Password policy: protections and precautions
Most people were never formally taught how to create a secure password. It was just something you did when a form asked for one. That informality has not aged well. Password-guessing attacks are cheap and fully automated, GPU cracking has made short or predictable passwords trivially breakable, and there is an established market for stolen credentials. In a research environment that handles sensitive health data, the consequences of a breach extend well beyond the team.
The most common problems
Memorable passwords are guessable passwords. Names of family members, pets, or favourite sports teams are easy to remember precisely because they are personally meaningful. They are also exactly what dictionary and rule-based attacks are built to try, and public social media profiles hand attackers the word list before the guessing even starts.
Reused passwords multiply your risk. If you use the same password across multiple platforms and one of them is breached, attackers replay the leaked username and password against every other service (credential stuffing), so all of your accounts sharing that password are now at risk. You have no way to verify the security practices of every service you sign up to.
Passwords shared insecurely can be intercepted. Email, text messages, and messaging apps are not secure channels for transmitting credentials, and they leave a permanent copy in every inbox and chat history involved. Neither is a sticky note near a workstation. All of these are still surprisingly common. If a credential genuinely has to be handed to a colleague, use the sharing feature of a password manager rather than any of these.
Browser-saved passwords carry their own risks. A browser's password store is typically protected only by the operating-system login of the user who saved it, so any program running as that user, including a malicious extension or infostealer malware, can read the stored credentials without a further password. Infostealers target browser password databases specifically, because they are in a known location and in a known format.
Two-factor authentication is often skipped because it adds a step. But a one-time code generated by an authenticator app, or better still a hardware security key, is one of the most effective barriers against unauthorised access even when the password itself has already been compromised. Codes sent by SMS are the weakest form (they can be redirected by SIM swapping), but they are still far better than a password alone.
How quickly passwords fail
Short or simple passwords are not just weak: against an attacker who has obtained a leaked password hash and runs GPU cracking against a fast hash such as NTLM or unsalted MD5, they are effectively no password at all. A deliberately slow, salted hash such as bcrypt or Argon2 stretches the figures below by orders of magnitude, but it only buys time; it does not rescue a short password.
- A 7-character lowercase-only password: cracked instantly
- A 10-character numeric password: cracked instantly
- A 5-character password using mixed case, numbers, and symbols: cracked instantly
The minimum bar of 8 characters with some complexity, which many systems still enforce, is no longer meaningful protection: even drawn from the full set of 95 printable characters, an 8-character password is a keyspace of roughly 6.6 × 10^15 candidates, which a fast-hash cracking rig exhausts in hours. Length matters far more than character-class rules, because the keyspace grows exponentially with every character added. Twenty or more characters is a more realistic starting point.
What actually helps
- Use a reputable password manager (such as Bitwarden) to generate and store unique passwords for every account
- Never reuse a password across platforms, regardless of how strong it is
- Use long, randomly generated passwords rather than predictable substitutions (swapping "e" for "3" or "s" for "$" is a well-known pattern that attackers already account for)
- Enable two-factor authentication wherever it is available
- Never share passwords via email, text, or messaging apps
- Treat the master password for your password manager as your most important credential: make it long and unique, never reuse it anywhere, and enable two-factor authentication on the manager itself
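To make the "random, not substituted" point concrete, here is an added example that is not part of the original page. It generates a password the way a password manager does (from the operating system's CSPRNG via `secrets`) and, beside it, enumerates every variant a rule-based cracker derives from one dictionary word using the usual letter-for-symbol swaps. The substitution table is an assumed one, typical of cracking rule sets rather than any particular tool's.

```python
import itertools
import math
import secrets
import string

# 94 printable ASCII characters: upper, lower, digits, punctuation.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Assumed substitution table, the kind of rule every cracking wordlist already
# applies (not taken from any specific tool).
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from `alphabet`, using secrets.choice.
    random.choice would be predictable from its seed; secrets is not."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet: str = PRINTABLE) -> float:
    """Bits of entropy in a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def leet_variants(word: str) -> set:
    """Every password reachable from `word` by the LEET substitutions,
    with and without a capitalised first letter: the full candidate set a
    rule-based cracker derives from one dictionary entry."""
    # For each letter, the choices are the letter itself plus its swaps.
    choices = [c + LEET.get(c, "") for c in word.lower()]
    variants = set()
    for combo in itertools.product(*choices):
        cand = "".join(combo)
        variants.add(cand)
        variants.add(cand[:1].upper() + cand[1:])
    return variants


def substitution_entropy_bits(word: str) -> float:
    """Bits an attacker still has to search once they have the base word."""
    return math.log2(len(leet_variants(word)))


def compare(word: str, length: int = 20) -> dict:
    """Side-by-side summary used by the demo below."""
    return {
        "word": word,
        "substitution_variants": len(leet_variants(word)),
        "substitution_bits": round(substitution_entropy_bits(word), 1),
        "random_length": length,
        "random_bits": round(random_entropy_bits(length), 1),
    }


if __name__ == "__main__":
    result = compare("password")
    print(f"'{result['word']}' with leet swaps: "
          f"{result['substitution_variants']} candidates "
          f"({result['substitution_bits']} bits)")
    print(f"{result['random_length']} random printable chars: "
          f"{result['random_bits']} bits, e.g. {generate_password()}")
```

For "password" the substitution rules yield only 108 candidates, under 7 bits of search on top of guessing the base word, whereas 20 random printable characters carry about 131 bits. The gap is the whole argument for a generator over a memorable word with symbols swapped in.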
In a clinical research context, where data security is both an ethical obligation and a regulatory requirement, these practices are not optional. They are the baseline.