Passwords
Best Practices: Passwords, excerpted from Lockdown: Security Compliance Under HIPAA by Tom Walsh, CHS, CISSP, Decisions in Imaging Economics, November 2004
Good, strong business practices must accompany password use. When an employee leaves, his or her password must be removed from the system. Rules must be designed (and enforced) that prevent users from choosing easy-to-guess passwords or from changing them merely by adding a single character. It is better to have one good, strong password for a year or more than to rotate among three or four weak or sloppy passwords every 45 days. Organizations should make sure that passwords are six to seven characters long, difficult to guess (and not in the dictionary), and easy to remember. The use of both numbers and letters can be required for the system to accept a password, for example.

One method used to create a complex-but-memorable password is to choose a favorite song, use the first letters of the first seven words of its lyrics, and add special characters (!@#$%&*), numbers, and/or case changes. For example, the lyric "Oh, when the saints go marching in" yields owtsgmi. Replacing vowels with numbers, adding a special character, and using uppercase letters to frame the center character produces 0wT$Gm1. The user should be able to remember this, but it would be very difficult to guess (unless the user develops the habit of whistling the song when logging in daily).
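The lyric-mnemonic method above, written out as an added example (this is not code from Tom Walsh's article). It generalizes the recipe to any phrase; the substitution tables are assumptions, since the excerpt only shows o to 0, i to 1 and s to $ (the "special character"), and the helper names are hypothetical:

```python
import string

# Added example (not Tom Walsh's code): the lyric-mnemonic method from the
# excerpt, generalised to any phrase. The substitution tables are assumptions:
# the excerpt shows only o->0, i->1 and s->$ (the "special character").
VOWEL_DIGITS = {"a": "4", "e": "3", "i": "1", "o": "0"}
SPECIAL_SUBS = {"s": "$"}


def first_letters(lyric: str, n: int = 7) -> str:
    """First letter of each of the first n words, punctuation ignored."""
    words = [w.strip(string.punctuation) for w in lyric.split()]
    words = [w for w in words if w]
    if len(words) < n:
        raise ValueError(f"need at least {n} words, got {len(words)}")
    return "".join(w[0].lower() for w in words[:n])


def mnemonic_password(lyric: str, n: int = 7) -> str:
    """Apply the excerpt's three steps: vowels to digits, one special
    character, and uppercase letters framing the centre character."""
    chars = [VOWEL_DIGITS.get(c, SPECIAL_SUBS.get(c, c))
             for c in first_letters(lyric, n)]
    mid = len(chars) // 2
    for i in (mid - 1, mid + 1):  # the positions either side of the centre
        if 0 <= i < len(chars):
            chars[i] = chars[i].upper()  # digits and symbols are unchanged
    return "".join(chars)


def character_classes(pw: str) -> set:
    """Which classes a password draws on; a system rule such as 'numbers and
    letters required' is a check on this set."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    lyric = "Oh, when the saints go marching in"
    print(first_letters(lyric), mnemonic_password(lyric))
    print(sorted(character_classes(mnemonic_password(lyric))))
```

One caveat worth keeping in mind: substitutions such as o to 0 and s to $ are standard mangling rules in password-cracking tools, so the unpredictability of the result comes almost entirely from the phrase itself, not from the transformation.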
Articles
Case Report: Side Effects of Tighter Security by Burt Ridge, Healthcare Informatics, July 2005
Despite the proliferation of software applications and security and compliance requirements, hospitals can ensure strong security and data confidentiality without alienating physicians, inconveniencing patients, reducing productivity or increasing costs. Implementation of an effective password policy at 144-bed Laughlin Memorial Hospital, Greeneville, Tenn., is an example.
Cracking Windows Passwords in Seconds by Robert Lemos, CNET News, July 23, 2003
Swiss researchers released a paper on Tuesday outlining a way to speed the cracking of alphanumeric Windows passwords with large precomputed lookup tables, reducing the average time to break such a password from 1 minute 41 seconds to 13.6 seconds. Users can protect themselves against the attack by adding non-alphanumeric characters to a password: every extra symbol class enlarges the space the tables must cover, so the cracker needs more time, more memory, or both.
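To make the time/memory trade-off concrete, here is an added toy lookup-table cracker in the hash/reduce chain style of such tables (this is not code from the article or from the Swiss paper). The parameters are assumptions chosen so it runs in well under a second: 3-character lowercase passwords, unsalted MD5, 40-step chains; real tables use far larger keyspaces and longer chains. Precomputation stores only chain endpoints, and the online lookup regenerates a chain on demand:

```python
import hashlib
import itertools
import string

# Added example (not from the CNET article or the Swiss paper): a toy
# hash/reduce chain table. Toy parameters are assumptions: 3-character
# lowercase passwords, MD5, 40-step chains.
ALPHABET = string.ascii_lowercase
LENGTH = 3
CHAIN_LEN = 40
N = len(ALPHABET) ** LENGTH  # 17,576 candidate passwords


def h(pw: str) -> bytes:
    """The unsalted hash under attack (MD5 here, as an assumption)."""
    return hashlib.md5(pw.encode()).digest()


def reduce_(digest: bytes, step: int) -> str:
    """Map a hash back into the password space. Mixing in the column index
    gives every column a different reduction, which limits chain merges."""
    x = (int.from_bytes(digest[:8], "big") + step) % N
    out = []
    for _ in range(LENGTH):
        x, r = divmod(x, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def chain_point(start: str, steps: int) -> str:
    """Walk 'steps' hash-then-reduce rounds from a start password."""
    pw = start
    for i in range(steps):
        pw = reduce_(h(pw), i)
    return pw


def default_starts():
    """Every 50th password in lexicographic order (deterministic, 352 chains)."""
    allpw = ("".join(t) for t in itertools.product(ALPHABET, repeat=LENGTH))
    return list(itertools.islice(allpw, 0, None, 50))


def build_table(starts):
    """Precomputation phase: keep only endpoint -> start points.
    Memory grows with the number of chains, not with CHAIN_LEN."""
    table = {}
    for s in starts:
        table.setdefault(chain_point(s, CHAIN_LEN), []).append(s)
    return table


def lookup(table, target: bytes):
    """Online phase: assume the target sits in column 'col', finish the chain
    from there, and if that endpoint is stored, regenerate the chain."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, col)
        for j in range(col + 1, CHAIN_LEN):
            pw = reduce_(h(pw), j)
        for start in table.get(pw, []):
            cand = start
            for j in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_(h(cand), j)
            # Falling through means a merged chain produced a false alarm.
    return None


def chains_needed(alphabet_size: int, length: int, chain_len: int) -> int:
    """Rough number of chains (table rows) to cover a keyspace once,
    ignoring merges: keyspace / chain length."""
    return -(-(alphabet_size ** length) // chain_len)


if __name__ == "__main__":
    table = build_table(default_starts())
    secret = chain_point("aaa", 17)  # a password known to lie in one chain
    print(secret, lookup(table, h(secret)))
    print(chains_needed(62, 7, 10_000), chains_needed(94, 7, 10_000))
```

Going from the 62 alphanumeric characters to 94 printable ASCII characters raises the 7-character keyspace by roughly 18 times, so at the same chain length the table needs about 18 times as many rows, or the chains must be about 18 times longer (and the online phase correspondingly slower), or some of both. Precomputation also depends on the hash being unsalted, as the Windows LM and NTLM hashes are; a per-user salt would force the whole table to be rebuilt for every salt value.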
Secrets to the best passwords by Peter H. Gregory, Computerworld, July 9, 2003
The use of good, hard-to-guess passwords can make it difficult for
a malicious hacker to break into your computer account. Avoiding
predictable keywords and using different methods to introduce variety
into your passwords makes it easy for you to remember them but virtually
impossible for others to guess them. Here are some tips on creating
winning passwords.
Psst... I know your password by Robert Lemos, Special to ZDNet News, May 22, 2002
When a regional health care company called in network protection
firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based
security company knew a sure place to look. Retrieving the password
file from one of the health care company's servers, the consulting
firm put "John the Ripper," a well-known cracking program,
on the case. While well-chosen passwords could take years--if not
decades--of computer time to crack, it took the program only an
hour to decipher 30 percent of the passwords for the nearly 10,000
accounts listed in the file.
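The kind of run described above, as an added example (this is neither Neohapsis' work nor John the Ripper): a dictionary attack with mangling rules against a constructed password file. The file format (user:salt:sha256(salt+password)), the account names, the passwords and the wordlist are all assumptions made so the script runs offline; the hashes are generated inline from those assumed passwords. The file also contains the lyric-derived password from the Walsh excerpt, which the rules do not reach:

```python
import hashlib

# Added example (not Neohapsis' engagement, and not John the Ripper): a
# dictionary attack with mangling rules against a constructed password file.
# The file format user:salt:sha256(salt+password) is an assumption chosen
# for self-containment; the entries are generated from assumed passwords.


def hash_pw(salt: str, pw: str) -> str:
    return hashlib.sha256((salt + pw).encode()).hexdigest()


_ASSUMED_PASSWORDS = [
    ("jsmith", "s1", "summer"),     # plain dictionary word
    ("mjones", "s2", "Summer1"),    # capitalised plus a digit
    ("rlee", "s3", "hospital!"),    # word plus a trailing symbol
    ("kpatel", "s4", "p4ssw0rd"),   # leet substitution
    ("admin", "s5", "0wT$Gm1"),     # the lyric-derived password from the excerpt
]
PASSWORD_FILE = "\n".join(f"{u}:{s}:{hash_pw(s, p)}"
                          for u, s, p in _ASSUMED_PASSWORDS)

# A tiny constructed wordlist; real attacks use millions of entries.
WORDLIST = ["password", "summer", "hospital", "welcome", "nurse"]


def mangle(word: str):
    """Yield candidates the way cracker rules do: case changes, leet
    substitutions (a->4, o->0 here), and appended digits or symbols."""
    leet = word.translate(str.maketrans("ao", "40"))
    for base in (word, word.capitalize(), word.upper(), leet, leet.capitalize()):
        yield base
        for d in "0123456789":
            yield base + d
        for sym in "!@#$":
            yield base + sym


def crack(password_file: str, wordlist) -> dict:
    """Return {user: password} for every hash matched. The salt means the
    candidates must be rehashed for each user, unlike a precomputed table."""
    cracked = {}
    for line in password_file.splitlines():
        user, salt, digest = line.split(":")
        for word in wordlist:
            hit = next((c for c in mangle(word) if hash_pw(salt, c) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def crack_rate(password_file: str, wordlist) -> float:
    """Fraction of accounts recovered, the figure the article reports as 30 percent."""
    total = len(password_file.splitlines())
    return len(crack(password_file, wordlist)) / total


if __name__ == "__main__":
    found = crack(PASSWORD_FILE, WORDLIST)
    print(found)
    print(f"{crack_rate(PASSWORD_FILE, WORDLIST):.0%} of accounts cracked")
```

Each account falls to a different rule (the bare word, a capital and a digit, a trailing symbol, a leet substitution), which is why a short wordlist with a handful of rules recovers a large share of real password files quickly; only the phrase-derived password survives, because nothing in the wordlist generates it.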