This article first appeared on 7.1.14 on digitalhealth.net.
My desktop computer at work has once again started warning me that my password is about to change.
I think it is set to change every 90 days. But the computer starts warning me from 15 days to go, which annoys me even more. If I change it now, I’ll be changing it every 75 days…
Passwords, passwords everywhere
I’d probably cope better with this irritation if I only had to deal with passwords at the surgery. But, of course, I don’t.
This weekend, I tried logging in to several websites to catch up on the paperwork associated with some of the clinical trials I run.
Some don’t work on Safari and some don’t work on IE7, which means that some of the paperwork can’t be done at home and some of it can’t be done at work. But putting that aside, I had a nightmare logging on because of passwords.
I haven’t had to use one site for two years so, unsurprisingly, I couldn’t remember what password I’d chosen. Then, the rescue email address that the site had for me was out of date, so I had to email for support.
Another site – this time an NHS one – had a password reset option that emailed me a new password. Great. Except that the new password didn’t work.
I tried going around the loop six times. I was sent six new passwords and none of them worked. About an hour into this session, I gave up as I was getting nowhere. Is it any wonder people say there are productivity savings to be made in the NHS?
Let’s get rid of them
I’m convinced if we did away with passwords we would get a lot more work done. I’m not sure any of the sites I needed to use really needed to be password protected.
For example, I had to log on to one of the sites in order to pass an online test that had four questions. This gave me an otherwise meaningless certificate that I needed in order to use another website which, if it had been designed properly, wouldn’t need an instruction course on how to use it.
I can’t believe anyone would want to do the test for me; and if I was going to cheat I’d just give them my password anyway.
There seems to be an obsession with passwords, and with changing them, in the NHS that the general expert consensus has decided is likely to make sites less rather than more secure: it irritates users into setting poor passwords, all but forces them to write them down, and makes them blind to other ways of blagging the data.
I agree. We need a better way.
Some principles of hacking
The traditional method of cracking a password is to test lots of possibilities against what is called its hash.
Passwords are usually stored not in clear text but as a hash, the output of a one-way function that cannot be run backwards. Instead of trying to reverse the hash, an attacker who knows which algorithm the site used simply tries lots of candidate passwords in turn.
They run each candidate through the same function and compare the results. If one matches the stored hash, they have the password.
This is the so-called ‘brute force’ approach, and you won’t be surprised to learn that people have built computers, and also special-purpose machines, that can check billions of candidates a second. That rate applies to fast hashes such as MD5 or SHA-1 stored without a salt; a site that uses a deliberately slow, salted password hash such as bcrypt or Argon2 cuts it by orders of magnitude, so how the site stores the password matters as much as how strong it is.
Try a made-up password of the same shape as yours (never the real one) at www.grc.com/haystack or howsecureismypassword.net and you can see that, in essence, the longer a password is the more secure it is likely to be, and the larger the set of characters it is drawn from, the better.
This is why some websites insist on capitals and numbers, trapping people in a common pitfall: a single dictionary word capitalised at the beginning with a few numbers tacked on the end.
Analyses of databases that have been hacked suggest that 80-90% of people do this. Often the result is something like Password1. In pure brute-force terms it is not bad in principle; after all, it has a capital, a number and is nine characters long. In reality it is dreadful.
That is because it is known about and is usually one of the first combinations tried. Attackers have built up fairly sophisticated dictionaries of known passwords and their variants, sometimes tailored to the type of person using the website, together with rule sets that capitalise words, append digits and years, and apply known tricks like replacing i with 1 or a with @.
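To make the mechanics concrete, here is an added example (not from the original article) of the attack just described: a small dictionary attack that applies the ‘capitalise, swap letters, append digits’ rules to a handful of words and checks each candidate against a table of unsalted SHA-256 hashes. The usernames, the word list and the hashes are constructed for the illustration. ‘Password1’ and ‘P@ssw0rd’ fall out of a few hundred guesses; the long random passphrase never even becomes a candidate.

```python
import hashlib
import itertools

# Constructed sample data: a pretend leaked table of unsalted SHA-256
# password hashes, built here so the example runs offline. The accounts
# and passwords are invented for illustration, not real data.
def sha256_hex(password: str) -> str:
    """The 'known algorithm' the attacker replays: a fast, unsalted hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


LEAKED_HASHES = {
    "alice": sha256_hex("Password1"),
    "bob": sha256_hex("P@ssw0rd"),
    "carol": sha256_hex("YellowOctopusEatingChocolateScrewdriver"),
}

# A tiny stand-in for the attacker's word list (real ones hold millions).
BASE_WORDS = ["password", "letmein", "welcome", "qwerty", "monkey", "nhs"]

# Character swaps that mimic the 'i with 1' trick and its relatives.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Suffixes people append to satisfy 'must contain a number/symbol' rules.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2014"]


def leet_variants(word: str):
    """Yield every combination of leaving each letter alone or swapping it.

    'password' has four swappable letters (a, s, s, o), so 2**4 = 16
    spellings come out, including 'P@ssw0rd' once capitalised.
    """
    options = [[c] + ([LEET[c.lower()]] if c.lower() in LEET else []) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def mangle(word: str):
    """Yield the cheap variants a cracking rule set tries before raw brute force."""
    case_forms = dict.fromkeys([word, word.capitalize(), word.upper()])  # ordered, deduplicated
    for case_form in case_forms:
        for leet_form in leet_variants(case_form):
            for suffix in SUFFIXES:
                yield leet_form + suffix


def crack(leaked: dict, words) -> tuple:
    """Dictionary attack: hash each candidate once and look it up in the leak.

    Returns (found, tried) where found maps username -> recovered password
    and tried is the number of candidates hashed. Because the hashes are
    unsalted, one hash computation is checked against every account at once.
    """
    wanted = {h: user for user, h in leaked.items()}
    found = {}
    tried = 0
    for word in words:
        for candidate in mangle(word):
            tried += 1
            h = sha256_hex(candidate)
            if h in wanted:
                found[wanted[h]] = candidate
    return found, tried


if __name__ == "__main__":
    found, tried = crack(LEAKED_HASHES, BASE_WORDS)
    print(f"tried {tried} candidates, recovered {len(found)} of {len(LEAKED_HASHES)}")
    for user, pw in sorted(found.items()):
        print(f"  {user}: {pw}")
```

Real cracking tools apply thousands of such rules to word lists of hundreds of millions of entries and, against a fast unsalted hash, test the candidates at GPU speed. The server-side defence is a slow, salted password hash (bcrypt, scrypt or Argon2): the salt stops one guess from being checked against every account at once, and the slowness makes each guess expensive.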
To get around this kind of issue, some experts advocate stringing together random words that are memorable.
For instance, “YellowOctopusEatingChocolateScrewdriver” is quite memorable, but is long enough to stop brute force attacks.
Adding a space or symbol between each word makes it longer and helps it resist another type of attack, the dictionary attack, which, as its name implies, tries to identify passwords from a list of likely words. One caveat: cracking tools also combine dictionary words, so the strength of a passphrase comes from the number of words and from picking them genuinely at random, not from the separator.
Other ways of making a password long are to add the website name, so your Facebook password might start or end with Face-Book, while your LinkedIn password would use Linked-In.
You can also put quotes around the whole thing or a dash between each character. “F-a-c-e-b-o-o-k-!-P-a-s-s-w-o-r-d-1-2-3-!” is much harder to brute force and gives different passwords for different sites from the same root. The weakness of that scheme is worth knowing: if any one site leaks its copy in the clear or in a crackable hash, the pattern hands an attacker every other site’s password, and stripping a predictable separator or a site name costs a cracking tool nothing.
Some feel that taking the initial letters of a sentence, rather than whole words, is the way to go. “My Dad Lives at 312 Hill Street” might easily become MdL@3!2Hs or even “F-a-c-e-b-o-o-k-M-d-L-@-3-!-2-H-s-”.
Unfortunately, while this is easy to remember – if difficult to type – and pretty secure on all fronts, I’ll still have to change it in 75 days if I choose to use it on my surgery computer.
Time for a new approach
So should we just stop changing passwords and make people use 20 or 30 character long passwords that are good and secure?
Well, possibly. But the sheer number of sites requiring passwords would remain a nightmare. Password managers can help by storing all your passwords and releasing them to the relevant sites, and I wonder if the NHS needs to develop one?
Biometrics would be an alternative, but in reality these are just passwords. So I believe authentication is better. My bank and even the online game World of Warcraft (WoW) use authenticators.
These are either gadgets or apps that display a number that changes every 30 seconds or so. Each code is computed from a secret shared only by the website and the app, combined with the current time, so the website can check it without ever having sent it. The rapid change means that a code an attacker captures stops working within that window and cannot be reused later. The caveat is that a phishing site which relays the code to the real site straight away can still get in, so an authenticator protects against stolen and replayed credentials rather than against every form of trickery.
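The following is an added example, not code from the article or from any bank or game, of how such an authenticator works. It implements the two published standards, HOTP (RFC 4226) and time-based TOTP (RFC 6238), in Python with only the standard library. The shared secret is the test secret published in RFC 6238, used so the codes can be checked against the RFC’s own vectors; a real deployment generates a random secret per user at enrolment. The 30-second step is the standard’s default.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (20 ASCII bytes), used only so the output can be
# checked against the published vectors. Real secrets are random per user.
TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code in the standard's default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    'dynamically truncated' to 31 bits, reduced to the wanted digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time.
    Every device holding the secret and a correct clock computes the same code."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, code: str, at: int, step: int = TIME_STEP, skew: int = 1) -> bool:
    """Server-side check of a submitted code at time `at`.

    Accepts the current step and `skew` steps either side to tolerate clock
    drift, compares in constant time, and rejects anything older: a code
    captured now is dead a couple of steps later.
    """
    current = at // step
    for counter in range(max(0, current - skew), current + skew + 1):
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return True
    return False


def provisioning_secret(secret: bytes) -> str:
    """How the secret is handed to the user's app at enrolment: base32,
    as carried in the QR code of an otpauth:// URI."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print("enrol the app with secret:", provisioning_secret(TEST_SECRET))
    print("code right now:", code, "accepted:", verify(TEST_SECRET, code, now))
    print("same code two minutes later accepted:", verify(TEST_SECRET, code, now + 120))
```

Two design points the code makes visible: the server never stores or transmits the codes, only the secret, so a code is useless once its step has passed; and the acceptance window is deliberately small. A real server also records the last counter it accepted for each user and refuses to accept it twice, so that a code cannot be replayed within its own window.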
Used together with random questions with known answers, these are pretty safe for the moment. So is it time we had an NHS identity app that all NHS users could have on their smartphones or in dongle form?
I think so. Have some centralised system that allows any authorised software to use it for a small fee, and you might just save me hours of time that I could spend on patient care.