Level Up Your Password Security
Security: it’s a big, big deal.
As a therapist, you have a responsibility to keep your clients’ information secure, to preserve their trust and confidentiality, and to strengthen the therapeutic relationship.
Likewise, one of my primary responsibilities at Therapy Shelf is to understand and implement good cyber security measures to keep your information safe.
In both domains (therapy and technology), there can be disastrous consequences if that security and trust are broken.
That’s not what I want for any of us. Rather, I want to help you “level up” your password security, so that you can feel confident that you’re doing your part to protect your data and your clients’ data.
In this article, we’ll start by answering the question: “Why do I need a Secure Password Strategy?”
Next, we’ll identify the characteristics of a Secure Password Strategy, so you can see how your current process measures up.
Once we've identified those characteristics, I’ll offer 4 simple tips that you can incorporate into your daily security habits to “level up” your password security.
Why do I need a Secure Password Strategy?
The answer to this question is a fundamental truth of human nature: sometimes people do bad things. It’s nearly impossible to accidentally hack into someone’s email or accidentally pilfer a credit card number. The “bad actors” (as they’re called in the cyber security community) invest time, money, and expertise in developing techniques specifically designed to steal other people’s sensitive personal or financial information for their own gain. We need protection from this real and present threat.
Your passwords play an essential role in that protection. Email addresses and usernames are not secret: you probably log in to several sites with the same email address or username, and email addresses are easy to find online (on your Facebook page, LinkedIn profile, etc.). That leaves your password as the one part of a login that must stay private. Your passwords are the secrets that only you should know; they are the keys to the locks that guard your data.
I’ve outlined a few benefits and risks below to help illustrate how your password strategy can impact your daily life and practice. If you employ a good password strategy, you’ll be well on your way to reaping these benefits. A bad password strategy, or no password strategy, increases the chances that one or more of these risks becomes reality.
Benefits of a Good Password Strategy
You’ll have fewer password headaches (“How do I spell that again?”, “Oh, where did I leave that sticky note?”, etc…)
You can save time and money in the event of security audits or issues (you’ve got your ducks in a row)
You’ll feel more confident and secure when navigating privacy and security both on the internet, and in your work.
Risks of a Bad Password Strategy (or no password strategy)
There is a higher likelihood that a “bad actor” can break in and get sensitive data from a program or service that you use.
There can be penalties and issues if a security breach occurs, and it’s discovered that a password strategy didn’t meet the guidelines of HIPAA or other regulatory bodies.
You’re exchanging a bad password strategy now for more headaches in the future.
Characteristics of a Secure Password Strategy
Now that we understand why we need a Secure Password Strategy, we’ll take a look at some of the identifying characteristics that separate the good passwords from the… not so good.
This is by no means an exhaustive list, but here are some core tenets of a solid password strategy:
Secure Passwords are long and hard to guess
A Secure Password secures 1 thing or 1 set of related things
Secure Passwords are stored securely
Multi-factor authentication is enabled alongside a secure password
In the next section, I’ll provide 4 tips to “level up” your password security, and explain how each tip embodies one of these characteristics.
4 Tips to take your Password Security to the next level
1. Use strong (i.e. long) passwords
While a password of ‘ABC@123’ is easy to remember, it’s a weak password and probably won’t offer much real protection. That’s why this first tip is focused on the ‘strength’ of your password. In this case, strength is highly correlated with length. Humans are smart, but computers are fast. A longer password or passphrase is harder for a human to guess, and takes longer for a computer to crack. This ties back to the 1st tenet of a Secure Password strategy (passwords should be long and hard to guess).
A strong password is 12 or more characters in length (the longer the better!), and can contain letters, numbers, and special characters. Passphrases are also a good option, and have been growing in popularity recently. A passphrase is simply a group of random words that is used to create a long password. For example, the passphrase "digit recount fickle goose" is both relatively easy to remember and also, at 26 characters in length, very time consuming for a computer to crack.
For those who like the technical details with a dash of humor, XKCD has a comic about passphrases that makes the same point.
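To make the length argument concrete, here is a small strength estimator (an added example, not code from the original post or from Therapy Shelf). It scores a character-based password by its length and the character classes it uses, scores a passphrase by the number of words and the size of the wordlist they were drawn from, and converts both into the expected time to search half the space at an assumed guess rate. The ten-billion-guesses-per-second rate is an assumed offline-cracking figure, the 7,776-word list size is the standard diceware list, and the 12-character sample password is constructed for the comparison.

```python
import math

# Character-class sizes used to estimate the search space of a character-based password.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
DICEWARE_WORDS = 7776  # size of the standard diceware wordlist (6^5 entries)


def charset_size(password: str) -> int:
    """Sum of the character classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def password_bits(password: str) -> float:
    """Entropy in bits if every character were picked at random from the classes used.
    This is an upper bound: human-chosen strings like ABC@123 are far more guessable."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy in bits of word_count words drawn at random from a wordlist."""
    return word_count * math.log2(wordlist_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to find the secret: half the search space at the given rate.
    1e10/s is an ASSUMED offline rate against a fast hash; rate-limited online logins
    or slow password hashes cut an attacker's rate by many orders of magnitude, so
    read the figures as relative, not absolute."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: the post's weak password, a 12-character random one, and
    # the post's four-word passphrase scored by words (plus a six-word one for contrast).
    samples = [
        ("ABC@123 (7 chars)", password_bits("ABC@123")),
        ("Kx9#mLp2Qv!7 (12 random chars)", password_bits("Kx9#mLp2Qv!7")),
        ("4 diceware words", passphrase_bits(4)),
        ("6 diceware words", passphrase_bits(6)),
    ]
    for label, bits in samples:
        print(f"{label:32s} {bits:6.1f} bits  ~{years_to_crack(bits):.3g} years")
```

Each extra diceware word adds about 13 bits, i.e. multiplies the attacker's work by roughly 7,776, which is why the tip favours length over cleverness.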
2. Use a different password for each resource
Imagine a scenario where a hacker gets the username and password to your account on a popular video streaming website. You may think something along the lines of “that’s a problem, but at least it was just my streaming account.” But what if you also use that password for your online banking? Yikes! The stakes just got a lot higher.
When it comes to security, a dash of “hope for the best, prepare for the worst” mentality can be a great help. We don’t want someone to get a hold of one of our passwords, but if they do, then we really need to limit the amount of damage they can do.
Using a different password for each service provides that essential limitation, and fulfills the 2nd tenet of a Secure Password strategy (A Secure Password secures 1 thing, or 1 set of related things). In practice, this might look like:
I have 1 password for my video streaming account
I have a different password for my online banking
I have another, different password for my E.H.R. system
And so on…
3. Use a Password Manager
The 2 tips above are all well and good, but you may have noticed that you’ll be creating a bunch of long passwords. If the passwords are hard to remember, and there are a lot of them, how can we ever expect to keep track of them all?
One solution, but not a good one, is to keep them all in a text file somewhere on your computer. It’s easy, but that strategy is a heap of problems just waiting to happen. All it takes is for someone to double-click that “definitely-not-passwords.txt” file on the desktop, and they gain access to all your credentials.
We need a better solution, a solution that satisfies the 3rd tenet of a Secure Password strategy (Secure Passwords are stored securely).
That’s where Password Managers come in.
Password managers are applications that run on your device, and that are capable of securely storing the usernames and passwords for all the services you use and sites you belong to. There are some great free options available, and you can get even more features if you opt for a paid version. We’ve listed a few below for reference (we’re not paid to recommend these; they’re just our favorites):
Your internet browser (many browsers, like Chrome and Edge, offer autofill and password management)
Some password managers can detect when you’re signing up on a website, and not only generate a secure password for that site, but also automatically save your username and password so that you never need to type it in again. A good password manager makes passwords a breeze, even when you have a ton to keep track of.
4. Enable Multi-Factor Authentication
A strong password is a great first line of defense, but in today's world of increasingly sophisticated cyber attacks it's very beneficial, and often necessary, to pair it with another method of authentication. This is where multi-factor authentication comes into play. As the name suggests, the goal is to have multiple "factors" (i.e. methods) of authenticating, to help ensure that only you can access the account. In this model, a password is considered one factor, and then we add on additional factors as needed.
There are many types of additional factors, but some of the most common are:
using an authenticator app
Some popular trusted options include...
sending a code to your email
sending a code in a text message
Of the factors listed above, authenticator apps are generally considered more secure than codes sent to your email or phone, which is why we chose that option when deciding how best to secure our Chronicler web application and the Therapy Shelf store.
The chances are good that you've already encountered multi-factor authentication when using online services, but if not, I highly recommend opting in if the program or service that you're using offers it. While it can initially feel a bit inconvenient to have an extra login step, the added protection for your account makes the trade-off very worthwhile.
In Conclusion
The world of cyber security can seem daunting at times, but by incorporating a Secure Password Strategy into your daily habits, you can help to keep your (and your clients’) data safe, gain some peace of mind, and get back to what matters most.