
How to ... Select a Safe Password
Password Security is Important!
Applying the techniques outlined below makes the length of time required to break a password prohibitively long.
The time required to break a password drops significantly as each letter is guessed, or as other information about the password becomes known.
- Trent's IT Department including the IT Service Desk will NEVER ask you to send or update your password in an email link.
- To ensure the speedy recovery of your password, if you have forgotten it, update/complete your profile for the Self-Service Password Reset tool. Instructions on how to update/complete your profile can be found in our Self Service Password Reset User Guide at: https://www.trentu.ca/it/services/user-guides/self-service-password-reset
Password Standards and Complexity
As per the NIST Digital Identity Guidelines: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
- A password should never be reused.
- The longer the password, the harder it is to crack.
- While the new NIST standard does recommend moving away from composition rules (special characters, numbers, and upper and lower case letters), the recommendation is that this be done in conjunction with automated screening of new passwords (section 5.1.1.2: Memorized Secret Verifiers). New passwords would be run against algorithms that attempt to crack them rather than checked against a set of composition rules. The issue with implementing the standard is the state of technology today: most username and password systems, including Trent’s, do not function this way yet. Removing the composition rules would therefore allow a password such as “aaaaaaaa”, which would pass in the absence of automated screening. This is problematic, but the software vendors will catch up, and in time composition rules will be replaced with screening rules in software.
Trent’s current standard calls for passwords that:
- are at least eight characters long,
- contain at least one upper case letter, and
- contain at least one number.
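The gap described above, shown as an added example (not Trent's or NIST's code): a check for Trent's current composition rules beside a small screening check in the spirit of SP 800-63B section 5.1.1.2. The blocklist, the sequence list, the function names and the user id `jsmith` are constructed for illustration.

```python
import re

# Constructed sample blocklist; a real verifier would load a large corpus of
# commonly used and breached passwords.
BLOCKLIST = {"password", "password1", "qwertyuiop", "letmein1"}
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl")


def composition_check(pw):
    """Trent's current standard: >= 8 characters, one upper case letter, one number."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    return problems


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive characters of a known sequence."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):  # forwards and backwards
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def screening_check(pw, username=""):
    """Screening rules (assumed set): blocklist, repeats, sequences, user id."""
    problems, low = [], pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if low in BLOCKLIST:
        problems.append("on the blocklist of common or breached passwords")
    if re.search(r"(.)\1{3,}", pw):  # same character four or more times in a row
        problems.append("repeated character run")
    if has_sequence(pw):
        problems.append("sequential or keyboard-pattern run")
    if username and username.lower() in low:
        problems.append("contains the user id")
    return problems


if __name__ == "__main__":
    for pw in ("aaaaaaaa", "Password1", "daughterzooSunday4elephants"):
        print(pw, composition_check(pw), screening_check(pw, username="jsmith"))
```

`Password1` satisfies the composition rules yet is rejected by screening, while `aaaaaaaa` is caught by both; with neither check in place it would be accepted.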
How to Select a Good Password?
- Think of a sentence that is memorable, e.g. I usually take my daughter to the zoo on Sunday to see the elephants.
- Create a passphrase from this sentence that can be used as your password, e.g. daughterzooSunday4elephants. Remember that Trent’s current standard still calls for one number and one upper case letter.
- Test your password with a verified password checker, e.g. The Password Meter: http://www.passwordmeter.com/
DO | DO NOT |
---|---|
Use a password of 8 characters or longer. THE LONGER THE BETTER. | DO NOT choose only the first letter as uppercase. For example, Ont37bo is not as good as OnT37Bo. |
Use mixed case. | DO NOT simply replace "o" and "O" with "0", and "I", "l" or "L" with 1. |
Include one number | DO NOT reuse old passwords |
| DO NOT use your user id as your password. |
| DO NOT use any single word from a dictionary (of any language), as most forms of password attack use dictionaries as a basis for password guessing. |
| DO NOT use birthdays, car registration numbers, room numbers, department names, machine names, locations, wife/husband's names, pet's names, children's names and so on. These may be determined, as most of this information is not confidential. |
| DO NOT allow anyone to watch while you type your password. |
| DO NOT use keyboard patterns (which someone watching could easily spot) such as qwertyuiop, or duplicating characters such as aabbccdd. |
| DO NOT use words from other guessable word sets, such as famous names, proper names, colloquial terms (in various spheres of life), and so on. |
| DO NOT use the same password on multiple accounts. If one is broken, then all are broken. |
| DO NOT just change one character in the password, as this may be easily spotted if one of the passwords is compromised. |
| DO NOT record your password, either on-line or written down. |
| DO NOT tell anyone your password. Do not share your password with your co-worker, partner, your children, your friends. |
| DO NOT communicate your password to a person either verbally, by electronic mail or by any other means. |
You can see that there are a LOT more DO NOT's than DO's, but following these recommendations will keep your data as safe as possible.
Eligibility
- Students
- Staff
- Faculty
- Alumni
- Applicants
- Guests
- Retirees
- Professor Emeriti
Service category
- Security