HOW DO I KEEP MY INFORMATION SAFE: PASSWORDS

Passwords are designed to keep your information safe from prying eyes; they essentially act like locks. Sometimes a hacker breaks down that lock, but most of the time a strong lock keeps people out. Of course passwords can be a hassle. Remembering them can be annoying, so we often opt for the easy route and use simple passwords. However, the easier they are to remember, the easier they will be for people to guess. Just keep in mind: the more complicated a password is, the safer your data will be. Below are tips about passwords that will help you protect your information.

Password Rules to Keep in Mind

  • Password Length: Instead of using a password that meets the minimum character length, add more characters to make the password longer. If the password minimum is 8 characters, use 10 or more. The longer the password is, the longer it will take for someone to crack it.

  • Password Complexity: The best passwords use a combination of a) lower case letters, b) upper case letters, c) numbers, and d) special characters/symbols. The password should contain at least one of each. Don't take the easy route and capitalize the first letter of the word or use the numeral "1" in place of the letter "l" or a zero in place of the letter "O". Throw in a few random numbers or characters like a plus sign (+) or underscore (_).

How to Avoid Weak Passwords

Don’t use the following things in your password:

  • Usernames or part of usernames.

  • Name of family members, friends, pets, etc.

  • Personal information about yourself and/or family members. This includes the personal information that can be obtained very easily, such as birth date, phone number, vehicle license plate number, street name, apartment/house number, etc.

  • Sequences of consecutive letters, numbers, or keys on the keyboard (e.g. abcde, 12345, qwerty).

  • Dictionary words with a number or character added in front or at the back.

  • Real words of any language.

  • Words found in the dictionary with look-alike number substitutions (e.g. passw0rd).

  • Any of the above in reverse sequence.

  • Any of the above with a number in front or back.

  • An empty password.
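As an added illustration (not part of the original page), the following Python checker applies the rules above mechanically: minimum and recommended length, the four character classes, username fragments, keyboard and alphabet sequences (forward or reversed), and dictionary words disguised by look-alike substitutions, reversal, or leading/trailing digits and symbols. The word list, keyboard rows, thresholds and sample passwords are constructed for the example; a real deployment would load a full dictionary and the account's actual username.

```python
import re
import string

# Constructed data for this example. A real checker would load a full
# wordlist (ideally for every language the users speak) from a file.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "football"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Undo common look-alike substitutions (passw0rd -> password, p@ss -> pass).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 8          # the policy minimum
RECOMMENDED_LENGTH = 10 # "if the minimum is 8, use 10 or more"


def _strip_edges(s):
    """Drop digits/symbols padded onto the front or back of a word."""
    return s.strip(string.digits + string.punctuation)


def _contains_sequence(s, run=4):
    """True if s contains `run` consecutive keyboard or alphabet characters,
    in either direction (e.g. 'abcd', 'qwer', '4321')."""
    s = s.lower()
    for seq in KEYBOARD_ROWS + [string.ascii_lowercase]:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in s or chunk[::-1] in s:
                return True
    return False


def _is_dictionary_based(s):
    """True if s is a dictionary word once padding is stripped, look-alike
    substitutions are undone, and/or the word is reversed."""
    s = s.lower()
    # Try both orders: strip-then-translate catches 'Passw0rd!', while
    # translate-then-strip catches words whose edge symbols are substitutions.
    candidates = (_strip_edges(s).translate(LEET_MAP),
                  _strip_edges(s.translate(LEET_MAP)))
    return any(c in DICTIONARY or c[::-1] in DICTIONARY for c in candidates)


def check_password(password, username=""):
    """Return a list of rule violations; an empty list means the password passes."""
    if not password:
        return ["empty password"]
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < RECOMMENDED_LENGTH:
        problems.append(f"meets the minimum but fewer than the recommended {RECOMMENDED_LENGTH} characters")
    has_all_classes = (any(c.islower() for c in password)
                       and any(c.isupper() for c in password)
                       and any(c.isdigit() for c in password)
                       and any(c in string.punctuation for c in password))
    if not has_all_classes:
        problems.append("missing one of: lower case, upper case, digit, symbol")
    lowered = password.lower()
    uname = username.lower()
    # Reject the whole username and any meaningful fragment of it (john.smith -> john, smith).
    parts = [p for p in re.split(r"[._@-]", uname) if len(p) >= 3]
    if uname and (uname in lowered or any(p in lowered for p in parts)):
        problems.append("contains the username or part of it")
    if _contains_sequence(password):
        problems.append("contains a keyboard or alphabet sequence")
    if _is_dictionary_based(password):
        problems.append("based on a dictionary word (with substitutions, reversal, or padding)")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    for pw, user in [("", "jsmith"), ("Passw0rd!", "jsmith"), ("drowssap123", "jsmith"),
                     ("Qwerty!2024", "jsmith"), ("jsmith#2024Ab", "jsmith"),
                     ("Tr33-Harbour_Lamp9", "jsmith")]:
        verdict = check_password(pw, user) or ["OK"]
        print(f"{pw!r:22} -> {'; '.join(verdict)}")
```

The checker never stores or logs the candidate password; it only returns the rule that failed, which is what a login or password-change form should show the user. Note that a short dictionary like the one embedded here is only a demonstration: the rule "real words of any language" needs a wordlist of realistic size to be effective.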

Password Common Sense 101

  • Create a unique password every time. When you are changing a password for an existing account, it should not be the same as the previous password. Do not use incremental passwords while changing it either (e.g. password1, password2).

  • Change your passwords for all your accounts once every 6 months. Because a password has a fixed length, an attacker with enough time and processing power can always brute-force it eventually; changing passwords regularly limits how long a guessed or stolen password stays useful. Change your passwords often.

  • Never write down your passwords. Creating a strong password and writing it down is as bad as creating an easy-to-remember password and not writing it down anywhere. People who write down their passwords often keep them somewhere near their computer (e.g. under the mouse pad). You should never write down your password on paper. It is a security risk. If you must carry your password with you, use a password manager tool that runs from a USB stick instead.

  • Do NOT share your password with anyone. This includes your friends, family, and coworkers. Here’s a phrase to remember: “Passwords are like underwear, don’t share them with anyone”.

  • Never use the same password for multiple sites. It can be very tempting to create the same password for different sites (i.e. emails, banking sites, and social media sites). You’ll have fewer passwords to remember. However, this can become a nightmare once someone has figured out your password and uses it to hack into your other sites. Avoid this by using unique passwords for all your accounts.

  • Do NOT type your password in when someone is looking over your shoulder. It’s very easy for someone to figure out your password, especially if you type slowly, are searching for the letters on the keyboard, or type with only one finger.

  • Never send your password to anyone through an email. Remember the phrase: “Passwords are like underwear”. Sometimes, people pose as a support person or company and send you emails asking for your username and password. A legitimate website or organization will never ask you for your user name and password, either via email or phone. Often, those emails are phishing attacks.

  • Change passwords immediately when they are compromised. If you have the slightest doubt that your password has been stolen or compromised, change it immediately.

  • Don’t use the “Remember password” option on the browser. Don’t use this feature to store your username and password. Anyone who has access to your computer can get into your accounts. Always say ‘Not Now’ when the ‘Remember Password’ box pops up, especially if you’re using a computer that does not belong to you.

  • Do NOT type your password on a computer that does not belong to you. If possible, don’t use someone else’s computer that you don’t trust to log in to any website, especially very sensitive websites such as banking. It is a very common practice for hackers to use keyloggers to record all the keystrokes on a system, which will capture everything you type, including the passwords.

  • Always log off after you are done with your account. Think of all the times your Facebook account has been hacked because you left your account logged on. Log off so that your accounts are not exposed if someone gains access to your computer or if your computer is lost or stolen. This also applies to phones. Log off or make sure you lock your screen.

Additional Note

While we may find passwords to be annoying, and even take them for granted, it is important to remember why passwords are important: passwords are often the first (and possibly only) defense against intrusion. They protect personal information – information we don’t want anyone to know. In our personal lives, this means financial information, health data, and private documents. In a professional context, this may encompass anything considered crucial to the success of the organization: trade secrets, financial data, intellectual property, customer lists, etc.

To ensure that your information is protected, please take the time to update and strengthen your password. Remember, a password is like a lock. The stronger it is, the harder it is for someone to break in.