Information Technology

Passwords

Tips for Better Passwords

Passwords are the keys to the kingdom. Once someone knows your password, they can potentially access all of your personal information and use it to steal your identity. Passwords are a common form of authentication and are often the only thing protecting your personal information. There are several programs attackers can use to help guess or "crack" passwords, but by choosing good passwords and keeping them confidential, you can make it more difficult for an unauthorized person to access your information.

Your UMass Boston password gives you access to numerous services, including email, WISER, HR Direct (for employees), Blackboard, blogs, and the university's Wi-Fi network. For this reason, you should take the required steps to create strong passwords and protect your password (CONFIDENTIALITY is the key).

Tips for good passwords

  • Make your passwords hard to guess.
  • Do NOT share your password. Keep it confidential. (See our Phishing page for more on this.)
  • Don't use passwords that are based on personal information like date of birth, name, name of your pet, etc. that can be easily accessed or guessed. (This is true for your password reset questions, too!)
  • Don't use words that can be found in any dictionary of any language.
  • Develop a mnemonic for remembering complex passwords (or use a secure password manager like LastPass or 1Password).
  • Do not use the same password for more than one account.

For a lot more information on passwords, visit the World Password Day website, where you can learn what makes a good password and play a game where you destroy incoming invaders by typing their passwords.

How to create a strong password?

  • Make it long. The longer the better.
  • Mix UPPER and lower case letters.
  • Add a symbol and punctuation to keep things interesting (things like *?](#@&^%$)
  • Add an obfuscated key word like your last name or the name of the site. Some examples:
    • F@ceb00kJ()n44s
    • B@nkAm3ric@J()n62s
    • W@iSer33as1aGe()34
    • $ch00LrU135 = school rules
  • Don't just substitute numbers or symbols for letters, as hackers know this technique and account for it. Try typing "Pas$w0rd" into the Microsoft Telepathword tool for proof of this.
  • Have a passphrase: Choose a line or two from a song or poem or a sentence, use the first letter of each word, and combine it with numbers and special characters. For example, “I have miles to go before I sleep” becomes “!IhmTgbiS@AK26$”.
  • Did we mention making it long? The longer the better.

How to create a BAD password

There are bad passwords (like "DrWhoFan1") and really terrible passwords, like "password" or "123456", which large numbers of people have actually used. Here are some rules not to follow:

  • Use a simple, short password. Sorry, password, and even Password1, won't cut it.
  • Take a word from the dictionary and add a number. (See above.)
  • Take a word from the dictionary and substitute a symbol for one of the letters, like Pas$word1. Hackers are just not deterred at all by this.
  • Use your name or your daughter's, father's, or pet's name or birthday. That's the first thing a hacker will try.

Here are some more, less obvious things to avoid:

  • Begin your password with a capital letter. Among passwords that contain a capital letter, the first character is far and away the most common place for it.
  • End your password with an exclamation mark, e.g. Password1!. Not only is the exclamation mark the most common symbol used, the most common place to find it is at the end. Try beginning your password with a backslash or a comma.
  • Make your password 8 characters long. When a place says you must use a minimum of 8 characters, hackers assume the majority of the passwords will be exactly 8 characters long. Longer is better, even if all you do is add five commas to the end to make it longer.
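
The patterns in the two lists above are predictable enough to be checked mechanically. The following Python sketch is an added example, not part of the original page or any UMass Boston tool; the small wordlist, the substitution table and the `audit` function name are assumptions made for illustration.

```python
import re

# Constructed sample wordlist (assumption); a real check would load a full
# dictionary plus a list of known-breached passwords.
WORDS = {"password", "school", "rules", "letmein", "welcome"}

# Symbol/number-for-letter swaps that guessing tools undo automatically.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                      "0": "o", "1": "l", "3": "e", "7": "t"})


def audit(pw, personal=()):
    """Return the page's 'bad password' patterns that pw matches."""
    findings = []
    if len(pw) < 8:
        findings.append("short")
    elif len(pw) == 8:
        findings.append("exactly-8-chars")
    if pw.isdigit():
        findings.append("digits-only")
    # A single capital, placed first, is the most common capital position.
    if pw[:1].isupper() and sum(c.isupper() for c in pw) == 1:
        findings.append("capital-first-only")
    if pw.endswith("!"):
        findings.append("trailing-exclamation")

    # Drop a trailing run of digits/symbols, then undo substitutions.
    core = re.sub(r"[\W\d_]+$", "", pw).lower()
    if core in WORDS:
        findings.append("dictionary-word" if len(core) == len(pw)
                        else "dictionary-word-plus-suffix")
    elif core.translate(LEET) in WORDS:
        findings.append("substituted-dictionary-word")

    # Names, pets, birthdays: the caller supplies the tokens to look for.
    low = pw.lower()
    flat = low.translate(LEET)
    if any(len(t) >= 3 and (t.lower() in low or t.lower() in flat)
           for t in personal):
        findings.append("personal-info")
    return findings


if __name__ == "__main__":
    for sample in ["password", "123456", "Password1", "Pas$word1",
                   "Password1!", "!IhmTgbiS@AK26$"]:
        print(f"{sample!r:20} {audit(sample) or 'no listed pattern found'}")
```

An empty result only means none of the listed patterns matched; it does not measure strength, and length still matters most.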

But no matter how complicated your password is, it doesn't matter if you tell the hacker what the password is (phishing) or get infected with malware. Follow safe computing practices and keep your password to yourself.

And once you've mastered passwords, think about your security questions. Try resetting your password and as you answer the questions, think about how many people could easily guess them. Do any of them use information someone could find on your blog or Facebook page? Maybe it's time to change your security questions and answers as well!

For more information

For more information and tips, contact the IT Service Desk at 617.287.5220 or ITServiceDesk@umb.edu.