Strengthen Your Passwords or Passphrases and Keep Them Secure

This article provides tips for choosing strong passwords or passphrases and keeping them safe.

Passwords and passphrases are used to access many online services, such as email, credit card and bank accounts, e-commerce sites like Amazon, and social networking sites like Facebook and Twitter. It is important to choose strong passwords or passphrases to make sure no one but you gains access to your private information.

The CNetID passphrase is an alternative to the CNetID password and functions identically to a CNetID password by authenticating you for all the common services you are eligible to use based on your affiliation with the University.

If you struggle to create and remember complex passwords, a passphrase is an equally secure option. Passphrases are simple sentences that are more secure due to their length rather than their complexity. Passphrases at the University of Chicago must be at least 19 characters long. For more on passphrases, refer to the Choose Strong Passphrases section in this article.

Alert: CNetID passwords and passphrases should never be used for any services or applications outside of the University.

Here are some tips for creating secure passwords and passphrases and keeping them secure.

Strengthen Your Passwords

Secure passwords at the University of Chicago must have at least 12 characters and combine letters, numbers, and symbols. Choose passwords that are memorable, but not easily guessed.

Below are some tips for choosing strong passwords.

Do not use dictionary words or names in any form in passwords.

Dictionary words are any common words, names, dates, or numbers. Don't assume that this is limited to English dictionaries: if you can find it in the dictionary of any language, even fictional ones like Klingon, don't use it! One standard method for cracking passwords is a brute force attack, in which the attacker tries possible passwords over and over again. They try passwords in all sorts of languages using dictionaries of common words and names.

Do not use common misspellings of dictionary words either.

Many of the dictionaries include both common misspellings and words with letters replaced with similar-looking numbers (for example, replacing E with 3). You should also avoid simply adding a numeral to the beginning or end of a word.

Do not use the name of the computer or your user account.

Since this kind of information can be easily discovered, these passwords can be very easy to guess.

Do not use sample passwords.

Obviously, if the password appears in a document such as this for the whole world to see, don't use it.

A password must be at least 12 characters long.

The longer your password is, the harder it is to crack.

Use multiple character sets.

Use a mixture of upper and lower case letters, numbers, and punctuation such as !, @, #, etc. Try to use at least three out of the four character sets available on your keyboard: uppercase letters (KK), lowercase letters (nn), numbers (123), and symbols (!@#). However, avoid using characters that do not appear on a standard US 101 keyboard, as they may not work correctly in all circumstances.

Use letters chosen from words in a phrase or song lyric.

Think up a phrase. For example, "Marx's Communist Manifesto has 8196 words in it!". You can use that as your passphrase, or choose the first letter from each word. You'll notice that in this example we've decided to include all the punctuation to improve the quality of the password. So, your password would be M'sCMh8196wii!. It is a nice, long password with a good mixture of character classes.

Combine a few pronounceable nonsense words with punctuation.

For example, nuit+Pog=tWi. Pronounceable nonsense words are easier to remember than random characters.

Strengthen Your Passphrases

Secure passphrases at the University of Chicago must be at least 19 characters in length, and these characters include punctuation and spaces between words or letters. Note that the criteria for what constitutes a good password and what constitutes a good passphrase may differ. Unlike a password, for example, passphrases obviously need at least some dictionary words to function as they are intended to.

Select something memorable to you.

Part of the reason someone might choose to use a passphrase instead of a password is because he or she finds a passphrase to be more memorable. Examples include a favorite childhood memory, favorite foods, places you've visited, experiences you've had, or some combination of these things. Space camp MashedPotatoes4!, a favorite childhood memory and favorite food, is a particularly strong passphrase. While a hacker may try any of these words individually, only you know all the words and characters in this specific combination that forms your passphrase.

Add unexpected characters.

Consider adding unexpected additional characters that only you know. So, for example, "space camp" and "mashed potatoes", your favorite childhood memory and favorite food, becomes space camp MashedPotatoes4!

Adding other characters such as symbols, numbers, and capital letters increases the complexity of your passphrase and makes it more difficult for hackers to crack.

The longer, the better.

Passphrases must be at least 19 characters long. Since passphrases rely on length for security instead of complexity like passwords do, your passphrase is harder to crack the longer you make it. Creating a longer passphrase that includes spaces and punctuation is easier than you might think. As noted earlier, the passphrase space camp MashedPotatoes4! is memorable and hard to crack because it's 29 characters long.

Do not choose famous or well-known lyrics, lines, sayings, etc.

While lines taken from the U.S. National Anthem might seem like a good passphrase, these lines are widely-recognized and famous. In practice, they make bad passphrases that are easy to crack. If you like the idea of basing your passphrases on a favorite book, song, movie or play, consider taking a passphrase from a work that is both meaningful to you and not very well-known. Do not use anything easily found in a book of quotations, an online quotation compiler, or that can be found easily by Google.

If you must choose a passphrase from a favorite book, movie, or play, and you are certain it is obscure, you should still add unexpected characters to it like numbers and symbols. Also, consider abbreviating or changing it to an even more obscure form that only you would know. For example, "To be or not to be/that is the question" would become tB or not TB/titq7!

A strong passphrase will generally not be a quote but a seemingly nonsensical list of items like space camp MashedPotatoes4!: memorable, meaningful, and unique only to you.

Select something unique or specific only to you.

For example, the passphrase "DavidHasselhof@RollingStones!" could be a list of posters hanging on the walls of your office, home, or dorm room. This is a good passphrase because it is easy for you to remember because you know what the category is ("posters I have hanging in my office going from left to right"), it is long (29 characters), it has the unexpected characters @ and !, and it is unique and specific only to you ("wall posters I have for things I like or am interested in"). To anyone else this list might seem strange and arbitrary, but you are unlikely to forget it because these are your posters in your office.

Do not reuse a word or phrase if your account or passphrase has been compromised.

For example, if your first passphrase was spacecamp MashedPotatoes4!, do not reuse any of these words in your next passphrase. Never create a new passphrase by reusing an old passphrase with new words or characters. For example, spacecamp MashedPotatoes Hi5! Hackers who have your old passphrase can crack this easily.
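
The password tips under Strengthen Your Passwords and the no-reuse rule above can be checked mechanically. The following Python code is an added example, not part of the original article or any University system; the word list is a small constructed sample, and the function names are illustrative assumptions.

```python
import re
import string

# Constructed sample list; real cracking dictionaries span many languages.
SAMPLE_WORDS = {"password", "welcome", "chicago", "dragon", "monkey"}
# Sample passwords printed in this article, which must never be used.
PUBLISHED = {"M'sCMh8196wii!", "nuit+Pog=tWi"}
# Look-alike substitutions that cracking dictionaries already include.
LEET = str.maketrans("013457@$", "oleastas")

def char_sets(secret):
    """Count how many of the four keyboard character sets are present."""
    tests = (str.isupper, str.islower, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in secret) for t in tests)

def dictionary_hit(secret, words=SAMPLE_WORDS):
    """Undo look-alike swaps and added leading/trailing numerals or symbols."""
    lowered = secret.lower()
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    for candidate in (lowered, trimmed):
        word = candidate.translate(LEET)
        if word in words:
            return word
    return None

def check_password(secret, username="", words=SAMPLE_WORDS):
    """Return the list of tips from the article that the password breaks."""
    problems = []
    if len(secret) < 12:
        problems.append("shorter than 12 characters")
    if char_sets(secret) < 3:
        problems.append("fewer than 3 character sets")
    if username and username.lower() in secret.lower():
        problems.append("contains the account name")
    if secret in PUBLISHED:
        problems.append("published sample password")
    hit = dictionary_hit(secret, words)
    if hit:
        problems.append(f"variant of dictionary word '{hit}'")
    return problems

def _words(phrase):
    return set(re.findall(r"[a-z]{3,}", phrase.lower()))

def reused_words(new_phrase, old_phrase):
    """Words (3+ letters) a new passphrase shares with a compromised one."""
    return sorted(_words(new_phrase) & _words(old_phrase))
```

An empty list from `check_password` means only that none of these mechanical tips was broken; it does not show the password is hard to guess for someone who knows you.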

Other examples of strong passphrases.

It takes little effort to come up with a strong passphrase if you follow the criteria outlined in this article.

Below are some other examples of strong passphrases and the reasons they are strong:

Zelda Katamari MGS3#: These are all video games. Lists of various categories, such as favorite items (food, games, books, etc.) can make good passphrases, so long as that information is not easily available online on your Facebook profile, in your email, or on other social media accounts, or can be easily guessed by someone (everyone knows you love all the Harry Potter books, and there's a picture of you on Google images at a Harry Potter convention).

Fido&Mr.Kitty&Bandit: A list of all your childhood pets' names is very easy for you to remember, contains the unexpected & character, is 20 characters long, and is unique to you. It is something that only you would know in this specific order.

That time I slipped on a Hot Pink Banana Peel $ or Bullriding at a Taxidermy Convention?!: Both phrases are funny and unique, and therefore easy for you to remember, long, complex, and contain unexpected $, ?, and ! characters.

These examples illustrate the flexibility you have in choosing a passphrase. Not all examples will be equally memorable to you, even if they are information only you know. For some people, a list of items they love with unexpected characters thrown in is very easy to remember. Other people may need spaces between words or a funny phrase to help them create and remember a passphrase. In other words, you may have trouble remembering Zelda Katamari MGS3# but not Bullriding at a Taxidermy Convention?! Along with the principles in this article, what makes a good passphrase depends partly on you.

Smart Computing with Passwords and Passphrases

Creating strong passwords and passphrases is not enough by itself. You also need smart computing habits.

Don’t use the same password or passphrase for all your accounts

Using the same password or passphrase for multiple services is very dangerous because if it is stolen from one service, hackers can use it to access all your other accounts. While having a completely different password or passphrase for each service you use is impractical, you should consider what the password or passphrase is protecting when you choose a password or passphrase. Some services may not require very strong passwords or passphrases if they do not collect any private information. If you are unsure, always opt to use a different password or passphrase. Consider using a password or passphrase manager, such as Password Safe or LastPass, to help manage multiple passwords/passphrases.

Alert: You should carefully consider whether or not you want to store passwords and passphrases for financial institutions with a password or passphrase manager.

For less important passwords or passphrases, you can use different iterations of the same basic password. For example, the password above, M'sCMh8196wii! could become nM'sCMh8196wii!NYt for a New York Times account: NYt added after the core and n added before for “news”. However, the passwords or passphrases protecting your most sensitive information should always be completely different from other passwords or passphrases.

Never share your password or passphrase.

Never give out your password or passphrase online or over the phone to others. Email and phone requests for your password or passphrase and other private information are phishing scams. University administrators or reputable companies, such as your bank or credit card company, will never request this kind of information through email, fax, or phone.

Don't even share your passwords with friends or family members. Especially do not give them your CNet password or passphrase to gain access to any UChicago service, such as the virtual private network (VPN) or the wireless networks on campus. This is a violation of The University of Chicago Policy on Information Technology Use and Access. Instead, you may obtain wireless access credentials for your guests through the UChicago Guest Network.

Use non-secure networks with care.

As a convenience, hotels, restaurants, and businesses often offer public internet access. Please use this access with care, and avoid accessing confidential information such as financial data using these networks. Hackers often target these networks to obtain confidential information for financial gain. Whenever possible, use the UChicago VPN (cVPN) to conduct university business for an added layer of protection. Still, be aware that hackers may be able to access your username, password or passphrase, and other private information by tracking your keystrokes remotely.

Change your password or passphrase regularly

The longer you have used a password or passphrase, the more likely it is that someone has managed to figure it out. Change your passwords or passphrases regularly, at least once a year. Passwords protecting your most sensitive information should be changed more frequently. To change your CNet password or passphrase, visit

Do not store your password or passphrase within web applications.

Many web browsers and email clients offer to store your password or passphrases (where applicable). This is not the best idea and should only be done with care. Never store passwords or passphrases associated with important services, such as financial accounts. Computer viruses and spyware programs can easily retrieve stored passwords or passphrases from these accounts. They may even be able to distribute your passwords or passphrases before you notice that anything is wrong.

The sole exception to this is what we'll call throwaway passwords. Throwaway passwords are passwords or passphrases for accounts of little significance and that do not contain sensitive information, such as credit card information, medical history, phone records, etc. A throwaway password might be one of several passwords you reuse for services or applications you rarely visit, which won't harm you if they are cracked by hackers and which do not contain sensitive data.

Never use information in a password or passphrase which can be found online.

For example, the names of the street you grew up on, your Harry Potter blog, the states you lived in, your obsession with making homemade canned goods on Pinterest, your likes on Facebook, and relatives' names can all be easily found online, and some websites are devoted solely to compiling biographical information about you, like MyLife or Ancestry.

Store written copies of your passwords or passphrases safely.

If you need to write down your password or passphrase temporarily or access it from a written source, please store it in a safe place. Do not write your passwords or passphrases down and place them under your keyboard or in an unlocked drawer. If you must write them down, consider leaving out some of the easily-remembered characters and inserting them when you type them in. Destroy the paper once you have memorized the passwords or passphrases.

Here are some tips for safely storing a hard copy of your password:

  • Never write down the name of the service the password is for. For example, if the password is for an Adobe application, do not write Adobe: spacecamp MashedPotatoes4! on a sheet of paper, no matter how safe you think that sheet of paper is.
  • Leave some characters out. Instead of writing spacecamp MashedPotatoes4! write down an abbreviated form that only you'll understand, for example, sc MP4!

Use a password or passphrase escrow service.

Departments can store a sealed package of passwords or passphrases in a fire safe with IT Security. Only designated parties will be able to retrieve the sealed package. For more information about this free service, see Password Escrow.

2Factor Authentication (2FA)

A final note: to strengthen your account security, IT Services strongly encourages you to opt in to 2Factor Authentication (2FA). 2Factor Authentication (2FA) enhances the security of your CNetID by using your phone, tablet or another device to verify that you are really you when you attempt to access university applications. This prevents anyone but you from using your account to log in to websites like MyUChicago, even if they know your CNetID password or passphrase.

More information about 2FA and how to use it may be found in the 2Factor Authentication (2FA) - Overview and in the 2Factor Authentication (2FA) - FAQ.

General Safe Computing Tips

For more security tips, visit our Safe Computing web site.

