While we work very hard to ensure that Jane data is secure, security is everyone’s responsibility - our product and development team who build Jane, our support team who work with you, and of course, all of you! One of the best ways to ensure the security of your account is to follow best practices when it comes to login credentials.
Now you may be familiar with some password best practices, but of course these things are always changing! Keeping that in mind, we’ve created this guide as a reference for the current password practices we’d recommend following to ensure the security of your account and your data.
Foundations of a Good Password
There are a few important considerations when choosing your password, like length of the password, complexity, uniqueness, and memorability. After all, a password won’t be helpful to you if you can’t remember it! (Or don’t have a good way to store the password, but more on that later).
Length: Jane requires a password with a minimum of 8 characters, although you may want to aim for more characters than that for Jane or other services, perhaps 10-15 characters. For your most sensitive accounts, you may even opt for a password with 20 characters in it just to be extra safe.
Complexity: The recommendations around password complexity have varied throughout the years, and you’ve likely experienced the difficulty of coming up with a password that includes the appropriate number of capital and lowercase letters, symbols, and so forth. Each website where you would create your own login seems to manage this differently! Here at Jane, we don’t specifically enforce password complexity, and some experts are saying that the longer a password is, the less important it is to include special characters.
Memorability: Now this one’s a bit trickier. When using human-generated passwords (i.e. passwords that you are making up yourself), the key is to find a password that’s easy enough for you to remember, but not easy enough for someone to guess. For instance, while your pet or child’s name would be easy for you to remember, it would also be easy for anyone who knows you to guess. A good practice to follow is to use a series of random words - for example jumpcarseedtownsupport - since it isn’t a common phrase that could be guessed.
Uniqueness: While it can be super tempting to use the same password for all of your accounts, or even just for multiple accounts, it leaves you more vulnerable if someone is able to uncover your password. Imagine if you have the same password for your Facebook account that you use for your bank, and then you find out that your Facebook password was discovered - eek! To be on the safe side, we always recommend creating unique passwords for all of the services you use. Now you might be wondering how you should keep track of all of those passwords… don’t worry, we’ve got a tip for this too!
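The length, complexity and memorability points above can be made concrete with a little arithmetic. The following Python is an added example for this guide, not code from Jane: it estimates the guessing space of a password from its length and the character classes it uses, compares that with a passphrase built from words drawn at random from a list, and generates such a passphrase with the `secrets` module. The word list is a constructed, deliberately tiny stand-in; a real generator would use a published list of several thousand words, and the 7776-word list size in the comparison is the assumed size of such a list.

```python
import math
import secrets

# Constructed, tiny word list for illustration only. A real passphrase generator
# draws from a published list of thousands of words (assumed here to have 7776
# entries); with 16 words the passphrases below are NOT strong.
WORDS = ["jump", "car", "seed", "town", "support", "river", "lamp", "cloud",
         "stone", "maple", "quiet", "orbit", "fence", "bread", "candle", "north"]

JANE_MIN_LENGTH = 8  # minimum stated in the guide


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and symbols
    return size


def password_entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming every character was chosen uniformly
    from the implied alphabet. Each extra character adds log2(alphabet) bits,
    which is why length outweighs mixing in a few symbols."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words chosen uniformly from list_size words.
    This is the honest figure for a random-word passphrase: an attacker who
    knows the list guesses whole words, not individual letters."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count: int = 5, words=WORDS) -> str:
    """Join word_count words chosen with a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(words) for _ in range(word_count))


def meets_minimum(password: str, min_length: int = JANE_MIN_LENGTH) -> bool:
    return len(password) >= min_length


if __name__ == "__main__":
    short_complex = "Tr0ub4d&3"                # 9 chars, four character classes
    long_simple = "jumpcarseedtownsupport"     # 22 lowercase chars, from the guide
    print(f"{short_complex!r}: ~{password_entropy_bits(short_complex):.1f} bits")
    print(f"{long_simple!r}: ~{password_entropy_bits(long_simple):.1f} bits (character bound)")
    print(f"5 words from a 7776-word list: {passphrase_entropy_bits(5, 7776):.1f} bits")
    print("generated:", generate_passphrase())
```

The character-based figure for the long all-lowercase password is only an upper bound; the word-based figure is the one to trust for a passphrase, and even that (about 65 bits for five words from a large list) comfortably beats the nine-character mixed password, which is the point the guide makes about length.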
Using a Password Manager
Like we talked about above, it can be super tricky coming up with secure passwords, not to mention remembering each when you need them! That’s why we recommend using a secure password manager. There are lots of options available and the features within them will vary, but for instance, a tool like 1Password allows you to:
- Securely store passwords for the services you use, using a single password to access them all
- Generate strong passwords
- Easily save login credentials when you create them for the first time (and at this time, 1Password will suggest a strong password for you to use)
- Securely share your passwords across all your devices
As well, 1Password will only populate your password into the exact website you have set up for your saved password. What this means is that if you were to accidentally click into a phishing email and were taken to a malicious website, 1Password wouldn’t recognize the site and wouldn’t offer to input your password. So not only does the password manager help you to generate strong passwords and store them securely, it also provides an extra line of defence.
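The "exact website" behaviour described above comes down to matching the origin (scheme, host and port) of the page you are on against the origin saved with the credential. The snippet below is an added illustration of that rule, not 1Password's code or Jane's: it parses both URLs with the standard library and only agrees to fill when the origins are identical, so a saved entry for the constructed `clinic.example.com` login page is not offered on a lookalike host, a different scheme, or a host that merely contains the saved name.

```python
from urllib.parse import urlsplit

# Default ports so that "https://host/" and "https://host:443/" compare equal.
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> tuple:
    """Return (scheme, host, port) for a URL. Path, query and fragment are
    ignored on purpose: a credential belongs to an origin, not to a page."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Fill only when the current page's origin equals the saved origin exactly.
    No prefix/suffix matching: 'clinic.example.com' must not match
    'clinic-example.com' or 'clinic.example.com.other.test'."""
    return origin_of(saved_url) == origin_of(current_url)


if __name__ == "__main__":
    # Constructed sample: the URL the credential was saved from.
    saved = "https://clinic.example.com/login"
    for candidate in [
        "https://clinic.example.com/login",            # same origin: fill
        "https://CLINIC.example.com:443/staff",        # same origin, other page: fill
        "http://clinic.example.com/login",             # scheme differs: refuse
        "https://clinic-example.com/login",            # lookalike host: refuse
        "https://clinic.example.com.other.test/login", # host merely contains the name: refuse
    ]:
        print(f"{candidate:48} -> {'fill' if should_autofill(saved, candidate) else 'refuse'}")
```

This is the same reason a password manager is a useful phishing check: a page that looks right but lives on a different origin simply gets no suggestion, and that silence is the signal to stop and check the address.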
Importance of Keeping Your Login Credentials Secure
A topic that comes up frequently is the sharing of profiles, which is something we don’t recommend doing. While it can be tempting to just quickly share your password rather than create a new profile for someone, or to allow the use of the account owner’s profile in order to make changes like updating the credit card on file, this leaves your profile and potentially your account vulnerable. There are a few reasons why it’s important to have separate profiles for all users and to not share login credentials with anyone:
- Since each staff profile has its own access level, separate profiles allow each staff member to have only the appropriate level of access within your account
- Similarly, if a staff member is using a higher-access profile such as the account owner’s profile, they could make additional changes intentionally or unintentionally that you may not want them to make
- Jane keeps a history of changes made in your account, including changes to appointments, payments, etc. If users are sharing profiles, this makes it harder for you to see who made what change. For instance, if you wanted to confirm that an appointment booked at an odd time was intentionally booked, you’d want to know the correct booker so that you could ask them about it
- In the event that a staff member were to leave your clinic, if users were sharing profiles, you would need to reset the password for those profiles, or worse, you would run the risk of that person accessing your account through the shared profile after they’ve departed
You may have been told in the past that it’s important to periodically refresh your passwords, but if you’re using long, strong passwords we don’t specifically recommend doing this. In fact, leading security researchers have generally revised their recommendations and no longer advise routine password refreshes.
All of this said, if you’re using a shared account outside of Jane, such as a clinic-wide email address, it is worth refreshing the password for those accounts periodically in order to prevent access by someone who had the password previously, such as an admin or practitioner no longer working at your clinic.
Still Have Questions?
Have any questions about these recommendations or anything else related to security or privacy? Feel free to email the Trust Council at firstname.lastname@example.org and we’d love to clarify anything you’re unsure on!