by adgrooms on June 18, 2019

Encouraging and enforcing secure passwords is an ongoing challenge for any organization. In healthcare, patient data is a valuable target. The easiest, cheapest, and lowest-risk hack is to guess a password. It happened to Mark Zuckerberg in 2016. There is no easy, perfect answer. So what can help?

Brute force attacks are a common form of password attack: an automated program tries every possible combination of characters until one works. Rather than starting with random characters, it is often faster to begin with common passwords and dictionary words, and attackers draw on resources such as lists of compromised passwords and common words. The longer and more random-looking a password is, the harder it is for a password cracking program to hit the right combination. Including numbers and special characters expands the number of combinations further and so increases the difficulty of guessing by brute force.

These attacks succeed because most passwords are short, easy to guess, or both. A password needs to be personal and meaningful to the user, yet difficult for anyone else to guess. The usual approach is to pick a combination of significant names and dates. There is a simple trick that builds on the psychology of password selection. To help users create a password that is easier to remember but harder to guess, share this method and make it fun. First, choose a long phrase that is meaningful to you: song lyrics, a line from a movie, or a favorite poem. Next, use the first character (or two or three) of each word in the phrase. For example "When you eat pickles, don't get your hand caught inside the jar", but don't use that, that one's mine ;-) Finally, decide on a character substitution that is easy for you to remember. Common substitutions, like the number zero for the letter 'O', are already on the lists hackers try. You can foil this by making your own meaningful substitution, for example: substitute the number zero for the letter 'Z', because they both start with 'Z'.
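As an added illustration that is not part of the original post, the phrase-to-password method above, alongside the size of the search space a brute-force program faces as described earlier. The common-password list and the substitution map are constructed for the example.

```python
import math
import string

# Constructed stand-in for the breached/common password lists a guessing
# program tries before falling back to every combination of characters.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def mnemonic_password(phrase, substitutions=None, chars_per_word=1):
    """Turn a memorable phrase into a password using the post's method:
    keep the first `chars_per_word` letters of each word, then apply the
    user's own character substitutions (e.g. {'z': '0'})."""
    substitutions = substitutions or {}
    words = (w.strip(string.punctuation) for w in phrase.split())
    raw = "".join(w[:chars_per_word] for w in words if w)
    return "".join(substitutions.get(c, c) for c in raw)


def charset_size(password):
    """Size of the alphabet a brute-force program must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_guesses(password):
    """Worst case: every combination of this length over this alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """Same quantity in bits; more length and a wider alphabet both raise it."""
    return len(password) * math.log2(charset_size(password))


def is_common(password):
    """Would the password fall at the 'try common passwords first' stage?"""
    return password.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    pw = mnemonic_password("When you eat pickles, don't get your hand caught inside the jar")
    print(pw, f"{entropy_bits(pw):.1f} bits", "common" if is_common(pw) else "not common")
```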

Using the same password for different accounts is unsafe. Did you read that linked article about Zuckerberg? Oh yes, it does happen. The above method helps users create a better variety of memorable passwords, but if you have a lot of passwords to remember, a password manager can help. All passwords are stored securely; you only have to create and remember one really, really good (and memorable) master password.

One last thing that helps: The National Institute of Standards and Technology recommends ending policies that require changing your password every month. Requiring scheduled password changes leads to less secure passwords. Users' response has been to change one character of a base password, keeping it easy to remember while meeting the bare minimum of the change requirement. Bad actors know that this is a common practice. If a compromised password is replaced with a near-identical one, the attacker has an easy target for regaining access.

The best way to combat hackers is awareness and education. Understanding user friction and creating smoother and more fun solutions eases the burden for the security team and everyone else.