How to create a secure password

Passwords are our first line of defense against unauthorized access to our online information. When it comes to passwords, length matters more than complexity. For example, an 8-character password mixing upper- and lowercase letters, numbers and special characters has roughly 95^8, or 6.6 × 10^15, possible values; a well-resourced offline brute-force attack against a fast, unsalted password hash can try all of them in minutes to hours. A 15-character password using only upper- and lowercase letters has roughly 52^15, or 5 × 10^25, possible values and would take the same attacker centuries or more to exhaust.

Let’s cover what practices to avoid and adopt when constructing a password.

Avoid using:

  • A password under 15 characters. 
  • The same password or pattern for all of your accounts. 
  • Personal data that is public or easily researched (birthdays, pet names, street addresses) and can therefore be guessed.

Practices to adopt

  • Choosing combinations of letters, numbers, and special characters, in addition to (not instead of) length.
  • We suggest using a passphrase built from a sentence only you would think of, such as a line from a favorite song or joke, keeping the first letter of each word plus the punctuation. For example, “Jack and Jill went up the hill to fetch a pail of water. Jack fell down!” becomes J&Jwuth2f@pow.Jfd! (18 characters). Avoid phrases publicly associated with you, and never reuse a password that has appeared in a breach.
  • Using a password manager (more on this below)

Your passwords are the keys to your online life. Protect them as you would the keys to your home: never give them away, and keep them as secure as possible. Enable multi-factor authentication wherever it is offered.
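To make the length-versus-complexity comparison above concrete, here is an added example (not part of the original page or of UD IT's material) that computes the keyspace, the entropy in bits and the worst-case time to exhaust a policy at an assumed guess rate. The guess rates are illustrative assumptions, not measurements; the point it makes beyond the text is that the same password survives a slow, tuned hash (bcrypt, Argon2) vastly longer than a fast one, and that the entropy figures only hold for passwords chosen uniformly at random.

```python
import math

# Alphabet sizes for the two policies compared in the text.
# 95 = printable ASCII (26 lower + 26 upper + 10 digits + 33 symbols);
# 52 = upper- and lowercase letters only.
MIXED_ALPHABET = 95
LETTERS_ONLY = 52

# Guess rates are ASSUMED for illustration, not measured: an offline attack
# by a multi-GPU rig against a fast, unsalted hash (NTLM, MD5) versus the
# same rig against a slow, tuned hash (bcrypt, Argon2). Real figures vary
# with hardware and settings by orders of magnitude.
FAST_HASH_RATE = 1e13   # guesses per second
SLOW_HASH_RATE = 1e5    # guesses per second

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this shape, in bits.
    Only valid for random passwords; a human-chosen one has far less."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int, rate: float) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses/second.
    On average an attacker finds the password after half of this time."""
    return keyspace(length, alphabet_size) / rate


def human_time(seconds: float) -> str:
    """Render a duration using the largest unit that fits."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def compare(policies, rates=(("fast hash", FAST_HASH_RATE),
                             ("slow hash", SLOW_HASH_RATE))):
    """One report row per (label, length, alphabet_size) policy."""
    rows = []
    for label, length, alphabet_size in policies:
        row = {"policy": label,
               "bits": round(entropy_bits(length, alphabet_size), 1)}
        for rate_label, rate in rates:
            row[rate_label] = human_time(
                seconds_to_exhaust(length, alphabet_size, rate))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in compare([("8 chars, mixed classes", 8, MIXED_ALPHABET),
                        ("15 chars, letters only", 15, LETTERS_ONLY),
                        ("15 chars, mixed classes", 15, MIXED_ALPHABET)]):
        print(row)
```

Run it as a script to print the three rows; the 8-character mixed policy comes out at about 52.6 bits and the 15-character letters-only policy at about 85.5 bits, which is why adding seven characters beats adding two character classes.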

What is multi-factor authentication (MFA)?

Multi-factor authentication, or MFA, is a step up in security that requires a second, independent method of proving who you are in addition to your password.

Authentication factors fall into three categories:

  • Something you know – this is your traditional password
  • Something you have – this is a physical token such as an access card, a hardware security key, or a phone running an authenticator app
  • Something you are – this is a biometric such as a fingerprint or facial recognition

The most common form of multi-factor authentication combines something you know with something you have: you know your password, and you have a device that can supply a one-time password (OTP), typically a six-digit code that is valid only for a short time. The code is either generated on your mobile device by an authenticator application (Google and Microsoft offer free ones) or delivered to your phone by voice call or SMS text message. The additional layer means that even if the bad guys have your password, they also need your current code (and if you have a passcode on your phone, they would need that, too). Codes sent by SMS or voice call are the weakest option, since a phone number can be hijacked, so prefer an authenticator app, or a hardware security key where a service supports one.


What is a password manager?

Remembering multiple long, unique passwords is painful, repetitive, error-prone, and time-consuming. A password manager is a tool that organizes, creates, and autofills your passwords. It stores them in an encrypted vault protected by a single vault (master) password: that one password is used to derive the key that encrypts every other saved password, so it must itself be long and unique, because anyone who learns it can unlock everything. All you have to remember is the vault password (or approve an unlock request on a multi-factor registered device); the manager then securely autofills your username and password when you log in to your online resources. A password manager provides a secure password repository, password sharing, and a password generator that creates a unique, random password for each of your sites while keeping track of what has been used where.

If you want to take your security to the next level, you can also use a password manager to store made-up, random answers to your secret questions, so that nobody can find the answers by researching you. Many managers also include a password monitoring tool that warns you when a saved password has appeared in a known breach. You can use an app on your phone or a plugin in your browser. Just check with your department IT professional, as they may have an organizationally approved app you need to use for work purposes.
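The generator inside a password manager is the piece worth understanding, since it is what makes "unique and random for every site" practical, and the same generator produces the made-up secret-question answers mentioned above. Here is an added example (not code from the original page or from any password manager product) of how such a generator is built: it draws from the operating system's cryptographic random source via `secrets`, never from `random`, and offers both a random-character password and a word-based passphrase. The wordlist is a constructed 32-word stand-in so the example runs offline; a real generator uses a published list such as EFF's 7,776-word diceware list.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed, deliberately tiny wordlist so the demo runs offline. Each word
# here adds only 5 bits; with a real 7,776-word diceware list each adds ~12.9.
DEMO_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quiver", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "bridge", "copper", "drizzle", "fossil", "glacier", "hollow",
]


def has_all_classes(text: str) -> bool:
    """True if the text contains lower, upper, digit and symbol characters."""
    return (any(c.islower() for c in text) and any(c.isupper() for c in text)
            and any(c.isdigit() for c in text) and any(c in SYMBOLS for c in text))


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET,
                      require_all_classes: bool = True) -> str:
    """Uniformly random password from `alphabet`, using the OS CSPRNG through
    `secrets` (never `random`, whose output is predictable). Rejection-sampling
    until every class appears satisfies typical site rules at a negligible
    entropy cost for lengths of 15 and above; it loops only a few times."""
    if length < 15:
        raise ValueError("use at least 15 characters")
    if require_all_classes and not has_all_classes(alphabet):
        raise ValueError("alphabet lacks a required character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes or has_all_classes(candidate):
            return candidate


def generate_passphrase(n_words: int = 6, words=DEMO_WORDS,
                        separator: str = "-") -> str:
    """Random words joined by a separator: easier to type and remember than a
    random string, with strength coming from the number of words."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, pool_size: int) -> float:
    """Entropy of `choices` independent uniform picks from a pool of `pool_size`."""
    return choices * math.log2(pool_size)


def fake_security_answer() -> str:
    """A random value to store in the manager as the answer to a 'secret
    question', so the answer cannot be found by researching you."""
    return generate_password(24)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20, len(FULL_ALPHABET)):.1f} bits)")
    phrase = generate_passphrase(6)
    print(phrase, f"({entropy_bits(6, len(DEMO_WORDS)):.1f} bits with the demo list)")
    print("secret-question answer:", fake_security_answer())
```

Note that the entropy figures assume the manager, not a person, chose the value; the moment you edit a generated password to make it memorable, those numbers no longer apply.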

When will a password manager be available at UD?

Well, great news: the IT Security team is thrilled to announce that we are close to selecting a password management solution for University-wide use. All staff, faculty, and students with an active @udel.edu email address will be eligible for a password manager account. The service is coming soon. Updates will be provided as we get closer to deployment.