Passwords: Their requirement and vulnerability

Passwords: Their requirement and vulnerability, is the main topic for this ninth post in our “compliance - why and how” series. But passwords is not the only topic; we’re also throwing in Threats and Manual Tracking for good measure.


Applications residing on the company network should rely on integrated authentication. When authentication fails, access to the application and its data is automatically denied.

Compliance with password policies is required at all times. The vulnerability severity for weak passwords is judged to be high. Guessing passwords is a popular and often successful method that unauthorized persons use to gain access to systems. After they are inside the firewall and on the target computer, most attackers can use widely accessible exploits to gain root or administrator access, which is another way of saying, “they have total control of your computers.” Worse, since most users have local administrative access, they only need the user’s weak password to control their system.

One of the weaknesses we find all too often is the inability of users to create secure passwords. That said, here are some good rules to follow when you’re creating passwords.

Creating Passwords

The following are the “generally accepted” rules for creating a secure password:
1. There must be a minimum of one capital letter, one number, and one symbol.
2. The number and symbol must not be either the first nor last character (i.e. must be somewhere “in the middle”).
3. The capital letter must not be the first letter of any word.
4. The password must be a minimum of 8 characters in length, preferably 9-10.
5. Must not contain common keyboard patterns, like qwerty or asdfjkl – these are commonly used and easily hacked.
6. The password is not used anywhere else. No sense making “one great password” and then having your favorite e-mail site’s password list hacked and compromised, only to reveal the password you use for your secure banking sites.

Password1$ - Is not secure
pas$sw1oRd – Is secure, even though it uses the identical characters, just with different capitalization.

There’s still only one word, but the security comes from non-standard capitalizations and unusual placements of the symbol and number. Seasoned hackers use tools that can easily guess common security myths, like putting a “!” at the end of your password.

The passwords we commonly use and recommend are derivations on two words with a symbol, such as siGnal$port4l (“signal portal”)—these are easy to remember (i.e. no one needs to write it on the post-it note stuck under their keyboard), and yet very secure at the same time.

Moving on to . . .

Auditing and logging

Application developers must follow auditing and logging rules. Such logs help identify and respond to suspected or known security incidents in a timely and intelligent fashion.


Threat modeling provides a consistent methodology for objectively evaluating threats to applications. It consists of the following steps:

• Identify known threats to the system
• Rank threats in order from highest to lowest risk
• Determine how you want to respond to the threats
• Identify the techniques that mitigate the threats
• Choose the appropriate mitigation technologies from the identified techniques

Technology Comparison to Manual Tracking

HIPAA compliancy preparation is a daunting task. The full spectrum of activities that must be completed place a severe strain on existing manpower. Typically compliance demands a complete overhaul of written policies and procedures. It also requires a comprehensive training program—not to mention a change in the employee mindset regarding privacy and security. There is a need to take these activities of complex processes and break them into specific repeatable steps that when completed, render a powerful picture of where the gaps are located.

DTS InfoTech Can Help

Many health care providers are not HIPAA Compliant. If this describes you, we can help you Achieve compliance, Illustrate compliance to auditors and Maintain full compliancy.

Return to main HIPAA page

For more information:

Dedicated to your success,

Wally Moore
General Manager and Compliance Officer
dts|infotech . . . computer networks that work