Tips to Create a Strong and Secure Password

The days of using simple words, a single character, or a blank password are gone. Today, easy passwords can be cracked or guessed within hours or even minutes. Since the information on your computer is precious and potentially confidential, you need to protect it as much as you can. This guide is to help you create strong and solid passwords that will serve as a roadblock for intruders who are trying to break in to your computer or online accounts.

  • Length – The number of characters in your password is very important. The recommended length is at least eight characters (a UH Username password is required to be 8-32 characters). A three-character password such as fgy can be guessed by an intruder (or a password cracking program) much more quickly than an eight-character password such as 10RvR09$.
     
  • Strength – The strength of a password refers to the complexity of the password. In other words, can anyone guess what your password is? For example, if your computer account is janedoe and your password is janedoe or JaneDoe, an intruder can easily try and succeed in logging into your computer. You should not use words that can be traced to you such as your address, pet name, spouse name, surname, nickname, and should not use any words contained in dictionaries in any languages.

    To strengthen your password, the recommendation is to use a mix of special characters, numbers, and the alphabet (a UH Username password requires one upper case character, one lower case character, one number, and one special character). Special characters are !@#$%^&*()_+{}. Here are a few examples of stronger passwords: uRkn2T@ or R24Real? or Yc@nU95.
     
  • Keywords – Most people are familiar with creating simple temporary passwords for new employees or for other trusted people with the intent of allowing them to change the password at a later time. Passwords like abc123 and 567fgh were commonly used. If you use or ever used this method, you should break this habit. These passwords are almost like not having a password because intruders have programmed these words into their software to guess your password. The recommended practice is to assign a strong password from the beginning so that the new employee or trusted colleague will also follow your lead.
     
  • Historical – It is not a good practice to create four or five passwords and switch between them every time the computer reminds you to change your password. It would defeat the purpose of having a life span for the passwords. For example:

    start – my password is Tr*2catchmE!
    45 days later – I change my password to U#can’tGetIN%
    45 days later – I change my password to Wht$Up23&
    45 days later – I change my password back to the starting password Tr*2catchmE!

    Do not just add on more characters to your existing password such as Tr*2catchmE!456. If the intruder guessed the first part of the password, they would just need to guess the last three characters.

    Be creative. You should not recycle passwords! This is one resource that you are allowed to waste.
     
  • One for All – Avoid re-using passwords across multiple accounts/services. Keeping track of passwords for different accounts can be difficult. It is very convenient to create a strong password and use it for all your accounts for your credit card company website, your home Internet service provider, your work computer, or your personal email accounts like Hotmail or Yahoo. However, this is a bad habit and you should never do this. Let’s say that you have 14 accounts with a variety of Web sites or email sites. An intruder breaks into one of the companies that offer these services. The intruder now has your password for all 14 accounts and will have an easy time gaining access to those accounts. The recommended practice is to have unique passwords for each account. This means that you will have 14 different passwords if we use the previous example. This way the intruder will not be able to take over all of your accounts.
     
  • Previously Exposed – When attempting to gain access to online accounts via brute force, malicious actors use a "dictionary" of compromised passwords that they know have been previously or commonly used. Whenever a data breach occurs for any service, the number of entries in their "dictionary" grows. It is recommended to never use a password that has been previously exposed in a data breach, even if the password was never associated with your email address or one of your accounts. The website https://haveibeenpwned.com/Passwords provides an easy way to check whether or not a given password has been previously exposed.
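
The rules above can be checked mechanically when a password is chosen. The following is an added example, not code from UH or from Have I Been Pwned: it applies the UH length and character rules, the account-name and "added characters" checks described above, and a breach lookup against the Pwned Passwords range endpoint (not mentioned on this page), which receives only the first five characters of the password's SHA-1 hash. The function names are hypothetical, and `previous` assumes earlier passwords are known at change time.

```python
import hashlib
import urllib.request

SPECIALS = set("!@#$%^&*()_+{}")  # special characters listed in the guide


def fetch_range(prefix):
    """Ask the Pwned Passwords range API for all hash suffixes under a prefix."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")


def breach_count(password, fetch=fetch_range):
    """Return how many times the password appears in the breach corpus."""
    # Only the first 5 hex characters of the SHA-1 digest leave this machine;
    # the remaining 35 are compared locally against the returned suffixes.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def review_password(new, username, previous=(), fetch=fetch_range):
    """Return a list of problems with `new`, following the rules in the guide."""
    # Assumption: `previous` holds earlier passwords in plain text, for example
    # the current one typed into the change-password form.
    problems = []
    if not 8 <= len(new) <= 32:
        problems.append("length must be 8-32 characters")
    classes = [any(c.isupper() for c in new), any(c.islower() for c in new),
               any(c.isdigit() for c in new), any(c in SPECIALS for c in new)]
    if not all(classes):
        problems.append("needs upper, lower, number and special character")
    if username and username.lower() in new.lower():
        problems.append("contains the account name")
    for old in previous:
        if new == old:
            problems.append("recycles an earlier password")
        elif old and (new.startswith(old) or new.endswith(old)):
            problems.append("only adds characters to an earlier password")
    if breach_count(new, fetch) > 0:
        problems.append("appears in a known data breach")
    return problems
```

Pass a different `fetch` function to run the checks against a local copy of the breach data instead of the network.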

Other password-related security tips are:

  • Do NOT share your passwords with anyone! They *could* easily misuse your account or give your password to someone else.

  • If you do log in to your account using a public, shared computer (like in a net cafe or public library), change your password later using a safe, secure computer. The public computer may be infected with a keystroke logger that can record your account and password, which can then be used by spammers and hackers.

  • Do NOT post your password on your computer monitor, anywhere on your desk, under your keyboard, or in other commonly accessible areas.

This guide was created to make you aware of the consequences of using weak or blank passwords, not to cause undue concern or anxiety. Remember that your password is the key that unlocks your computer, comparable to a car key unlocking your car door. Creating a strong password is one of the easiest security tools to keep your accounts and information safe.

Multi-Factor Authentication (MFA)

For added security, consider enrolling in UH's Multi-Factor Authentication service, Duo. Multi-Factor Authentication (MFA) is an extra layer of protection on top of your UH Username and password. When MFA is enabled, UH Login requires two factors for a successful login. The first factor is what we commonly do today: sign in with the UH Username and password. The second factor requires authentication through a device (e.g. smartphone or landline) to log in. Using these multiple factors provides increased security to your UH account information.

MFA can decrease the risk of an account compromise since UH Login would require more than just the UH Username and password for authentication. To enable MFA, simply register a device; you will be prompted for the second factor using the registered device when logging into any service or application using UH Login authentication.

MFA is offered, free of charge, to all students, faculty, and staff at the University of Hawai'i. Mobile device service charges may apply.

For more information or to register your device, visit https://www.hawaii.edu/its/uhlogin/.

For MFA FAQs, visit https://www.hawaii.edu/its/faq-topics/mfa-faq/

Article ID: 705
Created: Tue, 13 Feb 2007 3:35pm
Modified: Fri, 20 May 2022 10:51am