21 CFR and Passwords: Mistakes You Don’t Want to Make

The free Internet that many of us loved has become a surveillance web, serving governments and mega-corps while abusing the rest of us. It is important that you start protecting your data while browsing the Internet and using communication tools in the course of your work. This article will guide you through a new set of skills: using secure technology and developing careful practices.

As we know, the FDA regulates computerized systems used in clinical trials under the authority of Title 21 of the Code of Federal Regulations, Part 11 (21 CFR Part 11). These regulations apply only to systems used in trials whose results will be submitted to the FDA as part of the drug development/approval process.

As we are currently in the wake of yet another password breach, this time encompassing over 5 million Gmail passwords, it seems that no matter what you do, your password can and will be stolen. What should you do if your organization is a victim? Furthermore, how can your staff pick a safer password?

21 CFR Part 11 requires rigid and rigorous password de-activation and temporary-password generation protocols, as well as data encryption and transaction safeguards to prevent sniffing (SSL, JavaScript), during the software development process of computerized systems used in clinical trials.

Here are some recommendations on how to manage your passwords:

  • Use two-factor authentication or a two-step login: I know that it can be a pain, but it will help keep your online accounts safer. If for any reason your password is hacked, someone won’t be able to log in to your account without the second authentication factor.
  • Don’t be lazy. We have heard it all before. Using common passwords like
    • Do not choose a password that is related to anything that has special meaning to you, i.e. your pet’s name, birthday, address, family members’ names, etc. We know, we know, it’s easy to remember though.
    • Use a string of random words.

Which of the following two passwords is stronger, more secure, and more difficult to crack?



ENTROPY: If you are mathematically inclined, or if you have some security knowledge and training, you may be familiar with the idea of the “entropy” or the randomness and unpredictability of data. If so, you’ll have noticed that the first, stronger password has much less entropy than the second (weaker) password. Virtually everyone has always believed or been told that passwords derived their strength from having “high entropy”. But as we see now, when the only available attack is guessing, that long-standing common wisdom  . . . is  . . . not  . . . correct! (Retrieved from: https://www.grc.com/haystack.htm)

Consider an alphanumeric password of n characters. A-Z, a-z, numbers: a total of 56 possible options for each slot. Therefore, a truly random password would have 56^n possible options. (Ten characters: 303,305,489,096,114,176; or 2^58 and then some.) Of course, generating such a password is more difficult. One way is to condense an easy-to-remember phrase, though this also limits the search space if your method is known.

For disk encryption (and your password safe), we recommend selecting a minimum of six words.

A company I used to work for had a nice password generator for their massive database administration, which even low-level employees need to access regularly. It generates 3 words, bridges them together with special case characters and adds a spelling mistake (repeated or missing character) to one of the words.
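The search-space arithmetic above, the six-word recommendation and the three-word generator just described, as an added example (not code from the page or from the company mentioned): the word list and separator set are constructed, `search_space` is parameterized by alphabet size (the page counts 56 symbols; A-Z, a-z and 0-9 together are 62), a 7776-word Diceware list is assumed for the six-word passphrase figure, and `generator_bits` shows how much entropy the recipe leaves once an attacker knows the method.

```python
import math
import secrets

# Constructed sample word list and separator set (a real generator would use
# a list of thousands of words, e.g. a Diceware list of 7776 words).
WORDS = ["orbit", "copper", "lantern", "maple", "quartz", "ribbon", "tundra", "velvet"]
SEPARATORS = "!@#$%^&*-_=+"


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def misspell(word: str) -> str:
    """Inject one 'spelling mistake': repeat or drop a randomly chosen letter."""
    i = secrets.randbelow(len(word))
    if secrets.randbelow(2):
        return word[: i + 1] + word[i] + word[i + 1 :]  # repeated letter
    return word[:i] + word[i + 1 :]                     # missing letter


def generate(words=WORDS, seps=SEPARATORS, n_words: int = 3) -> str:
    """Pick n_words words with a CSPRNG, misspell one, bridge them with separators."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    k = secrets.randbelow(n_words)
    chosen[k] = misspell(chosen[k])
    return "".join(w + secrets.choice(seps) for w in chosen[:-1]) + chosen[-1]


def split_words(password: str, seps=SEPARATORS) -> list:
    """Inverse of the bridging step: recover the word parts for inspection."""
    for s in seps:
        password = password.replace(s, " ")
    return password.split()


def generator_bits(words=WORDS, seps=SEPARATORS, n_words: int = 3) -> float:
    """Upper bound on the entropy left when the recipe is known: word choices *
    separator choices * which word is misspelled * how (2 ways per letter
    position, using the mean word length)."""
    mean_len = sum(map(len, words)) / len(words)
    combos = len(words) ** n_words * len(seps) ** (n_words - 1) * n_words * mean_len * 2
    return math.log2(combos)
```

With the eight-word sample list the recipe yields only about 21 bits even though the result looks like a 20-character password; the strength comes from the size of the word list, not from the separators or the typo.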

Should your IT department provide a password generator (manager) to all clinical staff? Additionally, security encryption should be taken into consideration. To make such a password-creator page safer, set it up so that it is not cached in the browser, where the initially generated password would otherwise remain visible. Optionally, use an SSL connection to encrypt the page, and hence the password, so that the traffic isn’t intercepted.

Ask your systems administrators to look for software offering an implementation of the open standard “Time-Based One-Time Passwords” or RFC 6238.

Remember to keep a backup of your password safe.

What tricks do you use when choosing and creating passwords AND keeping them safe? As far as password management goes, I’ve personally found KeePass to be an excellent solution. I use a combination of password management tools (my personal computer has a fingerprint recognition system with KeePass embedded in it).

Comments? Join us at {EDC Developer}

Anayansi Gamboa, MPM, an EDC Developer Consultant and clinical programmer for the Pharmaceutical and Biotech industry with more than 13 years of experience.

Available for short-term contracts or ad-hoc requests. See my specialties section (Oracle, SQL Server, EDC Inform, EDC Rave, OpenClinica, SAS and other CDM tools).

As the 3 C’s of life state (Choices, Chances and Changes), you must make a choice to take a chance or your life will never change. I continually seek to implement means of improving processes to reduce cycle time and decrease work effort.

Subscribe to my blog’s RSS feed and email newsletter to get immediate updates on latest news, articles, and tips. I am available on LinkedIn. Connect with me there for technical discussions.

Disclaimer: The EDC Developer blog is “one man’s opinion”. Anything that is said on the report is either opinion, criticism, information or commentary. If making any type of investment or legal decision it would be wise to contact or consult a professional before making that decision.

Disclaimer: The content of these columns does not necessarily reflect the opinion of {EDC Developer}.

3 thoughts on “21 CFR and Passwords: Mistakes You Don’t Want to Make”

  1. Almost every corporation, including persons reading this, has been hacked (or had their data compromised). Why would the cloud be any different?

    A vote on a bill which authorizes warrantless access to American’s data…

    A Senate proposal touted as protecting Americans’ privacy has been rewritten to give government agencies more surveillance power than they possess under current law.

    New law in congress…
    – It would allow more than 22 agencies (including the SEC and the FCC) to access Americans’ email, Google Docs files, Facebook wall posts, and Twitter direct messages without a warrant.
    – In some circumstances the FBI and DHS could get full access to Internet accounts without notifying the owner or a judge.
    – This is a setback for Internet companies, which want to convince Congress to update the 1986 Electronic Communications Privacy Act to protect documents stored in the cloud.
    – Currently Internet users enjoy more privacy rights for data stored on hard drives than for data stored in the cloud.

    The law does not protect privacy, encryption does.
