Password policy for elderly clientele

Question

I work for a company in which the age of our average user is over 70. We have an app* that helps them collect and submit physiological data to their doctors.

I found this question that I believe is helpful if you're helping your mother set a password: Secure Memorable Passwords for Older Users

However, we're struggling to develop a policy for our 5000+ users, particularly given these additional wrinkles:

• The users' accounts are set up at the doctor's office by a non-technical medical professional that probably thinks "Dog123" is a good password. We can educate them about password complexity, but getting them to similarly educate users on-site is a different ballgame.
• Many of our users don't have an email address, making it infeasible to send a password reset email
• Password managers are also infeasible, because we can't expect our medical staff to be setting up LastPass for the users (especially with no email address)
• This is medical data, with all the regulation that comes with it.

Any suggestions for a password policy that secures our sensitive data without frustrating and driving away our entire user base?

*EDIT: Mobile app. There is a web app in the ecosystem in which medical staff reviews collected data, but it currently has no functionality for the patients.

ALSO EDIT: A lot of debate here between "you can assume they have smart phones" and "no you can't." It's a bit moot in our case because we provide $20 Androids to patients without one.

Answer 1

Disclosure: I work for the referenced company, and I'm not sure how to get the suggestion in this post across without it seeming like a sales pitch. Here goes.

It seems to me that "memorized passwords" and "our average user is over 70" are not going to play well together. Have you considered solutions other than passwords? You'd want something which is:

• A physical object; ie non-memorized
• Inexpensive for the doctor's office to hand out
• Easy to use even for the (potentially severely) technologically-challenged.
• Meets the security (and/or compliance) requirements for this product. Ex.: would you be allowed to use a physical object instead of a password? What if you coupled it with a weak password or knowledge-based set of questions.

You could consider having the doctor's office generate random passwords and print them out, but we all know that passwords of the form x7a8Cqr4dPt20 are not user-friendly.

The solution that comes to mind is Entrust Grid Cards (disclaimer: there may be other vendors who have similar features, but I'm not aware of any)

The doctor's office could print off a grid card on their standard office printer; when using the website / app the user will be challenged to provide three cells from the grid, if they lose the paper then they go back to the doctor's office and get a new one printed.

Answer 2

I know this doesn't entirely answer the question as asked, but another approach is to accept that, given your user community, a breach will happen sooner or later, and move instead to minimise the harm that then occurs.

You write that your app "helps them collect and submit physiological data to their doctors". Why, then, does the app have to enable them to read historical submitted data? If the app is instead write-only - fill in today's data, maybe go through a review screen to confirm all is as the user wishes, then press "submit" and the data is delivered to the surgery server and forgotten by the app - then compromise of the app doesn't compromise any stored medical data. You do still have the problem of someone maliciously submitting noise data, but you no longer have health records privacy issues.

Any suggestions for a ... policy that secures our sensitive data

Don't build an app that can get at it!

Answer 3

Forget passwords.

Have them bring their phone to the doctor's office to pair it.

The (non-technical, but trained) medical professional verifies the patient's identity (which they should do already?), and links the phone app to the system using a QR code, a one-time password, or whatever mechanism you prefer.

Then, the phone saves those credentials and doesn't need them to be entered again.

The patient may choose to optionally put a password on the app to prevent their grandchildren from using it. But this is not required to protect the system from attackers without physical access.

Edit: If the patient is not comfortable handing their phone to the medical staff (probably the receptionist), you could have it so they show the patient a QR code that the patient has to scan. Considering your target audience, I suspect that many of them will be more comfortable with having the receptionist do it.

Answer 4

Suppose you've decided that "At least 8 characters, 1 symbol, 1 number, etc." is suitably random, but results in impossible-to-memorize passwords.

There are about 70^8 possible 8-letter passwords (assuming 52 letters, 10 digits, and 18 symbols). This offers 5.8e14 passwords.

A password generated randomly by concatenating 4 words from a list of 100,000 4-5 letter words will give you a 16-20 character password. This offers 1e20 possible passwords. This is enough of a buffer to allow staff to run the program 100s of times until they (or the client) see a password that they like.

Then just print out the password and hand it to the client.

The downside of this approach is that you end up with longer passwords.

Answer 5

FORGET COMPLEXITY - even the NIST has moved away from that. Length beats complexity.

For your seniors, neither is useable. They typically type slowly and their memory isn't the best anymore. Thinking they can remember YuVM5nUf%ui? correctly is delusional.

You need to think a bit sideways here. Check your threat model - what is the danger of someone with physical access? If that's not on your threat list, let them write the password down, and keep it in their wallet or something. That's not "best practice" but it's better than Dog123.

The best solution is probably to transition to passwordless login via a smartphone app. It's 2021, I think we can assume that even the seniors have a smartphone.

The slightly worse alternative is to move to 2FA with SMS auth codes. In this case, Dog123 is a perfectly good password because all it does is trigger an SMS. Typical auth codes are 4-6 digits, which is also good enough as it's a one-time password and even a probability of a correct guess of 0.1% (4 digits) is perfectly acceptable as we're not talking about nuclear launch codes.

Answer 6

What percentage of your clients carry smartphones? Do you think they would be able to use a "passwordless login" system with their phone? (i.e. FIDO)

All the FIDO systems use a one-time initial registration process, which consists of installing an app on the client's mobile device by scanning a QR code printed in an instructional brochure. That's the easy part, and your staff can help them do it in the office.

The tricky part is next: once the client is home at their computer, they have to navigate to your site, and click the "register" button. The client must then point their phone's camera at a registration QR code displayed on the computer's screen. It's a one-time process, and on-screen video instructions are supposed to help guide the user through registration, but it's not intuitive. On the plus side, once they know how to scan a QR code there's no Bluetooth pairing, NFC, WiFi logins, or other technical hurdles to overcome.

After the computer is registered, everyday operation is much easier. When they visit your website and click "Login", their phone pops up an alert that shows something like ( ) Decline ( ) Confirm. The client then taps the confirm button on their phone, and the web site logs them in.

They eliminate the need to remember passwords and are supposedly secure against attacks like phishing, but all the registration processes I've seen require an awkward step with a QR code.

Answer 7

The way this is usually done where I am is by asking the user to enter their name and date of birth, and then sending a 4-digit or 6-digit SMS verification code to the phone number associated with the account.

So the username and password are just their name and birthday (easy to remember), and the 2FA is the SMS code (and if they're using an app to view/submit scans etc then they probably have a phone).

You can't get much simpler than that, and it provides adequate security and minimal inconvenience, making it an ideal system for medical apps.

Answer 8

Smartphone users, use a password manager. Others use a communal computer which prints 2 or 3 pieces of paper with a strong enough random generated password, 10-20 characters long.
Client stores paper in a secure location.
The client's trusted 2nd person stores paper in a secure location.
Management of elderly home store paper in a secure location.
I for Igloo, L for Lima, O for Oscar, and 0 for Zero are unambiguously written.
Symbols to have the pronunciation written below, as most people do not know.

Answer 9

Here are the authentication steps you should take to minimize the memory burden. But be aware that any customer who is not capable of interacting with this model will need a human being on hand to interact manually with them. To fail to provide that human-to-human support is to fail your customers.

There is no magic. If they can't remember their passwords and have no phone for password recovery, then you are going to have to help them using other means... Like paying for someone to be on staff to talk to them. For those who are capable though:

1. Make sure your app is compatible with all common biometric authentication systems, so the user can use fingerprint or facial recognition if available to them.
2. Make sure your app works well with password managers, so the users can safely avoid remembering their passwords, and look them up for the few cases where it may be needed.
3. Do not require ineffective and counterproductive password complexity. "MyPurpleShoes" is a far better password than "hW#*Qx33", and if the user has purple shoes they will be far more likely to remember it.
4. Do not choose a user's password for them. Let them choose a memorable passphrase of their own.
5. Offer text and email based password reset functionality, and make it easy.
6. Do not force password changes or block the reuse of passwords during password reset.
7. Offer text and email based two-factor authentication.

Answer 10

For totally nontechnical users: Create a password form two components. First part is complex to thwart online hackers, one is very simple (like 4 digits) and has to be remembered.

You decide on the first part, and you write it down. The second part is remembered by the user. The first part should be easy to type on a phone, all lowercase for example, if you need a bit more security, make it longer.

So the password could be something like “anerkumse3527”, where you write the first part down on paper for them, and the number might be their house number and day of birth, or their credit card pin code. Hackers find it hard to crack because of its entropy, and an opportunist finding the card with no hacking experience can’t find the last four digits.

It’s not how I would protect state secrets, but it’s easy to use and may be good enough for your purposes.

Answer 11

Given your user base, I think they should rely on having the passwords written in paper.

Note that when setting up the account at the doctor's, their initial password should not be generated by the technician. Just have the system generate an initial password for them. If you are generating the password, you can be sure it is properly random, even using normal words simpler to remember, and having the document appear with lots of screenshots, and the items properly substituted (if there is a field where they need to write "jdoe", put it there, not "username"):

Dear John Doe

Thanks for signing up with us. In order to submit a request you can do this:

1. Open your internet browser

(logo, browser imagee, etc)

2. Write https://capnmojocompany.com

(screen capture of your main page)

3. Click on "Submit request"

(mouse pointer on the zoomed button)


4. Enter the following data:

User: jdoe

Password: slobbery abroad plausible semester upstage

5. Press Enter

(new zoom on the button)

and so on explaining the needed steps

Yes, some will still have issues. Or not have internet access at all. I would recommend offering phone support for people when they get stuck. And to support in the user settings that they can put a designated person allowed to submit on their behalf (i.e. for the family member which will probably end up doing it for them)

I would recommend generating passphrases, I made the above sample password with xkcdpass, but the most important part is to have an adequate wordlist. You might want to ignore case (or accept passwords with inverted case)

You can then allow them to change the original password if they really want, but this setup seems reasonable. You should think how you want to handle the throttling. And what to do when they forget their password. Should they call you? Would you trust the doctors to be able to reset the password for any of your patients? Only of those they signed up themselves?

Also, I would preferably make the have doctors use a local application which sends directly to the printer the document with the credentials. If it's a pdf they can download, they might end up with the credentials of all their patients in their Downloads folder.

Answer 12

Can I suggest implementing something like MFA? This will keep you secure whilst caring a little bit less about Dog123. Especially when the elderly will require something simple like that. Chances are they have written the password on paper anyway, so your best bet on maintaining a secure platform is to have MFA regardless.