“Password strength” is a measure of a password’s ability to resist brute-force attacks. The longer, more complex, and more unpredictable a password, the greater its password strength. Unfortunately, weak passwords are one of the most common and overlooked causes of system breaches. For this reason, passwords must be sufficiently strong to keep vital systems from being compromised.
Computers can be effective generators of strong passwords because they create random strings very easily. Humans, on the other hand, tend to create much weaker passwords because they often choose obvious things they will remember, like their own name, or the names of family members and friends.
Even Star Wars names like “Solo” or “Princess” are fairly common. Additionally, words like “password” or simple keyboard patterns like “12345” or “hjkl;” are easily guessable and should be avoided.
The problem with these passwords is that they are simply not complex, and so are easily cracked by attackers. A strong, secure password combines upper- and lowercase letters, numbers, and special characters. This is where password requirements and policies come into play. Password requirements help ensure that a password meets a certain complexity test: for example, it must be at least 8 characters long and use a mix of upper- and lowercase characters, special characters, and so on.
HIPAA Vault uses password requirements to ensure that our customers don’t default to weak passwords. A strong password, combined with two-factor authentication, will go a long way toward preventing almost every system breach.
In addition, the systems where you enter your username and password should store that password only as a hash. With hashing, the system never keeps your password in clear text: when you log in, it hashes what you typed and compares the result with the stored hash, which is enough to verify that the password is correct. One way to test whether a system you are using hashes passwords is to ask it to send you your password. If it sends you a clear-text password, that is a serious security risk and also tells you that it may not be protecting any other data. The normal response to a password-reset request is a link sent to the email address tied to your account, from which you can set a new password. Best practice for securing your data and passwords is also to use two-factor authentication when available.
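The following is an added example (not HIPAA Vault’s code) showing the two points above together: a complexity check matching the policy described (at least 8 characters, mixed case, special characters; a digit is also required here), and password storage that keeps only a salted PBKDF2 hash so the plaintext is never stored. The PBKDF2 iteration count and the stored-record format are assumptions for this example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Policy from the post: minimum 8 characters, a mix of upper- and lowercase
# letters, and special characters. A digit is required as well, since the post
# lists numbers as part of a strong password.
def meets_policy(password: str) -> bool:
    """Return True if the password satisfies the complexity requirements."""
    return (
        len(password) >= 8
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )

ITERATIONS = 600_000  # PBKDF2 work factor; an assumed value for this example

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a storable record: algorithm, iterations, random salt, digest.

    Only this record is kept by the system; the plaintext is discarded."""
    if salt is None:
        salt = os.urandom(16)  # a fresh salt per password defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Hash the entered password with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

A system built this way cannot email you your password back: it only holds the salted hash, which is why a clear-text password in a reply is a red flag.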