Recently, I have been getting lots of requests from the patient community about how to manage passwords. Correct password management is not that hard, once you learn the rules, but it can be difficult to remember all of the things. So this going to be a 10000ft summary, with some links for those who want to go deeper.
First, there are two different types of people who might find this useful.
- Patients or others who are concerned that their healthcare information might be used against them.
- Patient activists and community leaders who are responsible for the managing web resources for other patients.
If you manage data for other patients on the Internet, then you need to have much better password management than if you are just concerned about your own/your families data. If you manage an online patient community, then you might be the target of a focused attack from a very sophisticated online opponent.
But lets start with the easy case first. If you are just concerned about your own healthcare data online, then I recommend you simply follow the advice offered by the EFF on strong passwords. To summarize that article, which you should read in full.
- Use a different randomly generated password for every site that you visit.
- Use a password manager to centrally store and protect your passwords. Most browsers now come with one, and that should be adequate for you.
- You can also try and online password manager. The advantage of these services is that your passwords are not just stored locally on a single computer, these can be safer because you do not lose your passwords if you lose your computer.
- LastPass
- Google Password Service (only works with chrome)
- Apple iCloud Keychain (only works for safari)=
- Protect your password store with a pass-phrase rather than a password.
- Turn on two factor authentication, preferably using an app, rather than text-message.
All of this is echoed in the EFF article. Generally, you can trust resources from the EFF, and unlike this article, they are much more likely to maintain the information on that page with the “right answer” much longer than I maintain this blog post. So if my advice ever differs from the EFF advise, choose the EFF advice.
However, if you are responsible for the security of other people online, then I recommend further steps.
Further steps for patient community managers
The simple reality is that having a third-party manage your passwords for you puts a big target on those third parties. Imagine if LastPass or the google password service ever got hacked. The problem with those resources is that they create a single point of failure. They are also likely to be far better managed then you can easily replicate. But if you are responsible for more than 100 other peoples health information on the Internet, you may want to go further and ensure that your password information is not stored in any central password management system.
You do not need to store all of your passwords this way, only those that are protecting the privacy of lots of other people. Remember, if you can “reset” your patient community password with your email, then you email password is also on the list of critical passwords that you must take extra steps with.
To do this, I recommend that you use pwsafe. This is a downloadable password manager. It allows you to create an encrypted local repository for your passwords. Then you need to keep a copy of your local password store (called a .psafe3 file) in an offline usb backup drive, as well as in a online backup service like DropBox.
pwsafe can also help you generate secure passwords.
You should not use the any browser extension to automatically fill-in critical passwords for you. Instead copy them from pwsafe and paste them into the password field for the resources that you need to login to.
Further, you need to change your passwords occasionally. I recommend that you do this once a year at least, twice is better.
Am I doing this password thing right?
Here are some hints. No matter which version of the advice you which to follow, the process for working with your passwords needs to be something like:
- You decide you want to login to an website or other resource.
- You login to your password manager using a pass phrase something like “Fred Meows At The Puppy”
- Then your password manager gives you (or automatically fills in) the real password to the site, which will look like A^4Fa@ath*^23Asg%9Sd*f(ba
If that is your basic work flow you are probably doing it right.
Anything else to remember
Yes, never click a link you get in an email to go to an important web resource. Lets say your website is patientcommunity.com
If you get an email saying “Your account has been compromised, click here to login and change your password” or even “Someone sent you flowers on patientcommunity.com click here to login”
Never click the link in the email. Maybe its a legit email from patientcommunity.com, maybe its not. If I had several hours to spend with each one of you, I could explain how DNS, and spoofing and SMTP works, so that you too might be able to figure out if those links are legit.
oooorrrrr.
Just do not click the links in emails that you did not solicit. Just go to a browser and type “patientcommunity.com” into the url space and hit <enter>. Maybe your account really was compromised, maybe you really did get some flowers. There is no reason to every use a link you got in your email to find out!
Now if you ASKED to be emailed by patientcommunity.com, (say to reset your password) then it is ok to click the link that they sent you. But if you did not initiate the site sending you an email… then do not click the links. This is a bother, I know, but it will make you much safer browsing online.