Dr. David Topps (biography and no disclosures)
What I did before?
Ever been frustrated by the number of passwords you have to keep track of in your daily life as a professional? At one time, you might have only a few – some simple ones for unimportant sites, some stronger ones and perhaps a really good one for your most important data. I had thought that the use of a secure way of tracking your passwords was commonplace but in chatting with colleagues, it seems that we have a way to go. Surprisingly many simply store them in a Word document, a system with rather weak security.
What changed my practice?
Now we use online systems for so many functions: access to our hospital and clinic data, banking, not to mention a whole range of social and collaborative sites such as Facebook and Google Drive. The ever-increasing risk of identity theft now has potentially disastrous consequences.
I have 507 passwords – how do I know? I use a password manager app. Password managers have been around for a while. They basically provide a single spot in which you can securely store all your passwords and logins.
There are many password manager apps available. You can read online reviews and comments from users to make an informed decision on what application you should use. Different review boards suggest various options. Check out these links which provide comments on their various strengths:
The app that I have been using is 1Password (1) but you should choose one that is most suitable for you. Some are free and some have annual fees. Here is a good general article about password managers and why you should use one: http://thesweetsetup.com/apps/best-password-manager-and-why-you-need-one/ (2).”
With 1Password, my password details are kept very secure but I can access them from my phone, a web browser or any computer. Changes made to my data on one device are synchronized across all of them. Despite being stored in the cloud, the security model is top notch. The company, AgileBits, does not have access to your data or your master password. Beware this fact and store this key factoid under lock and key – they cannot help you if you lose it. But it also means that your data cannot be exposed to prying eyes.
What I do now?
I use this password manager for all of my sensitive data, not just passwords. I also store credit card details, personal identifiers such as social insurance, driving license (including an encrypted image, which saved my derriere one time when I left mine at home, although I would not recommend relying on this – small community cops are great!), and instructions on how to access our complex VPN tunnel (3).
The data is strongly encrypted, whether in the cloud or on your phone. The app itself will shut itself down after a few minutes of inactivity so you cannot inadvertently leave your precious data exposed if you become distracted and forget to shut it down.
I can ask 1Password to generate really arcane strong passwords for me. Humans are notoriously predictable at creating passwords. Yes, the commonest password is ‘123456’ (4). And don’t you hate it when you are forced to change your password on a rotating basis? Contrary to common practice, this does not enhance security (5).
We all hate the time it takes to enter really long complicated passwords. Because 1Password ties into my web browser, it will auto-fill the login details on many sites so, in effect, I only need to remember one password – the app remembers the rest, and will easily generate more for me when needed.
Now does this put all your eggs into one basket? – a thief only needs to crack one password in order to gain access to all of my identity data? While this is theoretically a concern, the strong security model really mitigates this risk. You can also enable three-factor authentication (6): something you own, something biometric and something you know. For me, this is my phone, my fingerprint and the master password respectively.
So, stop scribbling passwords on Post-It notes – invest in a password manager now.
- AgileBits Inc. 1Password [Internet]. AgileBits home page. 2016 [cited 2016 Nov 6]. Available from: https://1password.com/
- McGinley Myers R. The best password manager (and why you need one) – The Sweet Setup [Internet]. The Sweet Setup. 2016 [cited 2016 Nov 6]. Available from: http://thesweetsetup.com/apps/best-password-manager-and-why-you-need-one/
- Topps D, Ellaway R, Cullen M. Why use VPN in healthcare? [Internet]. CRAWWLA. 2016 [cited 2016 Nov 6]. Available from: http://crawwla.space/why-use-vpn-in-healthcare/
- Schneier B. Common Passwords [Internet]. Schneier on Security. 2006 [cited 2016 Nov 6]. Available from: https://www.schneier.com/blog/archives/2006/05/common_password.html
- Goodwin D. Frequent password changes are the enemy of security, FTC technologist says | Ars Technica [Internet]. Ars Technica. 2016 [cited 2016 Aug 14]. Available from: http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/
- anon. What is three-factor authentication (3FA)? [Internet]. Tech Target. 2014 [cited 2016 Nov 6]. Available from: http://searchsecurity.techtarget.com/definition/three-factor-authentication-3FA