In the era of Petya, WannaCry, the good news is users are getting better about passwords

A new survey points to improved password practices, and a cybersecurity expert has password advice for healthcare CIOs and CISOs.
By Bill Siwicki
12:02 PM
Share
WannaCry ransomware

With Petya and WannaCry and all the chaos in the healthcare cybersecurity realm, password security remains at the heart of securing many systems and data. And healthcare CISOs are always riding users’ backs to regularly change their passwords and to use long and complex passwords, in other words, to practice what is called good password hygiene.

Many users do not practice good hygiene when it comes to their passwords, shrugging it off. But the good news is that 2017 has seen an increase in good password hygiene, according to a new survey from cybersecurity firm Digital Guardian. Though there still is room for improvement.

[Also: The biggest healthcare breaches of 2017 (so far)]

It was found that 70 percent of 1,000 adult Google users in the U.S. change their passwords at least once a year, though 18.5 percent only change their passwords if formally notified of a security issue, the survey found. 56 percent of users reported they create complex passwords or passphrases, the survey said. And two-thirds of users say they are more concerned with security than convenience, which is a good sign for security overall, the survey found.

Interestingly, 47 percent of users have implemented two-factor authentication, which takes system access beyond just a username and password, the survey found. However, 33 percent of users indicated they don’t know what two-factor authentication is.

Improvements in password hygiene are based on comparisons of this survey to the survey results of a 2012 Research Now/CSID study and to data from Dashlane and Kaspersky.

“There are a couple of key indicators that contribute to the improvement in password hygiene among users,” said Tim Bandos, director of cybersecurity at Digital Guardian. “First, we live in an age where breaches occur extremely frequently, and often large-scale attacks are making headlines in mainstream media. In addition to credit cards, e-mail addresses and personally identifiable information, password credentials have been highly sought after by cybercriminals.”

[Also: Barracuda unveils AI-driven tech to combat spear-phishing]

Due to this high level of publicity, users have learned that it’s very important to practice good password hygiene, otherwise they’re putting sensitive accounts and credentials at risk, Bandos said.

“And second, the cybersecurity community has done a good job educating users on the importance of strong password hygiene, and users are starting to take it seriously,” he added.

So what can healthcare CIOs and CISOs do to boost password hygiene among their users? Bandos has a variety of suggestions.

[Also: Health systems tout Security CIS Controls in fight against cybercriminals]

“Alert users to avoid using any word in the dictionary because automatic tools can crack them within seconds,” he said. “We really need to be thinking about which words, phrases or strings we should create to add additional complexity and make passwords harder to crack yet easy enough to remember. Seemingly illogical strings of words or phrases, such as song lyrics, with numbers and special characters mixed in will make the password much harder to crack.”

Length also adds complexity, so a minimum of 10-15 characters is recommended because that makes it harder for an attacker to crack, Bandos added.

“CISOs can instill these as policies for password creation among their users, as well as enabling two-factor authentication for an additional layer of security,” he said. “Leveraging tools like password managers also can aid in developing extremely complex credentials that don’t require the end user to remember every single one. These tools can auto-populate password field boxes with your passwords in a secure manner.”

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com


Like Healthcare IT News on Facebook and LinkedIn