Choosing and using unique and strong passwords is an essential part of technology security. Follow these password best practices to help keep your information safe and secure.
Create and Use Unique and Strong Passwords
No matter the requirements of a given site or service, always create and use unique and strong passwords. Creating unique and strong passwords is critical for security, but it doesn’t have to be difficult. Here are two recommended methods for creating unique and strong passwords that are easy to remember.
Strategies for Creating Strong Passwords
One method suggested by many security professionals is to start with a memorable sentence or phrase. Some people use a line from a song or poem they remember. Then use a few steps of substitution, misspellings, and other tricks that are meaningful to you to arrive at a strong password that is easy for you to remember.
- Memorable phrase: “I like ham and cheese sandwiches”
- Remove spaces: “ilikehamandcheesesandwiches”
- Use shorthand, and misspell words: “ilykhamandchzsammies”
- Use some characters, numbers and mix cases: “1lYkh4m&chZsa2mies”
- It would take a desktop PC about 71 quadrillion years to crack this password
Another method suggests combining four random common words to create a strong password (e.g., cattreetireeagle). Add a number or special character between the words for increased difficulty (e.g., cat5tree$tire2eagle9)
Test the Strength of Your Password Strategy
Don't enter any of your actual passwords, but use How Secure is My Password? » to see how hard your password strategy is to crack.
Don't Re-Use Passwords
Never re-use passwords across service providers and accounts. Using a unique password for each account is far more important than the complexity of any individual password.
Criminals who steal your usernames and passwords from one online service can use them to gain access to other services. Massive data breaches at major service providers are all too common these days. If you use the same password for more than one account, and one of your service providers is breached, you've jeopardized your other accounts and the personal information they contain.
Use a Password Manager
Password managers are tools and programs you can use to manage all of your passwords. Both cloud-based services and desktop application password managers use a single “master” password to control access to your other passwords.
We recommend using these services and products, with the following cautions: Cloud-based services are subject to the limitations and potential security problems of all cloud services. Desktop applications can be more secure, but less convenient to use. In both cases, your master password must be a unique, very strong and complex passphrase.
Don't Share or Email Passwords
Sharing Passwords - Never share passwords, period.
- If multiple people need to access a single device, set up separate profiles with unique log in and password for each person.
- Always keep your passwords private and secure.
- Consider using a password manager to help you organize your passwords. See "Password Managers" above.
Emailing Passwords - Never send passwords via email. Even when encrypted, emailing passwords is not a good practice.
Don't Store Passwords in a Browser
Even when given the option, never save passwords in your browser. If someone gets access to your computer, they could easily access all of the services where you saved passwords.
Avoid Variations on Old Passwords
Make sure your new passwords are strong and unrelated to your previous password. A common password mistake is to use a variation on the previous password. This "transformation" strategy gives criminals a huge advantage because they already have most of what they need, and only have to discover what has changed.
Use Multi-factor Authentication
Turn on multi-factor authentication for all your accounts that offer it. Multi-factor authentication combines your password and username with a notification sent to your phone or another device.
At KU, information security is a shared responsibility. Choosing unique and strong passwords and using them wisely is a big step in helping keep your information safe and secure.
The KU Password Policy » spells out the password requirements for accessing KU systems and information. Your KU password must be changed every 210 days, and must meet these complexity requirements:
- 8 to 32 characters long
- At least one special character (&,#,-,_, etc.)
- At least one uppercase letter
- At least one lowercase letter
- At least one number
KU Passwords - Tips and Best Practices
- KU and other legitimate organizations will never ask you to provide sensitive personal information (password, Social Security Number, etc.) in an email or in an unsolicited phone call.
- Do not share your password with anyone, including your boss, co-workers, or technology support staff.
- Avoid using dictionary words (except when combining with at least three other unrelated words) and personal details such as the name of a child or pet.
- Take advantage of KU's password reminder service so your next required change isn't a surprise. And remember, you must change your password every 210 days, but you can voluntarily change it more often.
- In addition to KU's password requirements, be sure to follow the password best practices described on the "Intro" tab.