Good Practice

Choose Strong Passwords and Keep Them Safe

Challenge

Many tools exist to guess your weak password or steal your password.

An unauthorized person can use these passwords to access files and data, including your personal information (e.g., bank, benefits, health, financial aid), email, academic work, or University private data (e.g., student grades, birth dates, protected health information, proprietary research). They can also send malicious email impersonating you.

So what makes a strong password, passphrase, or PIN, and how can you protect it?

Solutions

Choose a Strong Password, Passphrase, or PIN

A password or passphrase can include letters, numbers, and special characters (including spaces). Passphrases are words strung together into a phrase. A strong password uses a combination of length and character types, while a strong passphrase uses length and uniqueness of the words.

For mobile devices, use a complex password/passphrase, complex drawn pattern, or fingerprint instead of a simple 4-digit PIN.

Examples of a Strong Password, Passphrase, and PIN

  • Password: a!Phab3T (the word alphabet with other characters)
  • Passphrase: supermanismyHero OR FunnyGlassOrange
  • PIN: 689174

What to Include

Longer passwords or passphrases are stronger. Use a non-repetitive sequence of characters or words.

  • Passwords or passphrases of at least 16 characters need to include two of the following types of characters:
    • Uppercase alphabetic characters (e.g., A-Z)
    • Lowercase alphabetic characters (e.g., a-z)
    • Numbers (e.g., 0-9)
    • Special characters (e.g., ~ ! @ # $ % ^ & ( ) - _ + = ), including spaces

Beginning November 1, 2018, to enhance security and enable more memorable passphrases, the University's password policy will require 16+ character passphrases using only a combination of uppercase and lowercase letters. After November 1, 2018, if you reset your password, you will be required to follow the new 16-character password guidelines. Learn more about how to create a secure and memorable passphrase.

  • Passwords or passphrases of 8-15 characters need to include three of the following types of characters:
    • Uppercase alphabetic characters (e.g., A-Z)
    • Lowercase alphabetic characters (e.g., a-z)
    • Numbers (e.g., 0-9)
    • Special characters (e.g., ~ ! @ # $ % ^ & ( ) - _ + = ), including spaces

Other Things to Remember

When creating a password, passphrase, or PIN:

  • Avoid a number added to the beginning or end of a word.
  • Avoid personal information (e.g., user ID, family or pet name, birthdate, or phone number).
  • Avoid a keyboard pattern (e.g., qwerty) or duplicate characters (e.g., aabbccdd).
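
The rules in "What to Include" and "Other Things to Remember" can be checked mechanically. The following is an added example, not University code: the names check_password, char_types and KEYBOARD_RUNS are hypothetical, and it assumes that fewer than 8 characters fails, that any non-alphanumeric character counts as special, and that "duplicate characters" means three or more doubled characters in a row.

```python
import re
import string

# Assumed sample list; the page names only "qwerty".
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn")

def char_types(pw):
    """Return the set of the four character types present in pw."""
    found = set()
    for c in pw:
        if c in string.ascii_uppercase:
            found.add("upper")
        elif c in string.ascii_lowercase:
            found.add("lower")
        elif c in string.digits:
            found.add("digit")
        else:
            # The page's special-character list is "e.g.", so anything else
            # (spaces included) is counted as special here: an assumption.
            found.add("special")
    return found

def check_password(pw, personal=()):
    """Return the list of rules pw breaks; an empty list means it passes."""
    problems = []
    types = len(char_types(pw))
    if len(pw) < 8:
        # Assumption: the page states no rule below 8 characters.
        problems.append("shorter than 8 characters")
    elif len(pw) < 16 and types < 3:
        problems.append("8-15 characters need three character types")
    elif len(pw) >= 16 and types < 2:
        problems.append("16+ characters need two character types")
    low = pw.lower()
    if any(run in low for run in KEYBOARD_RUNS):
        problems.append("keyboard pattern")
    # Assumed threshold: three or more doubled characters in a row (aabbcc).
    if re.search(r"(?:(.)\1){3,}", pw):
        problems.append("duplicate characters")
    if re.fullmatch(r"\d+[A-Za-z]+|[A-Za-z]+\d+", pw):
        problems.append("number added to the beginning or end of a word")
    if any(p and p.lower() in low for p in personal):
        problems.append("personal information")
    return problems

if __name__ == "__main__":
    for sample in ("a!Phab3T", "supermanismyHero", "Password1", "aabbccdd"):
        print(repr(sample), check_password(sample) or "ok")
```

The three example passwords and passphrases listed earlier pass, while a long all-lowercase phrase still fails the two-type requirement for 16 or more characters.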

Keep Your Passwords, Passphrases and PINs Safe

Follow the good practices below.

Do

  • Protect your University of Minnesota Internet password and Duo Two-Factor Authentication access. These allow access to important University systems (e.g., MyU, UMN Google mail/apps, and PeopleSoft).
  • Use your University Internet ID and password for only University accounts. Use a unique ID and unique password for your personal accounts (e.g., your bank, personal email, and social media accounts).
  • Use your Duo access wherever available when accessing University systems or data.
  • Change your passwords or passphrases periodically or if you suspect someone else knows them.
  • Report suspected misuse of University of Minnesota Internet password and Duo access to University Information Security at security@umn.edu.
  • Store hints about passwords or passphrases, rather than the password or passphrase itself, in a secure location (e.g., wallet, locked file, or password manager).
  • Use a password manager application with strong encryption. Maintain a backup copy of your passwords in a password manager.
  • Completely close all applications you use on public computers when you leave and lock the screen of your personal device when it is unattended.

Do Not

  • DO NOT share your University of Minnesota Internet password and Duo access with anyone. Watch for phishing scams that try to trick you into sharing your ID and password via email or web forms.
  • DO NOT store your passwords in an unencrypted format (e.g., document, wordpad, notepad, or email).
  • DO NOT use “save my password” or “remember my password” features.
  • DO NOT reuse a password or passphrase or change only one character.
  • DO NOT use the same password or passphrase for multiple accounts (e.g., your email and bank accounts).