What is the best way to select secure passwords?
HIPAA Weekly Advisor, June 28, 2002
Q: HIPAA suggests using passwords to ensure secure access to computers. What is the best way to select secure passwords?
A: Health care organizations use passwords to control access to computer networks and applications and will continue to use them well into the future. Even with the introduction of two-factor authentication schemes for safer remote access, one of those factors is usually a secret password or personal identification number (PIN).
Passwords are a fairly "low tech" solution, but they can provide effective protection. So it's very important that employees learn how to choose "good" passwords that are not easy to guess or to crack by comparing them to a dictionary, for example.
Here are some password rules to follow:
1. Always use a combination of letters and numbers. This means passwords won't ever be real words, and they won't be an obvious number string such as 123456 or a birth date.
2. Never choose your user ID (log-on, sign-on) as your password. Even if it has both numbers and letters, it isn't secret and it's one of the first things a hacker will try.
3. Select a mixture of both upper case and lower case letters if your system can distinguish between them. This expands the number of possible combinations that could make up your password, making it harder to guess or crack.
4. Include special characters if your system permits them. This, too, expands the possibilities.
5. Use a minimum of six or seven alphanumeric characters. The optimal minimum lengths vary by system, but most security experts recommend a length of at least six or seven.
6. Change passwords periodically, but not too often. Strong passwords should "last" longer. Forcing frequent changes can actually make security worse because users are more likely to keep passwords written down.
So how do you follow the rules and still remember your complicated password without writing it down? Here's a common approach:
Pick a subject you're interested in, such as books, movies, sports, birds, or country music. Think of a related title or phrase. Select the first letter of each of the first four or more words. Insert two or more numbers and/or special characters. Now you have a good password that appears meaningless to everyone but you. For example, if your subject is nursery rhymes, "Little Jack Horner sat in a corner" becomes, with a few numbers inserted, L2Jh4s.
Create your own secret scheme for inserting numbers and special characters, and for using upper versus lower case letters. Don't tell anyone what your chosen subject is or how you construct your passwords. But do write down your new password as you are constructing it. The visual reinforcement is an important memory tool. Then destroy that piece of paper!
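As an added example (not part of the answer above or of HIPAA Weekly Advisor), the following Python script checks a candidate password against rules 1 to 5 of the answer and shows the "Little Jack Horner" first-letter step; rule 6 (periodic change) is a lifecycle rule and cannot be judged from the string alone. The user ID `jhorner`, the six-character minimum (the lower end of the answer's "six or seven") and the decision to reject a password that merely contains the user ID are assumptions.

```python
import string

MIN_LENGTH = 6  # assumption: lower end of the answer's "six or seven"

def mnemonic_base(phrase, n_words=4):
    """First letter of each of the first n_words words of a phrase:
    the step before numbers and special characters are inserted."""
    words = phrase.split()
    if len(words) < n_words:
        raise ValueError("phrase needs at least %d words" % n_words)
    return "".join(w[0] for w in words[:n_words])

def check_password(password, user_id, case_sensitive=True, allows_special=True,
                   min_length=MIN_LENGTH):
    """Return the names of the rules the password violates (empty list = passes)."""
    violations = []
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    # Rule 1: letters and numbers together, so never a bare word or number string.
    if not (has_letter and has_digit):
        violations.append("letters and numbers")
    # Rule 2: not the user ID. Assumption: also reject a password that merely
    # contains the user ID, compared case-insensitively.
    if user_id and user_id.lower() in password.lower():
        violations.append("user id")
    # Rule 3: mixed case, only where the system distinguishes case.
    if case_sensitive and not (any(c.isupper() for c in password)
                               and any(c.islower() for c in password)):
        violations.append("mixed case")
    # Rule 4: special characters, only where the system permits them.
    if allows_special and not any(c in string.punctuation for c in password):
        violations.append("special characters")
    # Rule 5: minimum length.
    if len(password) < min_length:
        violations.append("minimum length")
    return violations

if __name__ == "__main__":
    base = mnemonic_base("Little Jack Horner sat in a corner")  # 'LJHs'
    # Constructed candidates: the bare mnemonic, the answer's example,
    # the example with a special character added, and an obvious number string.
    for candidate in (base, "L2Jh4s", "L2Jh4s!", "123456"):
        print(candidate, check_password(candidate, user_id="jhorner") or "ok")
```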
Editor's note: Answered by Kate Borten, CISSP, president of The Marblehead Group, Inc., a national security and privacy consulting firm in Marblehead, MA. If you have a question for her, send an e-mail to "HIPAA Weekly Advisor" editor Brian Driscoll at bdriscoll@hcpro.com.
Excerpted from the upcoming June 2002 issue of Briefings on HIPAA.