
Passwords best practices

Vitalina_Zubko edited this page Nov 3, 2017 · 13 revisions

First you need to walk before you run. Understanding what a password policy is comes before building a strong one. A password policy is a set of rules covering how you design the combinations of words, numbers and/or symbols that grant access to an otherwise restricted online area. Passwords protect your website, software programs and small business networks from unauthorized entry by ex-employees, curious intruders and of course hackers.

Create a strong password

  • Use at least two digits within the first eight characters. This is a legacy rule from the Penn State guidance this list is drawn from (source 3): some older systems only checked, or only stored, the first eight characters.
  • Pick long passwords: 8 characters is the floor, and use more wherever the system allows it. Length does more for guessing resistance than any particular mix of character types.
  • Don't use a common dictionary word, a name, a string of numbers, or your User ID; cracking tools try all of these, and their simple variations, first.
  • One of the easiest to remember and hardest to guess methods is the pseudo-random password. The actual password is derived from an easy to remember phrase that is important to the user: words from a book you particularly like, a line from a song you always remember with ease, or a statement by some powerful figure that you will never forget. The key to a successful password is a phrase that is easy for you to remember but that no one else would ever think to attribute to you. Note that the examples below are short (8 to 11 characters); the same method applied to a longer phrase gives a stronger result.
  • personal phrase: "Four score and seven years ago our fathers brought…" password: 4scanse... method: first two letters of each word (with "4" standing in for "Four") until a total of eight characters resulted.
  • personal phrase: "It was a dark and stormy night..." password: iWadasn7 method: first letter of each word, followed by the age of a nephew.
  • personal phrase: "My Brother's Birthday Is April (4) Twenty Two Nineteen Sixty Three (3)" password: mbbi4tt19s3 method: first letter of most words, with numbers substituted for some of them.
  • Certain special characters may be used. However, some applications do not accept special characters. If a special character is rejected, a password made of letters and numbers only will get past the check; make it longer to compensate. Examples of permitted special characters are shown below:

$ . , ! % ^ *

  • Some special characters should not be used; the Penn State source (source 3) lists the disallowed ones. That source also notes that a dial-up connection could not accept any special characters in the password.

Protect your password from misuse

  • Do not let anyone else know or use your password. Sharing a password is a policy violation at most institutions (it is under the Penn State policy this list is drawn from), and it leaves the account's activity impossible to attribute to one person.
  • For optimum security, don't write your password down. If you must, keep it somewhere private such as a locked drawer or your wallet, never on your computer or anywhere around your desk, and don't record the name of the system or the associated User ID next to it.
  • Be aware of whether a password is sent securely across the Internet. URLs (Web addresses) that begin with "https://" rather than "http://" encrypt the connection with TLS, so the password cannot be read in transit by anyone between you and the site. "https" says nothing about who runs the site, though: check that the domain is the one you expect before typing anything. If the URL does not begin with "https", do not enter your password.
  • If you suspect that someone else may know your current password, change it immediately.
  • Change your password periodically, even if it hasn't been compromised. Note that current guidance (NIST SP 800-63B, 2017) drops forced periodic changes, because users respond with predictable variations of the old password; changing on any suspicion of exposure, and using a unique password per site, do more.
  • Don't type your password while anyone is watching.

Basic rules

  • Don't re-use passwords across sites. One ultra-secure password is no good once any site that stores it is breached, because attackers replay leaked credentials against every other service (credential stuffing)
  • Altering a memorable word with capitals and digit substitutions - M4raD0na - is often advised, but such passwords are more easily cracked than you might think: cracking tools apply exactly those substitution and capitalisation rules to every word in their lists, so the altered word is only a few thousand guesses away from the plain one
  • Good advice is to make a long but memorable "passphrase". String a few words together that you can remember with a visual. "puffineatingbanana" is easy to remember and far harder to guess than a single altered word; how long it actually holds out depends on how many words you use, whether they were picked at random rather than as a sentence, and how fast the attacker can guess, which in turn depends on whether the site stores passwords with a slow hash such as bcrypt or Argon2
  • Alternatively, you can use a password manager such as 1Password, which can generate random passwords and store them online in a vault encrypted under your master password
  • The best way to protect yourself is to use two-factor authentication, which will send a text with a code or use an app to verify your log-in. Prefer an authenticator app or a hardware security key over text messages, since codes sent by SMS can be intercepted or redirected by SIM swapping
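The two claims above about cracking, that an altered word like M4raD0na falls quickly and that a passphrase's strength depends on word count, randomness and the attacker's guess rate, can be checked directly. The script below is an added example written for this page, not code from any source it cites or from any cracking tool. The mini wordlist, the substitution rules, the guess rates and the use of plain SHA-256 as a stand-in for a stored hash are all assumptions for illustration; real crackers use wordlists of millions of entries and thousands of rules, and real systems should store passwords with bcrypt, scrypt or Argon2.

```python
# Added example, not from the original page: why an altered dictionary word
# such as M4raD0na falls quickly to a rule-based guess, and how the size of a
# passphrase's search space compares. The word list, the substitution rules
# and the guess rates are constructed for illustration.
import hashlib
import itertools
import math

# Constructed mini wordlist standing in for a real one.
WORDLIST = ["password", "football", "maradona", "pele", "messi", "qwerty"]

# Common leet substitutions; each letter may also appear in upper or lower case.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def candidates(word):
    """Yield every case/leet variant of `word`, as a rule-based cracker would."""
    options = []
    for ch in word:
        alts = {ch.lower(), ch.upper()}
        alts.update(LEET.get(ch.lower(), ""))
        options.append(sorted(alts))
    for combo in itertools.product(*options):
        yield "".join(combo)


def rule_space_bits(word):
    """log2 of the number of variants the rules generate for one base word."""
    return math.log2(sum(1 for _ in candidates(word)))


def sha256_hex(password):
    """Stand-in for a stored hash. Real systems use bcrypt, scrypt or Argon2,
    which cost the attacker orders of magnitude more per guess than SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Try every variant of every wordlist entry against `target_hash`.
    Returns (recovered_password_or_None, number_of_guesses_made)."""
    guesses = 0
    for word in wordlist:
        for cand in candidates(word):
            guesses += 1
            if sha256_hex(cand) == target_hash:
                return cand, guesses
    return None, guesses


def passphrase_bits(words, dictionary_size):
    """Entropy of `words` words picked uniformly at random from a dictionary
    of `dictionary_size` entries (e.g. 7776 for a diceware list)."""
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every value of a `bits`-bit search space."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    found, n = crack(sha256_hex("M4raD0na"))
    print(f"recovered {found!r} after {n} guesses "
          f"(rule space for 'maradona': {rule_space_bits('maradona'):.1f} bits)")
    # Three random words from a 20,000-word dictionary, unsalted fast hash at 1e10/s.
    bits3 = passphrase_bits(3, 20_000)
    print(f"3 random words: {bits3:.1f} bits, "
          f"{seconds_to_exhaust(bits3, 1e10) / 3600:.2f} hours at 1e10 guesses/s")
    # Four diceware words against the same attacker.
    bits4 = passphrase_bits(4, 7776)
    print(f"4 diceware words: {bits4:.1f} bits, "
          f"{seconds_to_exhaust(bits4, 1e10) / 86400:.1f} days at 1e10 guesses/s")
```

With this toy list the altered word is recovered in under eight thousand guesses, because the rule set that produced it is the same one the attacker applies. The passphrase figures show why "millions of years" is not a safe blanket claim: three random words from a 20,000-word dictionary are exhausted in minutes against a fast unsalted hash, while every extra random word multiplies the work by the dictionary size, and a slow password hash multiplies it again by the hash's cost.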

Online third-party services

There are several online third-party services that help users safeguard sensitive passwords, including LastPass, Dashlane and 1Password, which store passwords in the cloud and secure them all with a master password. If entrusting all your passwords to the cloud gives you the creeps, consider a local password storage program on your computer such as RoboForm, Password Safe or KeePass. Either way, take care to pick a strong master password that you can remember: the vault is encrypted with a key derived from it and nothing stored can recover it, so, just as with the Firefox master password option, if you forget the master password you are pretty much out of luck.
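The two jobs a password manager does, generating credentials and gating the vault behind the master password, as an added example written for this page (not code from LastPass, Dashlane, 1Password or any other product named above). It uses only the Python standard library. The six-word list is a constructed stand-in for a diceware list, the PBKDF2 iteration count is the 2023 OWASP recommendation, and the vault here stores only a verifier: a real manager would also encrypt the entries with the derived key (AES-GCM from a library such as `cryptography`), which is left out.

```python
# Added example, not taken from the original page or from any of the products
# it names: credentials generated from a CSPRNG, and a vault unlocked by a key
# derived from the master password. Standard library only; the word list is
# constructed. Encryption of the entries under the derived key is omitted.
import hashlib
import hmac
import math
import os
import secrets
import string

# Letters, digits and the special characters the page lists as permitted.
ALPHABET = string.ascii_letters + string.digits + "$.,!%^*"

# Constructed stand-in for a diceware list (the real one has 7776 words).
WORDLIST = ["puffin", "eating", "banana", "stormy", "night", "score"]

# PBKDF2-HMAC-SHA256 work factor; 600,000 is the 2023 OWASP recommendation.
ITERATIONS = 600_000


def random_password(length=16, alphabet=ALPHABET):
    """One independent CSPRNG draw per character (secrets, never random)."""
    if length < 8:
        raise ValueError("8 characters is the floor; longer is better")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=4, wordlist=WORDLIST, sep=" "):
    """Words drawn uniformly with replacement, so entropy is words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(draws, space):
    """Entropy of `draws` independent uniform picks from `space` symbols."""
    return draws * math.log2(space)


def new_vault(master, iterations=ITERATIONS):
    """Derive a key from the master password; store salt, cost and a verifier only."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(vault, master):
    """Re-derive the key and return it only if the verifier matches.
    Nothing stored can recover the master password: forget it and the vault is lost."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), vault["salt"], vault["iterations"])
    check = hmac.new(key, b"vault-verifier", "sha256").digest()
    return key if hmac.compare_digest(check, vault["verifier"]) else None


if __name__ == "__main__":
    pw = random_password(16)
    print(f"{pw}  ({entropy_bits(16, len(ALPHABET)):.1f} bits)")
    print(f"{random_passphrase(4)}  ({entropy_bits(4, 7776):.1f} bits with a 7776-word list)")
    vault = new_vault("constructed master passphrase")
    print("unlock with right master:", unlock(vault, "constructed master passphrase") is not None)
    print("unlock with wrong master:", unlock(vault, "guess") is not None)
```

The point of the verifier design is the one the paragraph makes: the vault never holds the master password or a reversible form of it, only a salt, the work factor and an HMAC under the derived key, so a forgotten master password cannot be reset from the stored data. The slow key derivation is what turns a memorable master passphrase into something an attacker who steals the vault file cannot guess quickly.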

Sources:

  1. https://smallbiztrends.com/2017/08/password-policy-best-practices.html
  2. https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
  3. http://pennstateit.psu.edu/legacy/be-safe/password-best-practices.html