Why should you protect passwords? Because passwords can be used to:
- Gain access to your computer or mobile device and to data on it.
- Authorize transactions without your knowledge.
- Access programs, files and applications that only you and/or a selected group of others should have access to.
- Change passwords and lock you out of your own accounts.
Use cryptic passwords that can't be easily guessed, and keep your passwords secret.
- Passwords should be at least eight (8) characters long with a mixture of upper- and lower-case letters, numbers, and symbols. Passwords that can't be this complex should be at least 10 characters long.
- Passwords shouldn't use complete dictionary words in any language, spelled forwards or backwards, or a word preceded or followed by a digit (e.g., password1, 1password); nor your username or login, a child's name, a pet's name, birthdays, abc123, qwerty123, or anything else easily guessable.
- A longer password consisting of several words separated by spaces can actually be more secure and easier to remember than a more complicated, obscure one. For example, "The hills are alive with the sound of music!" is actually a pretty good password, except for the fact that it is inconveniently long and published here. A shorter version could be "Hills! alive! Music!" A shorter version using a variant on the first letter of each word could be "ThRawts0m!" A few memorable, unrelated words can also be a good password.
- Be aware that "password cracker" programs check for common symbol substitutions in words, such as "0" for "o" and "$" for "s". Simply substituting common symbols for letters in a dictionary word, e.g. "Pa$$w0rd" instead of "Password," might result in a guessable password even though it technically meets the above requirements.
- Password cracker programs now also check for complete dictionary words in a row, separated by spaces or not, so it's always best to modify dictionary words. "The hills are alyve w/the sound of musyc!" is much more secure than "The hills are alive with the sound of music!" It's also harder to remember, so it's a trade-off.
- Use different passwords for different accounts. At a minimum, use a different password for less sensitive accounts than for more sensitive accounts. Also use different passwords for work and non-work accounts.
- Passwords should not be examples you have seen in print, such as the ones on this page.
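As an added example (not part of the original page), here is a small Python checker that applies the rules above: the 8-character minimum when all four character classes are present and 10 otherwise, a leading or trailing digit stripped before the dictionary lookup, the "0"-for-"o" and "$"-for-"s" substitutions undone, and a rejection of any password that splits entirely into dictionary words, with or without spaces. It assumes a tiny constructed word list in place of a real dictionary, and reads "mixture of upper- and lower-case letters, numbers, and symbols" as requiring all four classes.

```python
import re

# Constructed stand-in for a real word list (assumption: a deployment would load a full dictionary).
DICTIONARY = {"password", "the", "hills", "are", "alive", "with", "sound", "of",
              "music", "qwerty", "abc", "letmein"}
MAX_WORD = max(len(w) for w in DICTIONARY)

# Symbol-for-letter swaps that cracking tools undo before a dictionary lookup
# ("0" for "o" and "$" for "s" are from the page; "@" and "3" are added assumptions).
LEET = str.maketrans({"0": "o", "$": "s", "@": "a", "3": "e"})

def normalize(pw: str) -> str:
    """Drop leading/trailing digits (password1, 1password), undo leet swaps,
    lower-case, and keep only letters, so 'Pa$$w0rd' becomes 'password'."""
    core = re.sub(r"^\d+|\d+$", "", pw)
    return re.sub(r"[^a-z]", "", core.lower().translate(LEET))

def all_dictionary_words(letters: str) -> bool:
    """True if the letter string splits entirely into dictionary words, with or
    without separators ('thehillsarealive' as well as 'the hills are alive')."""
    if not letters:
        return False
    ok = [True] + [False] * len(letters)          # ok[i]: letters[:i] is segmentable
    for i in range(1, len(letters) + 1):
        ok[i] = any(ok[j] and letters[j:i] in DICTIONARY
                    for j in range(max(0, i - MAX_WORD), i))
    return ok[-1]

def check_password(pw: str) -> list[str]:
    """Return the page's rules that the password violates; an empty list means it passes."""
    problems = []
    classes = [re.search(p, pw) is not None for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")]
    # All four character classes: 8+ characters; anything less mixed: 10+.
    minimum = 8 if all(classes) else 10
    if len(pw) < minimum:
        problems.append(f"shorter than {minimum} characters for this level of complexity")
    if all_dictionary_words(normalize(pw)):
        problems.append("built only from dictionary words (even with symbol substitutions or a digit added)")
    return problems

if __name__ == "__main__":
    for candidate in ["Pa$$w0rd", "password1", "qwerty123",
                      "The hills are alive with the sound of music!",
                      "The hills are alyve w/the sound of musyc!", "ThRawts0m!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

With this word list, "Pa$$w0rd" is rejected as a disguised dictionary word despite meeting the length and character-class rule, while "ThRawts0m!" and the misspelled song-title passphrase pass.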
Protect your Passwords
- Don't reveal your passwords to anyone, even if they say there’s a good reason.
- This includes co-workers and supervisors.
- ITS will never ask you for your password. Neither should any reputable service provider.
- Avoid writing your passwords down.
- If you need to write your password down on paper, safeguard the paper in a locked drawer or cabinet rather than posted on your monitor, under your keyboard, or in a drawer near your computer!
- Better yet, use a phrase to help you remember your password (see above).
- Passwords can also be stored securely in free and low-cost "password vault-type" encryption tools, including your computer's keychain. See UCSC's Password Standards for details.
- Change initial passwords, password resets and default passwords the first time you log in. These passwords can be vulnerable to guessing or hacking.
- Ensure that passwords are transmitted securely. Before logging in to a web site, look for "https" (not http) in the URL to indicate that there is a secure connection.
- UCSC passwords known to be compromised will be scrambled.
Enable two-factor authentication or other layers of protection where available
Adding another layer of protection means someone needs more than just your password to get in.
- Examples include a one-time code required in addition to a password (typically sent by text message, app, or voice call when you log in), thumb scans (biometrics), and lockouts after several incorrect login attempts.
- Google has two-factor authentication.
Special notes about mobile devices
- Password-protect your mobile device with a strong password. Set it to automatically lock after a short period of inactivity, and be sure your device requires a password to start up or resume activity.
- Don't store passwords that provide access to restricted data on mobile devices unless they are encrypted.
- More information about mobile security
Additional information and tips
- UCSC's Password Strength and Security Standards - REQUIRED for passwords that protect restricted data
- Change your CruzID password
- Printable instructions (flyer-PDF)
- Video on creating a good password from rocketboom.com
- Microsoft's password strength checker - to help gauge the strength of a password
Rev. Aug 2014