As more and more of us return to the office, it's a good time to revisit the passwords you use. It is therefore timely that the U.S. Department of Health and Human Services, Health Sector Cybersecurity Coordination Center ("HC3") recently published a set of password security suggestions and best practices. Here are some of HC3's key takeaways:

  • Use multi-factor authentication when possible.
  • Use different passwords for different accounts.
  • Make passwords that are hard to guess, but easy to remember.
    • To make passwords easier to remember, use sentences or phrases. Example: "pineappleonpizzaistasty".
    • Hackers will use dictionaries of words and commonly used passwords to guess your password. Avoid single words, or a word preceded or followed by a single number (e.g., Password1).
    • Do not use passwords that are based on personal information that can be easily accessed or guessed (e.g., birthdays, children's or pet's names, car model, etc.).
    • Length over complexity:
      • The longer a password is, the better. Use the longest password or passphrase permissible by each password system.
    • But complexity still matters:
      • To increase complexity, include upper- and lower-case letters, numbers, and special characters. Example: "pin3appl30nPizzaI$Ta$ty".
    • Never reveal your passwords to others.
  • Password management tools, or password vaults, are a great way to organize your passwords.
  • Enable "Show Password" where possible.
    • It is unlikely that the person behind you is going to record your password data, so there is little reason to hide your password as you type. You are more likely to make mistakes in typing if you cannot see the characters, and mistakenly think you have forgotten your password. This error leads to potential data exposure every time you need to reset your password.
  • Store Securely:
    • Not on a Post-It under your keyboard.
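As an added illustration (not code from HC3 or from this post), the following Python check applies the takeaways above to the page's own examples. The small wordlist, the 12-character minimum and the personal-information entries are constructed assumptions; a real deployment would load a full common-password list.

```python
import re

# Constructed stand-in for the dictionaries of words and common passwords
# that HC3 says attackers use to guess passwords (assumption, not from the page).
COMMON_WORDS = {"password", "welcome", "pineapple", "letmein", "qwerty"}


def assess_password(pw, personal_info=(), min_length=12):
    """Return a list of findings based on the HC3 takeaways.

    An empty list means the password passed every check implemented here.
    personal_info: strings the user should not reuse (names, birthdays, car model).
    min_length: assumed threshold; HC3 says to use the longest length permitted.
    """
    findings = []
    lowered = pw.lower()

    # Length over complexity: the longer the better.
    if len(pw) < min_length:
        findings.append(f"too short ({len(pw)} < {min_length})")

    # A single word, or a word preceded or followed by a single digit (e.g. Password1).
    m = re.fullmatch(r"\d?([a-z]+)\d?", lowered)
    if m and m.group(1) in COMMON_WORDS:
        findings.append("dictionary word with at most one digit")

    # Personal information that can be easily accessed or guessed.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            findings.append(f"contains personal info: {item}")

    # Complexity still matters: count the character classes present.
    classes = sum(
        bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 2:
        findings.append(f"only {classes} character class(es); mix cases, digits or symbols")

    return findings


if __name__ == "__main__":
    for candidate in ("Password1", "pineappleonpizzaistasty", "pin3appl30nPizzaI$Ta$ty"):
        print(candidate, "->", assess_password(candidate) or "ok")
```

The plain passphrase from the page clears the length and dictionary checks but is flagged for a single character class, while its mixed-case variant passes everything, matching the post's "length over complexity, but complexity still matters" ordering.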

