Password Guidelines and Recommendations

World Password Day is celebrated on the first Thursday of May. It was founded in 2013 with the objective of increasing awareness of the significance of using complex and unique passwords and implementing password guidelines to maintain the privacy and confidentiality of sensitive data.

Passwords were first used in the 1960s to protect computer accounts against unauthorized access. In 1961, researchers at the Massachusetts Institute of Technology (MIT) began using the Compatible Time-Sharing System (CTSS). The system ran on an IBM 709, and users accessed it from dumb terminals, with passwords preventing unauthorized access to each user's personal files.

CTSS was the first system to use passwords and also the first to suffer a password breach. In the mid-1960s, MIT Ph.D. researcher Allan Scherr needed more than the 4 hours of CTSS time available to him to run the performance simulations he had created for the system. He found a way to print every password stored on the system and used those passwords to obtain extra time.

Passwords remain the most common way to protect accounts. Although passwordless authentication using single sign-on and biometric identifiers is also popular now, passwords will continue to be a widely used method of authenticating users and preventing unauthorized access to accounts.

The Value of Using Strong Passwords

Using passwords brings security challenges. Attackers can gain access to accounts using stolen passwords, which may be obtained through phishing (via email), vishing (via phone) or SMiShing (via text message). Implementing 2-factor authentication helps prevent these attacks from succeeding: according to Microsoft, 2-factor authentication blocks over 99% of automated attacks on accounts.

Attackers also use brute force tactics to guess weak passwords and exploit default passwords that were never changed. When accounts are not protected by rate limiting (throttling or locking the account after a number of failed sign-in attempts), a weak password can be guessed in less than a second. Even complex passwords that are too short can be guessed in seconds or minutes.

In 2020, Hive Systems began publishing charts showing how long it would take an attacker with a powerful computer to brute force a password. The table is updated every year to account for advances in computing power. The chart demonstrates the value of strong passwords that combine numbers, upper- and lower-case letters, and symbols, and that are long enough. The recommended minimum length for a password is 14 characters.

Password Management Shortcuts Weaken Security

Creating and remembering long, complex passwords is hard for many people, and remembering a different password for each account is harder still. Research by NordPass indicates that the average person has close to 100 passwords. Because so many people struggle to create and remember that many passwords, they resort to shortcuts that considerably weaken password security.

Users who do not want to create many passwords reuse the same password across several accounts. The problem is that once the password is exposed on one platform, every account that uses the same password is vulnerable. Attackers exploit this common bad practice with a technique known as credential stuffing: when they obtain a list of usernames and passwords from a data breach, they try those username and password combinations on other systems. The technique succeeds whenever a password has been reused.

Many companies enforce minimum complexity requirements for passwords, setting a minimum length and requiring a mix of character types; however, it is common for workers to take shortcuts so that passwords are easy to remember. A password can satisfy the minimum complexity requirements and still be weak. For example, P4ssw0rd! satisfies typical complexity requirements, but it is a weak password.

Poor Password Management Practices According to Global Password Management Survey

The 2024 Global Password Management Survey by Bitwarden, a password management solution provider, found that very risky password practices remain common. The survey covered over 2,400 Internet users in the U.S., U.K., Germany, Australia, France, and Japan and included questions on personal passwords, password habits at work, and the methods used to manage passwords.

Despite the risks, 84% of participants admitted reusing passwords across several accounts, down from 90% in 2022. In 2024, 33% of participants said they use the same password on 1-5 sites, 26% on 6-10 sites, 15% on 11-15 sites, and 11% on more than 15 sites. Password reuse is most common on personal accounts; nevertheless, 47% of participants said they reuse passwords at work, 14% very frequently and 33% somewhat frequently.

The use of password managers is increasing. 32% of survey participants reported using a password manager at home, but only 30% reported using one at work. 54% of participants said they rely on memorizing passwords at home, which suggests they use easy-to-remember rather than complex passwords. 36% of participants said they include personal data in their passwords, and 60% of those said the personal data they include can be found on their social media accounts.

Workplace security practices were rated as generally secure by 53% of survey participants, while 37% rated them as somewhat risky (31%) or very risky (6%). The risky practices reported include using weak or personal data-based passwords (39%), storing passwords at work insecurely (35%), not using 2-factor (2FA) or multifactor authentication (MFA) (33%), and sharing passwords insecurely (32%).

2FA/MFA improves account security, and although the extra authentication step makes signing in less convenient, it is being adopted. 80% of participants said they have 2FA on personal accounts, while 28% do not have 2FA or MFA at work. Awareness of 2FA and MFA has improved: only 7% of users said they did not know the terms, compared with 22% last year. SMS-based MFA is still widely used even though it is the least secure form; 65% of participants use SMS-based MFA at home and 50% use it at work.

2FA/MFA is important for securing accounts. If an employee discloses their password in a phishing attack, 2FA/MFA can stop the attacker from accessing the account and so prevent a data breach. Phishing-resistant MFA offers the best protection, because threat actors now use phishing kits that steal MFA codes and session cookies to bypass weaker forms of MFA.

Password Security and Management Recommendations

Evaluate password security and take steps to secure every account with a strong, unique password. Listed below are password best practices that should be included in HIPAA training:

  • Set a strong, unique password for all accounts
  • Combine upper- and lower-case letters, symbols and numbers in passwords
  • Easy-to-recall passphrases of at least 14 characters may be used instead of passwords
  • Do not use the same passwords on several accounts
  • Don’t include data in passwords that is posted on social media profiles (birth date, name of spouse or pet, etc.) or is otherwise known to others
  • Set up 2-factor authentication, particularly for accounts with sensitive information
  • A secure password generator can help create random passwords or passphrases
  • Do not use dictionary words or commonly used passwords
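A policy check that enforces the recommendations above, together with the keyspace estimate behind the Hive Systems chart, as an added example that is not part of the original article. It assumes a constructed short list of common words (a real deployment would load a breached-password list), that a passphrase of three or more words is exempt from the character-class rule, and a guess rate of 10^11 per second; it shows why P4ssw0rd! is rejected even though its keyspace looks large.

```python
import re

# Constructed sample of frequently used passwords; a real deployment would load a
# full breached-password list instead (an assumption made for this example).
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "monkey", "dragon"}
MIN_LENGTH = 14  # the page's recommended minimum length

# Common leetspeak substitutions, undone before the dictionary check so that a
# decorated dictionary word such as 'P4ssw0rd!' is still recognised as 'password'.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})

def normalize(password):
    """Lower-case, undo leetspeak and drop non-letters, leaving the word core."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))

def check_password(password, personal_terms=()):
    """Return a list of policy violations; an empty list means the password passes.
    Rules follow the page's recommendations: at least 14 characters, all four
    character classes (waived for a passphrase of three or more words, an assumption
    here), no common words even when leetspeak-decorated, and no personal terms."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    is_passphrase = len(re.findall(r"[A-Za-z]{3,}", password)) >= 3
    if not is_passphrase:
        for pattern, name in ((r"[a-z]", "lower-case letter"), (r"[A-Z]", "upper-case letter"),
                              (r"[0-9]", "digit"), (r"[^A-Za-z0-9]", "symbol")):
            if not re.search(pattern, password):
                problems.append(f"missing {name}")
    core = normalize(password)
    for word in sorted(COMMON_WORDS):
        if word in core:
            problems.append(f"contains common word '{word}'")
    for term in personal_terms:  # e.g. pet name or birth year supplied by the caller
        if term.lower() in password.lower():
            problems.append(f"contains personal data '{term}'")
    return problems

def brute_force_seconds(password, guesses_per_second=1e11):
    """Worst-case seconds to exhaust the keyspace implied by the character classes
    used (what the Hive Systems chart illustrates; the guess rate is an assumption).
    Only meaningful for random passwords: 'P4ssw0rd!' looks strong here yet fails above."""
    alphabet = sum(size for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                              (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
                   if re.search(pattern, password))
    return alphabet ** len(password) / guesses_per_second
```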

Posted by

John Blacksmith

John Blacksmith is a journalist with several years experience in both print and online publications. John has specialised in Information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.