HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

World Password Day 2022 – Password Tips and Best Practices

Thursday, May 5, 2022, is World Password Day. Established in 2013, the event is observed on the first Thursday of May with the goal of raising awareness of the importance of creating strong, unique passwords and adopting password best practices to keep sensitive information private and confidential.

Passwords were first used to protect accounts against unauthorized access in computing environments in the 1960s. In 1961, researchers at the Massachusetts Institute of Technology (MIT) started using the Compatible Time-Sharing System (CTSS). The system ran on an IBM 709 and users accessed it through dumb terminals, with passwords used to prevent unauthorized access to users’ personal files.

The system is widely believed to be the first to use passwords and was also one of the first to suffer a password breach. In 1962, MIT Ph.D. researcher Allan Scherr needed more than his allotted 4 hours of CTSS time to run the performance simulations he had designed for the system. He found a way to print out the file containing every user’s password and used those passwords to gain extra time under other users’ accounts.

Passwords are now the most common way to secure accounts. Passwordless authentication (for example, biometric identifiers or hardware security keys) and single sign-on are becoming more popular, but in the short to medium term passwords are likely to remain the most widely used way of authenticating users and preventing unauthorized account access.

The Importance of Creating Strong Passwords

The use of passwords carries security risks, which World Password Day aims to address. One of the most common ways for hackers to gain access to accounts is to use stolen passwords. Phishing is used to target employees and trick them into disclosing their passwords, whether via email, phone (vishing), or text message (SMiShing). Adopting 2-factor authentication helps to stop these attacks from succeeding, although one-time codes sent by SMS or generated by an app can themselves be phished and relayed in real time, so phishing-resistant methods such as FIDO2 security keys should be preferred for sensitive accounts. According to Microsoft, 2-factor authentication blocks more than 99% of automated attacks on accounts.

Hackers also use brute force tactics to guess weak passwords and take advantage of default credentials that have never been changed. Against a live login form the attacker’s speed is bounded by the service: if rate limiting or account lockout after a set number of failed login attempts is not implemented, short and common passwords can be guessed in seconds. Against a stolen database of password hashes there is no such limit, and a password that mixes character classes but is short can still be cracked in seconds or minutes on commodity hardware. Length, not just complexity, is what makes cracking impractical.

In 2020, Hive Systems published a chart showing how long it takes to brute force a password using powerful, commercially available hardware, and each year the table is updated to account for advances in computing technology. The chart clearly demonstrates the importance of creating strong passwords that combine numbers, symbols, and upper- and lower-case letters, and above all of making them long enough: every additional character multiplies the number of guesses an attacker must try.

[Chart: How Long Does it Take a Hacker to Brute Force a Password in 2022. Source: Hive Systems.]
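The arithmetic behind a chart like Hive’s is simple, and working it through shows why length dominates complexity. The following is an added example written for this article, not Hive Systems’ methodology or code: it computes the size of the search space for a given character set and length, the corresponding entropy, and the worst-case time to exhaust it at several guess rates. The guess rates (10 per second for a rate-limited login form, 10^10 per second against a fast unsalted hash, 10^5 per second against a slow hash such as bcrypt) are assumptions chosen for illustration, not measurements.

```python
import math

# Character-set sizes typically used in brute-force estimates.
CHARSETS = {
    "digits only": 10,
    "lowercase only": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "upper + lower + digits + symbols": 95,
}

# Assumed guess rates (illustrative, not from the article or Hive's chart):
# a rate-limited online login form, a GPU against a fast unsalted hash,
# and a GPU against a deliberately slow hash such as bcrypt.
GUESS_RATES = {
    "online, rate limited (assumed 10/s)": 10,
    "offline, fast hash (assumed 1e10/s)": 1e10,
    "offline, slow hash (assumed 1e5/s)": 1e5,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset size)."""
    return length * math.log2(charset_size)


def crack_time_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password; the expected time is half this."""
    return keyspace(charset_size, length) / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


def length_beats_complexity() -> bool:
    """14 lowercase letters (26^14) outnumber 8 characters from all 95 printable ASCII (95^8)."""
    return keyspace(26, 14) > keyspace(95, 8)


if __name__ == "__main__":
    lengths = (8, 10, 12, 14, 16)
    for rate_name, rate in GUESS_RATES.items():
        print(f"\n{rate_name}")
        print(" " * 36 + "  ".join(f"{n:>18}" for n in lengths))
        for cs_name, cs in CHARSETS.items():
            row = "  ".join(human(crack_time_seconds(cs, n, rate)).rjust(18) for n in lengths)
            print(f"{cs_name:>34}: {row}")
    print("\n14 lowercase characters beat 8 full-charset characters:", length_beats_complexity())
```

Run it and compare rows: moving from 62 to 95 characters at a fixed length gains a constant factor per character, whereas each extra character multiplies the search space by the whole alphabet size, which is why a 14-character lowercase password has a larger keyspace than an 8-character password built from every printable ASCII character. The online column also shows why lockout and rate limiting matter: at 10 guesses per second even an 8-digit PIN takes months, while offline the same PIN falls instantly.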

Password Management Shortcuts Weaken Security

Creating and remembering long, complex passwords is difficult for most people, and it is made even harder by the need to protect many accounts. A study by NordPass suggests the average person has around 100 passwords. Many people struggle to create and remember more than one strong and unique password, so with that many accounts to secure it is unsurprising that people take shortcuts, but those password management shortcuts weaken password security.

It is common for users to avoid creating unique passwords and to use the same password for multiple accounts, but if one password is compromised, whether through brute force tactics, a phishing scam, or another method, every other account that uses that password is at risk. Changing passwords slightly from account to account by appending a number or substituting characters is not much more secure: cracking tools apply exactly those transformations (mangling rules) to leaked passwords, so the variants fall almost as quickly as the original. Writing passwords down where others can find them defeats the purpose of having them.

Many businesses have implemented minimum complexity requirements for passwords, stipulating a minimum length and composition rules, yet it is common for employees to take shortcuts to make passwords easier to remember. It is possible to create a password that meets minimum complexity requirements yet is still incredibly weak, as the above chart shows: a password such as P@ssw0rd1! satisfies typical length and composition rules but appears in common cracking wordlists and rule sets.

Global Password Management Survey Reveals Poor Password Management Practices

The 2022 Global Password Management Survey conducted by password management solution provider Bitwarden ahead of World Password Day has revealed the password habits of Americans. While it is reassuring that 98% of Americans said they were very or somewhat familiar with password security best practices, it is a concern that 31% have experienced a data breach in the past 18 months. That is perhaps no surprise considering the survey revealed 85% of Americans reuse passwords on multiple websites.

60% say their average password length is between 9 and 15 characters (the starting point for a secure password is now considered to be 14 characters) and 49% of Americans said they rely on their memory for managing passwords, which suggests that passwords may not be particularly strong. That is clearly not the best approach considering 24% of U.S. respondents said they need to reset at least one password every day or multiple times a week. 32% write their passwords down, 23% store them in a document on their computer, and 20% store them in email accounts.

Only 30% use a password manager, which is widely considered to be the best tool for creating strong passwords and storing them securely. Password managers include password generators that draw from a cryptographically secure random number generator, producing passwords with no structure for an attacker to exploit and therefore resistant to brute force attacks, and they store passwords in an encrypted vault.

Despite password managers offering businesses an easy way to improve password security, only 32% of Americans said they are required to use a password manager at work, although 68% of Americans think their employer should provide a password manager for use in the workplace.

“Despite the documented effectiveness and low cost of password managers, workplaces surprisingly often leave employees to figure password management out themselves,” said Bitwarden CEO, Michael Crandell. “Employers should pay heed to the fact that employees want to be protected.”

Password Security and Management Tips

World Password Day 2022 is the perfect time to assess password security and take steps to ensure that all accounts are properly secured with strong and unique passwords, and start following password best practices:

  • Ensure a strong, unique password is set for all accounts
  • Use a combination of upper- and lower-case letters, numbers, and symbols in passwords
  • Use passphrases of at least 14 characters that are easy to remember but hard to guess, rather than short passwords
  • Never reuse passwords on multiple accounts
  • Don’t use information in passwords that can be found in social media profiles (DOB, spouse or pet name etc.) or is known to others
  • Ensure 2-factor authentication is set up, especially for accounts containing sensitive data, preferring phishing-resistant methods (FIDO2 security keys or an authenticator app) over SMS codes
  • Use a secure password generator to generate random strings of characters
  • Avoid using dictionary words and commonly used passwords
  • Use a password manager for creating strong passwords and secure storage, and set a long and complex passphrase for your password vault.
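The tips above come down to two things a tool can do better than a person: generate passwords from a cryptographically secure source, and reject passwords that only look strong. The following is an added example written for this article, not code from any password manager, showing both. It uses Python’s `secrets` module (the OS CSPRNG, as opposed to the `random` module, which is predictable) to build a random password and a random passphrase, and a policy check that enforces the 14-character floor and catches common passwords even after the usual capitalisation, leetspeak and trailing-digit tricks. The word list and the list of common passwords are tiny, constructed stand-ins; a real deployment would use a list such as the EFF long word list (7,776 words) and a breached-password corpus with millions of entries.

```python
import math
import secrets
import string

# All printable ASCII except space: 94 characters.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, tiny word list for illustration only (16 words = 4 bits each).
WORD_LIST = (
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nickel", "orbit", "pepper",
)

# Constructed denylist standing in for a breached-password corpus.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "monkey",
})

MIN_LENGTH = 14  # the floor the article recommends


def generate_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG via `secrets`."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=WORD_LIST, sep: str = "-") -> str:
    """Join CSPRNG-chosen words; the entropy depends on the list size, not the words picked."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def generated_entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of generator output: symbols * log2(alphabet). Not valid for human-chosen passwords."""
    return symbols * math.log2(alphabet_size)


def _normalise(password: str) -> str:
    """Undo the tricks used to satisfy composition rules: case, trailing digits/symbols, leetspeak."""
    stripped = password.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(str.maketrans("@0$3", "aose"))


def check_policy(password: str) -> list:
    """Return the reasons a password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if {password.lower(), _normalise(password)} & COMMON_PASSWORDS:
        problems.append("matches a commonly used password (after undoing simple substitutions)")
    return problems


if __name__ == "__main__":
    pw = generate_password(20)
    phrase = generate_passphrase(5)
    print("random password :", pw, f"({generated_entropy_bits(20, len(PASSWORD_ALPHABET)):.1f} bits)")
    print("random passphrase:", phrase, f"({generated_entropy_bits(5, len(WORD_LIST)):.1f} bits with this toy list)")
    for candidate in ("P@ssw0rd1!", "Welcome2022!", pw, phrase):
        print(f"{candidate!r:32} -> {check_policy(candidate) or 'ok'}")
```

Two design points matter here. First, the entropy figure is only meaningful for generator output: a human-chosen 20-character password does not get 131 bits just because the alphabet has 94 symbols, which is why the check below does not try to score human passwords by character classes and instead looks for known-bad values. Second, the policy check normalises before comparing, so P@ssw0rd1! is rejected as a variant of "password" even though it satisfies every composition rule.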

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.