Passwords are the most common form of user authentication. Each user has a specific (usually self-chosen) combination of characters known to him or her. Entering this combination identifies the user and gives them access to the system.
Although passwords are one of the three basic methods of authentication (passwords, smart cards and biometrics) in any security system, they have some particular drawbacks.
For instance, passwords chosen by users are usually simple and short, such as dictionary words, unless the system demands otherwise. Because of this, potential intruders can use trial and error to gain easy access to the system. Another issue is that complex passwords tend to be written down by users, either physically or digitally, and in both cases the record can be stolen by intruders or hackers. Finally, users tend to keep the same password for prolonged periods of time, which further increases the risk that hackers will bypass it and gain access to the system. However, frequent password changes tend to result in users writing them down. Therefore, a time frame of about 3-4 months is recommended for users to change their passwords.
Research firm RSA surveyed 1,700 enterprise end users in the US and found that more than a quarter of respondents manage more than 13 passwords at work. This leads to much frustration for both end users and the IT managers who must help their users resolve password-related problems, which 40% of respondents said took at least 6 minutes each to resolve. This frustration causes over 50% of users to write down passwords on paper or save them locally in a spreadsheet or document (often in plain text, i.e., unencrypted) on their PC or handheld device.
Password formatting guidelines
Here are some guidelines for determining password strength:
- Be at least eight alphanumeric characters in length, e.g. one dictionary word joined with one or more digits or special characters (“name$name”)
- Contain at least one upper case letter
- Contain at least one lower case letter
- Contain at least one number
- Contain at least one special character
- Not contain consecutive characters (abc or cba)
- Not contain repeating characters (aa, bb, etc.)
- Not contain the same character more than twice
- Not be repeated within the last 10 used
- Not be changed more than once in a 24-hour period
- Not contain familiar numbers, names, or words. (E.g. DOB, SSN, Family members, Hometown)
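As an added illustration (not code from the original page), the following Python checker applies the guidelines that can be tested on the password string itself, plus the reuse rule when the caller supplies the password history; the set of special characters and the three-character reading of "consecutive characters" are assumptions:

```python
# Added example (not from the original page): a checker for the formatting
# guidelines listed above. Rules about change frequency need server state
# and are left out; the previous-password history is passed in by the caller.
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")   # assumed set of special characters
HISTORY_DEPTH = 10                                # "not be repeated within the last 10 used"


def has_sequential_run(pw: str) -> bool:
    """True if three adjacent characters rise or fall by one, e.g. abc, cba, 123."""
    s = pw.lower()                                # treat Abc like abc
    for a, b, c in zip(s, s[1:], s[2:]):
        step1, step2 = ord(b) - ord(a), ord(c) - ord(b)
        if step1 == step2 and abs(step1) == 1:
            return True
    return False


def check_password(pw: str, history=(), familiar=()):
    """Return the list of violated guidelines; an empty list means compliant.

    history: previously used passwords, most recent first.
    familiar: names, numbers or words tied to the user (DOB, hometown, ...).
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not any(ch.isupper() for ch in pw):
        problems.append("no upper case letter")
    if not any(ch.islower() for ch in pw):
        problems.append("no lower case letter")
    if not any(ch.isdigit() for ch in pw):
        problems.append("no digit")
    if not any(ch in SPECIAL for ch in pw):
        problems.append("no special character")
    if has_sequential_run(pw):
        problems.append("contains consecutive characters (abc/cba)")
    if any(a == b for a, b in zip(pw, pw[1:])):
        problems.append("contains repeating characters (aa, bb)")
    if any(pw.count(ch) > 2 for ch in set(pw)):
        problems.append("uses the same character more than twice")
    if pw in list(history)[:HISTORY_DEPTH]:
        problems.append("reused within the last %d passwords" % HISTORY_DEPTH)
    if any(w and w.lower() in pw.lower() for w in familiar):
        problems.append("contains a familiar name, number or word")
    return problems
```

Run against the page's own example, check_password("name$name") reports a missing upper-case letter and a missing digit, so that sample does not satisfy the full list it illustrates.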
Password strength is a measurement of the effectiveness of a password as an authentication credential.
To prevent disclosure of confidential information, a strong password can be created to keep personal and sensitive accounts well protected. Usually, a strong password is a long random string of characters; each character added increases the protection. Currently, 8 or more characters in length is the standard; 14 characters or longer is ideal.
In some instances it is possible to use the space bar, which makes it possible to create phrases made of many words (called a passphrase). This in turn offers a much easier way to remember long and hard passwords. Another characteristic of a strong password is a combination of letters, numbers, and symbols: the greater the variety of characters, the harder it is to guess. Complexity can be added by mixing uppercase and lowercase letters with numbers. Some letter swapping or deliberate misspelling is valuable as well.
It is beneficial to use special characters (!, @, #, etc.) to add even more strength to a password.
Password requirements imposed by the Centers for Disease Control and Prevention (CDC) on users of its systems:
- 1. A password must be created to gain access to all agency information technology systems.
- 2. The minimum allowable length for reusable passwords is eight characters.
- 3. Passwords may not contain the individual’s name and must have a mix of at least three of the following: upper case letters, lower case letters, numerals, and punctuation marks (one suggestion is to use the first letters of a phrase that is easily remembered).
- 4. Reusable passwords must be changed at least every 90 days.
- 5. Repeated unsuccessful attempts to log in result in account suspension (this is the most effective means of preventing automated password-guessing attacks on accounts).
- 6. Password sharing is prohibited.
- 7. Passwords must be protected from disclosure to others and may not be displayed on screen or in the desk environment, where they might be viewed.
- 8. Creating shortcuts for automatic entry of a password is prohibited.
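To show how rule 5 works in practice, here is an added Python example (not from the CDC or the original page) of an account record that suspends itself after a fixed number of failed logins; the threshold of five, the PBKDF2 hashing and the sample account are assumptions:

```python
# Added example (not from the original page): an account record that suspends
# itself after repeated failed login attempts, as CDC rule 5 requires. The
# threshold, hashing parameters and sample account are assumptions.
import hashlib
import hmac
import os

MAX_FAILURES = 5          # assumed threshold before suspension


class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.failures = 0
        self.suspended = False

    def _hash(self, password: str) -> bytes:
        # Salted PBKDF2, so a stolen record does not reveal the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str) -> str:
        """Return 'ok', 'bad-password' or 'suspended'.

        A suspended account rejects even the correct password until an
        administrator calls reset(); that is what halts automated guessing.
        """
        if self.suspended:
            return "suspended"
        if hmac.compare_digest(self._hash(password), self.digest):
            self.failures = 0          # a good login clears the failure count
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.suspended = True
        return "bad-password"

    def reset(self) -> None:
        """Administrative unlock after the user has been verified out of band."""
        self.failures = 0
        self.suspended = False


def simulate(account: Account, attempts) -> list:
    """Feed a sequence of constructed guesses through login and record each outcome."""
    return [account.login(p) for p in attempts]
```

Because a bare counter also lets a legitimate user be locked out by someone else's wrong guesses, production systems usually pair it with a time-limited lockout or per-source rate limiting.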
A hospital's electronic medical record system often consists of multiple systems, for example one for viewing radiology images and another for accessing health records from another cluster of hospitals via an exchange, a situation faced by many other hospitals.
Security administrators preach strong security:
- using alphanumeric passwords
- changing them every 90 days
- authenticating on all applications
However, they are also responsible for providing users with access to what they need in a timely manner. As more applications require authentication, users are bombarded each day with a vast number of different system logins, most requiring a different username and password. Users are plagued not only with trying to create new and different passwords, but also with the difficulty of remembering all of them. As a result, network administrators spend more time assisting users with forgotten passwords.
- Context switching: Within the EMR platform, options are included in the menubar for context switching, removing the need for additional logins. This applies to accessing radiology images, laboratory results and the health information exchange.
- Single sign-on (SSO): SSO simplifies the deployment of stronger passwords and helps enforce an effective password policy.
Users should find it easier to comply with security policies that require a ‘strong’ password. Enforcement of the security policies is also centralized, making it easier to manage. There is a full audit trail of application access and password changes. These reduce helpdesk “password reset” related costs.
Login time increases, and all applications remain open to the next user should the previous user forget to log out. There is frustration with automatic logouts after 15 minutes. Integrating existing applications’ functions with the SSO can be problematic.
Submitted by Daniel Li
- Biometrics curing password headaches. 28 September 2005.
- Magnuson, J. A., & Fu Jr., P. C. (Eds.). (2014). Privacy, Confidentiality, and Security of Public Health Information. In Health Informatics: Public Health Informatics and Information Systems (pp. 158-159). London: Springer-Verlag. doi:10.1007/978-1-4471-4237-9