Protect Passwords

Why should you protect passwords? Because passwords can be used to:

• Gain access to your computer or mobile device and to data on it.
• Authorize transactions without your knowledge.
• Access programs, files and applications that only you and/or a selected group of others should have access to.
• Change passwords and lock you out of your own accounts.

ITS will disable UCSC passwords that are suspected of being compromised.

Use passwords that can't be easily guessed, and keep your passwords secret.

• Passwords should be at least eight (8) characters long with a mixture of upper- and lower-case letters, numbers, and symbols. Passwords that can't be this complex should be at least 10 characters long.
• Passwords shouldn't be a complete dictionary word in any language spelled forwards or backwards, or a word preceded or followed by a digit (e.g., password1, 1password), your username or login, child's name, pet's name, birthdays, abc123, qwerty123, password1, or anything else easily guessable.
• A longer password consisting of several words separated by spaces can actually be more secure and easier to remember than a more complicated, obscure one. For example, "The hills are alive with the sound of music!" is actually a pretty good password, except for the fact that that it is inconveniently long and published here. A shorter version could be, “Hills! alive! Music!” A shorter version using a variant on the first letter of each word could be, "ThRawts0m!" A few memorable, unrelated words can also be a good password, as illustrated in this cartoon.
• Be aware that "password cracker" programs check for common symbol substitutions in words, such as "0" for "o" and "$" for "s". Simply substituting common symbols for letters in a dictionary word, e.g. "Pa$$w0rd" instead of "Password," might result in a guessable password even though it technically meets the above requirements.
  • Microsoft's password strength checker - to help gauge the strength of a password
• Password cracker programs now also check for complete dictionary words in a row, separated by spaces or not, so it's always best to modify dictionary words. "The hylls are alyve w/the sound of musyc!" is much harder to guess than "The hills are alive with the sound of music!" It's also harder to remember, so it's a trade-off.
• Use different passwords for different accounts. At a minimum, use a different password for less sensitive accounts than for more sensitive accounts. Also use different passwords for work and non-work.
• Passwords should not be examples you have seen in print, such as the ones on this page.

Protect your Passwords

• Don't reveal your passwords to anyone, even if they say there’s a good reason.
  • This includes co-workers and supervisors.
  • ITS will never ask you for your password. Neither should any reputable service provider.
• Avoid writing your passwords down.
  • PASSWORD MANAGERS: Passwords can also be stored securely in free and low-cost "password vault-type" encryption tools, including your computer's keychain. See UCSC's Password Standards for details.
  • If you store your passwords in a file on your computer, don't include the word "password," "pwd" or anything along these lines in the filename or in the file, itself.
  • If you need to write your password down on paper, safeguard the paper in a locked drawer or cabinet rather than posted on your monitor, under your keyboard, or in a drawer near your computer!
  • Better yet, use a phrase to help you remember your password (see above)
• Change initial passwords, password resets and default passwords the first time you log in. These passwords can be extra vulnerable to guessing or hacking.
• Ensure that passwords are transmitted securely. Before logging in to a web site, look for "https" (not http) in the URL to indicate that there is a secure connection.

Enable two-step/Multi-Factor authentication or other layers of protection where available
Adding another layer of protection means someone needs more than just your password to get in.

• Examples include use of a one-time code in addition to a password, typically sent via text, app, or voice when you want to log in; thumb scans (biometrics); and lockouts after several incorrect login attempts.
• MFA is required for access to the Data Center VPN, and will be increasingly required for access to restricted data or privileged accounts.
• Enable Google's two-step verification for your UCSC Google account.

Special notes about mobile devices

• Password-protect your mobile device with a strong password. Set it to automatically lock after a short period of inactivity, and be sure your device requires a password to start up or resume activity.
• Don't store passwords that provide access to restricted data on mobile devices unless they are encrypted.
• More information about mobile security

Additional information and tips

• UCSC's Password Strength and Security Standards - REQUIRED for passwords that protect restricted data
• Change your CruzID password

GETTING HELP:

Contact the ITS Support Center if you would like your computer configured to meet these requirements. If you have questions, contact the Support Center or your ITS Divisional Liaison.

(Back to Minimum Requirements Main Page)

Rev. Sept 2015