Most people have a basic level of familiarity with suggested password best practices, even if that’s limited to “needs 1 uppercase letter, 1 lowercase letter, 1 number, and one of the following special characters…”. Or maybe you’ve heard you should avoid using common words, as that leaves you far more vulnerable to a dictionary attack, even if you’re replacing characters here and there à la 1337. You’ve probably heard of incidents involving celebrities and others who were “hacked” through the discovery of their passwords, because they reused the same password on multiple services. Either way, you can probably still be doing more when it comes to password security and protecting access to your accounts, services, and data. Still, everyone has heard what is probably the most repeated rule: “Do not leave passwords in plain sight.”
What Not to Do
The accompanying picture is a good example of what you’re not supposed to do. Writing your password or other access code out and sticking it under your keyboard, on the front of your monitor, or tacked to a wall is a familiar image that we should all get less familiar with. Much like writing your PIN on your debit card, a clearly visible password is open to anyone passing by, or worse, to the whole world. An account password of a UK politician was publicized via a tweet, and a French TV network unwittingly exposed social media account information during an interview. In fact, the pictured location here is committing two password sins with these bathroom codes: visible passwords, and password reuse.
How to Fix it
Good password security doesn’t have to be difficult. Avoiding password reuse is a big change that is easily implemented. Other recommended tips are also fairly easy to adopt. Instead of a short password consisting of just a word or two, like TrustNo1, try turning passwords into passphrases, which are longer but easier to remember.
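To show why a randomly chosen passphrase beats a short password like TrustNo1, here is an added example (written for this edit, not code from the original post). The 16-word list is a constructed stand-in for a real wordlist such as a 7776-word diceware list; it is kept tiny on purpose so the numbers show that wordlist size matters as much as word count.

```python
import math
import secrets

# Constructed 16-word stand-in for a real wordlist (a diceware list has 7776 words);
# deliberately tiny so the entropy numbers below show why wordlist size matters.
SAMPLE_WORDS = [
    "apple", "bridge", "cactus", "dolphin", "ember", "falcon", "glacier", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
]

# Size of the pool a human-style password like "TrustNo1" draws from: A-Z, a-z, 0-9.
ALNUM_POOL = 62


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `pool_size` symbols.

    This is an upper bound: it assumes every symbol was picked at random. A dictionary
    word with leetspeak substitutions ("TrustNo1") sits far below it, because an
    attacker guesses those patterns first.
    """
    if pool_size < 2 or length < 1:
        raise ValueError("pool must have at least two symbols and length at least one")
    return length * math.log2(pool_size)


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Join `count` words picked with the CSPRNG in `secrets` (never the `random` module)."""
    if count < 1 or len(set(words)) < 2:
        raise ValueError("need at least one word from a list of at least two distinct words")
    return sep.join(secrets.choice(words) for _ in range(count))


def strength_report(wordlist_size: int, count: int = 6) -> dict:
    """Compare a `count`-word passphrase with an 8-character random alphanumeric password."""
    return {
        "passphrase_bits": round(entropy_bits(wordlist_size, count), 1),
        "password8_bits": round(entropy_bits(ALNUM_POOL, 8), 1),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("16-word list, 6 words:", strength_report(len(SAMPLE_WORDS)))
    print("7776-word diceware list, 6 words:", strength_report(7776))
```

Six words from the tiny list give only 24 bits, below an 8-character random password (about 47.6 bits), while six words from a 7776-word list give about 77.5 bits, which is why the list must be large and the words must be drawn at random rather than chosen by hand.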
Another change, and one that can eliminate password sticky notes altogether, is adopting a password manager.
The digital version of sticky notes and password journals, password managers take the burden of remembering off the user. A password manager stores your existing endless collection of passwords and, going forward, requires you to remember only one. Because it is a master key, that one password should be incredibly secure, as it protects all your accounts and related data. There are many password managers to choose from now, boasting a wide set of features. From local or cloud storage, to availability on multiple devices, to encrypted backups, password managers can be affordable at any scale.
Following good password practices is also a HIPAA requirement. According to HIPAA specification § 164.308(a)(5)(ii)(D), proper password management includes “procedures for creating, changing, and safeguarding passwords.” Creating and safeguarding passwords are often the most difficult elements to implement properly, as these rely largely on employee common sense. Because of this, staff training is the best way to spread knowledge of best practices when it comes to passwords.
Good password security doesn’t have to be difficult, and usually just asks for a certain amount of common sense. More and more tools are available that can help create secure passwords and keep them secure day in and day out.