New security enhancements: password complexity and multi-factor authentication

Posted By on 15 September 2020

There has been an interesting debate between HosPortal healthcare scheduling software and customers recently about the merits of various security enhancements and privacy controls.

We are aware that many of our customers want their data stored in Australia. This has been available for an additional fee (due to costs related to some of the aspects of our software architecture) but will soon be the default for all Australian customers.

More interesting has been the discussion about password complexity and multi-factor authentication (MFA), both of which we will soon have implemented at the request of a customer.

For those interested in password complexity who reflect, as we do, on how silly some of the industry-standard rules are, it is worth reading this article about the zxcvbn algorithm, developed by Dropbox and now implemented in HosPortal. It is considered a good measure of real password strength, because it estimates how a password would hold up against a range of real-world attacks rather than checking it against composition rules. A live implementation of the algorithm can be tried here (although we recommend you do not test it by entering your actual personal passwords).
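To show why the distinction matters, here is a constructed, much-simplified sketch of the zxcvbn idea next to a classic composition rule. It is an added example written for this post, not Dropbox's zxcvbn library and not HosPortal's implementation; the word list, the leet table and the multipliers are all assumptions, and real zxcvbn also matches keyboard walks, dates, repeats and sequences, which this sketch leaves out.

```python
"""Composition rules versus a zxcvbn-style guess estimate (constructed sketch)."""
import string

# Constructed mini-dictionary, ranked most-common first. The real zxcvbn ships
# ranked lists of tens of thousands of passwords, names and English words.
COMMON_WORDS = ["password", "123456", "qwerty", "hospital", "doctor", "welcome", "letmein"]

# Common "leet" substitutions that cracking wordlist rules undo for free.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "!": "i", "3": "e"})

SYMBOLS = set(string.punctuation)


def meets_composition_rules(pw):
    """The classic 'industry-standard' rule: 8+ chars with upper, lower, digit, symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


def _brute_force_guesses(chars):
    """Guesses needed to exhaust the character classes present in an unmatched segment."""
    if not chars:
        return 1
    cardinality = 0
    if any(c.islower() for c in chars):
        cardinality += 26
    if any(c.isupper() for c in chars):
        cardinality += 26
    if any(c.isdigit() for c in chars):
        cardinality += 10
    if any(c in SYMBOLS for c in chars):
        cardinality += 33  # zxcvbn counts 33 printable symbols
    return cardinality ** len(chars)


def estimate_guesses(pw):
    """zxcvbn-style estimate: a dictionary segment costs its rank (times small
    multipliers for leet and capitalisation); everything else costs brute force."""
    norm = pw.lower().translate(LEET)
    matches = []
    for rank, word in enumerate(COMMON_WORDS, start=1):
        pos = norm.find(word)
        if pos != -1:
            matches.append((pos, pos + len(word), rank))
    matches.sort()
    guesses, cursor, unmatched = 1, 0, []
    for start, end, rank in matches:
        if start < cursor:  # overlaps a match already counted
            continue
        unmatched.extend(pw[cursor:start])
        segment = pw[start:end]
        cost = rank
        cost *= 2 if segment.lower() != norm[start:end] else 1  # leet substitutions used
        cost *= 2 if any(c.isupper() for c in segment) else 1   # capitalised
        guesses *= cost
        cursor = end
    unmatched.extend(pw[cursor:])
    return guesses * _brute_force_guesses(unmatched)


def score(pw):
    """0..4 bucket using the same guess thresholds zxcvbn uses (1e3, 1e6, 1e8, 1e10)."""
    g = estimate_guesses(pw)
    return sum(g >= threshold for threshold in (1e3, 1e6, 1e8, 1e10))


def report(pw, online_rate=10, offline_rate=1e10):
    """Human-readable comparison: rule check vs. estimated crack time."""
    g = estimate_guesses(pw)
    return {
        "passes_rules": meets_composition_rules(pw),
        "score": score(pw),
        "online_throttled_seconds": g / online_rate,
        "offline_fast_hash_seconds": g / offline_rate,
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "hospital2020", "x7Qk!v2Lp9#m"):
        print(candidate, report(candidate))
```

"P@ssw0rd1!" satisfies every composition rule yet scores 1 of 4, because the dictionary word plus two trivial substitutions costs an attacker only a handful of guesses; the rule check and the strength estimate disagree exactly where it matters.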

We have been deliberately slow to implement MFA for some time, while aware that we are increasingly swimming against the river of expectations for cloud-based logins (and the flow of that river is increased by articles like this one). There are three reasons. Our target users, being doctors, are often not keen on a two-step login when they need to find something in a hurry. The sensitivity and volume of information that a login gives access to is pretty low (HosPortal often replaces roster and contact information that would otherwise be kept on public display or stored on shared drives at many hospitals). And MFA makes it impossible to have a generic login that a hospital can issue to the switchboard or nursing station for read-only access.

We have listened to some strongly held views from our customers and have now enabled a minimum password complexity, together with the option to turn on MFA for your users.
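To make concrete what the optional second step adds on the server side, here is a time-based one-time password (TOTP, RFC 6238) check with clock-drift tolerance and replay protection. It is an added example, not HosPortal's MFA code; the window size and the in-memory `last_used_counter` are assumptions (a real deployment persists that counter per user), and the secret is the RFC 6238 reference test secret, not a real one.

```python
"""Server-side TOTP verification (RFC 6238 on top of RFC 4226 HOTP), constructed example."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # RFC 6238 default time step in seconds
DIGITS = 6    # what authenticator apps display
WINDOW = 1    # accept one step either side of "now" to tolerate clock drift


def secret_from_base32(encoded):
    """Enrolment secrets are handed to authenticator apps as Base32; decode with padding fix."""
    padded = encoded.upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=STEP):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


class TotpVerifier:
    """Checks a submitted code, allowing drift but never accepting a step twice."""

    def __init__(self, secret, window=WINDOW):
        self.secret = secret
        self.window = window
        self.last_used_counter = -1  # assumption: persisted per user in a real system

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        counter = int(now) // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_used_counter:
                continue  # that step was already spent: reject replays
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_used_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 reference secret, not a real one
    print("code right now:", totp(secret, time.time()))
    v = TotpVerifier(secret)
    print("first use accepted:", v.verify(totp(secret, time.time())))
    print("replay accepted:", v.verify(totp(secret, time.time())))
```

The replay check is the part most home-grown implementations miss: within the drift window a code is valid for up to 90 seconds, so without recording the last accepted step an intercepted code can be reused.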

We know that many doctors hate both of these changes. But the times are changing, and we have at least implemented a system that is usable while at the same time actually protecting user accounts, rather than just pretending to do so.
