Passwords are the key to many systems and applications. Your password helps to prove who you are, ensure your privacy, and protect the privacy of data you may have access to.
Compromised passwords are one of the means by which unauthorized people gain access to a system. Someone logging on under your name not only has access to your computer files, but may also have access to your personal information (e.g. benefits, bank information) and may impersonate you to send malicious e-mail.
Many times you are requested to choose and maintain a password for various purposes (e.g. sign on to a file server, access your e-mail, use a password protected screensaver).
It's important to choose a strong password and protect it since there are many password-cracking programs readily available on the Internet and passwords are the key to access many computer systems or applications. A strong password makes it reasonably difficult to guess the password in a short period of time either through human guessing or the use of automated password cracking programs.
Choosing a Strong Password
The following are general recommendations for creating a Strong Password:
A Strong Password should:
- Be at least 8 characters in length
- Contain both upper and lowercase alphabetic characters (e.g. A-Z, a-z)
- Have at least one numerical character (e.g. 0-9)
- Have at least one special character (e.g. ~ ! @ # $ % ^ & * ( ) - _ + =)
A Strong Password should not:
- Spell a word or series of words that can be found in a standard dictionary
- Spell a word with a number added to the beginning and/or the end
- Be based on any personal information such as user id, family name, pet, birthday, etc.
- Be based on a keyboard pattern (e.g. qwerty) or duplicate characters (e.g. aabbccdd)
Use a passphrase or a nonsensical word
A passphrase could be a lyric from a song or a favorite quote. An example of a strong passphrase is "Superman is $uper str0ng!". A nonsensical word can be built using the first letter from each word in a phrase (e.g. C$200wpG. represents "Collect $200 when passing Go."). These typically have additional benefits such as being longer and easier to remember.
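As an added example (not part of the original page or the Carnegie Mellon materials it is based on), the following Python checker applies the "should" and "should not" rules above and can be run against the two sample passwords; the word list and keyboard rows are constructed stand-ins for a real dictionary and keyboard layout, and the personal-information tokens are supplied by the caller.

```python
import re
import string

# Constructed stand-in for a real dictionary word list (assumption; a real deployment loads a full list).
DICTIONARY = {"password", "superman", "welcome", "dragon", "letmein", "is", "super", "strong"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]  # constructed QWERTY rows
SPECIALS = set("~!@#$%^&*()-_+=")  # the special characters listed in the guidance
STRIP = string.digits + string.punctuation + string.whitespace

def keyboard_pattern(pw, run=4):
    """True if pw holds `run` adjacent keys from one keyboard row, forwards or backwards (e.g. qwerty)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False

def duplicate_characters(pw):
    """True for a character repeated three times in a row or for aabbccdd-style strings of doubled pairs."""
    return bool(re.search(r"(.)\1\1", pw)) or len(re.findall(r"(.)\1", pw)) >= 3

def dictionary_words(pw):
    """True if every whitespace-separated token, once digits/punctuation are stripped, is a dictionary word."""
    tokens = [t.strip(STRIP) for t in pw.lower().split()]
    return bool(tokens) and all(t in DICTIONARY for t in tokens)

def check_password(pw, personal=()):
    """Return the list of rules from the guidance that `pw` violates; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper- and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a numerical character")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special character")
    if dictionary_words(pw):
        problems.append("spells a dictionary word, possibly with digits added")
    if any(p and p.lower() in pw.lower() for p in personal):
        problems.append("contains personal information")
    if keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    if duplicate_characters(pw):
        problems.append("contains duplicated characters")
    return problems
```

Note that "Superman is $uper str0ng!" passes only because of the character substitutions; the plain phrase "superman is super strong" would be rejected as a series of dictionary words.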
Each system or application may have different password restrictions or requirements.
The following are several recommendations for using Passwords:
Do not share your password with anyone for any reason
Passwords should not be shared with anyone. In situations where someone requires access to another individual's protected resources, delegation of permission options should be explored.
Change your passwords periodically
The frequency of password changes is generally based on the privilege or access level of the account. Accounts with greater privilege or access should have their password changed more frequently. If any password has been compromised or you suspect it's been compromised, change your passwords immediately.
Do not write your password down or store it in an insecure manner
As a general rule, you should avoid writing down your password. In cases where it is necessary to write down a password, that password should be stored in a secure location (e.g. in your wallet or in a locked file) and properly destroyed when no longer needed. Consider writing down hints, not the password. Never store a password in an unencrypted electronic file or use the "save my password" feature for important passwords.
Use a password manager with strong encryption
Using a password manager to store your password is not recommended unless the password manager leverages strong encryption and requires authentication prior to use. Be sure to use a strong password for your password manager.
Avoid reusing a password
When changing an account password, you should avoid reusing a previous password. If a user account was previously compromised, either knowingly or unknowingly, reusing a password could allow that user account to, once again, become compromised. Similarly, if a password was shared, reusing that password could allow someone unauthorized access to your account.
Avoid using the same password for multiple accounts
While using the same password for multiple accounts makes it easier to remember your passwords, it can also have a chain effect allowing an unauthorized person to gain unauthorized access to multiple systems. This is particularly important when dealing with more sensitive accounts such as your online banking account. These passwords should differ from the password you use for online newspapers and other web-based accounts. Avoid using the same password for test and production systems.
Do not use automatic logon functionality
Using automatic logon functionality negates much of the value of using a password. If a malicious user is able to gain physical access to a system that has automatic logon configured, they will be able to take control of the system and access all your information.
Log out and quit applications
When vacating your workstation, completely log off the computer or otherwise secure your workstation from unauthorized use (e.g. locked screensaver). When vacating a public computer (kiosk or public lab), completely log out and quit the application before you leave.
Be aware of phishing tricks
Never provide your password over e-mail or based on an e-mail request. Hackers try to trick people into giving away their passwords and other personal information by sending fake e-mails that appear to come from common Web sites such as the University, eBay, PayPal, or a local bank.
Notify technical staff if access is no longer needed
If you terminate your employment or change departments, contact your technical coordinator to let them know that access is no longer needed.
Based on materials of Carnegie Mellon University.