
Auditor Tips: Unique ID, Passwords, and Passphrases

This article was taken from our HIPAA Guide.


This requirement is all about having unique, difficult-to-discover account information. For example, you must have your own unique ID and password on your laptop, with strong password cryptography. Never use generic account names, shared group passwords, or simple/vendor default passwords.

Thankfully, we are starting to see much broader adoption and enforcement of multi-factor authentication even outside of the HIPAA realm, which greatly enhances security when it is implemented properly. This can include your personal email, social media accounts, and personal file sharing, as well as other critical services such as financial services.

Security professionals recognize that passwords alone are no longer a sufficient method to secure access to systems that store critical data. But while passwords alone are insufficient to adequately secure your systems and the data that reside on them or are connected to them, they are still an important first line of defense. It is critical that you use passwords of sufficient length to make it statistically improbable that they could be brute forced or discovered as part of a dictionary attack in any reasonable amount of time. In the past, password complexity (the use of uppercase and lowercase letters, numeric digits, and symbols) was stressed as a best-practice way to make passwords difficult for bad actors to discover. Unfortunately, this also made them hard for the users themselves to remember.

More recently, password length, in the form of longer, memorable word strings, has proven to be a more important security practice than the use of shorter complex passwords. An easy way to remember long, difficult-to-crack passwords is by using passphrases. Passphrases are groups of words that might include spaces and punctuation (e.g., “The Best Is Yet To Come, I Hope!”). According to “”, this sample passphrase would take a staggering 63 Tredecillion years to crack, whereas a shorter but more complex password like “X8!aM@5D” would take only 8 hours.


A passphrase should typically be at least 16 characters long and contain special symbols, uppercase and lowercase letters, and numbers; it doesn’t have to make sense grammatically. Passphrases are generally much easier to remember, but exponentially harder to crack, than shorter complex passwords.
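The length-versus-complexity argument and the 16-character guidance above, worked through as an added example (not code from the HIPAA Guide or SecurityMetrics): it checks a candidate against that guidance and compares exhaustive-search keyspaces for the article's two sample strings. The deny list and the guess rate are assumptions, so the years it prints are not the figures quoted above.

```python
import math
import string

MIN_LENGTH = 16  # minimum passphrase length given in the article
# Constructed stand-in for a list of vendor-default and generic passwords.
DENY_LIST = {"admin", "password", "changeme", "welcome1"}
ALNUM = string.ascii_letters + string.digits
# Pool size per class; "symbol" is the 32 ASCII punctuation marks plus space.
POOL = {"lowercase letter": 26, "uppercase letter": 26, "number": 10, "symbol": 33}

def classes_present(secret):
    """Which of the four character classes named in the article appear."""
    return {
        "lowercase letter": any(c in string.ascii_lowercase for c in secret),
        "uppercase letter": any(c in string.ascii_uppercase for c in secret),
        "number": any(c in string.digits for c in secret),
        "symbol": any(c not in ALNUM for c in secret),  # includes spaces
    }

def charset_size(secret):
    """Size of the smallest character pool covering every class in use."""
    return sum(POOL[name] for name, hit in classes_present(secret).items() if hit)

def brute_force_bits(secret):
    """log2 of the exhaustive-search keyspace: length * log2(pool size).
    Measures brute force only; a phrase built from common words or a known
    quotation falls to a dictionary attack far sooner than this suggests."""
    return len(secret) * math.log2(charset_size(secret)) if secret else 0.0

def years_to_exhaust(secret, guesses_per_second):
    """Years needed to try every candidate at the given guess rate."""
    return 2 ** brute_force_bits(secret) / guesses_per_second / (365 * 24 * 3600)

def check_passphrase(candidate):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    problems += [f"no {name}" for name, hit in classes_present(candidate).items() if not hit]
    if candidate.lower() in DENY_LIST:
        problems.append("vendor default or generic password")
    return problems

if __name__ == "__main__":
    RATE = 1e11  # assumed attacker guess rate, not a figure from the article
    for s in ("X8!aM@5D", "The Best Is Yet To Come, I Hope!"):
        print(f"{s!r}: {brute_force_bits(s):.0f} bits, "
              f"{years_to_exhaust(s, RATE):.2e} years, issues: {check_passphrase(s)}")
```

Run against the article's own sample passphrase, the check reports the missing number, which is the kind of gap a policy check at password-change time is meant to catch.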

In addition to long passphrases, password manager software can help you keep track of different passwords/passphrases for all of your accounts. Some password managers can even work across multiple devices by using a cloud-based service.

With the constant flow of data breaches happening throughout the world, which often expose user account information, it is vital that you use a different password for every service you use. That way, if one service gets compromised, it doesn’t expose credentials that will also allow access to sensitive, critical data on other sites. For example, if your social media account password is compromised in a future data breach, and you use the same password for your email account or online banking, you risk having a major, and potentially costly, security issue to deal with.

New, even more secure passwordless authentication technologies are currently being developed and are commonly used. Passwordless authentication works by replacing passwords with other authentication factors that are intrinsically less risky. It uses more secure alternatives like OTPs, magic links, or biometrics.

Todd Hovorka, SecurityMetrics
Security Analyst
