It is a common practice for new users to be assigned a simple, easy-to-remember password at the time of employment, or when a user is assigned a new application. For example, a new user may be assigned a default password, such as "password" at the time of employment. Although most administrators require an initial, default password to be changed when the user first logs in, others may not have the same requirement.
There are important considerations to do, and important don't do considerations when creating or changing your password. We recommend using a strong password that is not easy-to-guess. Easy-to-guess passwords are open doors for hackers and/or viruses to attack your computer and/or network.
The DO list for creating or changing passwords:
- Do create a password that is at least 6 characters in length (although the HIPAA suggest 6 characters, my recommendation for a strong password is 8 or more characters).
- Do create a password that is difficult to guess.
- Do use a combination of alphabetic, mixed case, numeric and punctuation characters when creating a password.
- Do vary the case of the letters. For example, HcP06a1!
- Do change passwords frequently. Changing passwords every 90 days is a good practice.
The DON'T do list for creating or changing passwords:
- Don't use proper names.
- Don't use words from the dictionary.
- Don't use personal details such as your child's name, the name of a pet, a birthdate or other any other personal information.
- Don't create a password with a common character sequence. For example, june2014, 12345678, etc.
- Don't use common passwords. For example, a list of the most common used passwords include: password, 123456, iloveyou, qwerty, trustno1, password1, and `123qwer, to name a few.
- Don't write passwords down and leave them in areas that are visible and accessible to others.
Password Management 164.308(a)(5)(ii)(D) is an addressable implementation specification included in the Administrative Safeguards section of the HIPAA Security Rule.
Security Rule language: "ImplementProcedures for creating, changing, and safeguarding passwords."
In our reference guide, the Security Awareness Training chapter lists the Password Management requirements. In addition to the recommendations listed above, a strong password is:
- Changed whenever compromised. If you have any reason to believe that someone knows your password, change it immediately.
- Not shared with anyone, including anyone claiming to need a password to "fix" your computer or for an emergency.
It is important to note that all activities involving your user identification and password is attributed to you. You should ensure your password is confidential, and you should know how to properly safeguard it.
If you are still using a default password, using common easy-to-guess passwords or if you can't remember the last time you changed your password, we recommend creating/changing your password using strong password considerations.
If you would like assistance implementing a Password Management policy or have any questions, please do not hesitate to contact one of our professional consultants.