Use strong passwords and passphrases

Strong passwords and good password practices are vital for protecting data.

Tips

  • UW NetID passwords should never be re-used on other accounts.
  • Use multi-factor or two-factor authentication for added protection.
  • Passwords should be at least 16 characters.
  • Use a passphrase to make your password memorable.
  • Use a combination of letters, numbers, and keyboard characters.
  • Password managers can help you create long, random passwords for your accounts.

More details

Use different passwords for different accounts so that if one account is compromised, the others won’t be at risk. University accounts have been compromised because of passwords being used across accounts.

Use multi-factor authentication or two-factor authentication (MFA/2FA) to add another layer of protection to your password. Generally, the additional factor is a mobile phone app that allows you to confirm that you really are trying to log in. Learn more about Duo, the UW’s 2FA solution, on IT Connect.

Length is more important than password complexity. The longer a password is, the harder it is for adversaries to compromise your account. Use at least 16 characters whenever possible. Review this article to find out why.

But complexity is also important, so include upper and lower case letters, numbers, and special characters. A password should use at least 3 of these choices whenever possible.
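The length and complexity guidance above, written as a small checker. This is an added example, not part of the original page; the function names and the sample passwords in the final lines are constructed for illustration, and the bit count is an upper bound that only holds when every character is chosen at random.

```python
import math
import string

# Rules taken from the page: at least 16 characters, at least 3 of 4 character kinds.
MIN_LENGTH = 16
MIN_CLASSES = 3
# The page's own sample passphrase is public, so it is rejected outright
# (listed with and without its trailing period).
PUBLISHED_EXAMPLES = {"Buddy likes 2 b&rk @squirrelz.", "Buddy likes 2 b&rk @squirrelz"}


def character_classes(password):
    """Return the set of character kinds present in the password."""
    kinds = set()
    for ch in password:
        if ch.islower():
            kinds.add("lower")
        elif ch.isupper():
            kinds.add("upper")
        elif ch.isdigit():
            kinds.add("digit")
        else:
            kinds.add("special")  # spaces, punctuation, symbols
    return kinds


def check_guidance(password):
    """Return a list of problems; an empty list means the guidance is met."""
    problems = []
    if password in PUBLISHED_EXAMPLES:
        problems.append("published example")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 16 characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append("fewer than 3 character kinds")
    return problems


def search_space_bits(length, alphabet_size):
    """log2 of the number of possible strings of this length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    all_printable = len(string.ascii_letters + string.digits + string.punctuation)  # 94
    print("8 chars, all 94 symbols :", round(search_space_bits(8, all_printable), 1), "bits")
    print("16 chars, lowercase only:", round(search_space_bits(16, 26), 1), "bits")
    for candidate in ("password123", "Tall-ferns 7 hum quietly"):  # constructed samples
        print(repr(candidate), "->", check_guidance(candidate) or "meets the guidance")
```

A 16-character lowercase string has a larger search space than an 8-character string drawn from every keyboard symbol, which is why the page puts length first; human-chosen phrases fall well below these figures, which is where the added character kinds help.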

Password managers are a great way to organize your passwords. They provide a way to back up your passwords and synchronize them across multiple systems.

Change default passwords on any account, system, or device that you use. Malicious hackers sometimes use tools that search networks for devices and applications that are still using the default username and passwords set by the vendor. Some tools allow them to find such devices within minutes after they are connected to the Internet. Additionally, default passwords for many devices are published online. Be sure to immediately change the default password on any account, device, or system you are responsible for, including wireless routers in your home.

More about passphrases

If it’s difficult to remember a long password, consider using a passphrase or a combination of words instead. Use spaces or special characters to make your password random and long, yet memorable to you. Here is an example:

Buddy likes 2 b&rk @squirrelz. (But don’t use this particular password, by the way.)

When creating memorable passphrases, keep in mind that it’s important to use phrases that are unique and meaningful only to you. Don’t use well-known phrases, such as movie titles or quotes from Shakespeare texts.

Resources

OIS Passwords Tip Sheet
OIS Passwords and Passphrases online training
IT Connect: LastPass Password Manager
CISA: Secure Our World infographic