I’ve been working in hospital labs for several years and have followed the IT evolution in this sector. In the beginning, the lab was an island, and the information was secured by physical barriers: the network was restricted to the laboratory, and access to the software wasn’t password protected.
Then the hospitals began to connect the several ‘islands’ and to implement a centralized infrastructure.
It was the beginning of domains, and the user’s first contact with logins and passwords.
Then there was a rapid proliferation of software, and each application had a different login and password. There was administrative software, clinical, imaging, lab and infection-control software; then intranets and portals appeared, and before the user noticed, he had more logins and passwords than he could possibly manage and memorize.
One of the first reactions from users was to unify passwords. But some of them had a time limit and others did not, and it was a Herculean task to manage all this information.
Some hospitals tried to implement Single Sign-On; others tried to ease access with digital ID cards. But the most common access control is still login/password.
And why should login/password be banned?
Because it is not secure!
To prove this, I have made some tests attempting to figure out what the user passwords were in several databases installed in different hospitals.
The results leave no doubt that this method is not secure: more than 70% of the passwords were broken in the first 10 rules.
In the next post, I’ll describe the tests I made and the results I got.
Why login/password should be banned in health-related applications