From: "Opland, Russell" <OplandR@uphs.upenn.edu>
Date: March 31, 2005 2:49:15 PM EST
To: "All Exchange Users" <allexu@uphs.upenn.edu>
Subject: HIPAA Security: Protecting Passwords
One of our greatest areas of vulnerability is the passwords we use to log in to the UPHS network and computer systems. There are freely available hacker tools on the internet that use the incredible computing power of today's desktop computers to "crack" passwords in seconds.
As part of our HIPAA Security initiative, and as a result of a focused risk assessment in this area, we will be implementing requirements for "strong passwords" on our systems starting in late April. When the computer system in question is technically capable of supporting it, a "strong" password is one that is:
- At least 7 characters in length
- Contains upper- and lowercase characters
- Contains at least one number, and
- Contains at least one "special character" (like a punctuation symbol).
Passwords should not be easily associated with you. For example, do not use the following as passwords:
- Your username
- Your name, a family member's name, a pet's name, etc.
- Birth dates, anniversary dates, etc.
- Any dictionary word, or proper name (unless modified as described below)
Passwords will be required to be changed periodically, depending on the sensitivity of the information contained in the applicable computer system.
Passwords should not be written down, nor should they be shared with anyone else under any circumstances. This includes Help Desk personnel. Hackers will often pretend to be Help Desk personnel, and ask you for your password. This is one of their techniques for gaining access. Our Help Desk personnel will not ask you for your password.
We strongly encourage you to create strong passwords for yourself and begin using them as soon as possible.
Technique for creating easily remembered strong passwords:
- Create a short, easily-recalled sentence (one with numbers in it makes this a little easier, but is not essential), for example: "Apollo 11 first landed men on the moon"
- Next, take the first letter of each word in the sentence, and the numbers, to begin creating your password: for example, using the sentence above, we'd have "A11flmotm"
- The next step is to add or include numbers. The easiest way to do this is to have numbers in your base sentence, as in the example we've been using, but another technique is to replace certain letters of the alphabet with numbers. For example, you can replace the letters "i" or "l" with the number 1; the letter "o" with the number 0; the letter "s" with the number 5; the letter "b" with the number 6 (the technique is to use a number that has a similar shape to the letter).
- The final step is to include a punctuation symbol. For example, you can replace the letter "a" with an @ sign, or the letter "s" with a $ sign, or the letter "o" with an *, or the letters "i" or "l" with an ! mark.
- If you're having difficulty substituting numbers or symbols for characters, your "last ditch" solution is to include them at the beginning or end of your password.
- Using the original example sentence, above, we could come up with "A11f!m*tm" as a complex password that's not too difficult to remember (assuming you picked an easily-recalled sentence to start with). This password has upper- and lowercase characters, punctuation symbols, and numbers, and is more than 7 characters in length.
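As an added illustration (not part of this memo), the strong-password rules above can be written as a small checker; the function names and the short disallowed-word list are assumptions chosen for the example, not a UPHS tool:

```python
import string

# Constructed stand-in for a real dictionary / proper-name list; a deployed
# checker would load a much larger word list.
DISALLOWED_WORDS = {"apollo", "password", "welcome"}


def strong_password_problems(password, username="", personal_words=()):
    """Return the list of memo rules the password violates.

    An empty list means the password is "strong" by the memo's definition:
    at least 7 characters, upper- and lowercase letters, a number, a special
    character, and not built from the username, personal names or a
    dictionary word (unmodified).
    """
    problems = []
    if len(password) < 7:
        problems.append("shorter than 7 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")

    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    # Names tied to the user (family, pets) are treated like dictionary words:
    # they may only appear once modified by the letter-substitution technique.
    for word in DISALLOWED_WORDS | {w.lower() for w in personal_words}:
        if word and word in lowered:
            problems.append(f"contains the word '{word}'")
    return problems


def is_strong_password(password, username="", personal_words=()):
    """True when the password satisfies every rule in the memo."""
    return not strong_password_problems(password, username, personal_words)
```

Run against the memo's own example, "A11flmotm" fails only the special-character rule, while the final "A11f!m*tm" passes every check.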
How to Change the Password on your Windows-based PC
- Press and hold down both the "Ctrl" and the "Alt" buttons at the same time
- While holding them down, press the "Delete" button (not the "Backspace" button)
- A screen should appear that has a button on it saying "Change Password"
- Click that button and change your password