
Obfuscate, My Log In, Mate!

Healthcare Password Survey


I conducted a small survey last month. It's been quite revealing; the results aren't a surprise, but the scale of some of the biases revealed is. I'd love to redo this properly - countrywide - though I doubt that there would be that much of a difference. 

Total responses were 207. Here is the breakdown - 

Do you use at least one username and password to access systems at your work?


Yes: 202 (96.7%)
No: 5 (2.4%)

The vast majority of healthcare workers obviously need access to computer systems as part of their jobs. Everything is becoming electronic, or is already (or should be!). 


Number of Username-Password combinations?


1: 10 (4.8%)
2-4: 87 (41.6%)
5-7: 59 (28.2%)
8-10: 23 (11%)
Over 10: 20 (9.6%)

This is an interesting result - 48.8% of responders have 5 or more username-password combinations to remember and almost 20% have 8 or more! That's a lot of combinations to remember, even for one person. Extrapolated over the entire NHS that's 10s of 1000s of people having to remember masses of username-password combinations. 

Why is this the case? It's simple; there are multiple systems within institutions, from multiple sources, that do not communicate with one another. Integration engines are a big thing in the NHS. 

Do your username and/or passwords have to be in specific formats?

E.g. a password that must be 6 characters long with at least one letter, one uppercase letter and one number.

Yes: 190 (90.9%)
No: 12 (5.7%)

The surprise here is that 12 people don't have to have specifically formatted credentials. Formatted credentials don't make your password particularly safe though. They do make them harder to remember. One can understand why formatting like this was invented - to make it harder for other people to guess/work out your password. In times when it's much more likely that a computer will be used to brute force a password this makes little sense though. I defer to XKCD for a most elegant explanation. 
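Added example (not part of the original post): a count of how many 6-character passwords satisfy the example rule above, next to a random-word passphrase of the kind XKCD describes. The character set (ASCII letters and digits) and the passphrase parameters (4 words from a 2048-word list) are assumptions made for this illustration.

```python
from itertools import combinations
from math import log2

# Assumed character set (the post does not specify one): ASCII letters and digits.
CLASSES = {"lower": 26, "upper": 26, "digit": 10}

def count_compliant(length, classes, required):
    """Count strings of `length` over all `classes` that contain at least one
    character from every class in `required`, by inclusion-exclusion."""
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            # Strings that avoid every class in `missing` entirely.
            remaining = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total

def passphrase_space(wordlist_size, words):
    """Passphrases of `words` words drawn uniformly from a list, order kept."""
    return wordlist_size ** words

def compare(length=6, wordlist_size=2048, words=4):
    """Search-space sizes; the word-list parameters are constructed values."""
    # "At least one letter" is implied by "at least one uppercase letter",
    # so the effective rule is: one uppercase letter and one digit.
    return {
        "unrestricted": sum(CLASSES.values()) ** length,
        "rule_compliant": count_compliant(length, CLASSES, ("upper", "digit")),
        "passphrase": passphrase_space(wordlist_size, words),
    }

if __name__ == "__main__":
    for name, size in compare().items():
        print(f"{name:15} {size:>22,}  ~{log2(size):.1f} bits")
```

Under these assumptions the rule shrinks the 6-character space from about 35.7 to about 35.0 bits, against 44 bits for the passphrase. All three figures are upper bounds that hold only when the choice is uniformly random.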




Do your passwords have expiry dates?

Yes: 192 (91.9%)
No: 10 (4.8%)

Expiry dates are important because if you have difficult-to-remember passwords (because of the format requirements) that also need to be changed from time to time, you are far more likely to forget your password. This is common sense, but then one could argue that changing passwords regularly for security is too. 

The Playing Field

The data so far has established that the vast majority of respondents have multiple passwords that must be reset periodically and which have specific format requirements. Without venturing any further one might like to consider the potential implications of such a system. What pitfalls might such systems present to an individual user, and what implications might that have for ease (or not) of access, for security and for patient care?

Have you ever had trouble getting access to a system you needed because of a username or password problem?

Yes: 186 (89%)
No: 16 (7.7%)

Have you ever had problems resetting your password?

Yes: 154 (73.7%)
No: 48 (23%)

It should come as no surprise that many respondents have had difficulties accessing systems because of the previously mentioned set-up. What is more concerning is the proportion - almost 90%. This wouldn't be an issue, however, if approximately three quarters of respondents hadn't had problems resetting their passwords. With so many passwords with rules to remember one could anticipate that there would be password loss/forgetting, and in light of this the reset process should be easy. Resetting passwords for most online services is relatively painless, so why not in healthcare? 

Have you ever had problems remembering your password specifically because you have so many different usernames and passwords to remember?

Yes: 185 (88.5%)
No: 17 (8.1%)

I include this for completeness as I've alluded to it already; it's the logical conclusion. This is a staggering proportion and illustrates a huge part of the problem without need for elaboration. 

There are too many username-password combinations to remember. 

The intention is to increase security. However...

Have you ever recorded your passwords in order to not forget them?

Yes: 151 (72.2%)
No: 51 (24.4%)

Recording your passwords arguably makes the systems less secure. Where are they being stored? There are several "password locker" apps out there for smartphones, such as LastPass and Keeper, but I didn't ask where people were storing their passwords. If it's anywhere but a locker app, like in a notebook or a diary, it most certainly is less secure. 

Have you ever used someone else's login because you needed access?

Yes: 109 (52.2%)
No: 93 (44.5%)

This is the most surprising result in the entire survey. Using another person's login, or giving someone else your login details/allowing them to use your login, is against most institutions' policies and is likely a disciplinary offence. The survey was completely anonymous though, and part of the reason was to get open responses like this. 

Sharing login details is another breach of security protocols too. People must need to do it. If this were for less crucial information that doesn't affect patient safety it would be unacceptable, but most clinicians will be able to imagine situations where patient safety is at the forefront of consideration, and failed logins appear as barriers to that. 

Have you ever felt that a login failure had the potential to impact negatively on patient care?








Here is the proof of my previous conjecture. The majority of respondents felt that login failure had the potential to adversely affect patient care. There are any number of reasons this may be so - no access to results, prescribing, ordering tests, etc. 

This is the takeaway message of this entire survey though - 

A system that requires multiple passwords with different formatting rules and expiry dates is potentially unsafe at best and dangerous at worst. 


Other Access

To round things off I asked about logins for work related websites or services that respondents might need access to. With people already having difficulties with the number of work passwords it's no surprise to see those difficulties extend outside.


Do you have logins for work related websites or services?




Do you ever have difficulty remembering your logins/difficulties logging in to work related websites and services?
































