Tips for good password practice

Passwords used on IT systems, electronic devices or online accounts should be ‘hard to guess’. This means avoiding using words that have a personal connection to the individual creating the password (e.g. name of a pet, school or favourite film). This is because personal information can potentially be located without much effort.

Passwords in the modern world

The invention of the computer password goes right back to the 1960s. Today, it’s still the most popular means of adding a basic level of security to digital devices, systems, accounts and data. Unfortunately, passwords have also never been easier to defeat. In most cases an attacker does not break the password at all: it is guessed (often from lists of common or previously breached passwords), or the owner is tricked into handing it over, typically through phishing. To help protect your digital property and data, it’s important to be aware of good password practices.

Cyber crime in the UK is growing at a fast rate. According to the National Crime Agency, “Cyber crime costs the UK billions of pounds, causes untold damage, and threatens national security.” Passwords aren’t the only weakness that cyber criminals exploit, but they are often the easiest target. As a countermeasure, you may have noticed that many businesses now require you to create more complex passwords when setting up an online account to use a service.

In some sectors, organisations that handle sensitive digital data are required to implement more complex security measures to protect clients or consumers. One contractual requirement for social care services that have access to NHS patient data is to complete the NHS Data Security and Protection Toolkit (DSPT). If certain standards aren’t met following the DSPT self-assessment, the organisation must continue to work to improve its practices until the criteria are satisfied. 


The NHS DSPT & good password practice

The annual DSPT assessment was designed for two reasons: To measure an organisation’s “performance against the National Data Guardian’s 10 data security standards” and to provide assurance that the organisation is “practising good data security and that personal information is handled correctly”.

Several questions in the self-assessment touch on password use, but two of them deal directly with good password practice:

(4.5.4) How does your organisation make sure that staff, directors, trustees and volunteers use good password practice?

(4.5.5) Do you ensure that passwords for highly privileged system accounts, social media accounts and infrastructure components shall be changed from default values and should have high strength?

Note: this covers any account linked to the organisation, including logins to digital care management systems.

In order to provide a satisfactory response to these two questions, you must have an understanding of good password practices and what makes a high-strength password.

Once you are confident on the subject of password practice, it’s essential that any passwords used by you, your staff, directors, trustees and volunteers conform to the standards you set. Planning and due diligence are necessary to achieve this. Creating a company policy can help support you.

What is a strong password?

It’s up to your organisation to define what constitutes a ‘strong’ password. But essentially, the overall consensus is that passwords used on IT systems, electronic devices or online accounts should be ‘hard to guess’. This means avoiding using words that have a personal connection to the individual creating the password (e.g. name of a pet, first school or favourite film). This is because personal information can potentially be located without much effort.

The National Cyber Security Centre also recommends adopting the ‘three random words’ approach. This is a memorable way of making a hard-to-guess password by joining three unrelated words (e.g. ‘redtelevisionshoe’). The words should be genuinely random rather than a phrase or a set of words connected to you. Although it may seem less complicated in nature, the logic is that three unrelated words produce a long password that is much harder to guess than a single word, even one with a few characters swapped for numbers or symbols.

However, to answer the questions set out by the DSPT you need to be able to make sure that everyone who accesses your organisation’s information adheres to good practice. This can be difficult to evidence without defining more specific instructions. So another approach to creating hard-to-guess passwords is to set explicit rules, such as:

  • A minimum number of characters
  • A mixture of uppercase and lowercase characters
  • A mixture of letters, numbers and special characters (e.g. !, £, $)

An example that uses all of the above could be: red5Televisionshoe$
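To show how rules like these can be enforced rather than just written down, the following is an added example (not CareDocs code and not part of the original article). It generates a ‘three random words’ password with the `secrets` module and checks a candidate password against the composition rules above, against words with a personal connection to the user, and against a small denylist of common passwords. The word list, the denylist and the minimum length of 8 characters are assumptions made for the example; a real deployment would use a large dictionary and a published list of breached passwords.

```python
import re
import secrets

# Constructed word list for illustration only. A real deployment would load a
# large dictionary (thousands of words) so that the number of possible
# three-word combinations is far too large to enumerate.
SAMPLE_WORDS = [
    "red", "television", "shoe", "garden", "bridge", "cloud", "marble",
    "window", "pencil", "river", "candle", "orange", "thunder", "kettle",
    "mirror", "piano", "velvet", "harbour", "lantern", "copper",
]

# Constructed denylist. In practice use a published list of breached or
# common passwords rather than this handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Map the usual look-alike substitutions back to letters so that a guessable
# base word dressed up as 'P@ssw0rd' is still recognised as 'password'.
_LEET = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
    "3": "e", "4": "a", "5": "s", "7": "t",
})


def normalise(password: str) -> str:
    """Lower-case the password and undo common symbol/digit substitutions."""
    return password.lower().translate(_LEET)


def three_random_words(words=SAMPLE_WORDS, count=3, separator=""):
    """Generate a password in the NCSC 'three random words' style.

    secrets.choice is used rather than random.choice: the random module is
    predictable and must not be used to pick passwords.
    """
    return separator.join(secrets.choice(words) for _ in range(count))


def check_password(password, personal_terms=(), min_length=8, require_mix=True):
    """Return the list of policy rules the password fails (empty means it passes).

    min_length defaults to 8 (an assumption for this example);
    require_mix enforces the upper/lower/digit/special rule from the article;
    personal_terms holds words with a personal connection to the user
    (pet, school, film) that the password must not contain.
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if require_mix:
        for pattern, rule in (
            (r"[a-z]", "no lowercase letter"),
            (r"[A-Z]", "no uppercase letter"),
            (r"[0-9]", "no digit"),
            (r"[^A-Za-z0-9]", "no special character"),
        ):
            if not re.search(pattern, password):
                failures.append(rule)
    plain = normalise(password)
    # Exact match on short denylist entries, substring match on longer ones,
    # so that 'Password1!' and 'P@ssw0rd' are both rejected.
    if plain in COMMON_PASSWORDS or any(
        common in plain for common in COMMON_PASSWORDS if len(common) >= 6
    ):
        failures.append("based on a common password")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and (t in password.lower() or t in plain):
            failures.append(f"contains personal term '{term}'")
    return failures


if __name__ == "__main__":
    candidate = three_random_words(separator="-")
    print(candidate, check_password(candidate, require_mix=False))
    print("red5Televisionshoe$", check_password("red5Televisionshoe$"))
    print("P@ssw0rd1", check_password("P@ssw0rd1"))
    print("Fluffy2019!", check_password("Fluffy2019!", personal_terms=["Fluffy"]))
```

The normalisation step is the part worth copying: a rule set that only counts character classes will happily accept ‘P@ssw0rd1’, which is one of the first guesses an attacker makes. Checking the normalised form against a denylist catches that without making the rules any harder for staff to follow.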

Communicating set requirements such as these in a policy will help your staff, directors, volunteers and trustees create memorable but hard-to-guess passwords. Bear in mind that composition rules are easy to audit but do not by themselves make a password hard to guess: ‘Password1!’ satisfies all three, so pair them with a minimum length and a check against lists of common passwords. You can clearly describe these practices in your assessment to demonstrate your organisation’s commitment to data protection.

Password tips for good practice

In addition to creating strong passwords, here are some additional best practice tips to further support digital security:

  • There’s no need to enforce very long or complicated passwords, but set a sensible minimum: the NCSC recommends at least 8 characters, and three random words will normally exceed that on their own. Passwords shouldn’t be so complicated that people forget them. The main thing is to keep them memorable but not guessable.
  • Use unique passwords for different accounts. If one password is compromised (for example in a breach of an unrelated website), criminals routinely try it against other services, so a unique password means your other accounts aren’t put at risk.
  • Change all default passwords on devices and accounts that have been provided to you, including internet routers and laptops. Use the same strong password standards mentioned above. This is also a requirement of the DSPT (question 4.5.5).
  • Don’t allow password or account sharing. Everyone should have their own personal access to the tools they need to complete their job. This will help reduce the number of people affected in the event of a data breach and will give you a better insight into how the incident happened.

Using CareDocs

Digital care management systems hold extremely sensitive and personal information about individuals who require healthcare. Many security measures have to be taken to protect data and ensure only the right people can access the right information. When it comes to passwords, CareDocs automatically enforces strong levels of security to support data protection.

In order to create a password to use on any CareDocs platform – including the desktop application, the CareDocs Cloud Portal web application and the CareDocs Management Portal – good standards must be adhered to. As well as reducing the risk of weak passwords being used to access your data, this approach supports your organisation when answering the DSPT.

If you want enhanced security protocols for extra assurance, then system administrators have the ability to manually apply stronger levels of password standards to all users.  

If you’re a current CareDocs customer and would like more information about changing your password complexity settings then please call 0330 056 3333 or email support@caredocs.co.uk.

To find out more about adopting the CareDocs system to help you securely and digitally manage your care setting, email sales@caredocs.co.uk or book a free face-to-face or remote demonstration.

Originally published on January 31, 2023
Article updated on May 31, 2023
