The National Institute of Standards and Technology (NIST) has issued new password guidance to help companies and individuals improve the security of their information.

Often, passwords are reused across multiple accounts because they are hard to remember, especially when the account requires or suggests a mix of upper- and lower-case letters, numbers and symbols. In many cases, having multiple complex passwords leads people to write their passwords down on paper or store them in an insecure document, which ultimately defeats the purpose of having a strong password.

Remember: Insider breaches are also an issue.

NIST now suggests allowing spaces in passwords, so that users can choose passphrases that are easier to remember.

Additionally, NIST recommends that IT directors and teams distribute lists of unacceptable passwords, such as “password123.” Sometimes the issue is that people don’t know what they don’t know. When passwords are discovered or breached, it is good practice to keep a list of them and tell your employees to steer clear of those passwords and anything similar.
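The two recommendations above (allow spaces and passphrases, reject known-bad passwords and their trivial variants) can be enforced at the point where a user sets a password. The following check is an added example written for this article, not code from NIST or HIPAAgps; the blocklist, the 8-character minimum and the way "similar" variants are collapsed (lowercasing, dropping symbols, stripping trailing digits) are assumptions for illustration.

```python
import re
import unicodedata

# Constructed blocklist for the example. In practice this would be loaded from
# a breach-derived or organization-maintained list of unacceptable passwords.
BLOCKLIST = {
    "password123",
    "password",
    "letmein",
    "qwerty",
    "welcome1",
}

MIN_LENGTH = 8   # assumed policy minimum
MAX_LENGTH = 64  # assumed generous upper bound so long passphrases are accepted


def normalize(candidate: str) -> str:
    """Collapse trivial variants so that 'Password123!' compares equal to 'password'.

    Lowercases, removes symbols (spaces are kept so passphrases survive) and
    strips trailing digits, which is the most common way people 'vary' a
    blocked password.
    """
    s = unicodedata.normalize("NFKC", candidate).lower()
    s = re.sub(r"[^a-z0-9 ]", "", s)   # drop punctuation and symbols
    s = re.sub(r"[0-9]+$", "", s)      # strip a trailing run of digits
    return s.strip()


def evaluate_password(candidate: str, blocklist=BLOCKLIST) -> list:
    """Return a list of rejection reasons; an empty list means the password is acceptable."""
    reasons = []

    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if len(candidate) > MAX_LENGTH:
        reasons.append("too long")

    # Spaces and other printable characters are allowed; only control
    # characters are rejected, so passphrases like "correct horse battery staple" pass.
    if any(not ch.isprintable() for ch in candidate):
        reasons.append("contains a non-printable character")

    normalized_blocklist = {normalize(b) for b in blocklist}
    if candidate.lower() in {b.lower() for b in blocklist} or normalize(candidate) in normalized_blocklist:
        reasons.append("matches a known-bad password or a trivial variant of one")

    return reasons


if __name__ == "__main__":
    for pw in ["Password123!", "correct horse battery staple", "Welcome2024", "short"]:
        verdict = evaluate_password(pw)
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The variant check matters more than the exact-match check: a user told that “password123” is banned will often try “Password123!”, which an exact comparison would let through.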

In addition, NIST suggests limiting the number of failed login attempts. This reduces the risk of a brute force attack. A brute force attack is usually an automated process of trial and error in which a program attempts to log in using different passwords, usually common passwords that have appeared in earlier breaches, such as the example above. Sometimes it is simply a matter of making things difficult enough that an attacker moves on to an easier target.
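A minimal way to implement the failed-attempt limit described above is a per-account throttle: count failures inside a sliding window, and once the threshold is reached refuse further attempts for a cooldown period without even checking the supplied password. This is an added example written for this article, not NIST's or HIPAAgps's code; the limits (5 failures in 15 minutes, 15-minute lockout) and the injectable clock are assumptions chosen for illustration and testability.

```python
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5            # assumed policy: failures allowed inside the window
WINDOW_SECONDS = 15 * 60    # assumed sliding window for counting failures
LOCKOUT_SECONDS = 15 * 60   # assumed cooldown once the threshold is hit


class LoginThrottle:
    """Tracks failed logins per account and refuses attempts while locked out."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable for deterministic tests
        self.failures = defaultdict(deque)      # account -> timestamps of recent failures
        self.locked_until = {}                  # account -> monotonic time lockout ends

    def _prune(self, account, now):
        """Drop failure timestamps that have aged out of the window."""
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() < until:
            return True
        # Lockout expired: clear state so the account starts fresh.
        del self.locked_until[account]
        self.failures[account].clear()
        return False

    def attempt(self, account, verify) -> str:
        """Run one login attempt. Returns 'locked', 'ok' or 'failed'.

        `verify` is a zero-argument callable that performs the real credential
        check; it is deliberately not called while the account is locked, so a
        locked account yields no signal about whether a guess was correct.
        """
        if self.is_locked(account):
            return "locked"
        now = self.clock()
        if verify():
            self.failures[account].clear()
            return "ok"
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"


def make_verifier(supplied: str, stored: str):
    """Constructed stand-in for a real credential check (a password-hash comparison
    in production); compare_digest avoids leaking the match position via timing."""
    return lambda: hmac.compare_digest(supplied.encode(), stored.encode())


if __name__ == "__main__":
    throttle = LoginThrottle()
    stored_secret = "correct horse battery staple"   # constructed sample credential
    for guess in ["password123", "letmein", "qwerty", "welcome1", "Password123!", stored_secret]:
        print(guess, "->", throttle.attempt("alice", make_verifier(guess, stored_secret)))
```

Two points a practitioner will want to keep in mind: the throttle is keyed by account, so it stops password guessing against one user but a per-source-IP limit is still needed to slow attempts spread across many accounts; and any lockout can be turned against legitimate users, which is why a temporary cooldown (rather than a permanent lock requiring helpdesk intervention) is the usual choice, paired with logging of lockout events so repeated triggering is visible to security operations.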

Another marked change in the password guidance is the recommendation not to change passwords periodically, but only when there is evidence that a password has been compromised or breached. Many organizations require password changes as often as every three months, which makes passwords harder to remember and new ones harder to pick.

Many organizations still find it to be a best practice to have some kind of frequency for changing passwords. Here at HIPAAgps, we believe changing passwords every six months to a year is a good practice for security.

For more guidance on ways to protect your patient information, join HIPAAgps today!