Why should you protect passwords? Because passwords can be used to:
- Gain access to your computer or mobile device and to data on it.
- Authorize transactions without your knowledge.
- Access programs, files and applications that only you and/or a selected group of others should have access to.
- Change passwords and lock you out of your own accounts.
ITS will disable UCSC passwords that are suspected of being compromised.(Back to Minimum Requirements Main Page)
Use cryptic passwords that can't be easily guessed, and keep your passwords secret.
- Passwords should be at least eight (8) characters long with a mixture of upper- and lower-case letters, numbers, and symbols. Passwords that can't be this complex should be at least 10 characters long.
- Passwords shouldn't use complete dictionary words in any language spelled forwards or backwards, or a word preceded or followed by a digit (e.g., password1, 1password), your username or login, child's name, pet's name, birthdays, abc123, qwerty123, password1, or anything else easily guessable.
- A longer password consisting of several words separated by spaces can actually be more secure and easier to remember than a more complicated, obscure one. For example, "The hills are alive with the sound of music!" is actually a pretty good password, except for the fact that that it is inconveniently long and published here. A shorter version could be, “Hills! alive! Music!” A shorter version using a variant on the first letter of each word could be, "ThRawts0m!" A few memorable, unrelated words can also be a good password, as illustrated in this cartoon.
- Be aware that "password cracker" programs check for common symbol substitutions in words, such as "0" for "o" and "$" for "s". Simply substituting common symbols for letters in a dictionary word, e.g. "Pa$$w0rd" instead of "Password," might result in a guessable password even though it technically meets the above requirements.
- Microsoft's password strength checker - to help gauge the strength of a password
- Password cracker programs now also check for complete dictionary words in a row, separated by spaces or not, so it's always best to modify dictionary words. "The hills are alyve w/the sound of musyc!" is much harder to guess than "The hills are alive with the sound of music!" It's also harder to remember, so it's a trade-off.
- Use different passwords for different accounts. At a minimum, use a different password for less sensitive accounts than for more sensitive accounts. Also use different passwords for work and non-work.
- Passwords should not be examples you have seen in print, such as the ones on this page.
Protect your Passwords
- Don't reveal your passwords to anyone, even if they say there’s a good reason.
- This includes co-workers and supervisors.
- ITS will never ask you for your password. Neither should any reputable service provider.
- Avoid writing your passwords down.
- If you need to write your password down on paper, safeguard the paper in a locked drawer or cabinet rather than posted on your monitor, under your keyboard, or in a drawer near your computer!
- Better yet, use a phrase to help you remember your password (see above)
- Passwords can also be stored securely in free and low-cost "password vault-type" encryption tools, including your computer's keychain. See UCSC's Password Standards for details.
- Change initial passwords, password resets and default passwords the first time you log in. These passwords can be vulnerable to guessing or hacking.
- Ensure that passwords are transmitted securely. Before logging in to a web site, look for "https" (not http) in the URL to indicate that there is a secure connection.
Enable two-factor authentication or other layers of protection where available
Adding another layer of protection means someone needs more than just your password to get in.
- Examples include use of a one-time code in addition to a password – typically sent via text, app, or voice when you want to log in, thumb scans (biometrics) and lockouts after several incorrect login attempts.
- Google's two-factor verification.
Special notes about mobile devices
- Password-protect your mobile device with a strong password. Set it to automatically lock after a short period of inactivity, and be sure your device requires a password to start up or resume activity.
- Don't store passwords that provide access to restricted data on mobile devices unless they are encrypted.
- More information about mobile security
Additional information and tips
- UCSC's Password Strength and Security Standards - REQUIRED for passwords that protect restricted data
- Change your CruzID password
- Video on creating a good password from rocketboom.com
Rev. Oct 2014