GxP Engineering Consultancy And Validation Services

GxP Password 'letmein' : Data Integrity : Security

  • by Zener Engineering Services Ltd
  • 04 Aug, 2021

Why Are Basic Password Issues STILL Prevalent?

Recently Zener Engineering Services Ltd (ZES) needed access to a Pharmaceutical GMP Building Management System (BMS) and an Enterprise Resource Planning (ERP) system.

The BMS had no individual user accounts; instead a single general password, 'letmein', was in use. To the surprise of ZES, this had been the case for some time. The system had been installed and validated by a 'reputable' GxP supplier.

'Letmein' is one of the worst passwords ZES have encountered in a GMP facility; others have included '123456' and 'password'. Passwords are one of the most critical issues in Life Science GMP manufacturing and in the wider cyber security world today. Passwords such as these are far too easy to guess and to crack.

An employee intent on malicious activity needs only a fellow employee's User ID to get into a GMP secure system and alter GMP records in someone else's name. Hacking in this manner compromises the Data Integrity of GxP data and could have an impact on patient safety.

Another related issue ZES have encountered on a number of occasions is the same password being used for multiple GxP systems. If GxP systems are connected via the cloud and remote access is available, weak passwords can allow anyone to access the GxP system. Improving password complexity makes it harder for hackers to breach the GxP system and steal sensitive GxP data.

ZES make the following suggestions to improve password security. Some can be employed for little or no expense; others require an investment which will pay dividends in the future.

Password Length and Complexity

Conventional wisdom says that a complex password is more secure. However, length is a much more important factor than complexity, as a longer password is far harder to crack if stolen.

Here’s an example of how password length and complexity can have a significant impact on the security of a GxP system:

  • 'letmein' - Seconds to Crack
  • 'Let3me£in3347%' - Over 6 years to Crack

Given the above, ZES currently recommend an eight-character minimum length, which should include capital letters, numbers and special characters.

In the experience of ZES, many users add complexity to their passwords by capitalising the first letter and/or adding a '1' or '!' to the end. Whilst technically this does make a password more difficult to crack, any hacker with half a brain will know that Users tend to follow these patterns and can use this knowledge to reduce the time needed to crack a stolen password.

Additionally, as password complexity increases, Users tend to reuse passwords from system to system, which increases the risk that the User could be the victim on multiple systems if only one account is breached.

Below ZES suggest a strategy for Users to create more complex passwords.

Password Creation

Sing two lines of a song in your head. Here is an example using the British National Anthem:

God save our gracious Queen.
Long live our noble Queen.

The corresponding password would be: GsogqLlonq

Choosing a lesser-known song, lines other than the opening two, and adding some random numbers and special characters will increase security further. The password then becomes:

Gsogq!£Llonq!802$

Password Resets

Many Life Science GxP organisations require Users to reset their passwords every few months. This is to ensure that any unauthorized person who obtains a User’s password will be locked out in a relatively short space of time. However in the experience of ZES, frequent password changes can actually reduce the security level. Here's why...

Users often find it difficult to remember a single good password and, since they often have numerous passwords for numerous systems, in the experience of ZES they tend to change their password in a predictable way: for example adding a single character to the end of the previous password, or replacing a letter with a similar symbol (a '$' replacing an 'S').

Where a User's previous password is known, it is relatively easy to determine the latest one. ZES recommend that password changes are significant, and that systems are able to demand significant changes by checking the new password against legacy passwords.

Password Authentication

The way Life Science GxP organisations authenticate a password when a user logs on can have a significant impact on password security and subsequently GxP Data Integrity. ZES recommend the following is implemented for the User details (Unique ID and Password) input process and verification.

1. Showing Passwords While Typing

Whilst entering complex and long passwords, typos are commonplace. Generally the characters of a password are displayed as dots during typing, which does not allow the User to check their entry.

ZES advocate that in certain circumstances (e.g. working from home using secure Wi-Fi, and definitely not in a public place using open Wi-Fi), a User or a System can display the password during typing, allowing the User to check that the password has been entered correctly.

For Systems with limited Log-on attempts, this improves the User experience without compromising the system's security level.

2. Legacy Password Checks

ZES recommend that the system checks every new User password against a legacy list of that User's old passwords. This ensures that any 'new' password is genuinely new and not a relatively simple variation of the previous password. Enforcing a ban on reusing legacy passwords increases security for that system.
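The legacy check above, together with the 'significant change' requirement from the Password Resets section, can be implemented as follows. This is an added example, not code from the original post or from any ZES system: old passwords are kept only as salted scrypt hashes (so exact reuse can be caught without storing the passwords themselves), while the predictable-variation check compares the new password with the current one, which the User has just supplied in clear. The scrypt parameters, the history depth and the table of symbol swaps are assumptions for the example.

```python
import hashlib
import hmac
import os
import re

# scrypt cost and history depth are assumptions for this example; a real
# system tunes the cost to its hardware and records the parameters per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
HISTORY_DEPTH = 12

# Symbol-for-letter swaps users commonly apply when forced to change a password
# (the post's example is a '$' replacing an 'S'); constructed for the example.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted scrypt hash of the password; this is what the history stores."""
    return hashlib.scrypt(pw.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)


def canonical(pw: str) -> str:
    """Reduce a password to the core that predictable tweaks leave untouched:
    drop trailing digits/symbols, undo common symbol swaps, ignore case."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)
    return core.translate(LEET).lower()


def is_trivial_variation(old: str, new: str) -> bool:
    """True when `new` is `old` with a suffix changed, a character appended or
    removed, or a letter swapped for a look-alike symbol."""
    o, n = old.lower(), new.lower()
    return canonical(old) == canonical(new) or o.startswith(n) or n.startswith(o)


class PasswordHistory:
    """Per-user list of (salt, hash) for the current and previous passwords."""

    def __init__(self):
        self._entries = []   # newest first

    def add(self, pw: str) -> None:
        salt = os.urandom(16)
        self._entries.insert(0, (salt, hash_password(pw, salt)))
        del self._entries[HISTORY_DEPTH:]   # forget anything older than the depth

    def matches_previous(self, pw: str) -> bool:
        return any(hmac.compare_digest(hash_password(pw, salt), digest)
                   for salt, digest in self._entries)


def change_password(history: PasswordHistory, current_pw: str, new_pw: str):
    """Apply both legacy checks and return (accepted, reason). Variation is
    checked against the current password only, because older passwords exist
    solely as hashes and can be matched only for exact reuse."""
    if is_trivial_variation(current_pw, new_pw):
        return False, "new password is a predictable variation of the current one"
    if history.matches_previous(new_pw):
        return False, "password has been used before"
    history.add(new_pw)
    return True, "password changed"


if __name__ == "__main__":
    # Constructed history for a single user.
    hist = PasswordHistory()
    hist.add("Winter2019$")
    hist.add("Summer2021!")
    for candidate in ["Summer2022!", "$ummer2021!", "Winter2019$", "Gsogq!£Llonq!802$"]:
        print(candidate, change_password(hist, "Summer2021!", candidate))
```

Because each history entry is hashed with its own salt, every reuse check costs one scrypt computation per retained entry; that is the price of not keeping old passwords in a recoverable form, and it is why the depth is bounded.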

3. Password Hints

Some Life Science GxP organisations' systems try to prompt Users into remembering their complex passwords by offering a hint or requiring them to answer personal questions.

However, in the experience of ZES, with significant personal information now posted on social media, or obtainable through social engineering, the answers to these prompts can be easily found and used against a User or a Life Science GxP organisation. Password hints are therefore no longer recommended by ZES.

4. Limit Log-On Attempts

Hackers with malicious intent may try to breach a password by attempting to Log-on to a system multiple times until they work out the current password, or may use sophisticated software to challenge a system's Log-on procedure. To reduce the potential success rate of this type of attack, the GxP System should limit the number of Log-on attempts allowed for any User before locking the account. Account locking means a hacker will have to spend far more time attempting to break into a GxP system, being locked out on a number of occasions, to the point where hopefully it becomes pointless.
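An added example of the attempt limit described above (not code from the original post or any ZES system): a per-User failure counter that locks the account once the limit is reached and refuses even the correct password while the lock is in force. Every outcome is written to an audit list, since the lock-outs themselves are the signal a GxP system's audit trail should capture. The limit of five attempts, the fifteen-minute lock and the injectable clock are assumptions for the example.

```python
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5           # failures allowed before lockout (assumed policy value)
LOCKOUT_SECONDS = 15 * 60  # how long the account stays locked (assumed)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Counts failed Log-on attempts per User ID and locks the account once the
    limit is reached. The clock is injectable so the behaviour can be tested."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.state = {}
        self.audit = []   # audit trail entries: (time, user, event)

    def _log(self, user: str, event: str) -> None:
        self.audit.append((self.clock(), user, event))

    def is_locked(self, user: str) -> bool:
        return self.state.setdefault(user, AccountState()).locked_until > self.clock()

    def attempt_login(self, user: str, password: str, verify) -> str:
        """verify(user, password) -> bool is the credential check. Returns
        'locked', 'failed' or 'success'. A locked account is refused before the
        password is checked, so the correct password is rejected as well."""
        acct = self.state.setdefault(user, AccountState())
        if self.is_locked(user):
            self._log(user, "attempt while locked")
            return "locked"
        if verify(user, password):
            acct.failures = 0
            self._log(user, "success")
            return "success"
        acct.failures += 1
        self._log(user, f"failure {acct.failures}/{self.max_attempts}")
        if acct.failures >= self.max_attempts:
            acct.locked_until = self.clock() + self.lockout_seconds
            acct.failures = 0   # the count restarts once the lock expires
            self._log(user, "account locked")
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed demonstration with a fake clock and a single valid password.
    now = [1000.0]
    guard = LoginGuard(max_attempts=3, lockout_seconds=60, clock=lambda: now[0])
    verify = lambda user, pw: pw == "Gsogq!£Llonq!802$"
    for pw in ["letmein", "123456", "password", "Gsogq!£Llonq!802$"]:
        print(pw, "->", guard.attempt_login("alice", pw, verify))
    now[0] += 61
    print("after lockout ->", guard.attempt_login("alice", "Gsogq!£Llonq!802$", verify))
```

Returning the same 'locked' result whether or not the password was right keeps a locked account from leaking which guesses were close, and the audit list gives the security team the repeated lock-outs the post describes as the sign of someone working through guesses.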

5. Multi-Factor Authentication (Two-Factor Authentication)

ZES recommend Multi-Factor Authentication (MFA), also known as two-factor authentication (2FA), which requires Users to demonstrate at least two of the following in order to Log-on to a GxP System:

  1. Password
  2. One-time code sent to a personal phone or device
  3. Fingerprint, voice or facial recognition
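The 'one-time code sent to a personal phone or device' factor is most often a time-based one-time password, so an added example of the server side of that check follows (not code from the original post or any ZES system). It implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, accepts one interval of clock drift either side, and records the last interval accepted per User so that a code which has already been used cannot be replayed. The 30-second step, six digits, one-interval window and the RFC test secret are assumptions for the example.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set to
    the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check of the one-time-code factor. Accepts a code from the
    current interval or one either side (clock drift), and remembers the last
    interval accepted per user so a captured code cannot be replayed."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window
        self.last_counter = {}

    def check(self, user: str, secret: bytes, code: str, unix_time=None) -> bool:
        now = time.time() if unix_time is None else unix_time
        current = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_counter.get(user, -1):
                continue   # interval already consumed: replay or stale code
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[user] = counter
                return True
        return False


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are usually enrolled with a base32-encoded secret."""
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))


if __name__ == "__main__":
    # Constructed demonstration using the RFC 4226/6238 test secret.
    secret = b"12345678901234567890"
    verifier = TotpVerifier()
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("first use accepted:", verifier.check("alice", secret, code, unix_time=59))
    print("replay accepted:", verifier.check("alice", secret, code, unix_time=59))
```

The replay guard is what makes the factor genuinely 'one-time': without it, a code observed over someone's shoulder stays valid for the rest of the interval plus the drift window.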

Improving User Password Experience In-Turn Improves Security

GxP System security and User experience can often be in conflict with each other. However, ZES strongly recommend that strong password security is embedded into the User Log-on experience.

In the experience of ZES, GxP Users will always take the easiest route, even if they know that their password practices compromise their password security, certainly if it does not impact the User personally. Life Science GxP Organisations need to create a User password experience that uses this tendency to encourage safe behaviour, which in turn will keep their GxP-critical and patient-impacting data secure.

Contact ZES if you need help with GxP system security and validation.
