The first thing I ask a practice when I do a security assessment is “do you have a password policy?” More than 50% say “no”. From my experience, it’s not because they don’t “have one”, it’s because they don’t want to go through the pain of implementing one. And let me tell you…it IS disruptive to not have a password policy, and then implement one.
The number one reason for calls to our medical IT support helpdesk is password issues. “I can’t remember my password”, “I just came back from vacation and my password had expired”, or “I changed my password yesterday and now it doesn’t work today”. These are just a few of the calls we get for password resets. It causes a lot of anxiety for the user because they are trying to log in to do their work, and now they have to stop, pick up the phone, and contact the helpdesk. Let’s face it. It’s irritating. I wish I had a solution for it, but I will tell you that not having a password policy is not the solution. With all the hacking and viruses going on today, a practice must have a password policy.
How to implement a password policy
I would not do it all at once. I would take 5-10 users per day, and set them up to change their password on their next login. Encourage them NOT to write it down. Help them out by giving suggestions, like using 3’s in place of e’s, or dollar signs in place of S’s. For example, if they want to use the word mercedes, the password could be m3rc3d3$. It would be secure, plus they could remember it. So, I would say to ease into password changes by using these simple tricks. They can also use an exclamation point for an “i”, a zero for the letter “O”, or a number one for an “L”. If you have had the same password for 2 years, and it is your dog’s name, which is “Lester”, you can use 13$t3r. Get it?
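Here is one way to script the 5-10 users per day rollout described above. This is an added example, not something from the original article, and it assumes a Windows Active Directory domain with the ActiveDirectory PowerShell module installed; the OU path and the state file location are hypothetical placeholders. Run it once per working day, first with `$DryRun = $true` to see who would be flagged.

```powershell
# Added example: staged "change password at next logon" rollout.
# Assumptions (not from the article): Active Directory, RSAT ActiveDirectory
# module, and the hypothetical OU and state-file path below.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=local'   # hypothetical OU holding staff accounts
$StateFile  = 'C:\PasswordRollout\done.txt'    # hypothetical file listing users already flagged
$BatchSize  = 10                                # the article suggests 5-10 users per day
$DryRun     = $true                             # set to $false to apply the change

# Make sure the state folder exists, then load users handled on earlier days.
New-Item -ItemType Directory -Path (Split-Path $StateFile -Parent) -Force | Out-Null
$done = @()
if (Test-Path $StateFile) { $done = @(Get-Content $StateFile) }

# Enabled accounts that have not been processed yet.
$candidates = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties PasswordNeverExpires |
    Where-Object { $done -notcontains $_.SamAccountName })

# ChangePasswordAtLogon cannot be set while PasswordNeverExpires is true.
# These are often service or shared accounts, so list them for manual review.
$review  = @($candidates | Where-Object { $_.PasswordNeverExpires })
$pending = @($candidates | Where-Object { -not $_.PasswordNeverExpires } |
    Sort-Object SamAccountName)
foreach ($acct in $review) {
    Write-Warning "Review manually (password never expires): $($acct.SamAccountName)"
}

# Today's batch: flag each user so the next logon forces a password change.
$batch = @($pending | Select-Object -First $BatchSize)
foreach ($user in $batch) {
    try {
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true `
            -WhatIf:$DryRun -ErrorAction Stop
        if (-not $DryRun) {
            Add-Content -Path $StateFile -Value $user.SamAccountName
        }
        Write-Output "Flagged $($user.SamAccountName)"
    }
    catch {
        Write-Warning "Skipped $($user.SamAccountName): $($_.Exception.Message)"
    }
}
Write-Output "$($pending.Count - $batch.Count) users left for later days"
```

Hand the day's list of flagged users to the helpdesk before people log in, so the reset calls that follow are expected.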
After being in the IT business for 25 years, and working directly with IT users, I can tell you even the slightest change is disruptive. Anything you can do to help is appreciated. It is not easy, and disrupting the workforce is no fun. The IT department is not popular, but trust me…we are here to help you, and to protect you. Let’s hope that the next time I ask “do you have a password policy?”, the resounding answer is YES!