If you’re reading this it’s likely that you work in the health industry and have an interest in keeping the information you work with secure and away from prying eyes.
Do you leave your house unlocked with the windows open when you go out for your morning walk? Probably not – because you care about your personal security and that of your family.
With so many people working from home or online now, it's important to keep those systems secure, and it starts with locking the front door – or for online systems – creating a good password.
Here are our top 5 security best practices for passwords:
Use a different password for each account
Data breaches occur every day around the world and you have very little control over the security measures put in place by the services you use. If a service is compromised and the bad guys get your login credentials, it's not difficult for them to then go looking for other services that use your email address and try the same password there.
This introduces another problem, which is remembering all of the extra passwords. This is where password managers come in: they help you manage all of your passwords centrally and retrieve them when needed.
Make your passwords long
Computers are really good at repetitive tasks such as guessing passwords, and hackers have a set of tools that will do this task with extreme levels of efficiency. It does still take time to try all of the combinations, so the longer you make your passwords the longer it will take to crack them.
Use at least twelve characters, including a mix of lower case, upper case, symbols and numbers within your passwords. If you must use words then string them together to create a longer passphrase, using both upper and lower case as well as numbers and symbols, such as “TheOrangeHorseRanUpHill#99”.
Multi-Factor Authentication (MFA)
Always make use of Multi-Factor Authentication (also known as Two-Factor Authentication, 2FA) when it's available. MFA adds another secret factor that only you hold to the authentication process. You start with a username and password and are then presented with a challenge to provide the MFA code. Depending on how you set up your second factor, the challenge code can come from a mobile app such as Google Authenticator, a physical device such as a YubiKey, or even a printed sheet with predefined codes.
This is likely one of the most important measures you can take to secure your accounts online.
Changing your passwords
If you have followed the advice in the first three steps then it's no longer considered necessary to periodically change your password, unless you have reason to believe someone may have guessed it or obtained it in a data breach.
This is a change from previously held wisdom, based on the rationale that if forced to periodically change their passwords, people tend to choose a less secure option or iterate their existing password with the addition of a number or letter. As the National Institute of Standards and Technology (NIST) explains, making minor changes to an old password is not helpful, as it gives the user a false sense of security.
“This practice provides a false sense of security if any of the previous (passwords) have been compromised, since attackers can apply these same common transformations.” – National Institute of Standards and Technology (NIST)
Check if you have been Pwned
It's important that you make yourself aware of any data breaches your accounts have been involved in. Troy Hunt created the site Have I Been Pwned as a free resource for anyone to quickly assess if they have been put at risk due to an online account of theirs having been compromised or “pwned” in a data breach.
It's simple to use, and you can register your email address to receive notifications any time your account is part of a data breach.
Visit the site now and check your details: https://haveibeenpwned.com/
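The same site also publishes a Pwned Passwords range API that lets you check a password against known breach data without ever sending the password itself: only the first five characters of its SHA-1 hash leave your machine, and you match the rest locally. The following is an added example (not the page's own code, and not Have I Been Pwned's) that implements that local matching over a constructed sample response; the live lookup function assumes the documented endpoint https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib
import urllib.request

# Constructed sample of what a Pwned Passwords range response looks like:
# one "<35-hex-suffix>:<count>" line per hash sharing the requested 5-char prefix.
# The count for "password" here is a made-up figure, not the live value.
SAMPLE_RANGE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # suffix of SHA-1("password")
    "1F2C2E6A4DE9B5C2E9B1D6A1F1B5E4C9A00:0\r\n"
)


def split_sha1(password):
    """Return (prefix, suffix): first 5 and remaining 35 hex chars of the SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, response_text):
    """Search a range response for our suffix; 0 means not seen in any breach."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_offline(password, response_text=SAMPLE_RANGE_RESPONSE):
    """Match against an already-fetched (here: constructed) range response."""
    _, suffix = split_sha1(password)
    return count_in_range(suffix, response_text)


def check_online(password):
    """Live check: only the 5-char hash prefix is sent; matching stays local."""
    prefix, suffix = split_sha1(password)
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range(suffix, body)


if __name__ == "__main__":
    for pw in ("password", "TheOrangeHorseRanUpHill#99"):
        print(pw, "seen", check_offline(pw), "times in the sample data")
```

A non-zero count means the password has appeared in a breach corpus and should not be used, which is exactly the "guessed or obtained in a data breach" case that does warrant changing it.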
Use a Password Manager – this can securely store many passwords across devices like laptops and phones, and makes the practice of having ‘long passwords’ and ‘different for each account’ much easier to handle. Some useful password managers include 1Password and Bitwarden, and Google and Apple laptops and phones have built-in password managers.