October 12, 2023

Passwords are still here and still important

For at least a decade there has been an interesting and complex discussion about whether passwords are “dead” or not, but to this day, strong passwords remain a vital part of securing personal and institutional data.

Below are some quick reminders about good password practices; review our passwords tip sheet and online training for more information.

  • Use different passwords for different accounts so that if one account is compromised, the others won’t be at risk. University accounts have been compromised because of passwords being reused across accounts.
  • Use multi-factor authentication or two-factor authentication (MFA/2FA) to add another layer of protection to your password. Generally, the additional factor is a mobile phone app that allows you to confirm that you really are trying to log in. Learn more about Duo, the UW’s 2FA solution, on IT Connect.
  • Length is more important than password complexity. The longer a password is, the harder it is for adversaries to compromise your account. Use at least 16 characters whenever possible. Review this article to find out why.
  • But complexity is also important, so include upper and lower case letters, numbers, and special characters. A password should use at least 3 of these choices whenever possible.
  • Password managers are a great way to organize your passwords. They provide a way to back up your passwords and synchronize them across multiple systems.
  • Change default passwords on any account, system, or device that you use. Malicious hackers sometimes use tools that search networks for devices and applications that are still using the default usernames and passwords set by the vendor. Some tools allow them to find such devices within minutes after they are connected to the Internet. Additionally, default passwords for many devices are published online. Be sure to immediately change the default password on any account, device, or system you are responsible for, including wireless routers in your home.
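
To make the length and complexity reminders above concrete, here is an added example (not part of the original post) that checks a password against the two thresholds in this list and estimates its brute-force search space. The function names and sample passwords are constructed for illustration, and the estimate assumes every character is chosen at random, so it is an upper bound for passwords people make up themselves.

```python
import math
import string

# The four character classes named in the list above.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digit": string.digits,            # 10 characters
    "special": string.punctuation,     # 32 characters
}
MIN_LENGTH = 16    # "at least 16 characters"
MIN_CLASSES = 3    # "at least 3 of these choices"


def classes_used(password):
    """Return the sorted names of the character classes present."""
    return sorted(name for name, chars in CLASSES.items()
                  if any(c in chars for c in password))


def search_space_bits(password):
    """Brute-force search space in bits: length * log2(alphabet size).

    Assumption: characters are picked uniformly at random from the classes
    used. Characters outside the four classes (spaces, non-ASCII) are not
    counted toward the alphabet.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check(password):
    """Evaluate a password against the length and class thresholds."""
    used = classes_used(password)
    return {
        "length_ok": len(password) >= MIN_LENGTH,
        "classes_ok": len(used) >= MIN_CLASSES,
        "classes": used,
        "bits": round(search_space_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed samples: short but complex, long but simple, long and mixed.
    for sample in ("aB3$xY7!", "qzvmhtkrwpbyxnjd", "qzvmhtkrWPBY7391"):
        print(sample, check(sample))
```

The 8-character sample uses all four classes yet has a smaller search space than the 16-character lowercase one, which is why length comes first in the list.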

Learn more

Wired: Why the Password Isn’t Dead Quite Yet
IT Connect: LastPass Enterprise Password Manager
Cybersecurity & Infrastructure Security Agency (CISA): Password guidance
Learn more about CISA’s Cyber Smart campaign
SANS: Strong, Secure Passwords Are Key
Schneier on Security: Passwords Are Terrible (Surprising No One)