Passwords Tips and Tricks

Last Updated: 10/04/2013

IdentiKey passwords

IdentiKey passwords must meet the following requirements:

  • Must be at least 10 characters long
  • Must include at least 3 character classes (alpha, numeric, symbols)
  • Cannot contain your CU Login Name
  • Cannot contain your first or last name
  • Cannot contain 3 or more contiguously repeated characters (a password with the string 'aaa' will not be allowed)
  • Cannot contain the following characters: tab, space, double-quote (“), colon (:)
  • Must not be one of your last five passwords

Important DOs and DON'Ts

First, it's good to remember that despite the term, there is no need for passwords to be actual words. Indeed passwords that are not actual words are harder to guess (an extremely desirable property). One of the best ways to keep your computer and your private information protected is to have a strong password.

Some tips for strong passwords...

  • DON'T use your login name in any form; as-is, reversed, capitalized, doubled, etc.
  • DON'T use any names, be it a relative of yours or character in a novel, book, or movie.
  • DON'T use other information easily obtained about you. This includes birthdates, license plate numbers, telephone numbers, your street name, etc.
  • DON'T use a password made up of all digits, or of all the same letter. This significantly decreases the search time for a hacker.
  • DON'T use a word contained in English or foreign language dictionaries, spelling lists, or other words lists.
  • DON'T use a password shorter than 10 characters
  • DON'T share your password with anyone.
  • DON'T use consecutive or adjacent keys.
  • DON'T use "remember my password features."
  • DO use a mixed-case password, such as HYuj4iP or 3rtIdlP.
  • DO include a mix of upper and lower case, numbers, and punctuation
  • DO use a password that you can type quickly without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
  • DO change your password regularly.
  • DO use a long password (at least 10 characters)
  • DO have classes of passwords:
    • Office
    • Financial
    • Personal

How to pick a password you can remember

People rightly complain that it can be hard to remember a strong password. One common mnemonic device for simple recollection consists of an easily remembered word, phrase, or rhyme whose initials or other characteristics are associated with the list items. A way of remembering biological groupings in taxonomy is the phrase "Kings Play Chess Often For Great Sport."  The letters stand for Kingdom, Phylum, Class (biology), Order (biology), Family (biology), Genus, and Species. The idea lends itself well to memorizing hard-to-break passwords as well.

Personal mnemonics, or things that are memorable to you but not to others, are commonly recommended. For example, the password Iw21wIfvP, a difficult to remember string of letters and numbers, derives from, "I was 21 when I first visited Paris," is probably easily remembered by the creator. However, if your first experience in Paris is important to you, it may be possible to guess this password from general knowledge of you, and this would not be a sensible password choice.

Use a trusted password manager

Computer users are generally advised to never write a password down anywhere, no matter what, and to never use the a password for more than one account. This advice has the unintended consequence that many computer users select weak passwords, even for important accounts, and they end up using the same password everywhere.

Rather, use strong, unique passwords for each online service you use and store them in a reputable password manager like:

KeePass
Strip
Roboform
LastPass
1Password

If you absolutely need to write down a password, never store it in obvious places, such as address books, Rolodex files, under drawers or keyboards, or behind pictures. The worst, but all too common location, is a Post-it note near the computer. Better locations are a safety deposit box or a locked file cabinet. Software is available for popular hand-held computers that can store passwords for numerous accounts in encrypted form.

Another approach is to use a few passwords.  For example choose simple password for low security accounts, such as newsletters or web registrations, then select separate, strong passwords for IdentiKey passwords and financial accounts.

Public computers may not always be securely configured pose a threat to your privacy by storing your password or web cookies. Think twice about going to a secure site if you can not verify the security of the computer. When you log out of a computer in an OIT lab or OIT "scarpie" kiosk your privacy is protected.

Don't forget that getting passwords by manipulation of users is an example of social engineering. An attacker might telephone a user and say, "Hi. OIT here. We're doing a security test. Can we have your password so we can proceed?" Know that OIT (and virtually every reputable company you do business with) will not ask for your password,  and rarely, if ever, need to know your password in order to perform the work.

Learn More