Choose Strong Passwords and Keep Them Safe
Many tools exist to guess your weak password or steal your password.
An unauthorized person can use these passwords to access files and data, including your personal information (e.g., bank, benefits, health, financial aid), email, academic work, or University private data (e.g., student grades, birth dates, protected health information, proprietary research). They can also send malicious email impersonating you.
So what makes a strong password, passphrase, or pin, and how can you protect it?
Choose a Strong Password, Passphrase, or Pin
A password or passphrase can include letters, numbers, special characters (including spaces). Passphrases are words strung together into a phrase. A strong password uses a combination of length and character types, while a strong passphrase uses length and uniqueness of the words.
For mobile devices, use a complex password/pasphrase, complex drawn pattern, or fingerprint instead of a simple 4 digit pin.
Examples of a Strong Password, Passphrase, and Pin
- Password: a!Phab3T (the word alphabet with other characters)
- Passphrase: supermanismyhero OR funnydrinkorange
- Pin: 689174
What to Include
Longer passwords or passphrases increase the strength.
- Passwords, or passphrases of 8-15 characters need to include at least 3 of the following types of characters:
- Uppercase alphabetic characters (e.g., A-Z)
- Lowercase alphabetic characters (e.g., a-z)
- Numbers (e.g., 0-9)
- Special characters (e.g., ~ ! @ # $ % ^ & ( ) - _ + = ), including spaces
- Passwords, or passphrases of at least 16 characters need to include:
- Non-repetitive sequence of characters or words.
Other Things to Remember
When creating a password, passphrase, or pin:
- Avoid a number added to the beginning or end of a word.
- Avoid personal information (e.g., user ID, family or pet name, birthdate, or phone number).
- Avoid a keyboard pattern (e.g., qwerty) or duplicate characters (e.g., aabbccdd).
Keep Your Passwords, Passphrases and Pins Safe
Follow the good practices below.
- Protect your University of Minnesota Internet password and Duo Two-Factor Authentication access. These allow access to important University systems (e.g., MyU, UMN Google mail/apps, and PeopleSoft).
- Use your University Internet ID and password for only University accounts Use a unique ID and unique password for your personal accounts (e.g., your bank, personal email, and social media accounts).
- Use your Duo access wherever available when accessing University systems or data.
- Change your passwords or passphrases periodically or if you suspect someone else knows it.
- Report suspected misuse of University of Minnesota Internet password and Duo access to University Information Security at email@example.com.
- Store hints about passwords or passphrases, rather than the password or passphrase itself, in a secure location (e.g., wallet, locked file, or password manager).
- Use a password manager application with strong encryption. Maintain a backup copy of your passwords in a password manager.
- Completely close all applications you use on public computers when you leave and lock the screen of your personal device when it is unattended.
- DO NOT share your University of Minnesota Internet password and Duo access with anyone. Watch for Phishing scams that try to trick you into sharing your ID and password via email or Web forms.
- DO NOT store your passwords in an unencrypted format (e.g., document, wordpad, notepad, or email).
- DO NOT use “save my password” or “remember my password” features.
- DO NOT reuse a password or passphrase or change only one character.
- DO NOT use the same password or passphrase for multiple accounts (e.g., your email and bank accounts).
Remind yourself and others about these best practices by posting our Choose Strong Passwords (PDF) handout.