Mar 01, 2019 06:00AM
By MED Magazine
By Alex Strauss
Most of us think we know what makes a strong password, even if we don’t always follow that wisdom. To protect themselves, companies often establish minimum password requirements for employees, typically rules such as: the password must have at least 8 characters, upper- and lowercase letters, at least one number and one special character.
But James Maguire, Senior Security Engineer with High Point Networks, says passwords like that are no longer good enough to keep the bad guys out. Maguire does penetration testing - ethical hacking - to expose organizational vulnerabilities. He says passwords are often one of the weakest points.
“We now have much more powerful hardware to crack passwords like that,” says Maguire. “Also, when you enforce those kinds of traditional password rules on users, people tend to create passwords that are pretty easy to guess like ‘Winter2019!’, especially if you require them to change the password every 90 days, which falls into a seasonal rotation.”
How can a busy medical practice help ensure that its data is protected? Maguire has several suggestions.
The first is to replace passwords with passphrases. A phrase longer than 16 characters can still be easy to remember but much, much harder to crack.
“My dog’s name is Frank. So I might use a phrase like ‘Walk Frank twice a day!’ in which case the spaces count as special characters,” says Maguire. Maguire says a passphrase that strong does not have to be changed every 90 days, which is also easier on users.
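Maguire’s point about complexity rules versus length can be checked directly. The script below is an added example written for this article, not code from Maguire or High Point Networks; the legacy rule is the one described above, while the seasonal-pattern definition, the assumed size of that pattern space and the guessing rate are assumptions labelled in the comments.

```python
import math
import re
import string

SPECIALS = string.punctuation + " "   # the article counts spaces as special characters

# Legacy rule from the article: at least 8 characters, upper, lower, a digit and a special.
def meets_legacy_policy(pw: str) -> bool:
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))

# Seasonal-rotation shape Maguire describes ("Winter2019!"): season + year + optional symbol.
# This pattern definition is an assumption for the example, not from the article.
SEASONAL = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[!@#$%^&*.?]?$", re.I)

def brute_force_bits(pw: str) -> float:
    """Keyspace bits if an attacker only knows which character classes appear."""
    alphabet = 0
    if any(c.islower() for c in pw): alphabet += 26
    if any(c.isupper() for c in pw): alphabet += 26
    if any(c.isdigit() for c in pw): alphabet += 10
    if any(c in SPECIALS for c in pw): alphabet += len(SPECIALS)
    return len(pw) * math.log2(alphabet)

def effective_bits(pw: str) -> float:
    """Bits once the attacker targets the seasonal pattern: assumed 5 seasons x 30 years x 10 suffixes."""
    if SEASONAL.match(pw):
        return math.log2(5 * 30 * 10)
    return brute_force_bits(pw)

def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate; 1e10 guesses/s is an assumed cracking-rig rate."""
    return 2 ** bits / guesses_per_second

def meets_passphrase_policy(pw: str) -> bool:
    """Length-first rule from the article: longer than 16 characters and not a seasonal pattern."""
    return len(pw) > 16 and SEASONAL.match(pw) is None

if __name__ == "__main__":
    for pw in ("Winter2019!", "Walk Frank twice a day!"):
        print(f"{pw!r}: legacy={meets_legacy_policy(pw)} passphrase={meets_passphrase_policy(pw)} "
              f"naive={brute_force_bits(pw):.0f} bits effective={effective_bits(pw):.0f} bits "
              f"exhaust={seconds_to_exhaust(effective_bits(pw)):.3g}s")
```

‘Winter2019!’ passes the legacy rule yet collapses to roughly 10 bits once its pattern is known, while the passphrase fails the legacy rule (no digit) but offers well over 100 bits against a class-based search.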
Another suggestion is to use MFA, or Multifactor Authentication. This is a second layer of security such as a PIN delivered by text message, or a cell phone app which sends a push notification when you try to log in. MFA means that, even if a hacker can get at the username and password, they cannot access files without jumping through that second hoop. Maguire suggests always using MFA for banking and shopping sites and for personal email.
A password manager can help solve the problem of creating and remembering multiple passwords by storing them for you. While Maguire says this is better than using predictable passwords or using the same password everywhere, it still means you are putting a lot of trust in a single system. If you go this route, Maguire recommends a system that supports MFA and allows you to use a passphrase to access it.
Finally, if you are concerned that your password (or those of others in your organization) may have been breached somewhere along the line, a website that collects and aggregates data breaches may be able to tell you. At ‘HaveIBeenPwned.com’, it is possible to search for compromised accounts by domain, showing whether anyone in your organization has been part of a breach.
“I used that site to find out that I was in the LinkedIn data breach,” says Maguire, who admits to having been lazy with his own passwords in the past. “That really set me off because I used the same password for everything. I completely changed how I was protecting myself.”
Advice from Jamie Maguire: Common password managers you might consider are LastPass, 1Password or KeePass. All are available in free and paid subscription versions.