You Call That a Password? Passwords Used to Protect Personal Health Information in Clinical Trials Are Cracked More Than 90% of the Time

In a recent article in the Journal of Medical Internet Research, the strength of passwords in clinical trials was analyzed. In all cases that were examined, "the recovered passwords were poorly constructed, with names of local locations (e.g., “ottawa”), names of animals (e.g., “cobra”), car brands (e.g., “nissan”), and common number sequences (e.g., “123”)." 

This result comes as no real surprise. These conclusions build on prior studies which have repeatedly shown that password strength is weak. Improving password strength is perhaps the easiest and cheapest way to increase IT security, and yet it continues to receive short shrift.

The study also noted that "the files in [the] sample used the default weak encryption methods. Therefore, an adversary had two different ways to extract the PHI: by attacking the weak algorithm itself or by attacking the weak password."

The study’s recommendations? Fairly simple: "use the built-in password protection capabilities available in tools for common file formats (such as WinZip and Microsoft Office) and then transmit the encrypted files" and "using PGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions)."
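Built-in file encryption is only as good as the passphrase chosen for it, and the study's findings give a concrete picture of what a weak one looks like. The following is an added example, not code from the article or from any of the tools it mentions: a small policy checker a site could run before accepting a passphrase for an encrypted trial file. It flags the construction patterns the study recovered (a place name, animal or car brand with a few digits tacked on, and common number sequences) plus short length and low character-class variety. The word list and the length threshold are constructed assumptions for illustration; a real deployment would load a full wordlist.

```python
import re

# Constructed mini-wordlist standing in for the categories the study found
# (local place names, animals, car brands) plus a few generic defaults.
# Illustrative assumption only; a production check would load a full dictionary.
WEAK_WORDS = {
    "ottawa", "toronto", "montreal",   # place names
    "cobra", "tiger", "eagle",         # animals
    "nissan", "toyota", "honda",       # car brands
    "password", "welcome", "admin",    # generic defaults
}

# Number/keyboard sequences the study singled out, plus common relatives.
COMMON_SEQUENCES = ("123456", "12345", "1234", "123", "qwerty", "abc", "000", "111")

MIN_LENGTH = 12  # assumed policy threshold, not a value from the article

# Common leetspeak substitutions, so "c0bra" is treated like "cobra".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Lower-case and undo leetspeak substitutions."""
    return password.lower().translate(_LEET)


def dictionary_core(password):
    """Strip trailing digits/symbols (the 'nissan123!' pattern), undo leetspeak,
    and keep only letters, so the base word can be looked up directly."""
    trimmed = re.sub(r"[^A-Za-z]+$", "", password)
    return re.sub(r"[^a-z]", "", normalize(trimmed))


def check_password(password):
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []

    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    lowered = password.lower()
    normalized = normalize(password)
    core = dictionary_core(password)

    # Exact dictionary word with only digits/symbols appended (e.g. "nissan123").
    if core in WEAK_WORDS:
        findings.append(f"dictionary word {core!r} with only digits/symbols added")
    # Otherwise, a dictionary word embedded anywhere (e.g. "123cobra").
    elif any(word in normalized for word in WEAK_WORDS if len(word) >= 5):
        findings.append("contains a dictionary word")

    # Report the first common sequence found (list is ordered longest first).
    for seq in COMMON_SEQUENCES:
        if seq in lowered:
            findings.append(f"contains common sequence {seq!r}")
            break

    # Count character classes present: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("uses fewer than three character classes")

    return findings


def is_acceptable(password):
    """True when the checker raises no findings."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed samples in the style of the study's recovered passwords.
    for candidate in ("ottawa", "nissan123!", "c0bra123", "Tq7#vR9!mZ2p"):
        verdict = "ok" if is_acceptable(candidate) else "REJECT"
        print(f"{candidate!r:18} {verdict:7} {check_password(candidate)}")
```

The check is deliberately a blocklist plus structural rules rather than an entropy estimate: the study's point is that the recovered passwords fell into a handful of guessable categories, and rejecting those categories up front is the cheap mitigation the post describes.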
