". While using only the letter "t" still results in a pretty strong password, according to one security test site that simple change strengthens the password by a factor of over 350, and it would take a typical desktop computer 253 thousand years to crack.

You can, in fact, make any sentence you can think of stronger by swapping out an alphabetic character for a number and/or special character. For example, for a different account, you could use the 10-word sentence:

Be the change you want to see in the world

and substitute a couple of characters, based on the first letter of the word, so that it becomes:

Be the change you want 2 $ee in the world

Typing in the first letter of each word is still very easy to do and remember: Btcyw2$itw

Once again, please don't use these examples. Now that they are published, someone might guess it!
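As an added illustration (not part of the original article), the following Python code applies the first-letter rule from the two sentences above and compares the brute-force search space of the two variants of the first password. The search-space model is a simple assumption: the alphabet is the union of the character classes actually present (upper, lower, digits, punctuation), raised to the password length.

```python
import string


def phrase_to_password(phrase: str) -> str:
    """Derive the mnemonic password described in the article.

    Each whitespace-separated word contributes its first character, except
    that a token made entirely of digits (such as "10") is kept whole.
    A substituted token such as "$ee" contributes its leading symbol "$".
    """
    parts = []
    for word in phrase.split():
        if word.isdigit():
            parts.append(word)       # "10" stays "10"
        else:
            parts.append(word[0])    # first character only, case preserved
    return "".join(parts)


def search_space(password: str) -> int:
    """Brute-force search space under the assumed model: alphabet ** length.

    The alphabet size is the sum of the character classes present, so a
    password that mixes in a digit or symbol forces the attacker to try a
    larger alphabet at every position, not just at the changed one.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size ** len(password)


def strength_gain(weaker: str, stronger: str) -> float:
    """How many times larger the search space of `stronger` is than `weaker`."""
    return search_space(stronger) / search_space(weaker)


if __name__ == "__main__":
    # Phrases are the article's own examples (do not use them as real passwords).
    with_digit = phrase_to_password("I opened my health care clinic over 10 years ago")
    with_letter = phrase_to_password("I opened my health care clinic over ten years ago")
    print(with_digit, with_letter, round(strength_gain(with_letter, with_digit)))
    print(phrase_to_password("Be the change you want 2 $ee in the world"))
```

Under this model, writing "10" instead of "t" grows the search space by a factor of roughly 360, which matches the "over 350" figure the article quotes.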

There are many ways you can create strong, complex passwords. Here's another method which may appeal to some. It's published as a technical bulletin through the Doctors Technology Office at Doctors of BC.


Advantages of a password manager combined with a robust memory method

1. Committing to memory only a handful of critically important passwords, and using a password manager for all of your other accounts, is one way to help prevent your memorized passwords from falling into the trap of being predictable.

2. The memory method presented here makes it less likely that you will be using a “human algorithm” as a memory aid. Just make sure that you use a completely different phrase for each account. If you use a password manager for the majority of your on-line accounts, this should not be too difficult.

3. Both the master password of the password manager and the few accounts you are protecting outside of it can be as easy to remember as the meaningful sentence that you choose. And if you happen to use a pass phrase that is philosophical or inspirational in nature, it can be a nice way to start the day.

Summary

Your overall goal, and one that could save you from considerable grief in the future, should be to ensure that all of your accounts are safely secured using strong passwords.

For passwords to be strong, they should be long, complicated, and unpredictable.

Properly configured password managers are now considered to be a security industry best practice for protecting accounts with strong passwords.

You can create strong master passwords for your password manager, as well as for the accounts you wish to commit to memory, through relatively simple memory aids such as a pass phrase. The technique presented here works by simply typing in the first character of each word as you think of the words in the sentence. This makes it easy to remember the correct combination of what would otherwise appear to be a complex set of random characters.

Use 2-factor authentication wherever possible. We will publish an article soon that describes this in more detail.

While there is no guarantee that these suggestions will prevent an attacker from learning your password, techniques like these will make it much more difficult for them to do so.

If you need assistance, contact us.

Posted in Best Practices