why login/password should be banned in health-related applications – II

In my last post I stated that login/password is not secure.

Maybe the problem resides not in the ‘technology’ but, as so often, in the human factor.

In fact, the main problem is not the login/password procedure, but the way you use it.

So, in order to study my customers’ passwords, I tried to create several simple rules to determine whether the passwords they use are easily crackable or not.

I did this study using data from a hospital, covering 400 user accounts.

Let me remind you that although our software has several password-management rules implemented, we were asked to turn them off. These rules include:

- time validity

- minimum chars used

- time period for using the same password

- among others.

So, the rules I came up with are 10 very simple, common-sense rules:

Rule 1: Verify whether the user ever changed the password (12% didn’t, meaning that they still use the original random password assigned to them)

Rule 2: Verify whether the password is the same as the login (4% use password=login)

Rule 3: Verify whether the password is the institution name (1%)

Rule 4: Verify whether the password is the application name (4%)

Rule 5: Verify whether the password is the official employee number (14% use their official number, which is published in every institution document)

Rule 6: Verify whether the password is a number between 1900 and 2009 (25% use a year as password)

Rule 7: Verify whether the password is a 4-digit number other than the one covered by Rule 5 (5%)

Rule 8: Verify whether the password is the user’s first name (2%)

Rule 9: Verify whether the password is the user’s last name (1% use their last name, although I haven’t tried maiden names)

Rule 10: Verify whether the password is a Portuguese name (3% use Portuguese names, which I suppose to be children’s names or wife/husband names)

These 10 simple rules allowed me to crack 71% of the 400 user accounts’ passwords, meaning 284 user accounts.
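As an added example (not from the original post), the ten rules above expressed as a password-hygiene check that a hospital could run against its own user directory, either at password-set time or as a periodic audit like the one described. The institution name, application name, Portuguese-name list and sample accounts are constructed placeholders, and treating rules 5/6/7 and 8/10 as mutually exclusive is my assumption, not something the post states.

```python
from dataclasses import dataclass

# Constructed placeholders (lower-case): the post names neither the institution,
# the application nor its Portuguese-name list.
INSTITUTION = "santamaria"
APPLICATION = "clinicsys"
COMMON_NAMES = {"joao", "maria", "ana", "pedro", "rita"}

@dataclass
class Account:
    login: str
    password: str
    initial_password: str  # random password assigned at account creation
    employee_number: str   # published in every institution document
    first_name: str
    last_name: str

def failed_rules(a: Account) -> list[int]:
    """Numbers of the post's rules 1-10 that this account's password trips."""
    pw, low = a.password, a.password.lower()
    four_digits = pw.isdigit() and len(pw) == 4
    hits = []
    if pw == a.initial_password:                 hits.append(1)  # never changed
    if low == a.login.lower():                   hits.append(2)
    if low == INSTITUTION:                       hits.append(3)
    if low == APPLICATION:                       hits.append(4)
    if pw == a.employee_number:                  hits.append(5)
    if four_digits and 1900 <= int(pw) <= 2009:  hits.append(6)  # a year
    # Rule 7: other 4-digit numbers; rule-5 hits excluded as in the post, years assumed rule 6 only
    if four_digits and not {5, 6} & set(hits):   hits.append(7)
    if low == a.first_name.lower():              hits.append(8)
    if low == a.last_name.lower():               hits.append(9)
    if low in COMMON_NAMES and 8 not in hits:    hits.append(10)  # assumed disjoint from rule 8
    return hits

def audit(accounts: list[Account]) -> dict:
    """Per-rule hit counts and how many accounts trip at least one rule."""
    hits = [failed_rules(a) for a in accounts]
    cracked = sum(1 for h in hits if h)
    return {"per_rule": {r: sum(r in h for h in hits) for r in range(1, 11)},
            "cracked": cracked, "cracked_pct": round(100 * cracked / len(accounts), 1)}

# Constructed sample directory: one account per illustrated rule plus one that passes.
SAMPLE = [
    Account("jsilva", "x7Qp2z", "x7Qp2z", "4471", "Joao", "Silva"),        # rule 1
    Account("mcosta", "1983", "k9Lm3a", "1120", "Maria", "Costa"),         # rule 6
    Account("rlopes", "1120", "b2Wn8c", "1120", "Rita", "Lopes"),          # rule 5, not 7
    Account("tmota", "7421", "q5Zx1n", "2087", "Tiago", "Mota"),           # rule 7
    Account("pnunes", "Tr0ub4dor&3", "m1Xc5v", "3301", "Pedro", "Nunes"),  # passes
]
```

Running `audit(SAMPLE)` on the constructed directory flags 4 of the 5 accounts; the same function can be pointed at a real export to reproduce the per-rule percentages the post reports.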

I suppose that if I applied these rules to the same users on different applications, I would get similar results, because the crackable passwords were personal data.

“Do you really think your health data is safe?”

Let’s ban login/password NOW!


6 Responses to “why login/password should be banned in health-related applications – II”

  1. December 21, 2009 at 3:18 pm

    Okay, if password and login information is removed — what is the alternative method for security?
    All of your “rules” can be broken if passwords are changed frequently, and these passwords use symbols (@,!,#,$, etc). If login information was banned then ANYBODY (professional hacker, or some random Joe Shmoe off the street) could waltz right in and take whatever information they like. When it comes to Healthcare Technology and the protection of information there has to be excellent security!

    • pmfonseca
      April 19, 2010 at 5:11 pm

      I agree with you Zoleeta.
      The fact that we are in the presence of a serious problem, does not justify that we should eliminate the security (without security, there is no problem)
      In fact, I think that we should think on alternatives to the traditional Login/Password paradigm.

      For now I’m thinking on hybrid methods. We’ll post on this soon.

  2. January 1, 2010 at 5:46 pm

    Not really sure what your point on the password rules were. We have rules more like this:

    Users must change password every 90 days
    Must be at least 8 characters
    Must contain letter and numbers
    Must not be a “dictionary” term

    • pmfonseca
      April 19, 2010 at 5:08 pm

      To be honest, I don’t know what the point really is.
      Although I agree that the access should be controlled somehow, it should be in a way that:
      – must guarantee the correct access to the correct user
      – must allow alternative forms of access. For example, if it is based on a Token policy, the user should access the information also without the token
      – must uniquely identify the user

      So I’m thinking on hybrid methods. We’ll post on this soon.

  3. April 16, 2010 at 9:48 am

    How about replacing the password with a token that would be accepted by the user: the USB key, phone or computer itself becomes the authentication token – a strong authentication token (two factor). This is what the french Mobilegov company provided with its Digital DNA:
    – no cost for dedicated tokens (as they already exist: Smartphone, USB Keys, PCs)
    – no deployment cost (no logistics, losses & replacements)
    – simple management and use
