Powered by the KU IT Security Office

Passwords

Choosing and using unique and strong passwords is an essential part of technology security. Follow these password best practices to help keep your information safe and secure.

Create and Use Unique and Strong Passwords

No matter the requirements of a given site or service, always create and use unique and strong passwords. Creating unique and strong passwords is critical for security, but it doesn’t have to be difficult. Here are two recommended methods for creating unique and strong passwords that are easy to remember.

Strategies for Creating Strong Passwords

Method One:
One method suggested by many security professionals is to start with a memorable sentence or phrase. Some people use a line from a song or poem they remember. Then use a few steps of substitution, misspellings, and other tricks that are meaningful to you to arrive at a strong password that is easy for you to remember.

  1. Memorable phrase: “I like ham and cheese sandwiches”
  2. Remove spaces: “ilikehamandcheesesandwiches”
  3. Use shorthand, and misspell words: “ilykhamandchzsammies”
  4. Use some characters, numbers and mix cases: “1lYkh4m&chZsa2mies”
  5. It would take a desktop PC about 71 quadrillion years to crack this password

Method Two:
Another method suggests combining four random common words to create a strong password (e.g., cattreetireeagle). Add a number or special character between the words for increased difficulty (e.g., cat5tree$tire2eagle9).
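
One way to implement Method Two, as an added example that is not part of the original KU page: the words are picked by a cryptographically secure random generator rather than by a person, and the entropy function shows how word-list size drives strength. The short word list, the separator set and the function names are constructed for illustration.

```python
import math
import secrets

# Constructed sample list for illustration only. A real generator should load
# a list of several thousand common words so that each word adds more entropy.
WORDS = ["cat", "tree", "tire", "eagle", "lamp", "river", "stone", "cloud",
         "bread", "piano", "tiger", "grape", "chair", "ocean", "moon", "brick"]

# Assumed separator set: digits plus a few special characters.
SEPARATORS = "0123456789!#$%&*-_"


def generate_passphrase(words=WORDS, count=4, separators=SEPARATORS):
    """Pick `count` words with a CSPRNG, each followed by a random separator."""
    parts = []
    for _ in range(count):
        parts.append(secrets.choice(words))       # uniform, unpredictable choice
        parts.append(secrets.choice(separators))  # same pattern as cat5tree$tire2eagle9
    return "".join(parts)


def entropy_bits(word_list_size, count=4, separator_count=len(SEPARATORS)):
    """Bits of entropy when every word and separator is chosen uniformly at random."""
    return count * (math.log2(word_list_size) + math.log2(separator_count))


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"16-word list:   {entropy_bits(16):.1f} bits")
    print(f"7776-word list: {entropy_bits(7776):.1f} bits")
```

With a list of 7,776 words, four words alone give about 51.7 bits; four words from the 16-word sample list give only 16, which is why the list must be large and the selection random.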


Test the Strength of Your Password Strategy

Don't enter any of your actual passwords, but use How Secure is My Password? to see how hard your password strategy is to crack.

Don't Re-Use Passwords

Never re-use passwords across service providers and accounts. Using a unique password for each account is far more important than the complexity of any individual password.

Criminals who steal your usernames and passwords from one online service can use them to gain access to other services. Massive data breaches at major service providers are all too common these days. If you use the same password for more than one account, and one of your service providers is breached, you've jeopardized your other accounts and the personal information they contain.

Use a Password Manager

Password managers are tools and programs you can use to manage all of your passwords. Both cloud-based services and desktop application password managers use a single “master” password to control access to your other passwords.

We recommend using these services and products, with the following cautions: Cloud-based services are subject to the limitations and potential security problems of all cloud services. Desktop applications can be more secure, but less convenient to use. In both cases, your master password must be a unique, very strong and complex passphrase.

Web-Based:

  • Need UNIQUE and VERY STRONG master password
  • Subject to cloud security problems
  • Can be used on different types of devices, including mobile
  • Examples: Dashlane, LastPass

Desktop Applications:

  • Need UNIQUE and VERY STRONG master password
  • Cross platform
  • Mobile versions
  • Less accessible/convenient than cloud-based services
  • Examples: KeePass Password Safe

Don't Share or Email Passwords

Sharing Passwords - Never share passwords, period.

  • If multiple people need to access a single device, set up separate profiles with a unique login and password for each person.
  • Always keep your passwords private and secure.
  • Consider using a password manager to help you organize your passwords. See "Use a Password Manager" above.

Emailing Passwords - Never send passwords via email. Even when encrypted, emailing passwords is not a good practice.

Don't Store Passwords in a Browser

Even when given the option, never save passwords in your browser. If someone gets access to your computer, they could easily access all of the services where you saved passwords.

Avoid Variations on Old Passwords

Make sure your new passwords are strong and unrelated to your previous password. A common password mistake is to use a variation on the previous password. This "transformation" strategy gives criminals a huge advantage because they already have most of what they need, and only have to discover what has changed.

Use Two-Factor Authentication

Turn on Two-Factor Authentication for all your accounts that offer it. Two-factor, or "multi-factor," authentication combines your password and username with a notification sent to your phone or another device.


Additional Resources

At KU, information security is a shared responsibility. Choosing unique and strong passwords and using them wisely is a big step in helping keep your information safe and secure.

The KU Password Policy spells out the password requirements for accessing KU systems and information. Your KU password must be changed every 210 days, and must meet these complexity requirements:

  • 8 to 32 characters long
  • At least one special character (&,#,-,_, etc.)
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
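
A check that could run at password-change time, when the user has just typed both the old and the new password, covering the complexity requirements listed above and the "Avoid Variations on Old Passwords" advice. This is an added example, not KU's own code; the function names, the substitution table, the `min_changes` threshold and the reading of "special character" as any non-alphanumeric character are assumptions.

```python
import re

# Common character substitutions undone before comparing (assumed set).
LEET = str.maketrans("4@310$57!", "aaeiossti")


def policy_failures(password):
    """Return the KU complexity rules listed above that `password` fails."""
    checks = {
        "8 to 32 characters long": 8 <= len(password) <= 32,
        # Assumption: "special" means any non-alphanumeric character.
        "at least one special character": re.search(r"[^A-Za-z0-9]", password),
        "at least one uppercase letter": re.search(r"[A-Z]", password),
        "at least one lowercase letter": re.search(r"[a-z]", password),
        "at least one number": re.search(r"[0-9]", password),
    }
    return [rule for rule, ok in checks.items() if not ok]


def skeleton(password):
    """Fold case, undo substitutions, and drop digits and symbols."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def edit_distance(a, b):
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_variation(old, new, min_changes=4):
    """True when `new` is the old password with only small changes."""
    a, b = skeleton(old), skeleton(new)
    if not a or not b:  # no letters to compare: fall back to raw strings
        a, b = old.lower(), new.lower()
    return edit_distance(a, b) < min_changes or a in b or b in a


def check_new_password(old, new):
    """Collect every reason to reject `new` at password-change time."""
    problems = policy_failures(new)
    if is_variation(old, new):
        problems.append("too similar to the previous password")
    return problems
```

Run against the page's own examples, the Method One result 1lYkh4m&chZsa2mies passes every rule, while cat5tree$tire2eagle9 fails only the uppercase requirement.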

KU Passwords - Tips and Best Practices

  • KU and other legitimate organizations will never ask you to provide sensitive personal information (password, Social Security Number, etc.) in an email or in an unsolicited phone call.
  • Do not share your password with anyone, including your boss, co-workers, or technology support staff.
  • Avoid using dictionary words (except when combining with at least three other unrelated words) and personal details such as the name of a child or pet.
  • Take advantage of KU's password reminder service so your next required change isn't a surprise. And remember, you must change your password every 210 days, but you can voluntarily change it more often.
  • In addition to KU's password requirements, be sure to follow the password best practices described on the "Intro" tab.
