Creating a Strong Password to Protect Your Accounts
By Gil Vidals, , HIPAA Blog, Resources

“Password strength” is a measure of a password’s ability to resist brute-force attacks. The longer, more complex, and more unpredictable a password, the greater its password strength.

Unfortunately, weak passwords are one of the most common and overlooked causes of system breaches. For this reason, passwords must be sufficiently strong to keep vital systems from being compromised.

Computers can be effective generators of strong passwords because they create random strings very easily. Humans, on the other hand, tend to create much weaker passwords because they often choose obvious things they will remember, like their own name, or the names of family members and friends.

For example, Star Wars names like “Solo” or “Princess” are fairly common. Additionally, words like “password,” or simple keyboard patterns like “12345” or “hjkl;” are easily guessable, and so should be avoided.

The problem with these passwords is they are simply not complex, and so are easily cracked with brute-force attacks by hackers. A strong, secure password will include a combination of upper / lower case letters, numbers, and special characters. This is where password requirements and policies come into play.

Password requirements help ensure that a password meets a certain complexity test; for example, be at least 8 characters in length, uses a mix of upper and lowercase characters, special characters, etc.

HIPAA Vault uses password requirements to ensure that our customers don’t default to using weak passwords. A strong password, including the use of two-factor authentication, will go a long way in preventing a system breach.

In addition, systems that require the input of a username and password should always “hash” your password. Hashing a password verifies that you’ve entered the correct password, but the system receives a different string that verifies that the password is correct.

One way to test whether a system you are using has hashed passwords is to request the system to send you the password. If it sends you a clear text password, you’ll know you have a serious security risk and the system may not be protecting any other data.

The normal response to expect when you request a password reset is to receive a link from the email tied to your account which allows you to reset it. 

A best practice for securing your data and passwords is also to utilize two-factor authentication. This way, if your password were to fall into the wrong hands, a second-factor code (sent only to you) would also be required to gain access.