In our modern culture, everything is optimized for convenience and efficiency. We mindlessly shop online, use social media, and subscribe to services, and we do not see the battle raging to systematically undermine our security. We do not lift a finger to take personal responsibility for the technology we leverage, yet we navigate the internet with a wide array of vulnerabilities. Just ask a friend or family member who has been a victim of identity fraud; they will tell you…
It’s no wonder we don’t put much thought into the plethora of passwords we’re asked to create almost on a weekly basis. The average consumer has 50+ accounts, with 50% of passwords being the same in structure and sequence. We judge some passwords to be important and others to be merely “garbage” passwords, because they protect “unimportant” things, but our choice in creating these passwords is of the utmost importance, especially if we’re in charge of protecting the identity of other people. This also raises the question: Do we even know what a good password is?
Don’t feel you’re up to snuff for password security? You’re not alone.
Consider these common password habits, and why to avoid them, as you navigate through our digital world:
Using the same password for everything. It’s all too common a practice to keep reusing the same password for multiple websites and applications. This is understandable, as it’s hard to remember all the places that need credentials, and it seems to make sense to use the go-to password you’ve used for the past 15 years. Consider this: an email address and password harvested from the poorly written “Fad of the Month” website can then easily be tried against your bank account.
Telling others your password. We are often too forthcoming with others about our passwords. We think it’s safe, but in doing so, we’re diluting all our security mechanisms in the process. This point is compounded when we practice the previous point and tell others that we use this password for everything. What’s worse than telling others your password? Sending your password through email.
Not changing your passwords. At best we may change our passwords once every few years. We get so accustomed to our passwords that we attach a false sense of security to them because we’re sure we won’t forget them. We mistake our familiarity with a password for the protection it may offer. We forget that the older the password, the sooner the eventuality of it being cracked, or the fact that as you read this document, there have been over 5,000 attempts to break into our servers alone. Passwords need to be changed at least every six months to better your chances of security. This is also a HIPAA requirement.
Using personal information in your password. Don’t use your dog’s name, your birthday, your street address, the current year (you name it) as part of your password. It’s easy to rationalize it this way: “Who would know my dog’s name is Max?” Unfortunately, this forgets that the threat comes predominantly from those not close to us, that humans like to use pet names in their passwords, and that the most popular dog name is currently “Max”. Passwords need to be strong, random and unique.
Re-using the same password when forced to change it. Some systems require changing your passwords regularly, but many don’t check if you use the same password over again, which defeats the purpose of changing the password in the first place.
Using weak passwords. Passwords like “password”, “123456” or “none” are still used in the wild. Some systems are less rigid about security, and they allow passwords which are not secure enough. It’s best to stay away from solutions which allow poor passwords, but if you must use them, you almost always have the option to use a stronger password than required. Just as weak are passwords with common patterns like “Billy1234” or “Runner2016”. They are dangerous because they use dictionary words, which are remarkably easy to guess. They also promote lazy thinking when they need to be changed, because it’s too easy to just increment the number: “Billy1235” or “Runner2018”.
Writing your passwords down. This practice is all too common, but how risky it is depends on what you do with the note afterward. If you’re going to keep it, lock it up in a safe place (even an actual safe). If you’re going to destroy it, shred or burn it. Treat written passwords the same way as credit card numbers. How many people have sticky notes with passwords stuck onto the walls of their cubicles? So, what’s worse than this? Putting passwords on an electronic device like a smartphone, or putting them in emails they send to themselves.
Using hackster text codes or repeated patterns for passwords. We think passwords like “Y0uC4NT6u3Sz”, “j0s3p4_r0ckz” or “Go.For.It.17!” are cute, witty and creative. You may just as well use “Youcantguess” or “joseph_rocks”, etc., because they equate to the same thing. The insidious part of using these sorts of patterns is that they often pass password strength requirements, so we think we’re safe. Although password checkers are getting slightly better by insisting on special characters, we often add them to the end, and by far the most commonly used special character at the end is “!”.
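The points above about weak passwords, look-alike characters and incremented numbers on forced changes can be checked mechanically. The following is an added example, not Patient Protect's code: the function names, the substitution table and the tiny wordlist are assumptions made for illustration, and “P4ssw0rd!” in the comments is a constructed sample.

```python
from __future__ import annotations
import re

# Common look-alike substitutions; an assumed, deliberately small table.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample wordlist; a real check would load a large list of
# common and previously exposed passwords.
COMMON_WORDS = {"password", "billy", "runner", "max", "none"}


def skeleton(password: str) -> str:
    """Reduce a password to the base word it is built on."""
    base = re.sub(r"[^A-Za-z]+$", "", password)  # drop trailing digits and "!"
    base = base.lower().translate(LEET)          # "P4ssw0rd" -> "password"
    return re.sub(r"[^a-z]", "", base)           # drop separators such as "." or "_"


def review(new: str, previous: list[str]) -> list[str]:
    """Return the reasons a proposed password should be rejected."""
    problems = []
    core = skeleton(new)
    if not core:
        problems.append("only digits or symbols")
    elif core in COMMON_WORDS:
        problems.append(f"built on common word '{core}'")
    if new in previous:
        problems.append("identical to a previous password")
    elif core and any(core == skeleton(old) for old in previous):
        # "Billy1234" -> "Billy1235": only the decoration changed.
        problems.append("same base as a previous password")
    return problems
```

A system would keep only salted hashes of previous passwords, so the same-base comparison is practical only at change time, when the user supplies the old password alongside the new one.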
What about using the browser to save your password? That depends... This feature was added to browsers to encourage people to use stronger passwords for websites, which the browser could securely store. This potentially increases website security from the marauding masses, but shifts the vulnerability to those in your electronic kinesphere. An improvement, definitely. Essentially, you’re borrowing the security of your device login for a website login. If you log in to gain access to your device, and it logs you off after inactivity, or you’re diligent about locking your screen every time you leave, this may only be slightly more secure, depending on your environment and habits. The thing to remember is this… Website passwords which are securely saved by the browser are a trivial matter to inspect if you know how. For instance, the main Google login page takes less than 10 seconds to expose the saved password.
There is one account password that must always be as secure as humanly possible, and that is your email password. A compromised email account has grave consequences, because many websites depend on your email to confirm who you are.
The fact is, whether you are ever aware of it or not, one or more of your passwords has probably been compromised. Even if this has had no tangible impact, by being sloppy you (or the website engineer) have helped build a profile about you, which surely contains your name, e-mail address, and your favorite pattern of making passwords. So, it’s clear there is no such thing as a “garbage” password, because such passwords can expose your core habits of creating passwords for things you care about dearly. You must strive to break the mold of how you curate and manage your passwords. This may be cumbersome, but security is the reciprocal of convenience.
At Patient Protect, we’re serious about security, and urge users to take control over their own security! Patient Protect is a leading HIPAA solution that helps doctors and patients stay safe in our fragmented world. Want to learn more? Download our free HIPAA compliance guide, and find out how Patient Protect can help secure patient records and help your office reach compliance!