Password and Login Management
Take Notice... the Federal Guidelines have Changed!
In June 2017, the National Institute of Standards and Technology (NIST) issued new guidelines, Special Publication 800-63-3 (Digital Identity Guidelines), covering passwords and the management of user logins. They contain some surprising recommendations and, in several cases, reverse earlier NIST guidance or commonly accepted security practice. HIPAA itself does not reference the new NIST guidelines, but HHS, which enforces HIPAA, has generally drawn on NIST recommendations where they apply.
The complete standard can be found at https://pages.nist.gov/800-63-3/ (the password rules are in part B, SP 800-63B). The following is a summary:
What Has Changed:
Passwords should be longer
- 8 characters is the minimum NIST permits for a user-chosen password; 10-12 characters or longer is recommended
- Passwords of at least 64 characters should be accepted, so that users can choose long passphrases
Requiring mixed case, numbers or special characters is no longer recommended
- Composition rules do not reliably increase password strength, because users satisfy them in predictable ways (a capital first letter, a trailing "1!")
- They make it harder for users to choose "memorable" passwords
Requiring users to periodically change their passwords is also no longer recommended
- Forced rotation also pushes users toward weak, predictable variations of a memorable password
- Require a change only when there is evidence or suspicion that a password has been compromised
Password "hints" and security questions used to recover a password are no longer recommended
- Thanks to social media, the answers are often easily found or guessed.
Password selection software should reject "obvious" passwords:
- Passwords that appear in published breach lists, dictionary words, words related to the user or the service (name, user ID, company), repeated characters, numeric or alphabetic sequences, etc. (e.g. "password123", "johnsmith", or "abcabcabc")
Login software should include features to slow or stop brute force attacks:
- Rate limiting: a delay between failed login attempts that grows with each failure
- Locking the account, or requiring additional verification, after a number of failed attempts (NIST caps consecutive failures on one account at 100)
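The two items above, screening candidate passwords and throttling failed logins, are the parts of the new guidance that have to be written into login code. The following is an added example (not code from the original page, from NIST, or from CompliancePro Solutions) showing one way to do both. The blocklist is a constructed handful of entries standing in for a real breached-password corpus; the `user_tokens` argument is an assumption about how the caller passes the user's name, ID and the service name for the "related to the user" check. Note what the screen deliberately does not do: it imposes no mixed-case, digit or symbol requirement and no upper length limit.

```python
"""Password screening and login throttling along the lines of NIST SP 800-63B.
Added example; not code from the original page or from NIST."""
import time

# Constructed, deliberately tiny blocklist. A real deployment checks against a
# large corpus of breached and commonly used passwords.
COMMON_PASSWORDS = {
    "password", "password123", "123456", "12345678", "qwerty",
    "letmein", "welcome", "iloveyou", "admin", "abc123",
}

MIN_LENGTH = 8  # NIST minimum for a user-chosen password; no maximum is enforced


def has_repeated_run(pw, n=4):
    """True if some character repeats n or more times in a row ('aaaa')."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run >= n:
            return True
    return False


def has_sequence(pw, n=4):
    """True if pw contains n consecutive ascending or descending characters
    ('abcd', '4321'), compared case-insensitively."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeated_block(pw):
    """True if pw is a short block repeated end to end ('abcabcabc')."""
    for size in range(1, len(pw) // 2 + 1):
        if len(pw) % size == 0 and pw[:size] * (len(pw) // size) == pw:
            return True
    return False


def check_password(pw, user_tokens=()):
    """Return the reasons a candidate password is rejected ([] = accepted).
    user_tokens (assumed interface): username, names, e-mail local part,
    service name, etc. No composition rules are imposed, per NIST."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on common-password list")
    for tok in user_tokens:
        tok = tok.lower()
        if len(tok) >= 3 and tok in lowered:
            problems.append(f"contains user-related word '{tok}'")
    if has_repeated_run(pw):
        problems.append("repeated characters")
    if has_sequence(pw):
        problems.append("sequential characters")
    if has_repeated_block(pw):
        problems.append("repeated pattern")
    return problems


class LoginThrottle:
    """Per-account brute-force protection: an exponentially growing delay
    after each failure, then a lockout once max_failures is reached.
    Timestamps can be passed in explicitly so the logic is testable."""

    def __init__(self, max_failures=10, base_delay=1.0, max_delay=60.0,
                 lockout_seconds=900.0):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_seconds = lockout_seconds
        self._state = {}  # user -> (consecutive failures, not-before time)

    def allowed(self, user, now=None):
        """(True, 0.0) if an attempt may proceed, else (False, seconds to wait)."""
        now = time.time() if now is None else now
        _, not_before = self._state.get(user, (0, 0.0))
        if now < not_before:
            return False, not_before - now
        return True, 0.0

    def record_failure(self, user, now=None):
        """Record a failed login; return the delay imposed before the next try."""
        now = time.time() if now is None else now
        failures, _ = self._state.get(user, (0, 0.0))
        failures += 1
        if failures >= self.max_failures:
            wait = self.lockout_seconds
        else:
            wait = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[user] = (failures, now + wait)
        return wait

    def record_success(self, user):
        """A successful login clears the failure history."""
        self._state.pop(user, None)
```

In a real login handler the sequence is: call `allowed()` before checking the password, `record_failure()` on a wrong password (and tell the user how long to wait), `record_success()` on a correct one. Keep the throttle keyed by account, not only by client IP, since a distributed attack rotates addresses; and keep the lockout long enough to hurt an attacker but short enough that a locked-out user can simply wait rather than call the help desk.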
Two-factor authentication, where users must also present something beyond the password (a one-time code from an authenticator app or hardware token, a code sent by text message, or a hardware device), is encouraged to strengthen user authentication. Note that NIST classes codes sent by SMS as a "restricted" authenticator, because phone numbers can be hijacked, and does not accept codes sent by e-mail as a second factor at all; authenticator apps and hardware tokens are the stronger choice.
What Has Not Changed:
- User IDs must uniquely identify an individual user; accounts should not be shared
- Passwords should never be transmitted except over an encrypted, authenticated channel (TLS), and should never be stored in plaintext or in a reversible (encrypted) form. Store only a salted hash computed with a deliberately slow function (NIST names PBKDF2; bcrypt, scrypt and Argon2 are also widely used), so that a stolen database cannot be turned back into passwords.
CompliancePro Solutions recommends that all healthcare organizations managing ePHI consider adopting these guidelines.
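The storage rule above is the one most often implemented wrongly: encrypting passwords leaves a key on the server that decrypts every one of them, whereas a salted, iterated hash cannot be reversed and has to be attacked one guess at a time. The following is an added example (not code from the original page, from NIST, or from CompliancePro Solutions) of storing and verifying passwords with PBKDF2-HMAC-SHA256 from the Python standard library. The record format `alg$iterations$salt$digest` and the 600,000 iteration work factor are assumptions for the example; NIST SP 800-63B sets only a floor of 10,000 iterations and a 32-bit salt.

```python
"""Salted, iterated password hashing for storage. Added example; not code from
the original page. Uses only the Python standard library."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # work factor (assumption); NIST floor for PBKDF2 is 10,000
SALT_BYTES = 16       # 128-bit random salt per password (NIST minimum: 32 bits)


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record 'alg$iterations$salt$digest' with salt
    and digest base64-encoded. A fresh random salt is drawn unless one is
    supplied; supplying one is only for tests."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(stored):
    """Split a stored record into (iterations, salt, digest), or None if malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except ValueError:  # bad integer or bad base64 (binascii.Error is a ValueError)
        return None


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so response timing does not leak how much matched."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True if the record is in an unknown format or uses a lower work factor
    than current policy. Call after a successful verify and re-hash with the
    plaintext just validated, so old records are upgraded transparently."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations
```

Because the iteration count travels with each record, the work factor can be raised later without a migration: on the next successful login `needs_rehash()` reports the old record and the handler replaces it. The same self-describing layout is what bcrypt and Argon2 libraries produce, so swapping the algorithm later is a change to one function, not to the database.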