Managing Passwords

Why do I need a complex password?

Hackers have dozens of tools at their disposal for cracking passwords. Simple passwords, such as those based on words in the dictionary, can be cracked in a matter of seconds. When someone gains access to one of your passwords, he or she essentially has the same level of authority to do what you can do on your computer, both personally and professionally. If you are in a work position that manages human resource data, a hacker now has access to that data. If your NetID password is compromised and you are a student, someone has the ability to drop your classes and alter your financial records.

More importantly, once someone has access to one of your passwords or systems, he or she can use that to get even deeper access into your computer, potentially using it to redirect spam or viruses.

Having a complex password helps ensure that your data and information remains your own. It's just one more important tool in the set of security measures you should use.

How many passwords do I need?

There is no agreed-upon standard for the number of passwords you need. Generally speaking, however, you should consider having at least three distinct passwords that represent the different types of transactions you typically perform. See the examples below for ideas.

If you are only responsible for your own personal information:

  1. Use a password that is only used in conjunction with your NetID (e.g., My UW-Madison)
  2. Use a unique password for work- or school-related functions (e.g., local area network (LAN) or facebook.com)
  3. Use a unique password for personal/home use (which may be further segmented as follows):
    • A password for highly sensitive personal/financial web sites such as bank accounts, stock accounts or social security information (e.g., Fidelity)
    • A password for routine e-commerce sites (e.g., Amazon, eBay)
    • A password for lower-risk web sites such as those only requiring registration with no financial obligations (e.g., New York Times)

If you are responsible for and/or have access to others' information or systems, then you should also:

  1. Use a unique password for each of the various "zones of trust" or domains of risk with which you work. For example:
    • Use a unique password for the ISIS application vs your NetID password
    • Use a unique password for production servers vs development servers
    • Use a unique password for routine access vs administrator/developer access

With all these passwords, what's a good way to keep track of or remember them?

There are many tricks and strategies for memorizing passwords, one of which may be more suitable for you than another. Here are some practical ways of memorizing multiple passwords:

  • Create a "vanity plate" password phrase. This is a good option if you don't have a lot of passwords to remember. Choose a favorite song, book or short phrase, and translate it into something that is easily memorized.

    "Eight Days a Week" becomes "8Dys@Wk!"
    "Let's Stay Together" becomes "Lts$A2Gtr."
    The phrase "Hard to Crack" becomes "Hrd2Cr@k!"
  • Use mnemonics. Somewhat similar to a vanity plate password phrase, mnemonics are memory aids used to remember items. In high school, you may have used the mnemonic "My Very Easy Memory Jingle Seems Useful Naming Planets" to remember the planets: Mercury, Venus, Earth, Mars, Jupiter, Saturn, Uranus, Neptune and Pluto.

    For your password, you may want to choose a phrase or verse and translate it into a password. You could also create a password phrase that expresses an opinion or relates to the site itself. The key is to make it simple enough that you don't have to think too much about where you abbreviated a word or inserted a symbol. This is a good option if you don't have a lot of passwords to remember.

    "I like to eat at Red Lobster" becomes "Ilik2e@RL"
    "This is my Amazon password" becomes "Th$My@mz0n"
  • Choose a series of rule sets (i.e., an algorithm) for all of your passwords. Think of the rule set as a password recipe for which only you know the ingredients. Once you memorize the basic recipe, you simply change one or two ingredients for the different types of passwords you need. While this may seem complicated, it's actually an effective way to memorize multiple passwords.

    For example, if the rule set is:

    [Movie in Caps] + [Last Digit of Current Year] + [Special Character] + [Site Type in Small Case]

    then

    [Gone with the Wind] + [2008] + [Asterisk] + [E-commerce Site]

    becomes

    GWTW8*es

    and

    [Gone with the Wind] + [2008] + [Asterisk] + [School Site]

    becomes

    GWTW8*ss

One of the nice things about this system is that when it comes time to change your passwords, you can change one or two sections of the rule set (e.g., the movie name, the current year or the special character) without having to create an entirely new algorithm. For the last segment of the example above, you can pre-define a limited set of password types in advance (e.g., personal site = ps, work site = ws, school site = ss, development site = ds, etc.).

Are there other ways of securing my passwords in case I can't memorize them?

Whenever possible, it's best to try to keep your passwords in your head where they are not accessible to others. Failing that, you have several options:

  • Install password security software. Software such as Password Safe or Mac OS X Keychain keeps your passwords in an encrypted store that only you can open. Currently, no password security software is offered or supported by UW-Madison; however, several are available for free download on the Web. NOTE: These are generally machine-based tools. If you work with multiple computers, you will need to make the encrypted data portable (e.g., by using a flash drive or My WebSpace) to access passwords from different computers. Also, losing your encrypted data is equivalent to losing your wallet, so you should back it up.

  • Warning: This is an option of last resort. Write them down, if you must, but do not keep them on or near your computer. You can keep them in your wallet or purse, but don't include any other identifying information such as what the password is for. You may even choose to put hints on the piece of paper to remind you of the passwords, rather than writing down the actual passwords. Odds are, you are more likely to guard your wallet because of the credit cards it contains, and therefore your passwords are relatively safe.
  • Store your written passwords in a safe, safe deposit box or locked file cabinet. This may seem extreme, but considering your financial and professional well-being are on the line, it may be worth it.

  • What not to do.
    • Don't write your passwords down on post-it notes on or near your computer.
    • Don't store your passwords on your computer unless they're encrypted.
    • Don't keep a hard copy file folder of your passwords.
    • Don't give your passwords to others, not to anyone. Recent news stories have highlighted how easily people will reveal their passwords, even to complete strangers. Some would do it for as little as a candy bar! Human error continues to be the number one reason that sites are cracked, so be smart and don't share your passwords with anyone.

How can I check to see if I'm using a strong enough password?

Double-check that you followed the guidelines in the Password Policy (i.e., at least eight characters, etc.).

Use a password checker, such as the one hosted by Microsoft at
http://www.microsoft.com/athome/security/privacy/password_checker.mspx

or the one at SecurityStats.com:
http://www.securitystats.com/tools/password.php

Warning: Never put your password into a checking site unless you're sure you can trust the site.
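A checker you run locally never sends the password anywhere, which sidesteps the trust question in the warning above. This is an added example, not the Microsoft or SecurityStats tool: the eight-character minimum comes from the Password Policy as quoted here, while the three-character-class rule, the tiny constructed word list and the symbol-for-letter substitutions are assumptions chosen to illustrate what "based on a dictionary word" means in practice.

```python
"""Local password checker (added example, not a UW-Madison tool)."""
import re

# Constructed word list for illustration; a real checker would load a full
# dictionary file instead of this handful of words.
DICTIONARY = {"password", "welcome", "badger", "madison", "letmein", "summer"}

# Symbol/digit-for-letter swaps that password crackers also try, so
# 'p@ssw0rd' is treated as the dictionary word 'password' (assumed list).
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def looks_like_dictionary_word(password: str) -> bool:
    """True if the password is a dictionary word, either with symbol swaps
    applied or with a few digits/symbols tacked on the end (e.g. 'Welcome1!')."""
    lowered = password.lower()
    candidates = {
        lowered.translate(SUBSTITUTIONS),       # p@ssw0rd -> password
        re.sub(r"[^a-z]+$", "", lowered),       # welcome1! -> welcome
    }
    return any(word in DICTIONARY for word in candidates)


def check_password(password: str) -> list:
    """Return a list of problems found; an empty list means the password passes."""
    problems = []
    if len(password) < 8:                       # minimum from the Password Policy
        problems.append("shorter than eight characters")
    classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes < 3:                             # assumed mix rule
        problems.append("uses fewer than three character classes")
    if looks_like_dictionary_word(password):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("8Dys@Wk!", "p@ssw0rd", "Welcome1!", "abc"):
        print(candidate, "->", check_password(candidate) or ["ok"])
```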

Why is it important to close my browser or log out?
When you're done using an application, be sure to log out completely and close, quit or exit your browser (depending on your platform and browser, the terminology and process differ slightly). Logging out and closing your browser will prevent others from accessing your password from a computer you just logged into, for example, at a campus kiosk. Closing the browser typically deletes the information needed to continue using the current login session, forcing a new login. This is especially important when using applications from shared computers such as lab and library computers.

What does phishing have to do with passwords?
Hackers try to trick people into giving away their passwords and other personal information by sending fake emails that appear to be from familiar Web sites such as eBay or a local bank. Because the emails look official, some people respond to requests for their login name and password. The UW will never ask you to reveal your password.

How often should I change my passwords?
A strong password is one you change every few months. Just as you may regularly scan for viruses, update your patches, or do backups, you should also regularly change passwords. Using the semi-annual changing of the clocks is a good time to consider changing passwords.

What should I do if I think someone has gotten my password?
If you suspect an account or password has been compromised, report the incident to DoIT Security and change all your passwords.

My department uses passwords that are even more complex than the campus password policy. What should I do?
That's terrific. The Password Policy is considered a minimal standard that ensures a higher level of security for campus computer users. If your department's guidelines are more stringent, you should follow them.

What if a Web site or application won't accept the password policy format?
Many sites have their own login name and password policies and restrictions. Sometimes the login you want has been chosen by another user. Sometimes sites (e.g., government sites) require some formatting of your social security number. Others require an email address, have character limits, or even generate a login and password for you. In these scenarios, you have no choice but to follow the format of the site, but you should still try to make it as complex as you can and rely on other security tools such as your firewall to help protect you.

What does the Password Policy mean when it says the UW may "periodically audit passwords for compliance?"
You will never be asked by a UW-Madison employee or entity to reveal your password. In fact, if you ever receive such a request from any entity, UW-Madison or otherwise, be very cautious. This is likely to be a phishing attempt aimed at tricking you into providing personal information.

Rather, DoIT Security will periodically run standard security audits using tools that attempt to identify or "break" passwords that are in UW systems and applications. Typically, these are passwords based on dictionary words or other combinations that are considered weak and thus subject to easy cracking by hackers. If any of your passwords is identified as weak, you will be contacted and asked to strengthen it using the password policy guidelines. If, after a period of time, you have not changed the password, it will either be changed for you to a new default password or your access to the system may be denied until you do change it.

For what logins does the password policy apply?
Any system or application that gives you access to UW-Madison resources falls under the password policy. In general, the policy provides a good standard for use on any and all systems that require a password. You are encouraged, but not required, to use this password policy at other personal sites such as Yahoo, Hotmail, etc. You are also encouraged, but still not required, to choose a different password at such sites in order to reduce exposure of your UW-Madison password.