IntegriNet Solutions Inc
Why you must have strong passwords

I know of a medical office where the staff is unhappy. The reason is that the new HIPAA regulations are requiring unique usernames and strong passwords for their computer systems. Before the office implemented the requirements of the Health Insurance Portability and Accountability Act, all the nurses logged on as NURSE. And they all used the same password, which never expired. It was very convenient – but not very secure.

It seemed at first to many health care providers that the HIPAA requirements, with respect to their computer systems, were onerous. However, most of them simply mandate the same procedures that every business should be using – especially with respect to usernames, passwords, expiration dates and lockouts.

In most secure computing environments, logging on requires at least two steps. First you enter your username. This identifies you to the system, and gives you the appropriate set of rights and permissions – no more, and no less. Second, you enter your password, which proves that you are the user you said you were.

Remarkably, the administrators of many computer networks do not require user passwords. Clearly, such networks are a hacker’s dream. However, many of the networks where passwords are required are nonetheless highly vulnerable to hackers. The reason is that not all passwords are created equal.

Many programs exist that can be used to crack users’ passwords. And most users make it easy for these programs and the hackers who use them by choosing a common word or name as their password. For that reason, password-cracking programs typically start by working through a library of words and names, and they try the most common ones first.

In trials on several networks in our area, one such program that is freely available on the Internet was able to crack 80 percent of a network’s user names and passwords within 15 minutes. Within 24 hours, it usually had all of them.

The conclusion is that many organizations should take their password policy more seriously. If they don’t already do so, every user should be required to come up with a password, and it would be a good idea to teach them how to choose a strong password. This is especially important for users who have broad access to the files on the network, such as the administrator.

My first tip is this: the longer the password, the better. It should be at least six characters long, and eight characters are better. It should also be a complicated set of upper and lower case letters, numbers, and punctuation marks.

Many users are afraid of such passwords because they fear they will forget them. Indeed, if a password is so complicated that the user has to write it down somewhere to remember it, much of the benefit is lost. I remember going to a bank once where an employee had a strange word on a note stuck to her monitor. I asked her what that was, and she told me it was her password.

However, a password can be both complicated and easy to remember. For example, you might take the initials of your children and the order they were born in, throwing an ampersand between each: m1&j2&s3.

Or, you might use a word or name, but substitute some other character for some of the letters: a zero for an “O”, or a $ for an S, a “one” for an L, a 5 for an S, etc. Then enclose the word with some punctuation. Using this method, the common word “houses” could become the decent password: (H0u$e5).
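The following checker turns the two tips above (the length and character-mix rule, and the substitute-and-enclose recipe) into a small policy test that an administrator could run over proposed passwords. It is an added example written for this page, not code from IntegriNet Solutions. The word list is a constructed stand-in for the "library of words and names" a cracker tries first, the "at least three of the four character classes" threshold for the minimum policy is my own assumption (the article only says the mix should be complicated), and the function names are mine.

```python
import string

# Constructed sample word list standing in for the library of common words
# and names that cracking programs try first. Hypothetical, not a real list.
COMMON_WORDS = {"nurse", "password", "houses", "admin", "welcome", "letmein"}

MIN_LENGTH = 6    # the article's floor: "at least six characters"
GOOD_LENGTH = 8   # the article's recommendation: "eight characters are better"


def character_classes(pw: str) -> set:
    """Return which of the four classes (upper, lower, digit, punct) appear."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def check_password(pw: str) -> dict:
    """Evaluate a candidate against the article's rules.

    'ok'      : meets the minimum policy (not a common word, >= 6 chars,
                at least three character classes -- threshold assumed).
    'strong'  : also >= 8 chars and uses all four classes.
    'problems': human-readable reasons for failing the minimum policy.
    """
    problems = []
    # A common word or name is the first thing a cracking program tries.
    if pw.lower() in COMMON_WORDS:
        problems.append("is a common word or name")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(pw)
    if len(classes) < 3:
        problems.append("uses fewer than three of: upper, lower, digits, punctuation")
    ok = not problems
    strong = ok and len(pw) >= GOOD_LENGTH and len(classes) == 4
    return {"ok": ok, "strong": strong, "problems": problems}


def substitute(word: str, wrap: str = "()") -> str:
    """Build a password the way the article describes: capitalise the first
    letter, swap look-alike characters for some letters (0 for O, 1 for L,
    $ or 5 alternately for S), then enclose the result in punctuation.
    substitute("houses") reproduces the article's example "(H0u$e5)".
    """
    table = {"o": "0", "l": "1"}
    s_alternatives = ["$", "5"]   # alternate so repeated S's differ
    out = []
    s_count = 0
    for i, ch in enumerate(word.lower()):
        if i == 0:
            out.append(ch.upper())
        elif ch == "s":
            out.append(s_alternatives[s_count % 2])
            s_count += 1
        else:
            out.append(table.get(ch, ch))
    return wrap[0] + "".join(out) + wrap[1]


if __name__ == "__main__":
    # Constructed candidates: the shared NURSE login from the opening story,
    # the children's-initials password, and the substituted "houses".
    for candidate in ["nurse", "m1&j2&s3", substitute("houses")]:
        verdict = check_password(candidate)
        print(f"{candidate!r:12} ok={verdict['ok']} strong={verdict['strong']} "
              f"{'; '.join(verdict['problems'])}")
```

Run as a script it prints one verdict per candidate; "nurse" fails on all three counts, "m1&j2&s3" passes the minimum policy with three classes, and "(H0u$e5)" meets the recommended policy with eight characters drawn from all four classes.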

Sophisticated passwords join the list of inconveniences that are required of us as a result of dishonest people who would do harm to us, our organizations and our computer systems. Like backups, data redundancy, antivirus protection and firewalls, they have become an essential element of protecting ourselves.