Password Reuse is Rife and Security Awareness Training Has Little Effect
Aug 16

An overwhelming majority of employees are aware of what constitutes a strong password, but 53% of employees do not always set a strong password to protect their accounts. When it comes to setting unique passwords for all accounts, even fewer employees adhere to the best practice, according to a survey recently conducted by My1login on 1,000 employees and 1,000 business leaders. 62% of employees said they reuse personal passwords for their business accounts or vice versa. Healthcare employees were the worst when it comes to password reuse, with 94% of surveyed healthcare employees admitting to reusing passwords across multiple accounts; the figures were similarly high for employees in education (91%) and the public sector (83%). These three verticals also rated the highest for use of personal passwords for business applications, with education coming top (75%), followed by healthcare (68%) and the public sector (61%). Across all industry sectors, 87% of employees said they reused passwords across business applications. Password reuse is a security risk. If a password is...

NCSC Password Recommendations
Aug 10

The UK’s NCSC password recommendations have been updated, and a new strategy is being promoted that meets password strength requirements while improving usability. There are multiple schools of thought when it comes to the creation of passwords, but all are based on the premise that passwords need to be sufficiently complex to ensure they cannot be easily guessed, not only by humans but also by the algorithms used by hackers in brute force attacks. Each year, lists of the worst passwords are published, compiled from credentials exposed in data breaches. These worst password lists clearly demonstrate that some people are very poor at choosing passwords. Passwords such as “password,” “12345678,” and “qwertyuiop” all feature highly in the lists. Due to the risk of end users creating these weak passwords, many organizations now have minimum requirements for password complexity, but that does not always mean end users will set strong passwords.

The Problem with Password Complexity Requirements

The minimum requirements for password complexity are typically to have at least one lower-...

Study Explores Why Many People Don’t Use a Password Manager
Jul 08

One of the easiest ways for hackers to gain access to accounts is to simply guess passwords. Hackers use lists of commonly used passwords and passwords that have been obtained in previous data breaches, and just try each one until the right one is guessed. This automated process can take seconds if particularly weak passwords are used to secure an account. Brute force tactics only work because a lot of users fail to change default passwords, set weak passwords, or reuse passwords across multiple platforms. In the case of the latter, if there is a breach of one platform, the password can then be used to access all other accounts where it has been set. Having – and enforcing – a password policy that requires users to set complex passwords will help to ensure that strong passwords are set, but employees often still set weak passwords and circumvent their employer’s password policy. For instance, setting a password of Password1! to meet the lower/upper case, number, and special character requirements. The most secure passwords are randomly generated long passwords, but these are...

Flaw in Kaspersky Password Manager Password Generator Made Passwords Susceptible to Brute Force Attacks
Jul 06

Security researchers have discovered that the random password generator of the Kaspersky Password Manager (KPM) was generating passwords that were susceptible to brute force attacks. Password managers often include a password generator to help users create unique, random, complex passwords for their accounts. In a recent blog post, researchers at security firm Donjon said the pseudo-random number generator (PRNG) used by the KPM solution was not sufficiently random to create strong passwords. As a result, any passwords generated could be brute forced in a matter of minutes, and in seconds if the approximate time that the account password was created is known. Password generation in KPM involves suggesting a password based on the policy created by the user. Those policies are set for password length and the characters that must be included (upper/lower case letters, numbers, special characters). While several issues were found with the solution, the main problem was that the PRNG was not suitable for cryptographic purposes, as the single source of entropy was the current time in seconds....

Survey Reveals Password Best Practices are Not Being Followed
Jul 02

A recent survey conducted by researchers at Skynet Softtech has revealed most adults are guilty of poor password practices that are placing their accounts and sensitive data at risk. The survey was conducted on 2,200 adults in the United Kingdom who were asked about cybersecurity practices related to password creation and password management. The best practice for password creation is to create a complex, unique password for each account. Those passwords should be a random combination of upper- and lower-case letters, numbers, and special characters. The problem with that approach is that it also makes passwords very difficult to remember, which is why password manager solutions have become so popular. With a password manager, a user only needs to remember one password to access the password manager, which stores all other passwords in a secure vault. The survey revealed password reuse across multiple accounts is rife and passwords are easy to guess with a little knowledge about the individual. Further, once passwords are set, they are rarely changed. Two thirds of respondents used an...

Best Password Manager for the Healthcare Industry
Jun 01

In this post we explore some of the leading solutions to find the best password manager for the healthcare industry – one that is easy to use, reasonably priced and, most importantly considering the extent to which the industry is targeted by hackers, has excellent security.

HIPAA and Password Management

The HIPAA Security Rule was signed into law at a time when the requirements for password complexity were far lower, fewer passwords had to be created and remembered, and cracking passwords was a long and slow process. In the 18 years since the HIPAA Security Rule took effect, a lot has changed. The changes to best practices over time are the reason why the HIPAA Security Rule is not technology specific. The Security Rule was written to be flexible to allow for changes to best practices. What was perfectly acceptable in 2003 for passwords is nowhere near enough in 2021. The HIPAA Security Rule has provisions covering passwords. The technical safeguards of the HIPAA Security Rule (45 CFR § 164.312) require covered entities to implement technical procedures for systems that maintain...

PasswordState Password Manager Supply Chain Attack Delivers Password-Stealing Malware
May 30

Password managers can greatly improve security. They help users create strong, difficult-to-guess passwords and store them in a secure vault. With a password manager, users do not have to remember their complex passwords, so they solve one of the most common password problems that can greatly reduce security – password reuse on multiple accounts. All users need to do is set and remember a single complex password to access their vault. One drawback of password managers is that, while they can improve security, the password vaults are usually housed on a third-party server, so users are reliant on the security of the solution provider; some providers, however, offer a self-hosted solution. Many businesses feel more comfortable with this option and are confident in their ability to secure their own environments. PasswordState from Click Studios is a self-hosted rather than cloud-hosted password management solution. While this can be more secure than a cloud-hosted solution, that does not mean breaches will not occur. Recently some users of the PasswordState solution discovered they had...

Bitwarden Review
May 26

In our Bitwarden review, we explain the password manager’s key features and explore its strengths and weaknesses to help you evaluate whether this is a suitable solution to meet your password management needs.

Bitwarden Review Summary

Bitwarden is an open-source password manager with a strong range of features and capabilities in both the free and premium versions. Ideal for empowering users to become more security conscious, Bitwarden is quick to set up, highly customizable, and can be self-hosted if required. On the downside, there is no live support if you encounter issues. Although the Bitwarden user interface is more intuitive than most, and there are plenty of online resources that can help resolve your issues, this could be an annoyance if you are unfamiliar with commercial password managers.

Bitwarden Key Features

Bitwarden is a multi-platform password manager that enables users to generate, store, use, and share passwords securely from any location. Bitwarden also supports the secure storage of credit cards and identities, enabling users to autofill payment details and forms...

How Often Should Passwords be Changed in the EHR System?
May 11

In 2010, the Office of the National Coordinator for Health Information Technology (ONC) – a branch of the Department of Health and Human Services (HHS) – published “10 Best Practices for the Small Healthcare Environment” (PDF). The publication – the ONC claimed – was “not intended to provide guidance on how to comply with HIPAA”, but rather “a first step to the effective setup of new EHR systems in a way that minimizes the risk to health information maintained in EHRs”. However, the timing of the publication was not an accident. A year earlier, Congress had passed the HITECH Act and the Meaningful Use program, which incentivized Covered Entities to adopt technology for creating, maintaining, and providing access to Protected Health Information. The HITECH Act also required Business Associates to comply with HIPAA for the first time and, as many Business Associates operate in “small healthcare environments”, the publication was relevant. The publication also came at a time when larger Covered Entities, who had not previously adopted technologies such as EHR systems, were now doing so to...

What are the HIPAA Password Expiration Requirements?
May 07

According to the Administrative Guidelines of the HIPAA Security Rule, Covered Entities and Business Associates must create procedures for “creating, changing, and safeguarding passwords” (45 CFR § 164.308). The inclusion of the word “changing” implies passwords only have a certain lifecycle. But is that really the case? And, if so, what are the HIPAA password expiration requirements? The concept of HIPAA password expiration requirements goes back to the early 2000s when, within a short time of each other, the Department of Health and Human Services (HHS) issued the HIPAA Final Security Rule (2003) and the National Institute of Standards and Technology (NIST) issued “Special Publication 800-63” (2004), which included a section on password best practices. At the time “Special Publication 800-63 Appendix A” was issued, Covered Entities were preparing to meet the compliance requirements of the Security Rule by the 2006 deadline. However, the language of the Security Rule is deliberately flexible to cover as many different types of Covered Entity as possible, open to interpretation,...

Study: 1 in 5 Enterprise Users Have Set Weak Passwords
May 01

The sharing of passwords across multiple platforms is a bad idea. If one platform suffers a data breach, all other systems that have the same password set could also easily be compromised. Even though the reuse of passwords is unwise, and many organizations have policies in place prohibiting employees from recycling passwords, it remains a common practice. Many organizations have implemented policies, procedures and technology to prevent weak passwords from being used and they force end users to change their passwords frequently, but it is difficult for organizations to prevent password recycling. The practice has recently been investigated by Preempt. Preempt has developed a tool that can be used by enterprises to assess the strength of the passwords used by their employees. The tool reports on the accounts that have weak passwords set, allowing the enterprise to take action. The tool also compares passwords to a database of 10 million passwords compromised in previous data breaches that are now in the hands of cybercriminals. An analysis of data from enterprises that downloaded...

Survey Reveals Sharing EHR Passwords is Commonplace
Apr 06

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses. The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research. The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password or alternate – but equally effective – authentication method. Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for...

Small and Medium Sized Practices Under Increased Pressure from Cyberattacks
Mar 05

2020 saw cyberattacks on healthcare organizations increase significantly. While large healthcare organizations are being targeted by Advanced Persistent Threat (APT) groups and ransomware gangs, there has also been a marked increase in attacks on small- to medium-sized healthcare organizations. A cyberattack on a large healthcare organization could allow the hackers to steal large quantities of protected health information and ransomware attacks typically see ransom demands issued for millions of dollars. The rewards from these attacks are considerable, but large healthcare organizations tend to invest heavily in cybersecurity and often have their own IT security teams to protect and monitor their IT networks. Cyberattacks on these organizations require more skill and they can be difficult and time consuming. Medium-sized healthcare organizations also store large amounts of sensitive data, yet their networks tend to be less well protected, which makes cyberattacks much easier and still highly profitable. Cyberattacks on Small- and Medium-Sized Healthcare Organizations are...

LastPass Restricts Functionality of its Free Password Manager
Feb 20

LastPass, one of the most popular free-to-use password manager solutions, has announced it will be restricting access to its services for free users of the solution. LastPass offers paid and free versions of its password manager, with the paid service offering a more comprehensive range of features, but the free version was a solid choice, offering users most of the features of the paid version. That is now about to change. From March 20, 2021, users of the free version of LastPass will be faced with a choice. If they continue using the password manager under the free tier, they will only be able to do so on either desktop computers and laptops or mobile devices. Previously, the free version could be used across all device types, but now users face a desktop or mobile choice. Accompanying this change will be the end of access to customer support via email for free users of the solution. Support will continue until August 23, 2021, after which it will only be provided for Premium and Families accounts. While LastPass remains a great choice in terms of the quality of the password...

NIST Updates Digital Identity Guidelines and Tweaks Password Advice
Aug 22

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which include revisions to its advice on the creation and storage of passwords. Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.” The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security. To improve the authentication process and make it harder for hackers to defeat it, NIST recommends the use of multi-factor authentication, for example a password used along with a cryptographic authenticator. NIST suggests...
