Is a weak password risking your nursing PIN and patient data?

Password security is a big deal when you’re accessing data as sensitive as health records. Read on for 3 surprising things about passwords and how to safeguard your patients with stronger choices.

Nursing is amazingly diverse, with a huge range of skills nurses can learn to support service-users. I've lost count of how many times a colleague has told me they're a technophobe, but tech literacy is increasingly required; digital transformation is happening now. So it's time for a chat about a surprising area where a little cryptography knowledge can improve your practice.

Breaches of health data security have attracted some of the largest fines the regulator has ever imposed. Losing data compromises patient trust in digital health records, as well as exposing service-users to sophisticated spear-phishing attacks and extortion. For individual professionals (that's you!) the NMC Code imposes a general duty of patient confidentiality and specifically requires you to “take all steps” to keep records secure. What does “all steps” mean? Even if you follow local security policies, that seems to leave plenty of room for you to lose your registration. With that in mind, let’s take a look at three password gotchas and what you can do to safeguard your patients.

1 – Typical passwords are not nearly as strong as you think

In simple terms, password entropy measures how resistant a password is to brute-force attack: how many guesses an attacker needs, on average, to find it. You’ve probably had a password rejected because it didn’t meet a minimum length, the idea being that it didn’t have enough entropy. So, think about the four-digit code pads on the doors where you work. How long would it take you to try every combination and force your way into the room? 0000, 0001, 0002 … 9997, 9998, 9999?

Four digits, each able to take ten values, means 10x10x10x10 possible codes: 10,000. On average you’ll have to try half of them before hitting the right one, so at one guess a second you’ll be standing at the door for about 83 minutes. Nobody gets that long unchallenged; it's impractical to brute-force the code.

But do people really choose codes at random? Maybe they'll set the combination as a day/month sequence, because it’s easier to remember? Then instead of four items with ten values each, we really have two items, the first with 31 “day” values (ignoring February etc. to keep this brief) and the second with 12 “month” values. We’ve gone from 10x10x10x10 possibilities to 31x12, or just 372. On average it takes a bit over 3 minutes to break in. Fast fingers will get in before anyone notices.

That’s pretty quick but you can do better. If people tend to select a birthday, you can begin with dates when more babies are born because of the dark winter months or sports teams’ wins. Add some famous birthdays like Newton or Freddie Mercury. Maybe throw in a list of holidays like Christmas and Independence Day. If you try these combinations first, you don’t need to be lucky any more. With your educated guesses you’ll crack the lock in a handful of seconds.

Here's what you need to know: this isn't just hypothetical arithmetic, this is how modern password cracking is done! Several billion passwords have been leaked in security breaches, giving hackers detailed insight into how real people choose passwords. Turns out we're really bad at it. And instead of one guess a second, hackers use hardware that can try billions of combinations a second against fast hashing algorithms. With educated guesses, hashes (the one-way mathematical transformation of a password that systems store instead of the password itself) that in theory would cost lifetimes to crack are broken in fractions of a second. More detail can be found in this superb Ars Technica article.
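The door-code arithmetic above, worked through as an added example (this is not code from the original article). It hashes a constructed target code with SHA-256, standing in for whatever fast hash a system might use, and counts how many guesses a naive attacker (0000 upwards) needs against an attacker who tries popular dates first, then every valid day/month, then everything else. The "popular dates" list, the target codes and the guess rates are assumptions for illustration.

```python
"""Added example (not from the original article): brute force versus
educated guessing against a hashed four-digit door code.

Everything here is constructed for illustration: the 'popular dates'
list, the target codes and the guess rates are assumptions, and SHA-256
stands in for whatever fast hash a real system might use."""
import hashlib
import math
from typing import Iterable, Iterator, Optional, Tuple

DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]  # 366 DDMM codes

# Assumed 'first things to try': Christmas, New Year, New Year's Eve,
# Valentine's Day, 4 July. A real attacker mines leaked-password corpora.
POPULAR_DATES = ["2512", "0101", "3112", "1402", "0407"]


def keyspace_bits(symbols: int, length: int) -> float:
    """Entropy of a uniformly random code: length * log2(alphabet size)."""
    return length * math.log2(symbols)


def expected_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random secret: half the keyspace."""
    return (keyspace / 2) / guesses_per_second


def sha256_hex(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def exhaustive_order() -> Iterator[str]:
    """Naive attacker: 0000, 0001, ..., 9999."""
    return (f"{n:04d}" for n in range(10_000))


def educated_order() -> Iterator[str]:
    """Popular dates first, then every valid DDMM date, then the rest.
    Yields each of the 10,000 codes exactly once."""
    seen = set()
    for code in POPULAR_DATES:
        seen.add(code)
        yield code
    for month, days in enumerate(DAYS_IN_MONTH, start=1):
        for day in range(1, days + 1):
            code = f"{day:02d}{month:02d}"
            if code not in seen:
                seen.add(code)
                yield code
    for code in exhaustive_order():
        if code not in seen:
            yield code


def crack(target_hash: str, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Hash candidates in order until one matches; return (code, guesses)."""
    guesses = 0
    for code in candidates:
        guesses += 1
        if sha256_hex(code) == target_hash:
            return code, guesses
    return None, guesses


def compare(target: str) -> Tuple[int, int]:
    """Guesses needed by the naive and the educated attacker for `target`."""
    h = sha256_hex(target)
    return crack(h, exhaustive_order())[1], crack(h, educated_order())[1]


if __name__ == "__main__":
    print(f"4-digit code: {keyspace_bits(10, 4):.1f} bits, "
          f"{expected_seconds(10_000, 1) / 60:.0f} min at 1 guess/s")
    print(f"day/month code: {keyspace_bits(372, 1):.1f} bits, "
          f"{expected_seconds(372, 1) / 60:.1f} min at 1 guess/s")
    for target in ("1503", "2512"):  # 15 March and Christmas Day (constructed)
        naive, smart = compare(target)
        print(f"{target}: naive {naive} guesses, educated {smart} guesses")
    # At a billion hashes a second the whole 10,000-code space is gone in
    # microseconds; the ordering only matters while guesses are slow.
    print(f"whole keyspace at 1e9 guesses/s: {10_000 / 1e9 * 1e6:.0f} microseconds")
```

The point to notice is that the educated list is never worse than the naive one (it still covers all 10,000 codes) but reaches date-shaped codes in a few dozen guesses rather than a few thousand. Swap the 10,000-code space for a real password space and the billion-per-second rate for a cracking rig and the same ordering effect is what makes "lifetime" estimates meaningless.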

So your password is more easily attacked than a naive mathematical view would predict. If you use a guessable password, common words in common patterns, I can't see how you wouldn't be risking your PIN. You're certainly risking your patients' confidentiality. But! Your employer probably has strict password rules to try to stop you, so no worries, right?

2 – Most password composition rules are useless

There are two ways to enter your password: you either remember it, or you write it down somewhere accessible (a password manager is the safe way to do the latter, where you're allowed one; a sticky note on the monitor is not). Writing it down kinda defeats the point… so users make passwords memorable. Memorable often means guessable, as we discovered above, so your IT department will set rules to make that difficult. Which is bad. Why? When you have password rules that try to force passwords to be more “chaotic” and less predictable, you actually make them worse because of how people adapt.

You try to set your password to “pass”. As above, this is a terrible password because a dictionary attack will crack it instantly and it will be the first thing anyone tries, but at four characters, even if it were completely random, it could quickly be brute-forced (four lowercase letters give only 26x26x26x26, about 457,000, possibilities). Composition rules force you to use at least eight characters and “pass” becomes “password”. No improvement at all, still instantly compromised by a dictionary attack.

What if you use at least one upper-case character and a number? “password” becomes “P455w0rd”. This pattern is around the third or fourth attack someone will try, out of dozens of standard variations – no meaningful improvement. At least one punctuation character? “P455w0rd.” Still so predictable, still no good.

You might be thinking no one would actually use any variant of something as plainly stupid as “password” but they do, more than anything else, year after year. No amount of arbitrary composition rules will stop them. Simple fact is you need to be able to remember your password, so you use an easy pattern to match whatever rules are set.
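Here is what "the third or fourth attack someone will try" looks like in practice, as an added example (not from the original article and not taken from any real cracking tool): a tiny rule-based mangler that takes a base word and applies case changes, leet substitutions and common suffixes in a fixed order, then reports at which guess a given password falls out. The substitution table and suffix list are an assumed small subset; real rule files ship thousands of transformations.

```python
"""Added example (not from the original article): a tiny rule-based
'mangler' in the spirit of the rule files shipped with password crackers.
It is constructed for this article and covers only a handful of the
dozens of standard transformations; real rule sets are far larger."""
from itertools import product
from typing import Iterable, Iterator, List, Optional

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}  # assumed subset
SUFFIXES = ["", "1", "123", "!", ".", "1!", "2024"]         # assumed subset


def case_variants(word: str) -> Iterator[str]:
    """pass -> pass, Pass, PASS."""
    yield word
    yield word.capitalize()
    yield word.upper()


def leet_variants(word: str) -> Iterator[str]:
    """Every combination of keeping or substituting each LEET letter;
    the unchanged word comes first, the fully substituted one last."""
    slots = [(ch, LEET[ch.lower()]) if ch.lower() in LEET else (ch,) for ch in word]
    for combo in product(*slots):
        yield "".join(combo)


def candidates(bases: Iterable[str]) -> Iterator[str]:
    """Rule order: case, then leet, then suffix, for each base word."""
    for base in bases:
        for cased in case_variants(base):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield leeted + suffix


def guess_index(target: str, bases: List[str]) -> Optional[int]:
    """1-based position of `target` in the candidate stream, or None."""
    for i, guess in enumerate(candidates(bases), start=1):
        if guess == target:
            return i
    return None


def candidate_count(bases: List[str]) -> int:
    """How many guesses the whole rule set produces from `bases`."""
    return sum(1 for _ in candidates(bases))


if __name__ == "__main__":
    base = ["password"]
    print(f"{candidate_count(base)} candidates from one base word")
    for pw in ("password", "Password1", "P455w0rd", "P455w0rd.", "PASSWORD!"):
        print(f"{pw:12} guess #{guess_index(pw, base)}")
    # At a billion guesses a second all of these fall in under a microsecond.
```

Every variant the composition rules coaxed out of "pass" sits within a few hundred guesses of the base word, and a cracker holds a base list of millions of words, each expanded the same way. The rules add a constant factor to the attacker's work, not the exponential one the policy author imagined.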

If a system fails by people just being people, the fault is more with the system designer than the user. But you’ll still risk your PIN, because you should know better, just as your IT team should. The Code requires you to “take all steps” to secure data, remember? That must mean more than just minimally complying with local policy.

At least if your password is compromised it’ll be safe again when it's due to expire, right?

3 – Frequently changing passwords weakens security

Nope. Far from helping, if you make someone change their password regularly they unsurprisingly still act like people, reusing the same password with minimal changes that satisfy the composition rules. Password#1, pAssword#2, paSsword#3… Once a password is hashed (mathematically transformed into a random-looking string) these minor, uselessly predictable changes are invisible to IT after the fact; they could only be caught at the moment of change, when the old and new passwords are briefly both in hand to compare, and most systems don't bother. It's your responsibility not to do this.
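For the IT side of that, here is the comparison a password-change handler can make while it still holds both the old and the new password in plaintext, as an added example (not from the original article). It collapses case, common leet substitutions and trailing digits or punctuation so that Password#1 and pAssword#2 look identical, and falls back to an edit-distance check for the "bump the year" pattern. The substitution table and the distance threshold are assumptions, and sample pairs are constructed.

```python
"""Added example (not from the original article): the similarity check a
password-change handler can run while it still holds both the old and
the new password in plaintext. Constructed for illustration; the
substitution table and distance threshold are assumptions."""
import re
from typing import Dict

UNLEET: Dict[str, str] = {"4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "@": "a", "$": "s"}


def normalise(password: str) -> str:
    """Lowercase, undo common leet swaps, drop non-letters, so that
    Password#1, pAssword#2 and P455w0rd. all collapse to 'password'."""
    letters = "".join(UNLEET.get(ch, ch) for ch in password.lower())
    return re.sub(r"[^a-z]", "", letters)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the usual dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is a trivial edit of `old`: the same letters under
    normalisation, or within `max_distance` single-character edits."""
    if normalise(old) == normalise(new):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_distance


if __name__ == "__main__":
    pairs = [  # constructed sample changes
        ("Password#1", "pAssword#2"),
        ("pAssword#2", "paSsword#3"),
        ("Summer2023", "Summer2024"),
        ("Password#1", "WIw10,mbgmi2Dt!!"),
    ]
    for old, new in pairs:
        verdict = "REJECT" if too_similar(old, new) else "ok"
        print(f"{old!r} -> {new!r}: {verdict}")
```

This only works at change time because that is the one moment the server legitimately sees the old password in clear; comparing stored hashes afterwards tells you nothing, which is exactly why the rotation habit goes unnoticed.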

Now you can’t stop IT from expiring your password, but you probably do have a professional duty to tell them why they shouldn’t. Even the Chief Technologist at the US Federal Trade Commission had to fight to get their policy updated to current best practice. We're all patient advocates, aren't we? NIST have internationally respected standards (SP 800-63B, the Digital Identity Guidelines) that can be referenced if you need help nudging people in the right direction.

How to choose a good password

You want to protect your patients and yourself, so hopefully after showing some of the surprising ways we can get passwords wrong, you’re wondering how to do it right? Your password needs to be memorable, but unpredictable enough and long enough to resist modern cracking techniques.

There’s debate among security professionals about this famous xkcd strip (“correct horse battery staple”), but I think it remains solid advice as a compromise that works for real people, acting like real people do. Ideally once you select your password it will be vetted by a password strength meter that isn't useless; most are, because they just count character classes. You could urge your IT support to implement zxcvbn, Dropbox's open-source estimator, which looks for dictionary words, dates, keyboard walks and leet substitutions instead, and if you’re vaguely techy you can run it locally to check your own choices against. You obviously shouldn’t test your real passwords online, but you can play with how choices make a difference here.

My personal recommendation is the Schneier scheme. It takes a bit more thought but is far more robust than the xkcd method, which at four common words is still within reach of a wordlist attack if the hashing algorithm isn't expensive enough. Schneier's scheme takes a sentence that means something to you and transforms it with a rule that's unique to you, making it highly memorable but hard to guess.

WIw10,mbgmi2Dt!! = When I was 10, my brother got me in deep, deep trouble!

GotG=btAi_bI'llwt*2a = Guardians of the Galaxy is basically the Avengers in space but I'll watch the sequel anyway

Passphrase transformations like this are more difficult to attack at present, so much so that it's unlikely anyone would bother once they've recovered all the easier passwords other users have chosen. Just don't choose something from a book, film or song: an attacker can run the obvious first-letter transformation over every famous quote and lyric just as easily as over a dictionary.

Of course, things change constantly in the world of technology and it’s difficult to keep current with it all. The NIST password standard (SP 800-63B) should remain a good, updated guide to best practice. Many of the links here go to Sophos’ Naked Security blog, which is well worth a subscription if you’ve got any interest in keeping your data secured.

There’s plenty more to talk about when it comes to health data security but I thought it’d be nice to start with a positive change we can all make for ourselves and our patients. I hope it was helpful!