Many people use a “set it and forget it” approach to passwords. Others create passwords that are easy to remember and thus vulnerable to data thieves. Passwords are a first line of defense against data breaches, which continue to increase year after year. In 2017, for example, data breaches rose by an astonishing 44.7 percent compared to the year before.
If you store medical records or other information, you have an obligation to protect it. Creating strong passwords is a first step in ensuring your data — and that of your clients — is secure. Here are five best practices to consider for your internal password protocols.
Avoid Common Choices
It may sound obvious, but you shouldn’t use 12345 (or any other runs of sequential numbers) to safeguard your accounts. In fact, you should avoid any of the common passwords, as they are incredibly easy for hackers to guess.
Some passwords are so common, in fact, that data security experts keep lists of the top offenders. For example, in 2016 the most common passwords included:
- password (yes, really)
When you rely on common passwords, you make your data a sitting target for identity thieves and hackers. And if you handle others’ sensitive information, such as medical records, failing to protect this type of data can actually make you vulnerable to fines under state and federal privacy laws.
Additionally, you should stay away from any words or dates that hold a personal significance. For example, birthdates and anniversaries should be off limits, along with pets’ and children’s names.
Also avoid things like the name of your hometown, your favorite teacher’s name and your high school mascot. While these things may seem like information only you would know, cyber thieves can easily gather this type of data from the internet.
Longer Is Better
Security experts recommend using passwords that are both long and filled with a mix of numbers and letters as well as upper and lower case letters. In the contest between long and complex, however, data security experts say length is the clear winner. The reason is that longer passwords are more difficult for cyber criminals to crack in a brute force attack — a type of hack in which cyber thieves use software that generates thousands of password guesses and bombards a system with them, hoping for a lucky guess.
In fact, even a relatively simple yet long password is generally more secure than a shorter, more complex one. For example, ThisIsMyPasswrd is harder to crack than C0mpl3x! because it’s longer (and it’s missing an “o”).
Of course, this doesn’t mean you should use a password that simply drops a single letter. Rather, these examples show that longer passwords are often much more difficult to hack than a shorter password that looks more complex at first glance.
Mix It Up
In addition to long passwords, data security experts say it’s a best practice to add complexity by mixing in letters, symbols and spaces. The key is to use words (including proper names like names of towns or a person’s first name) that would never appear in the dictionary, as password hacking software typically runs through a dictionary database to try every possible word. Because modern hacking tools are so fast and sophisticated, they can run through thousands of potential passwords in seconds.
So how do you create a password using words you won’t find in a dictionary? Experts say to try misspellings and substitutions. Think in terms of the shorthand you might use in a text. Instead of the word “love,” you might try “luv.” Or instead of “would,” you could go with “wuld.”
You can also mix things up by substituting symbols for letters or sounds. For example, the letter “8” works well as a substitute for words that end in “—ate.” Internet standards expert John Pozadzides says that even small tweaks can strengthen a password considerably. “Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.”
Likewise, if your password is at least 14 characters long, contains a mix of upper and lower case letters, and does contain any dictionary words, it would take more than 154 billion millennia to hack. By contrast, a password with just three characters containing only lower case letters could be hacked in about .02 seconds.
Don’t Change Passwords Too Often
Common password protocols often recommend changing your password every few weeks or perhaps once a month. Some companies even build mandatory password changes into their systems, which forces employees to update their passwords on a regular basis.
According to the Federal Trade Commission (FTC), however, these frequent changes don’t help as much as you might think, and they may even make systems less secure. Lorrie Cranor, the Chief Technologist at the FTC, says that mandatory password changes often prompt workers to choose progressively less secure passwords. She states: “…[T]here is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways attackers can guess easily.”
Cranor points to a study of password practices conducted by the University of North Carolina at Chapel Hill, in which researchers looked at over 10,000 accounts abandoned by former students and staff. All of the accounts forced users to change their passwords every three months. When researchers used cracking software to try to guess users’ passwords, they successfully cracked 60 percent of the accounts.
In the study, researchers were also able to identify patterns in the way users changed their passwords as they were required to update.
As Cranor states, “The UNC researchers found that for 17% of the accounts they studied, knowing a user’s previous password allowed them to guess their next password in fewer than 5 guesses. An attacker who knows the previous password and has access to the hashed password file (generally because they stole it) and can carry out an offline attack can guess the current password for 41% of accounts within 3 seconds per account (on a typical 2009 research computer). These results suggest that after a mandated password change, attackers who have previously learned a user’s password may be able to guess the user’s new password fairly easily.”
This begs the question: If changing your passwords too often is bad, how often (if ever) should you change them? Cranor says there are definitely times when you should change your password, including when you suspect it has been stolen, or if you believe you may have given it to a phishing website. You should also change your password if you think it’s weak or too easy to crack.
If you do change your password, it’s important to ensure it’s totally different from your old one. This will stop cyber thieves from looking for patterns that could help them predict your new password or any future ones.
Don’t Use the Same Password for Everything
These days, you need a password for just about everything you do on the web, from using the printer at work to accessing your online account at your favorite clothing store. Joseph Bernstein at BuzzFeed News reports that the average person has 27 separate logins. The number for people in the business world is much higher. A LastPass report reveals the average business user has a staggering 191 passwords.
However, this doesn’t mean the average person also has 191 or even 27 different passwords. With so many passwords to remember, many people tend to use the same one over and over. This makes you vulnerable to breaches, as a hacker’s lucky guess or successful crack could open the door to dozens or even hundreds of your accounts.
LastPass also reports that 81 percent of data breaches are caused by password issues, such as weak and repetitive passwords. Additionally, some workers within the same organization share a password among several team members, which makes it easier for hackers to break in.
Experts say it’s important to avoid recycling the same password over and over again. Instead, vary your passwords for different accounts. If you have trouble keeping track of them, you can try secure, encrypted password storage apps that allow you to store your passwords and access them with a single secure login. Some of these apps are free, while others require a business to purchase a subscription or license to use the software.
Keep Your Data Secure with ABI Document Support Services
At ABI Document Support Services, we help law firms save time and money by providing fast, affordable record retrieval services. We also keep your data secure with the most advance encryption, so you can rest easy knowing your records are protected. To learn more, contact us today at 800-266-0613 or use our contact form to get in touch.