It's a common belief that passwords must meet a minimum length, mix capital and lowercase letters, numbers and symbols (like: $jfhT3@1Rlf!), and be reset every 3-4 months in order to follow security best practices.
But those "best practices" are outdated, and the author of the original guidance those rules came from has since backtracked on them.
The United States National Institute of Standards and Technology (NIST) has released new guidelines (Special Publication 800-63B, Digital Identity Guidelines) that state close to the opposite of the old rules.
Here are the new best practices as outlined by the research and guidelines from NIST itself.
The primary reasons the recommendations have changed are all related to one thing: humans.
This article by CSO goes into more detail, but in short: research analyzing multiple large breaches showed that passwords created under the old guidelines were not as strong as the rules assumed.
To "remember" passwords across multiple portals, applications and software, people make predictable substitutions when creating them.
For example, switching "@" for "a" and "!" for "l", so that "password" becomes "P@ssw0rd!". An attacker's cracking tool tries exactly these substitutions, so they add almost nothing.
This gets worse when you force users to change passwords every 3-4 months: the easiest way to comply is to rotate a digit or symbol on the end of the old password, which is just as predictable.
Or worse yet, users will write down passwords on sticky notes.
In fact, NIST SP 800-63B specifically states that verifiers SHOULD NOT require passwords to be changed arbitrarily (e.g., periodically). The one caveat: a change SHALL be forced when there is evidence the password has been compromised, for example when it turns up in a breach.
Thankfully, there are better ways to manage strong passwords that favor the user and are in line with NIST's new guidelines.
As the CSO article insightfully articulates - creating strong passwords is simply not a job for humans.
Instead, randomly generated strings of letters, numbers and symbols are the most effective. NIST's minimum for a user-chosen password is 8 characters; a generated one can be far longer at no cost to the user, since nobody has to memorize it.
But how do you manage random passwords?
By using password managers. In its new guidelines, NIST specifically encourages the use of password managers (verifiers should allow pasting into the password field for this reason), noting that they in many cases increase the likelihood that users will choose stronger passwords.
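To make the two points above concrete (why "@"-for-"a" style substitutions add nothing, and how much stronger a generated password is), here is an added example. It is not code from the article, from NIST or from any password manager: the substitution table, the tiny list of weak base words and the 94-character alphabet are assumptions for illustration. A real deployment would check against a breached-password corpus rather than a five-word list.

```python
import math
import secrets
import string

# Substitutions people commonly make when a policy demands digits and symbols.
# This mapping is an assumption for the example, not a list from NIST.
LEET_MAP = {
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "1": "l", "!": "l",
    "|": "l", "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
}

# Constructed sample of weak base words; a real check would use a large
# breached-password corpus instead of this tiny list.
WEAK_BASE_WORDS = {"password", "welcome", "letmein", "summer", "company"}

# 94 printable ASCII characters (52 letters + 10 digits + 32 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalize(password: str) -> str:
    """Reduce a password to the word a human probably started from.

    1. Drop a trailing run of digits/symbols ("Summer2023!" -> "Summer"),
       the part that rotates on every forced 90-day reset.
    2. Undo the common substitutions ("P@ssw0rd" -> "Password").
    3. Lowercase the result.
    """
    core = password.rstrip(string.digits + string.punctuation)
    core = "".join(LEET_MAP.get(ch, ch) for ch in core)
    return core.lower()


def is_predictable(password: str) -> bool:
    """True if the password is a dressed-up version of a known weak word."""
    return normalize(password) in WEAK_BASE_WORDS


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG, the kind a password manager makes."""
    if length < 8:  # NIST SP 800-63B minimum length for a memorized secret
        raise ValueError("length must be at least 8")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Summer2023!", "W3lc0me", "$jfhT3@1Rlf!"):
        print(f"{pw:14} -> {normalize(pw):12} predictable={is_predictable(pw)}")
    pw = generate_password(16)
    print(f"generated: {pw}  ({entropy_bits(16):.1f} bits)")
```

The substituted passwords all normalize back to their base word and are flagged, while the generator's output is uniformly random over 94 characters, so a 16-character password carries about 105 bits of entropy and an 8-character one about 52, with no human memory involved.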
At Paubox we require all employees to use LastPass as a password manager, but there are other great products like 1password.
And for HIPAA-covered organizations: yes, you can use one. You won't be storing any PHI in a password manager, so you don't have to worry about compliance there. You should still conduct due diligence when choosing a password manager to make sure it stores your data securely.
As part of your HIPAA compliance program, it's absolutely fine to use a password manager. HIPAA does not get into specifics on authentication and password management, but HHS often references NIST guidelines, and we now know where NIST stands.