by adgrooms on June 3, 2019

With the digital transformation of healthcare, everyone is using more software systems and apps, each one requiring a secure password. A password is supposed to be long, complex, and never reused. Creating and remembering many passwords that meet those guidelines can be a challenge. Password management software can help generate and store complex passwords and is more secure than other methods like - writing down passwords or reusing a handful of secure passwords. A Pew Research Center report found that most people memorize passwords and relatively few are using password managers. The reasons for this are unclear. Let's look at whether mistrust in password managers is a well-founded reason.

To get into a password management system you are usually required to have a master password. Password managers have very good encryption and cryptography to keep out hackers trying to crack the system, but if a hacker gets a hold of the master password, then they have access to ALL of the user's passwords. With a password manager, it is important to choose a very secure master password.

One vulnerability is the ability to retrieve your master password if it is forgotten. This allows for hints to help remember the master password, or even a password reset email to be sent to the user. This makes it easier for a hacker to obtain the master password, especially if they already have access to the user's email. A secure password management system should have no retrieval available, and the master password should be complex, but memorable.

Another potential vulnerability is if a malicious person has access to a target device, they could install a keylogger to capture a master password, as it is entered. A good prevention method is to make sure the password manager has two-factor authentication. This requires a code generated and sent to a second device to be entered for access.

The HIPAA Password policy does not mention specifically password management software, but the majority of experts believe that use of a password manager is the best way of achieving compliance. Nothing is 100% safe, but if properly used, a password manager can be an effective way to combat medical data thieves.