Password is the key used to access personal information stored on your computer online accounts or other electronic devices.
We have had discussions at our organization about eliminating requirements to change passwords every x days, and to having different PW's for each application, in exchange for requiring one complex password. Likely more secure? Any literature on breaches with this system vs the usual? Likely cost savings in PW resets by IS department?
Research firm RSA surveyed 1,700 enterprise end users in the US and found that more than a 1/4 of respondents manage more than 13 passwords at work . This leads to much frustration on the part of both end users as well as IT managers who must help their users resolve password related problems which 40% of respondents said took at least 6 minutes each to resolve. This frustration causes over 50% of users to write down passwords on paper or save them locally on a spreadsheet or in document (often in plain text, i.e., no encryption) on their PC or handheld device.
Password formatting guidelines
Here are some guidelines for determining password strength:
- Be at least eight alphanumeric characters in length
- Contain at least one upper case letter
- Contain at least one lower case letter
- Contain at least one number
- Contain at least one special character
- Not contain consecutive characters (abc or cba)
- Not contain repeating characters (aa, bb, etc.)
- Not contain the same character more than twice
- Not be repeated within the last 10 used
- Not be changed more than once in a 24-hour period
Password Strength: is a measurement of the effectiveness of a password as an authentication credential.
To avoid violation of confidential information strong password can be created to keep personal and sensible accounts well protected. Usually, a strong password is a lengthy random string of characters. Each character added increases the protection. Currently, 8 or more characters in length are the standard; 14 characters or longer is ideal.
In some instances it is possible to use the space bar, which can give the possibility of creating phrases made of many words (called pass phrase). This in turn offers a much easier way to remember long and hard passwords. Another characteristic of a strong password is the combination of letters, numbers, and symbols. The more variety of characters the harder to guess. Complexity can be added by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well.
It is beneficial to use special characters (!, @, #, etc) to add even more strength to one's password.
A hospital's electronic medical record system often consists of multiple systems, for example one for viewing radiology images and another for accessing health records from another cluster of hospitals via an exchange, a situation faced by many other hospitals.
Security administrators preach strong security:
- using alphanumeric passwords
- changing them every 90 days
- authenticating on all applications
However, they are also responsible for providing users with access to what they need in a timely manner. As more applications require authentication, users are bombarded with a vast number of different system logins each day with most requiring a different username and password. Users are plagued not only with trying to create new and different passwords, but also with the difficulty of remembering all of them. s a result, network administrators spend more time assisting users with forgotten passwords.
- Context switching: Within the EMR platform, options are included in the menubar for context switching, removing the need for additional logins. This applies to accessing radiology images, laboratory results and the health information exchange.
- Single sign-on (SSO): SSO simplifies the deployment of stronger passwords and help enforce an effective password policy
Users should be able to more easily comply with secure password policies that require a ‘strong’ password. The enforcement of the security policies is also centralized, making it easier to manage. There is a full audit trail of application access and password change. These reduce helpdesk “password reset” related costs.
There is an increase in login time and all applications are open to next user should the previous user forget to logout. There is frustration with auto logouts of 15 minutes. Integrating existing applications’ functions with the SSO can be problematic.
Submitted by Daniel Li
Biometrics curing password headaches, 28 September 2005.