Good Practice

Choose Strong Passwords and Keep Them Safe


Many tools exist to guess a weak password or to steal your password.

An unauthorized person can use these passwords to access files and data, including your personal information (e.g., bank, benefits, health, financial aid), email, academic work, or University private data (e.g., student grades, birth dates, protected health information, proprietary research). They can also send malicious email impersonating you.

So what makes a strong password and how can you protect it?


Choose a Strong Password or Passphrase

A password or passphrase can include letters, numbers, and special characters (including spaces). Passphrases are phrases, sometimes taken from a favorite song lyric or quote. A strong password or passphrase uses a combination of length and character types.

For mobile devices, use a complex password, complex drawn pattern, or fingerprint instead of a simple 4-digit PIN.

Examples of a Strong Password and Passphrase

  • Password: a!Phab3T (the word alphabet with other characters)
  • Passphrase: Superman is $uper str0ng!

What to Include

Passwords or passphrases of 8-12 characters need to include at least 3 of the following types of characters:

  • Uppercase alphabetic characters (e.g., A-Z)
  • Lowercase alphabetic characters (e.g., a-z)
  • Numbers (e.g., 0-9)
  • Special characters (e.g., ~ ! @ # $ % ^ & ( ) - _ + = ), including spaces

Longer passwords or passphrases increase the strength.

Other Things to Remember

When creating a password or passphrase:

  • Avoid a number added to the beginning or end of a word.
  • Avoid personal information (e.g., user ID, family or pet name, or birthday).
  • Avoid a keyboard pattern (e.g., qwerty) or duplicate characters (e.g., aabbccdd).
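The rules under "What to Include" and "Other Things to Remember" can be checked mechanically. The following is an added example, not part of the original handout or any University tool. Its assumptions: passwords shorter than 8 characters are rejected, the character-type rule is applied only to the 8-12 range, a keyboard pattern means 4 or more adjacent keys in a row, and the `personal` parameter is a hypothetical list of strings the caller supplies.

```python
import re
import string

# Special characters listed on the page, plus the space it explicitly allows.
SPECIALS = set("~!@#$%^&()-_+= ")
# Assumption: a small sample of keyboard rows; the page names only "qwerty".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def char_classes(pw):
    """Count how many of the page's four character types appear."""
    return sum([
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in SPECIALS for c in pw),
    ])


def has_keyboard_run(pw, run=4):
    """True if `run` consecutive keys of a row (either direction) appear."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def check_password(pw, personal=()):
    """Return a list of findings; an empty list means no rule was tripped."""
    findings = []
    if len(pw) < 8:  # assumption: 8 is treated as the minimum length
        findings.append("shorter than 8 characters")
    elif len(pw) <= 12 and char_classes(pw) < 3:
        findings.append("8-12 characters but fewer than 3 character types")
    # A single word with digits only at the start or only at the end.
    if re.fullmatch(r"\d+[A-Za-z]+|[A-Za-z]+\d+", pw):
        findings.append("word with a number added at the beginning or end")
    if any(p and p.lower() in pw.lower() for p in personal):
        findings.append("contains personal information")
    if has_keyboard_run(pw):
        findings.append("contains a keyboard pattern")
    # Three or more doubled characters in a row, as in "aabbccdd".
    if re.search(r"(?:(.)\1){3,}", pw):
        findings.append("contains repeated duplicate characters")
    return findings
```

An empty result only means none of the handout's listed rules was tripped; the checker does not detect reuse across accounts or passwords that already appear in breach lists.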

Keep Your Passwords and Passphrases Safe

Follow the good practices below.


  • Protect your University of Minnesota Internet password and Duo Two-Factor Authentication access. These allow access to important University systems (e.g., MyU, UMN Google mail/apps, and PeopleSoft).
  • Use your Duo access wherever available when accessing University systems or data.
  • Change your passwords or passphrases periodically or if you suspect someone else knows them.
  • Report suspected abuse of University of Minnesota Internet password and Duo access to University Information Security at
  • Store hints about passwords or passphrases, rather than the password or passphrase itself, in a secure location (e.g., wallet, locked file, or password manager).
  • Use a password manager application with strong encryption. Maintain a backup copy of your passwords in a password manager.
  • Completely close all applications you use on public computers when you leave and lock the screen of your personal device when it is unattended.

Do Not

  • DO NOT share your University of Minnesota Internet password and Duo access with anyone.
  • DO NOT share your passwords or passphrases with anyone. Phishing scams try to trick you into sharing your ID and password via email or Web forms.
  • DO NOT store your passwords in an unencrypted format (e.g., document, WordPad, Notepad, or email).
  • DO NOT use “save my password” or “remember my password” features.
  • DO NOT reuse a password or passphrase or change only one character.
  • DO NOT use the same password or passphrase for multiple accounts (e.g., do not use your University Internet password for your online banking account).

Post Handout

Remind yourself and others about these best practices by posting our Choose Strong Passwords (PDF) handout.