Passwords in Your Practice

Governor Sarah Palin's Yahoo! e-mail account was hacked.

A Quick Note on Password Protection

You may have heard that Republican Vice-Presidential candidate Sarah Palin’s email has been hacked and that unauthorized users obtained access to her private Yahoo! account took screenshots of her inbox and posted them online. What you may not have heard that the attackers used a rather simple “forgot password” hack.

UPDATE! (10/8): Lawmaker’s son indicted in Palin e-mail hacking

The Forgot Password Hack

Nearly every website which requires user authentication has a version of the “Forgot your Password” functionality. This is used when a user forgets the password and needs it reset. Most websites validate the identity of the user by asking for eaisly memorable items such as pet’s name, school mascott, and best friend’s last name.

Yahoo's Forgot Password Module

However, with a bit of creative searching, this information is easily obtainable through most social networking sites. Think for a moment about the type of user-submitted information available on LinkedIn, Facebook and MySpace. These sites are a great way to keep in touch with old friends, expand professional networks, find like-minded people, share pictures and music–but they are also a great tool for compiling a profile of any individual. The data available on these sites is nearly all “user-generated”, which means that YOU choose what’s available online. However, if that information can be the answer a security question, then you maybe susceptible to the forgot password hack.

Obtainable Information:

    • Linkedin: Past work experience, years worked, schools attended, resume
    • Facebook: Entire list friends & family, favorite books, music, magazines
    • MySpace: Favorite music, movies, interests

How is this relevant to healthcare IT?

Answer these questions:

  • Do you use a Gmail or Yahoo! mail account as your own private email?
  • Does anyone associated with your practice use a web-based email application?
  • Do you use it for your practice?
  • Have you ever used it send/receive PHI (Protected Health Information)?
  • Do you have any of your practice’s banking information in your email account?
  • Do you have the usernames/passwords to insurance company websites emailed to you?

Set Strong Passwords & Avoid Predictable Security Questions

Set passwords that are hard for others to guess. Stay away from “123456″ or “password” because anyone who figured out how to swipe your laptop will crack these silly passwords in no time at all. Security experts suggest that you use a variety of uppercase, lowercase, and special characters. Also, if you have trouble remembering a long password, use a full sentence. For example, “MTBCs medical billing is great!” would make an excellent password.

Do not tape your password to your laptop’s shell or leave the password on a slip of paper in your laptop case. Keeping your password with your laptop is akin to keeping your keys in the ignition of your car.

Avoid security questions which are easily guessed or researched. Skip the mother’s maiden name and set your own question and answer.