When confronted with a HIPAA or Sarbanes-Oxley audit, there is one aspect of the network that will be checked EVERY time — password policies. There will be no allowance for not using what Microsoft calls “Complex Passwords”. By definition that means that the password must contain three of the four character types:
- Upper Case – A B C D E F G …
- Lower Case – a b c d e f g …
- Numbers – 1 2 3 4 5 6…
- Special characters – ! @ # $ % ^ …
I believe that most people despise complex passwords because they haven’t been taught how to creatively construct complexity using simplicity. I’ll show you how.
Simple Substitution (medium strength)
Start with a common, everyday word and tweak it. Look around the room: what do you see? I’m in a kitchen, so I’ll choose a “Potato”. As spelt, I already have one upper case and several lower case characters. Just one change – Pot@to – and I have a complex password. Change another letter to a symbol, or add one to the end, and your password becomes even more complex.
Natural Associations (medium strength)
Where in your life do numbers and words naturally go together? How about your first car? Mine was a 68Camaro. What is your favorite Bible verse? What was your street address when you were seven years old? What was your grandmother’s birth date?
There is just one exception to this rule: avoid things that are commonly known about you. Unlike in the movies, people should not be able to guess your password. Example: You have a son, your life revolves around him, and he’s ten years old. In your case, Bobbie10 is probably not a good password for you to use.
Initial Passphrase (high strength)
This is so simple, yet so impossible to crack. Here’s my example: Il@713AL. What does it mean? Well, actually it’s the initials of my easy-to-remember passphrase with a special character thrown in for good measure, “I live at 713 Alamo Lane”. You could do the same thing with one line from a song, the punch line of a very clever joke, or an old saying.
Key Proximity + PIN (very high strength)
I like this one because I can type it really, really fast. There’s a bit of a technique, but I think that you’ll catch on quickly. We’re going to start easy and then add a twist. With your left hand, type “asdf”. Notice how you started with your pinky and just let your hand roll across the letter keys. Now, let’s do that again, but this time, I’m going to insert a random PIN in between the letters using my right hand and the number pad – a2s4d6f8.
Notice that asdf still exists, but I now have 2468 injected in as every other character. I hear what you’re saying, “But that’s only two character types and I need at least three.” What if I shift my left hand so that these keys are used instead – iop[
Alternatively, just start or end your password with a special character. You can roll with your right hand, or start with your index finger and roll towards your pinky. Any variation makes your password unique.
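As an added example (not the post’s own code), here is a small Python check that applies the three-of-four character-class rule from the top of the post to the examples given, including the a2s4d6f8 case, and also screens for the “commonly known about yourself” tokens the post warns against. The personal facts and sample passwords are constructed for illustration.

```python
import string

# The four character classes named in the post; the complexity rule requires
# a password to contain at least three of them. Non-ASCII characters are not
# counted here (an assumption of this example, not a statement of the policy).
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_present(password: str) -> set:
    """Names of the character classes that actually occur in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def is_complex(password: str, required: int = 3) -> bool:
    """True when the password uses at least `required` of the four classes."""
    return len(classes_present(password)) >= required


def personal_tokens_found(password: str, personal_tokens) -> list:
    """Case-insensitive check for 'commonly known' facts (a child's name,
    an age, a birth year) embedded in the password, as the post warns against."""
    lowered = password.lower()
    return [t for t in personal_tokens if len(t) >= 2 and t.lower() in lowered]


def check_password(password: str, personal_tokens=()) -> list:
    """Return a list of problems; an empty list means the password passes
    both checks described in the post."""
    problems = []
    present = classes_present(password)
    if len(present) < 3:
        missing = sorted(set(CHARACTER_CLASSES) - present)
        problems.append(f"only {len(present)} character classes; missing {missing}")
    for token in personal_tokens_found(password, personal_tokens):
        problems.append(f"contains commonly known personal token {token!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the post's own examples plus the 'son's name' case.
    known_facts = ["Bobbie", "10"]  # constructed personal facts, per the post
    for pw in ["Pot@to", "68Camaro", "Il@713AL", "a2s4d6f8", "a2s4d6f8!", "Bobbie10"]:
        result = check_password(pw, known_facts)
        print(f"{pw:12} {'ok' if not result else '; '.join(result)}")
```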
In the broader sense…
Let’s take a moment and look at the examples that I’ve given you so far. Notice that each and every one ranges from 7 to 10 characters. While it is true that the more characters you use, the stronger your password, there should be a balance. No one wants to type a 28-character password every time their screensaver kicks in.
Play around with these concepts and see if you can come up with a few clever tricks of your own.
And lastly, do NOT share passwords. What if a very nasty email gets sent out from your login? What if a patient gets the wrong medication under your login? What if harm is done to shared files or network resources from your login? What if someone visits inappropriate websites under your login? Why risk it?