Guide 5010 GD.01
Selecting Good Passwords
Revision Date: 6/31/2013
The object when choosing a password is to make it as difficult as possible for someone (or some computer program) to guess what you’ve chosen, yet easy enough for you to remember without writing it down.
Company User ID
Approved Users have been assigned a unique network identification (User ID) that is, essentially, electronic shorthand for your name. Your User ID and password act as your passport to the company’s network and accounts. Like your name, your User ID is not secret, but your User ID password is SECRET. It is very important that your User ID password be protected. Your User ID and password provide access to sensitive information (personal and company) and are used as authentication credentials for network access. The first User ID task you perform is also one of the most important: choosing a good password.
Requirements for your User ID password:
• Password must have 8-14 characters
• Must contain 2 letters
• Must contain 2 non letters (either numbers or legal characters)
• Illegal characters (must not contain these): \ & : < > , ‘ (backslash, ampersand, colon, less than, greater than, comma and apostrophe)
Best Practice for all passwords
• Use a password that is easy to remember, so you do not have to write it down.
• Use a password with mixed-case alphabetic characters.
• Use a password that has at least eight characters.
• Use at least one punctuation symbol.
• Use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
• Use your User ID and associated password only with company User ID authenticated systems.
• Choose different IDs and, especially, different passwords for any other systems (i.e., personal use).
What NOT to Use
- Do not use your login name in any form (as-is, reversed, capitalized, doubled, etc.).
- Do not use proper names (especially not your own nor that of your significant other, mother or child). This includes all first and last names as well as geographical locations.
- Do not use your initials or those of anyone close to you.
- Do not use other information easily obtained about you. This includes your phone number, Social Security number, birth date, the brand of your automobile, the name of the street you live on, etc.
- Do not use a word contained in (English or foreign language) dictionaries, spelling lists, or other lists of words.
- Do not attempt to be clever and make your password a derivation (reversed, as-is, shifted by a few characters, a simple substitution code, doubled, etc.) of your account name or your first or last name.
- Do not use a password that is so difficult for you to remember that you will forget it if you do not write it down.
- Do not reuse any passwords that you have used previously.
- Do not use the same password on different systems.
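The User ID password requirements and the login-name rules under "What NOT to Use", expressed as a checker. This is an added example, not part of the original guide; the function names, reading "shifted by a few characters" as up to three positions, the substitution map, and treating curly quotes as apostrophes are all assumptions.

```python
# Added example: checks a candidate password against the guide's stated rules.
ILLEGAL = set("\\&:<>,'\u2018\u2019")  # guide's list; curly quotes are an assumption
# Constructed map that undoes common look-alike substitutions (assumption).
LEET = str.maketrans("013457@$!", "oleastasi")


def _shift(word, k):
    """Caesar-shift the letters a-z of a lowercase word by k positions."""
    return "".join(
        chr((ord(c) - 97 + k) % 26 + 97) if "a" <= c <= "z" else c for c in word
    )


def _derivations(name):
    """Lowercase forms of a name that must not appear inside the password."""
    name = name.lower()
    forms = {name, name[::-1]}          # as-is and reversed
    for k in (1, 2, 3, -1, -2, -3):     # "a few characters": assumed to mean <= 3
        forms.add(_shift(name, k))
    return {f for f in forms if len(f) >= 3}  # ignore very short names


def check_password(password, user_id, names=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    letters = sum(c.isalpha() for c in password)
    if not 8 <= len(password) <= 14:
        problems.append("length must be 8-14 characters")
    if letters < 2:
        problems.append("needs at least 2 letters")
    if len(password) - letters < 2:
        problems.append("needs at least 2 non-letters")
    bad = sorted(ILLEGAL & set(password))
    if bad:
        problems.append("contains illegal characters: " + " ".join(bad))
    # Lowercasing covers "capitalized"; substring matching covers "doubled".
    # The second view undoes simple substitutions such as $ for s.
    views = {password.lower(), password.lower().translate(LEET)}
    for name in (user_id, *names):
        if any(form in view for form in _derivations(name) for view in views):
            problems.append(f"derived from '{name}'")
    return problems
```

Pass first and last names through `names` to apply the same derivation checks to them; dictionary and reuse checks are not covered here.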
Guidance on keeping your User ID and other passwords safe
- Do not give out your password to anyone including IT staff or your supervisor. Do not share your account with anyone or let anyone else use your account.
- Do not write down your password on paper or store it on a computing device. (It can be a help to write down your password for a few days when you have just changed it; keep any such copy in your wallet or purse and discard it as soon as you have memorized your new password.)
- Do not use your User ID password as a password for another computer system, such as your ATM card PIN number or as your password to a website on the Internet.
- Do not let anyone see you type in your password. Stop typing if you notice someone watching you. Make sure your password is not being displayed on your screen as you type.
- Be wary of any program or web page that asks you for your User ID password. Secure web pages that ask you for your User ID password will have URLs that begin with “https://”. Your browser (e.g., IE, Firefox, Mozilla) should visually indicate (icon of a closed padlock) that you are on a secure page. If you are being prompted for your User ID password from a particular web page that you do not recognize or if the page appears different from the screen you are familiar with, contact ITS to verify the authenticity of the page.
- Do not enter your passwords when using insecure protocols (e.g. programs that transmit user account and password information unencrypted) over unsafe networks.
- If your User ID password has been compromised, contact the Help Desk. The first security measure the Help Desk will usually recommend will be to change your password, but the ITS Department will also want to determine how the account and password were compromised, the impact of the exposure and whether to investigate further.