Adopting Good Password Management
Username and password combinations are the most common means of providing access to information. A username identifies you as a unique individual, and your password is then used to prove your identity. Passwords work in this way because you should be the only person who knows your password.
In reality, passwords are commonly compromised, often due to poor password management on the part of the user. Information is placed at risk of theft or misuse when passwords are compromised; therefore, good password management is required. Adopt good password management by following these simple guidelines:
- Consider using a phrase rather than a single word
  - A phrase (i.e. more than one word) usually results in a password that is longer, more complex and therefore more secure than a password formed from a single word.
  - Passwords formed from phrases also help ensure your password is memorable.
- Passwords provide accountability, as they prove your identity
  - If someone logs in with your username and password, you are likely to be held accountable for any actions that are performed.
  - You must change your password immediately if you think it may have been compromised.
- Never share your password with anyone
  - Do not share it even with people you trust, such as friends, colleagues or the IT helpdesk. There are no exceptions to this rule.
  - If you share your password, you will be held responsible for any loss, damage or misconduct that arises from its use.
- Avoid saving your password anywhere
  - If you must save it, ensure that it is never saved in clear text (i.e. without encryption).
  - If you save your password in an unprotected file or email it in clear text, it can be viewed by anyone.
- Never write down your password
  - Do not post passwords or usernames near your computer (Post-it notes are not for passwords…).
  - Wherever possible, passwords should be committed to memory.
- Organize all of your many passwords
  - Consider using a naming convention or logic that only you know. This will increase password memorability and save you from using the same password for everything.
  - You may wish to use password vault software, allowing you to encrypt and store all of your passwords in one centralized place. Good examples of such software include Password Safe (http://passwordsafe.sourceforge.net/) and KeePass (http://keepass.info/).
- Passwords must not be reused or recycled
  - Using the same password for multiple systems is highly insecure. If someone were to obtain the password, they would have access to all systems that use it.
  - Additionally, when changing passwords, do not use a previously used password.
- Never use a password that could be easily deduced or guessed by others
  - Do not use dictionary words, names or birthdates, as these can be deduced in seconds.
  - Instead, use a mix of uppercase, lowercase, numbers and special characters to form your password, and ensure that it is at least 8 characters in length.
  - For example, Th15_is~MyP&ssword! is a lot more secure than thisismypassword.
- Switch your password to a new one on a regular basis
  - If a password never changes over time, it is more likely to be compromised.
  - Aim to change your password at least every quarter.
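The guidelines above (at least 8 characters, a mix of all four character classes, no dictionary words, names or birthdates, no reuse of a previous password, and never keeping the history in clear text) can be turned into a checker that a system could apply when a new password is chosen. The following is an added example, not code from this page or from the vault products it names; the common-word list and the personal terms are constructed stand-ins for a real wordlist and a user's profile data, and the password-history format (salt and PBKDF2 hash per entry) is this example's own assumption.

```python
import hashlib
import os
import re

MIN_LENGTH = 8
# Constructed stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}
# Constructed stand-in for names and birthdates taken from a user's profile.
PERSONAL_TERMS = {"alice", "smith", "19840521"}


def character_classes(password):
    """Count how many of the four classes the guideline lists are present."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def record_password(password):
    """Store a salted PBKDF2 hash so the history is never kept in clear text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex(), digest.hex()


def was_used_before(password, history):
    """Compare the candidate against each (salt, hash) pair from record_password."""
    for salt_hex, digest_hex in history:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), 100_000)
        if digest.hex() == digest_hex:
            return True
    return False


def check_password(password, history=()):
    """Return the list of guideline rules the candidate breaks (empty = accepted)."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 4:
        reasons.append("does not mix upper, lower, digits and special characters")
    if any(term in lowered for term in COMMON_WORDS | PERSONAL_TERMS):
        reasons.append("contains a dictionary word, name or birthdate")
    if re.search(r"(19|20)\d{2}", password):
        reasons.append("contains a year, which looks like a birthdate")
    if was_used_before(password, history):
        reasons.append("reuses a previous password")
    return reasons
```

Running it on the page's own pair confirms the claim: Th15_is~MyP&ssword! passes every rule, while thisismypassword is rejected for using only lowercase letters and for containing the dictionary word "password".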
Check out the Password Management video in the multimedia section of the site.