Password Expiration Insanity

Jan. 3, 2012
My password to a significant NIH funded program, whose program name shall be veiled so that I can rant without repent, is required to change every 60 days. Participation in the program is meant to stimulate collaboration and the spreading of goodwill among other goodwill spreaders, but its password management policies make me want to leap out my office window. Rather than doing that and creating a traffic jam on East Huron Street below, I’ll choose not to reset my password and thus end my collaboration in the program. Truth is, I have no fantasies that lack of participation will at all be noticed, but it gives me some sense of rebellious satisfaction to poke at that windmill anyway.

If anyone should be conservative about password management and reset frequency, you’d think it would be me. I was soaked in the waters of information security from the beginning of my career as an information systems officer for the Air Force in the Strategic Air Command. SAC’s motto was, “To err is human, but to forgive is not SAC policy.” Later, as civilian hired spooks for the National Security Agency, our team was responsible for dreaming dreams of every bizarre kind to hack into the command and control systems of the US nuclear weapons arsenal. One night, just to prove a point, we hacked the Joint Chiefs of Staff Alerting Network (JCSAN) from a payphone at Gilmore Lake Tavern in Bellevue, Nebraska and handed the phone to one of the waitresses. NSA renewed our contract. Everything professionally since those days has been pretty boring, frankly.

My point is: password expiration frequency has almost nothing to do with greater security. The more often people are forced to change their passwords, the more likely they are to store them in insecure ways, like sticky notes on their desks, or to share them. We (IT and informatics types) are driving our physicians and operations staff insane with password changes, and for no good reason other than that everyone else does it, so it must be a best practice. Caution: the best practice in front of you is actually the backend of a lemming.

The essential tenets of password management and effectiveness are, in order of importance:

· Account Activation and Termination: Verifying and authenticating a user's identity and access rights, including on the password-reset path, is fundamental, as Yahoo discovered with Sarah Palin's email account. Likewise, a rapid and effective means of terminating accounts and resetting passwords is mandatory. This frequently boils down to simple coordination with Human Resources.

· Complexity: No-brainer. Secure passwords should be a mixture of letters, spaces, special characters, and mixed case, and at least six characters long; preferably eight. Force your users to use a complex password, but then let them keep it forever and use it everywhere. And for gawd's sake, change the default system passwords that come with the installation of everything from software to network switches. “CHANGEONINSTALL” is pretty easy to guess.

· Limited Try Lockout: After five or six failed attempts, lock the account and force an alternate secure path to reset it. This is not to be confused with Limited Try Timeout, which only enforces a countdown timer between failed login attempts and then lets the guessing continue. A timeout is better than nothing, but not nearly as effective as a full lockout. The trade-off with lockout is that anyone who knows a username can deliberately lock its owner out, so the reset path has to be quick and cheap for the legitimate user.

· Auditing: Proactive audits of system logs, intrusion detection systems, and access control logs are a must. If your security managers aren't checking the audit logs for odd activity every morning, right after they brush their teeth, they should stop brushing their teeth and check the audit logs first. Or... maybe they should brush their teeth with the audit logs.... Brilliant!
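The lockout and auditing bullets above state the policy but not how the two failure-handling modes behave against an actual guessing attack, or what the morning audit should be looking for. What follows is an added example, not code from the post or from any real product: a toy Python login gate that runs in either "lockout" or "timeout" mode, an audit function over the log it produces, and two constructed attack sequences. The thresholds (five failures, a doubling delay starting at two seconds, a three-failure burst), the account name "alice", its password and every timestamp are assumptions made for the demonstration.

```python
import hmac
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5   # assumption: the post says "five or six"; use five
BASE_TIMEOUT = 2.0      # assumption: seconds of delay after the first failure
TIMEOUT_CAP = 300.0     # assumption: the delay stops doubling at five minutes
BURST_FLAG = 3          # assumption: auditor flags a success after 3+ failures

@dataclass
class Account:
    failures: int = 0               # consecutive failures since success/reset
    locked: bool = False            # set only in "lockout" mode
    retry_not_before: float = 0.0   # used only in "timeout" mode

class AuthGate:
    """Toy login front end.  "lockout": after LOCKOUT_THRESHOLD consecutive
    failures the account is locked until an out-of-band reset.  "timeout":
    a failure only delays the next attempt (doubling, capped), so a patient
    attacker can keep guessing indefinitely."""

    def __init__(self, users, mode="lockout"):
        if mode not in ("lockout", "timeout"):
            raise ValueError("mode must be 'lockout' or 'timeout'")
        self.users = dict(users)    # user -> password; plaintext only because toy
        self.mode = mode
        self.accounts = {}
        self.log = []               # (timestamp, user, event) for the auditor

    def _record(self, now, user, event):
        self.log.append((now, user, event))

    def login(self, user, password, now):
        acct = self.accounts.setdefault(user, Account())
        if acct.locked:
            self._record(now, user, "REJECTED_LOCKED")
            return "locked"
        if now < acct.retry_not_before:
            self._record(now, user, "REJECTED_TIMEOUT")
            return "timeout"
        expected = self.users.get(user, "")
        # constant-time compare; a real system compares slow password hashes
        if user in self.users and hmac.compare_digest(expected.encode(), password.encode()):
            acct.failures, acct.retry_not_before = 0, 0.0
            self._record(now, user, "SUCCESS")
            return "ok"
        acct.failures += 1
        self._record(now, user, "FAILURE")
        if self.mode == "lockout" and acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked = True
            self._record(now, user, "LOCKED")
            return "locked"
        if self.mode == "timeout":
            delay = min(BASE_TIMEOUT * 2 ** (acct.failures - 1), TIMEOUT_CAP)
            acct.retry_not_before = now + delay
        return "fail"

    def reset_out_of_band(self, user, new_password, now):
        # the "alternate secure path": an identity-proofed help-desk reset
        self.users[user] = new_password
        self.accounts[user] = Account()
        self._record(now, user, "RESET")

def audit(log, now, window=24 * 3600.0):
    """Morning check: per user, count failures and rejections in the window,
    note lockouts, and flag a success that directly follows a burst of
    failures, which is exactly what a guessed password looks like."""
    findings, bursts = {}, {}
    for ts, user, event in log:
        if now - ts > window:
            continue
        f = findings.setdefault(user, {"failures": 0, "rejected": 0,
                                       "locked": False, "success_after_burst": False})
        if event == "FAILURE":
            f["failures"] += 1
            bursts[user] = bursts.get(user, 0) + 1
        elif event.startswith("REJECTED"):
            f["rejected"] += 1
        elif event == "LOCKED":
            f["locked"] = True
        elif event == "SUCCESS":
            f["success_after_burst"] |= bursts.get(user, 0) >= BURST_FLAG
            bursts[user] = 0
    return {u: f for u, f in findings.items()
            if f["failures"] + f["rejected"] >= BURST_FLAG
            or f["locked"] or f["success_after_burst"]}

REAL = "correct horse battery"   # constructed password for the constructed user "alice"
# six guesses one second apart, then the real password at t=10 (constructed)
FAST_ATTACK = [(0.0, "password"), (1.0, "123456"), (2.0, "letmein"),
               (3.0, "qwerty"), (4.0, "welcome"), (5.0, "admin"), (10.0, REAL)]
# a patient attacker waits out each timeout and guesses right on the 4th try
SLOW_ATTACK = [(0.0, "password"), (2.0, "123456"), (6.0, "letmein"), (14.0, REAL)]

def run(mode, attempts):
    # replay the attempts against a fresh gate; return outcomes and the gate
    gate = AuthGate({"alice": REAL}, mode=mode)
    return [gate.login("alice", pw, now=t) for t, pw in attempts], gate
```

Call `run("lockout", FAST_ATTACK)` and `run("timeout", FAST_ATTACK)`, then feed each `gate.log` to `audit()`: lockout stops the fast attack at the fifth failure and keeps even the correct password out until `reset_out_of_band()` is used, while the timeout only spaces the guesses out and lets the tenth-second attempt through. `run("timeout", SLOW_ATTACK)` and `run("lockout", SLOW_ATTACK)` show the caveat: three failures followed by a success stays under the lockout threshold in both modes, and only the audit's success-after-burst check notices it, which is why the auditing bullet is on the list at all.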

Put high-frequency password expiration where it belongs, in the backend of a lemming, not on the backs of your physicians, nurses, and support staff.
