Password Security and Multi-Factor Authentication
Create strong, unbreakable passwords, manage them without memorizing hundreds of them, and enable multi-factor authentication across every important account.
Lesson Notes
Read through the key concepts before you try the challenge.
Real-World Scenario
What Makes a Password Strong?
Strong passwords are difficult for both humans and computers to guess. Understanding what attackers actually do helps you understand what makes a password resistant:
- Length is the most important factor — a 16-character password is exponentially harder to crack than an 8-character password, regardless of complexity. Every additional character multiplies the possible combinations by the number of characters in the set. A 20-character password of random lowercase letters is more secure than an 8-character password with symbols. Current recommendations from NIST (the National Institute of Standards and Technology) prioritize length over mandatory complexity rules.
- Avoid predictable patterns — attackers use dictionaries of common passwords and common substitution patterns (3 for E, @ for A, 0 for O). 'P@ssw0rd' is no more secure than 'Password' to a modern cracking tool that tests all common substitution variants. 'Tr0ub4dor&3' is famous for being highly memorable to the person who invented it but still vulnerable. 'correct-horse-battery-staple' (random common words strung together) is both more memorable and more secure.
- Never reuse passwords across different accounts — if any one account is breached (as in the scenario above), attackers immediately try your exposed password against every other service using the same username or email. This attack is called credential stuffing and is automated — within minutes of a breach, attackers attempt your exposed credentials against hundreds of sites. A unique password for every account limits breach damage to one account.
- Change passwords only when there is reason to — contrary to outdated guidance, changing passwords on an arbitrary schedule (every 90 days) without a specific reason leads staff to create predictable passwords (adding a number at the end each quarter: 'Password1', 'Password2'). The current guidance is: use a strong, unique password and only change it when you know or suspect it has been compromised, or after a service you use reports a breach.
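The length and predictability points above can be checked with a few lines of arithmetic. The following is an added example, not part of the lesson: it computes the entropy of random passwords for the two cases the text compares (8 characters from all printable ASCII vs. 20 random lowercase letters), the entropy of a random word passphrase, and it normalises common leet substitutions so that 'P@ssw0rd' is recognised as a variant of 'password'. The common-password set, the substitution table and the guess rate of 1e10 per second are constructed assumptions for illustration; the Diceware list size of 7776 words is real.

```python
import math
import string

# Constructed sample of a common-password list; a real audit would load a
# large list derived from public breach corpora.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey"}

# Reverse map of the substitutions the lesson mentions (3 for E, @ for A, 0 for O)
# plus a few others cracking rule sets try. Assumption: small table, illustrative only.
LEET_REVERSE = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o",
                              "1": "i", "!": "i", "$": "s", "5": "s"})


def charset_size(password: str) -> int:
    """Size of the union of standard character classes present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(length: int, charset: int) -> float:
    """Entropy of a password of `length` characters chosen uniformly from `charset`."""
    return length * math.log2(charset)


def passphrase_entropy_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of `words` words chosen uniformly from a word list
    (7776 is the size of the standard Diceware list)."""
    return words * math.log2(dictionary_size)


def crack_seconds(length: int, charset: int, guesses_per_second: float = 1e10) -> float:
    """Time to exhaust the whole keyspace at an assumed guess rate.
    1e10 guesses/s is a constructed figure standing in for an offline attack on a fast hash."""
    return charset ** length / guesses_per_second


def normalize(password: str) -> str:
    """Undo case and common leet substitutions the way a cracking rule set does."""
    return password.lower().translate(LEET_REVERSE)


def is_common(password: str) -> bool:
    """True if the password is a trivial variant of a known common password."""
    return normalize(password) in COMMON_PASSWORDS


if __name__ == "__main__":
    # The comparison made in the lesson: 8 random printable-ASCII characters vs 20 random lowercase.
    for label, length, cs in (("8 x all printable ASCII", 8, 94), ("20 x lowercase", 20, 26)):
        bits = entropy_bits(length, cs)
        days = crack_seconds(length, cs) / 86400
        print(f"{label:25s} {bits:6.1f} bits  keyspace exhausted in {days:.3g} days at 1e10/s")
    print(f"4 random Diceware words   {passphrase_entropy_bits(4):6.1f} bits")
    for pw in ("P@ssw0rd", "Tr0ub4dor&3", "correct-horse-battery-staple"):
        print(f"{pw!r}: normalises to {normalize(pw)!r}, common variant: {is_common(pw)}")
```

Note that `entropy_bits` assumes every character was chosen at random; applying it per character to a passphrase of dictionary words would overstate its strength, which is why `passphrase_entropy_bits` counts words drawn from a list instead.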
Password Managers
The only practical way to have a unique, strong password for every account is to use a password manager — software that generates, stores, and fills in passwords securely:
- A password manager stores all your passwords in an encrypted vault protected by one strong master password — you only need to remember one very strong master password, and the password manager handles everything else. Popular options include Bitwarden (free, open source), 1Password (business-focused), and Dashlane. Your IT department may have a specific recommendation or requirement for which password manager to use for work accounts.
- Password managers generate strong random passwords for new accounts — when you create a new account, click the password manager's generator to create a 20-character random password. You never need to see, type, or remember it — the manager fills it in automatically when you log in. This is the correct solution to the password reuse problem: unique, random passwords for every account, no memorization required.
- Never store passwords in a browser if a password manager is available — browsers' built-in password managers are convenient but less secure than dedicated password managers. On shared workstations, browser-stored passwords are accessible to anyone who uses the browser on that computer. Use a dedicated password manager instead.
- The master password must be exceptional — since one master password protects all others, make it long (20+ characters), unique (not used anywhere else), and memorable only to you. A passphrase of four or more random words works well: 'purple-telescope-mountain-river-2025'. Write it on paper and store it in a physically secure location (not a sticky note on your monitor), or use a backup method provided by the password manager.
Multi-Factor Authentication (MFA)
MFA is the single most effective security measure available to an individual user — it means that even if an attacker obtains your password, they still cannot access your account without the second factor:
- What counts as MFA: something you know (password) + something you have (phone with an authentication app or SMS code) + something you are (fingerprint or face). Any combination of two or more of these factors is MFA. The most common combination for work accounts is password + authentication app code.
- Authentication apps (Microsoft Authenticator, Google Authenticator, Authy) generate a new 6-digit code every 30 seconds — when logging in, you enter your password and then the current code from the app. Even if an attacker has your password, they cannot log in without access to your physical phone. This is significantly more secure than SMS codes (which can be intercepted via SIM swapping attacks), though SMS MFA is far better than no MFA.
- Enable MFA on every account that offers it — at minimum: your Microsoft 365 work account, any EHR or clinical system, any insurance portal, and any billing system. If a service does not offer MFA, be aware that it is more vulnerable and treat its password accordingly.
- MFA fatigue attacks are real — attackers who have your password can flood you with MFA approval requests (push notifications from the authenticator app) hoping you accidentally approve one. If you receive unexpected MFA prompts you did not initiate — especially multiple in a row — deny them all, notify IT immediately, and change your password. You did not forget logging in; someone else is trying to.
Knowledge Check
You receive five consecutive Microsoft Authenticator push notifications asking you to approve a sign-in, but you are not logging into anything. What does this indicate and what should you do?
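On the identity-platform side, the pattern in this knowledge check (a burst of push prompts the user never initiated, sometimes ending in an approval) is what a push-bombing detection looks for. The following is an added example, not part of the lesson and not the schema of any real sign-in log: it parses a constructed, space-separated event format (timestamp, user, event, result) and flags any user who receives at least five push prompts within two minutes, noting whether an approval followed. The event format, the sample lines, the threshold of 5 and the 2-minute window are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): timestamp user event result.
# 'alice' denies the first prompt, keeps receiving prompts, and finally approves one.
SAMPLE_EVENTS = """\
2025-03-04T09:14:02Z alice push_sent -
2025-03-04T09:14:09Z alice push_result denied
2025-03-04T09:14:20Z alice push_sent -
2025-03-04T09:14:31Z alice push_sent -
2025-03-04T09:14:44Z alice push_sent -
2025-03-04T09:14:57Z alice push_sent -
2025-03-04T09:15:10Z alice push_sent -
2025-03-04T09:15:12Z alice push_result approved
2025-03-04T09:20:00Z bob push_sent -
2025-03-04T09:20:08Z bob push_result approved
"""

THRESHOLD = 5                  # prompts within the window that count as a burst (assumption)
WINDOW = timedelta(minutes=2)  # sliding window length (assumption)


def parse_events(text: str) -> list:
    """Parse the constructed format into (timestamp, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def detect_push_bombing(events: list, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Return {user: alert} for users who received >= threshold push prompts inside
    a sliding window; `approved_after` records the worst case, an approval after the burst."""
    recent = defaultdict(deque)  # per-user timestamps of prompts still inside the window
    alerts = {}
    for ts, user, event, result in events:
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {"first_prompt": q[0], "count": 0,
                                                 "approved_after": False})
                alert["count"] = max(alert["count"], len(q))
        elif event == "push_result" and result == "approved" and user in alerts:
            alerts[user]["approved_after"] = True
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_bombing(parse_events(SAMPLE_EVENTS)).items():
        status = "APPROVED after burst: treat as compromised" if alert["approved_after"] else "burst denied"
        print(f"{user}: {alert['count']} prompts from {alert['first_prompt']:%H:%M:%S}; {status}")
```

An alert with `approved_after` set is the case the lesson describes: the account's password is already known to the attacker, so the response is to revoke sessions and reset the password, not merely to notify the user.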
Challenge
Apply what you've learned in this lesson.
Conduct a password security audit and implement MFA on a key account.
- List 5 accounts you use regularly (work email, EHR, insurance portal, personal email, a social or professional account). For each, answer: Is the password unique? Is it 12+ characters? Is MFA enabled? Create a simple table. Do not record the actual passwords — just rate them Strong/Weak based on these criteria.
- Go to haveibeenpwned.com and check whether your personal email address appears in any known data breaches. Screenshot the results. If it appears in a breach, change the password for that email immediately.
- Enable MFA on your Microsoft 365 work account (if not already enabled): go to office.com > Account Settings > Security Info > Add method > Authenticator App. Follow the setup steps. Screenshot the Security Info page showing the Authenticator App listed as a method.
- Research one free password manager (Bitwarden is recommended). Install it or sign up for the web version. Generate a new random 20-character password using the generator tool. Screenshot the generated password (it will be replaced in a moment — screenshot just to confirm the tool works, then discard this test password).