Podiatry Management Online


07/08/2024    Michael Brody, DPM

The Importance of Password Security

As part of the July 4 activities, a hacking group
known as ObamaCare posted 9,948,575,739 unencrypted
passwords to the Internet in a file titled
rockyou2024. This list of passwords comes from a
combination of old and new data breaches.

Data breaches now seem like an almost daily event,
with more and more passwords being ‘broken’ on a
regular basis. What does this mean for you in terms
of protecting the Protected Health Information
(PHI) you are responsible for, as well as
protecting your private data?

You always want to follow good password security
policy which includes:

Change your passwords on a regular basis – at least
once a year for ALL of your accounts.

When changing a password, do not just append a 1 to
the end of a password or change the 1 to a 2. Come
up with a totally different password.

Do not use the same password for each site. If you
do, then if one of your passwords is compromised,
all of your passwords are compromised.

Use a strong password that contains numbers,
uppercase characters, lowercase characters, special
symbols and is at least 8 characters long. Many
sites now require 12-character passwords.

The question becomes: how do I do this and remember
all of my passwords? I have a method that I will
share with you.

Step 1: Choose a phrase. This can be the title of a
song you like, the name of your favorite artist or
sports figure, the title of a book, anything of
that nature that you will remember.

Step 2: Do ‘substitution’. For example, replace the
letter L with a number 1 or an exclamation point
character, and replace the letter A with the @ symbol.

Step 3: Somewhere in the password, add in and remove
some characters that relate to the account. For
an example of adding: if you are creating a password
for your AMAZON account, you may want to use the
first and third letters of the account, in this case
AA. The last letter of AMAZON is “N”, so remove all
of the N’s from the password.

Let’s go through this exercise. As our phrase we will
use the title of our National Anthem (the hack
happened on July 4, after all). We have
starspangledbanner as our base.

For capitalization, we will capitalize the LAST
letter of each word, so we now have
staRspangleDbanneR

For substitution we substitute $ for the first s, &
for the g and 2 for the b (second letter in
alphabet) so now we have
staR$pan&leD2anneR

For adding in the site name we add the AA after the
first word but we do it with substitution so we add
in @a so now we have
staR@a$pan&leD2anneR

If the password was for our EHR system, we would
add in ER; we might make this 3R, which would give us
staR3R$pan&leD2anneR

Finally remove the N’s
staR3R$pa&leD2aeR

This may seem complicated, but once you create a
formula you can use it to create a unique password
for each site that, as long as you remember your
formula, you will be able to ‘figure out’ for each
account you have.

By changing your password for all accounts each and
every year, when large password breaches like this
are published, only your old passwords will be made
available to hackers, and they will not be able to
use them to break into your accounts.

Even better security is achieved by utilizing what
is known as Multi Factor Authentication (MFA). In
fact, HIPAA guidance documents from the government
strongly recommend MFA whenever available. MFA is
getting a code texted to your cell phone, or
emailed to you, or from an authentication
application that you need in addition to your
username and password to log in. These codes
typically change every 60 seconds.

This way, even if somebody has your username and
password, they still do not have that third factor
necessary to get into your account. Whenever a site
or service that you log onto enables you to turn on
MFA, turn it on. These days more and more sites
that store sensitive information either require MFA
or make it an option.

Disclosure: Dr. Brody is the CEO of TLD Systems.

Michael Brody, DPM, Commack, NY
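
The sketch below is an added example, not part of Dr. Brody's letter. It shows how an authentication application derives its changing code (the RFC 6238 TOTP algorithm) and why a leaked password alone then fails a login. The account record, the `verify_login` helper, the salt, and the choice to accept the current and previous code are assumptions made for illustration; the secret and the 30-second step are the published RFC 6238 test values, and the step length is a parameter.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1 variant)."""
    counter = unix_time // step  # how many time steps have elapsed
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_login(account: dict, password: str, code: str, now: int) -> bool:
    """Accept a login only when the password AND a current code both match."""
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]),
                                account["pw_hash"])
    # Accept the current step and the previous one to allow for typing delay.
    valid = [totp(account["secret"], now - d * account["step"], account["step"])
             for d in (0, 1)]
    code_ok = any(hmac.compare_digest(v, code) for v in valid)
    return pw_ok and code_ok


# Constructed sample account; nothing here is real data.
SALT = b"constructed-salt"
PASSWORD = "staR@a$pan&leD2anneR"  # the Amazon example password from the letter
ACCOUNT = {
    "salt": SALT,
    "pw_hash": hash_password(PASSWORD, SALT),
    "secret": b"12345678901234567890",  # RFC 6238 published test secret
    "step": 30,
}

if __name__ == "__main__":
    now = 1111111111  # fixed timestamp so the output is reproducible
    current = totp(ACCOUNT["secret"], now)
    print("password + current code:", verify_login(ACCOUNT, PASSWORD, current, now))
    print("password only          :", verify_login(ACCOUNT, PASSWORD, "", now))
    print("password + expired code:", verify_login(ACCOUNT, PASSWORD, "287082", now))
```

The code depends on a secret stored only in the app and on the server, so a password found in a breach list does not reveal it.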
