
Strong Passwords – Your Employees’ Most Important Contribution to Network Security

Are your passwords so easy that a seven-year-old could figure them out?

In 2012, Dropbox confirmed that an attacker had stolen user information, later shown to cover about 68 million accounts.¹ The stolen data included usernames (email addresses) and hashed passwords. Although Dropbox was aware of the breach, there was no evidence at the time that any accounts had been accessed with the stolen information. Upon discovering the theft, Dropbox tried to fix the problem: all users with accounts at the time were urged to change their passwords, Dropbox offered a two-factor authentication option, and it advised users to avoid reusing passwords across different websites.¹ Unfortunately, many Dropbox customers ignored the warning.

Now, four years later, it has emerged that the usernames and password hashes were not only stolen but have also been leaked on the internet.¹ The full data set is available to anyone for a small amount of money. If someone buys that data, cracks a password, and the same password is used on another website, then the personal information behind that second account is at risk.

To combat security problems like this, here are some tips for protecting your online accounts:

  1. Update passwords: Many organizations still ask users to change passwords on a schedule (for example, every 6 months). Changing a password does not make it harder to guess; what it does is limit how long a password that has already leaked stays useful to an attacker. The more important rule is to change a password immediately when a service reports a breach or when you suspect it has been exposed. A brute force attack is a trial-and-error process that tries many candidate passwords, usually offline against a stolen copy of the password hashes, where no login rate limit applies.
  2. Password strength: The 2012 LinkedIn breach included millions of accounts with easily cracked login credentials. At the top of the list was “123456” (the cited analysis puts it at over 1 million accounts), followed by other equally simple passwords such as “linkedin” and “password”.² LinkedIn had stored the passwords as unsalted SHA-1 hashes, so every guess could be checked against all accounts at once, and dictionary words, names and keyboard patterns fell within minutes. A long, random assortment of characters is much harder to crack than a short password or one that contains dictionary words. Research has found that a password strength meter can lead users to choose longer and stronger passwords.³
  3. Different passwords: One of the main problems in this breach is the reuse of passwords across multiple websites. The Dropbox leak itself was the “result of the reuse of a password a Dropbox employee had previously used on LinkedIn.”⁴ When LinkedIn was breached, the attackers recovered that employee’s LinkedIn password and used it to gain access to the Dropbox corporate network, where the employee had used the same password.
  4. Two-Factor Authentication: Two-factor authentication adds a second check when you log in. Besides your username and password, you must enter a one-time code delivered by text message to your phone or tablet, or sent to a confirmation email address of your choice. A stronger option is an authenticator app such as Google Authenticator, which generates a fresh 6-digit code every 30 seconds from a secret shared with the service, so no code has to travel over the phone network. Text-message codes are better than nothing, but they can be intercepted or redirected by SIM swapping, so prefer an app or a hardware key where the service offers one.
  5. Backup: For online accounts that contain information that is important to you, we suggest backing that information up. For example, a website that tracks business transactions holds important information about your business and clients. Information like this should at least be backed up locally, to your computer or an external hard drive.

Security measures can also be taken on a company-wide scale. When training employees on policies and procedures, include password security, and show them how to come up with a strong password. A common practice in organizations now is the “passphrase”. One form takes a phrase you will remember and uses the first letter of each word: for example, “Mary had a little lamb” could become “Mh@ll”. Be careful with that form, because the result is only as long as the phrase has words, and a five-character password like “Mh@ll” can be tried exhaustively in seconds whether or not it contains dictionary words. Pick a phrase long enough to give at least 12 characters or, better, use the whole phrase (several unrelated words with spaces) as the password where the site allows it. Either way, these passwords are easier to remember because you can start from a favourite quote or lyric.
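
To make items 2 and 3 above and the passphrase warning concrete, here is an added example (not code from the original post). It builds two constructed, entirely made-up password stores hashed the way LinkedIn stored passwords in 2012 (unsalted SHA-1), runs a small dictionary attack against one, checks which cracked passwords also open the same username on the other site, and estimates the brute-force search space of “Mh@ll” against a random 16-character password. The guess rate of 10^10 per second is an assumption chosen for illustration.

```python
import hashlib
import secrets
import string


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1: how LinkedIn stored passwords in 2012 (no salt, no slow key derivation)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample password stores for two hypothetical sites, keyed by username.
# The hashes are computed here from made-up passwords; nothing below is real leaked data.
SITE_A = {
    "alice": sha1_hex("123456"),
    "bob": sha1_hex("linkedin"),
    "carol": sha1_hex("Mh@ll"),
    "dave": sha1_hex("X7#qL9!vB2$wN4@k"),
}
SITE_B = {  # a second service where two of the same people reused their password
    "alice": sha1_hex("123456"),
    "bob": sha1_hex("correct horse battery staple"),
    "carol": sha1_hex("Mh@ll"),
    "dave": sha1_hex("a different password for this site"),
}

# Tiny constructed wordlist. Real attacks use tens of millions of previously leaked
# passwords plus mangling rules (capitalise, append digits, leetspeak).
WORDLIST = ["password", "123456", "linkedin", "qwerty", "Mh@ll", "letmein"]


def crack_unsalted(dump: dict, wordlist) -> dict:
    """Dictionary attack on an unsalted dump. Because there is no per-user salt, each
    guess is hashed once and looked up against every account simultaneously."""
    users_by_hash = {}
    for user, digest in dump.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for guess in wordlist:
        for user in users_by_hash.get(sha1_hex(guess), []):
            cracked[user] = guess
    return cracked


def find_reuse(cracked: dict, other_dump: dict) -> list:
    """Credential stuffing: which cracked passwords also open the same username on another site?"""
    return sorted(user for user, pw in cracked.items() if other_dump.get(user) == sha1_hex(pw))


def search_space(password: str) -> int:
    """Guesses needed to exhaust every string of this length over the character classes used."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)


def crack_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to brute-force the password. The default rate (10^10 unsalted SHA-1
    guesses per second, roughly one modern GPU) is an assumption for illustration."""
    return search_space(password) / guesses_per_second


def random_password(length: int = 16) -> str:
    """What a password manager generates: uniformly random over letters, digits and symbols."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    cracked = crack_unsalted(SITE_A, WORDLIST)
    print("cracked on site A:", cracked)                        # alice, bob, carol; not dave
    print("same password reused on site B:", find_reuse(cracked, SITE_B))
    for pw in ["123456", "Mh@ll", random_password()]:
        print(f"{pw!r}: {search_space(pw):.2e} guesses, {crack_seconds(pw):.2e} s at 1e10/s")
```

The point of the unsalted lookup table is that the cost of cracking is paid once for the whole dump, not once per user; per-user salts and a slow hash such as bcrypt (which Dropbox used for part of its password database) remove that shortcut. The reuse check is exactly what the attackers in the Dropbox incident did by hand with one employee’s LinkedIn password.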

Password training should also cover password handling. Employees should be advised against using the same password across multiple websites and applications. Using one password for several accounts increases the chances of those accounts being hacked: if one account is compromised, every other account with that password is at risk. Password security also includes policies about unsecured passwords. Passwords should never be written down or saved in the “Notes” application on a phone. If employees cannot remember a separate strong password for every account, a password manager like LastPass, 1Password, or Zoho is a good solution. These programs are safer because the stored passwords are encrypted with a key derived from the master password, and they generate a different strong, random password for each site. You only need to remember one master password, so choose it carefully and protect the manager account with two-factor authentication.

Conclusion

Weak passwords are low-hanging fruit in the eyes of hackers. Practicing good password hygiene does not take much work, but it does help protect your accounts. Events like the Dropbox and LinkedIn breaches remind us of the importance of our account passwords. Follow the tips above to secure your accounts and protect your information online.

    1. http://searchcloudsecurity.techtarget.com/news/450303623/Dropbox-passwords-breach-exposed-68-million-users
    2. http://www.theregister.co.uk/2016/05/24/linkedin_password_leak_hack_crack/
    3. http://searchsecurity.techtarget.com/answer/Will-a-password-strength-meter-lead-to-stronger-passwords
    4. https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

*This process is technical and requires access to your domain’s DNS (Domain Name System) records. It is recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement from Microsoft on its Tech Community blog explains that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move is a clear signal: email authentication is no longer optional. It is required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols let a receiving server verify that your organization actually sent a message, so that legitimate mail is not sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): A TXT record on your domain listing the mail servers authorized to send on its behalf. When a receiving server accepts a message, it looks up the SPF record for the domain in the envelope sender (the MAIL FROM or Return-Path address, which is not necessarily the From address the recipient sees) and checks whether the connecting server’s IP address is on the list. This helps prevent attackers from spoofing your domain from unauthorized servers. Note that an SPF evaluation may perform at most 10 DNS lookups; a record with too many include: entries fails with a permanent error instead of passing.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. The signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS under a selector name (selector._domainkey.yourdomain). DKIM ensures the integrity of the signed headers and body and confirms that they have not been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. A message passes DMARC when at least one of SPF or DKIM passes and the domain that passed aligns with the domain in the From header. The record tells receiving servers what to do with messages that fail: you can set the policy to “none” (monitor only), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insight into who sends emails using your domain and to identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, the direction is clear: email providers are looking for authenticated mail. Failing to set up your DMARC, SPF, and DKIM records correctly will lead to deliverability problems.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date? Does the SPF record end in -all or ~all, and does it stay under the 10-lookup limit?
Implement Missing Records: If you are missing any of these records, add them immediately. Consult your IT team or email service provider for guidance.
Check Alignment: DMARC only counts an SPF or DKIM pass if the domain that passed aligns with the From header domain. For SPF that is the envelope sender (Return-Path) domain; for DKIM it is the d= domain in the signature. In relaxed mode (the default) a subdomain aligns with its parent domain; in strict mode (aspf=s or adkim=s) the domains must match exactly. A common failure is a third-party sending service that passes SPF and DKIM under its own domain, which does nothing for DMARC on yours.
Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that are not properly authenticated.
Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to actively protect your domain from spoofing.
Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when you change email providers or add third-party sending services.
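
The following is an added example, not part of the original post or of any vendor’s tooling, that works through the audit and alignment steps above offline. It parses constructed SPF and DMARC TXT records for a hypothetical domain, example.com (the include: targets are only illustrative), flags the two most common SPF mistakes (a +all or missing all term, and too many lookup-causing terms), and then applies the DMARC pass rule with relaxed or strict alignment to three constructed messages: legitimate mail, a spoof, and a third-party sender whose SPF and DKIM pass only under its own domain. The organizational-domain rule is simplified to the last two labels; the real rule uses the Public Suffix List.

```python
import re

# Constructed example records for a hypothetical domain, example.com (not real DNS data).
SPF_WEAK = "v=spf1 include:_spf.google.com include:sendgrid.net +all"    # +all: anyone passes
SPF_GOOD = "v=spf1 include:_spf.google.com include:sendgrid.net -all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_ENFORCE = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

# Terms that each cost a DNS lookup under RFC 7208's limit of 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Count lookup-causing terms and find the qualifier on 'all'. Counts only this
    record; a real evaluator also recurses into each include: target."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier = "+"                                  # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    return {"lookups": lookups, "all": all_qualifier}


def spf_problems(record: str) -> list:
    info = parse_spf(record)
    issues = []
    if info["all"] in (None, "+"):
        issues.append("no -all/~all: any server may send as this domain")
    if info["lookups"] > 10:
        issues.append("more than 10 lookup terms: receivers return permerror")
    return issues


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")                        # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplification: last two labels. RFC 7489 uses the Public Suffix List (so co.uk is handled)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(dmarc_record: str, from_domain: str, spf_result: str, mail_from_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """DMARC passes if SPF passed AND the Return-Path domain aligns with From, or DKIM
    passed AND the d= domain aligns with From. Otherwise the p= policy applies."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": passed, "disposition": "none" if passed else tags["p"]}


if __name__ == "__main__":
    print("weak SPF:", spf_problems(SPF_WEAK))
    # Constructed message from a third party that passes SPF and DKIM only under its own domain:
    print(dmarc_evaluate(DMARC_ENFORCE, "example.com",
                         "pass", "bounce.sendgrid.net", "pass", "sendgrid.net"))
```

The third case is the one the “start with p=none” step exists for: under p=none the unaligned third-party mail is still delivered and shows up in aggregate reports, so you can fix it (custom Return-Path and DKIM signing on your own domain at the provider) before moving to p=reject.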
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
Increased Security: You significantly reduce the risk of your domain being used for phishing and other malicious activities.
Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, its customers, and its reputation. Don’t wait until your emails are blocked; act now to secure your email.
To check your DMARC records: https://www.totalhipaa.com/dmarc-lookup-free/
To check all records, a free and easy-to-use tool: https://easydmarc.com/
