Passwords are the key to many systems and applications. Your password helps to prove who you are, ensure your privacy, and protect the privacy of data you may have access to.
Compromised passwords are one of the means by which unauthorized people gain access to a system. Someone logging on under your name not only has access to your computer files, but may also have access to your personal information (e.g. benefits, bank information) and may impersonate you to send malicious e-mail.
Many times you are requested to choose and maintain a password for various purposes (e.g. sign on to a file server, access your e-mail, use a password protected screensaver).
At the University of Minnesota, there are two widely used passwords: Internet and M Key. These passwords allow access to important University systems (e.g. central e-mail, myU, some department Web pages, PeopleSoft, Electronic Grants Management System, Enterprise Document Management System).
It's important to choose a strong password and protect it since there are many password-cracking programs readily available on the Internet and passwords are the key to access many computer systems or applications. A strong password makes it reasonably difficult to guess the password in a short period of time either through human guessing or the use of automated password cracking programs.
Choosing a Strong Password
The following are general recommendations for creating a Strong Password:
A Strong Password should
- Be at least 8 characters in length
- Contain both upper and lowercase alphabetic characters (e.g. A-Z, a-z)
- Have at least one numeric character (e.g. 0-9)
- Have at least one special character (e.g. ~ ! @ # $ % ^ & * ( ) - _ + =)
A Strong Password should not
- Spell a word or series of words that can be found in a standard dictionary
- Spell a word with a number added to the beginning and/or the end
- Be based on any personal information such as user id, family name, pet, birthday, etc.
- Be based on a keyboard pattern (e.g. qwerty) or duplicate characters (e.g. aabbccdd)
Use a passphrase or a nonsensical word
A passphrase could be a lyric from a song or a favorite quote. An example of a strong passphrase is “Superman is $uper str0ng!”. A nonsensical word can be built using the first letter from each word in a phrase (e.g. C$200wpG. represents "Collect $200 when passing Go."). These typically have additional benefits such as being longer and easier to remember.
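As an added example (not part of the original page), the following Python script turns the "should" and "should not" rules above into a checker that reports every rule a candidate password breaks, and builds a nonsensical word from a phrase the way the C$200wpG. example does. The dictionary and keyboard-pattern lists are constructed samples, the `personal` parameter is an assumed way of supplying terms such as a user id or pet name, and the reading of the acronym rule (keep tokens like $200 whole, keep a word's trailing punctuation) is an assumption that reproduces the page's example.

```python
"""Check a candidate password against the strength rules listed above (added example)."""
import re

# Constructed sample dictionary; a real deployment would load a full wordlist.
DICTIONARY = {"password", "superman", "collect", "welcome", "letmein", "dragon", "monkey"}
# Constructed keyboard patterns to reject (the page's example is qwerty).
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "qazwsx")
# The special characters the page lists as examples.
SPECIALS = set("~!@#$%^&*()-_+=")


def check_password(password, personal=()):
    """Return a list of rule violations; an empty list means the password
    satisfies every rule on this page.  `personal` (assumed parameter) holds
    terms such as the user id, family name or pet name that must not appear."""
    violations = []
    if len(password) < 8:
        violations.append("shorter than 8 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        violations.append("needs at least one digit")
    if not any(c in SPECIALS for c in password):
        violations.append("needs at least one special character")

    lowered = password.lower()
    # Strip digits/punctuation from both ends so "Password1!" still counts as
    # the dictionary word "password" with a number tacked on.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in DICTIONARY:
        violations.append("dictionary word, possibly with digits added at an end")
    for term in personal:
        if len(term) >= 3 and term.lower() in lowered:
            violations.append(f"contains personal information: {term}")
    if any(p in lowered for p in KEYBOARD_PATTERNS):
        violations.append("keyboard pattern")
    # Three identical characters in a row, or a password built only from
    # doubled pairs such as aabbccdd.
    if re.search(r"(.)\1\1", password) or re.fullmatch(r"(?:(.)\1)+", password):
        violations.append("duplicate characters")
    return violations


def acronym(phrase):
    """Build a 'nonsensical word' from a phrase: first letter of each plain
    word, a word's trailing punctuation kept, and tokens that do not start
    with a letter (like $200) kept whole.  This reading of the page's rule
    is an assumption; it reproduces the page's own example."""
    parts = []
    for word in phrase.split():
        if word[0].isalpha():
            tail = re.search(r"[^A-Za-z0-9]*$", word).group(0)
            parts.append(word[0] + tail)
        else:
            parts.append(word)
    return "".join(parts)


if __name__ == "__main__":
    for candidate in ("Superman is $uper str0ng!", acronym("Collect $200 when passing Go."),
                      "password1", "qwerty12", "aabbccdd"):
        problems = check_password(candidate, personal=["jsmith"])
        print(f"{candidate!r}: {'strong' if not problems else ', '.join(problems)}")
```

The checker returns the list of broken rules rather than a yes/no so that a sign-up form or help-desk tool can tell the user exactly which recommendation to fix; both of the page's examples come back with an empty list.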
Each system or application may have different password restrictions or requirements. See the section, U of M Applications, for information on selecting passwords for commonly used U of M applications.
The following are several recommendations for using passwords.
Do not share your password with anyone for any reason.
Passwords should not be shared with anyone. In situations where someone requires access to another individual’s protected resources, delegation of permission options should be explored. For example, Google Calendar allows users to delegate control of their calendar to another user without sharing any passwords.
Change your passwords periodically.
The frequency of password changes is generally based on the privilege or access level of the account. Accounts with greater privilege or access should have their password changed more frequently. If any University password has been compromised or you suspect it’s been compromised, change your passwords immediately and contact your local departmental technical staff and e-mail firstname.lastname@example.org.
Do not write your password down or store in an insecure manner.
As a general rule, you should avoid writing down your password. In cases where it is necessary to write down a password, that password should be stored in a secure location (e.g. in your wallet or in a locked file) and properly destroyed when no longer needed. Consider writing down hints, not the password. Never store a password in an unencrypted electronic file or use the "save my password" feature for important passwords.
Use a password manager with strong encryption.
Using a password manager to store your passwords is not recommended unless the password manager leverages strong encryption and requires authentication prior to use. Use a strong password/passphrase for your password manager. Maintain a backup copy of your password manager's data. Password Safe is an example of a password manager that uses strong encryption.
Avoid reusing a password.
When changing an account password, you should avoid reusing a previous password. If a user account was previously compromised, either knowingly or unknowingly, reusing a password could allow that user account to, once again, become compromised. Similarly, if a password was shared, reusing that password could allow someone unauthorized access to your account.
Avoid using the same password for multiple accounts.
While using the same password for multiple accounts makes it easier to remember your passwords, it can also have a chain effect, allowing an unauthorized person who learns one password to gain access to multiple systems. This is particularly important when dealing with more sensitive accounts such as your University Internet account, enterprise account or your online banking account. These passwords should differ from the password you use for online newspapers and other web-based accounts. Avoid using the same password for test and production systems.
Do not use automatic logon functionality.
Using automatic logon functionality negates much of the value of using a password. If a malicious user is able to gain physical access to a system that has automatic logon configured, they will be able to take control of the system and access all your information.
Log out and quit applications.
When vacating your workstation, completely log off the computer or otherwise secure your workstation from unauthorized use (e.g. locked screensaver). When vacating a public computer (kiosk or public lab), completely log out and quit the application before you leave.
Be aware of Phishing tricks.
Never provide your password over e-mail or based on an e-mail request. Hackers try to trick people into giving away their passwords and other personal information by sending fake e-mails that appear to come from common Web sites such as the University, eBay, PayPal, or a local bank. See Phishing Topic on Safe Computing for additional information.
Notify technical staff if access is no longer needed.
If you terminate your University employment or change departments, contact your technical coordinator to let them know that access is no longer needed.
Additional University of Minnesota Information
- U of M Applications (e.g., central email, Enterprise Document Management System, Electronic Grants Management System, PeopleSoft)
- Internet password must be 8-125 characters, with a mix of numbers, letters and non-alphanumeric characters. The password is checked for strength when it is set. Password expires annually.
- M Key (two-factor authentication) PINs must be 4 digits and not use simple combinations (e.g. 1234, 1111, 2222). The M Key code changes for each login, which is why two-factor authentication is stronger than reusable passwords.
- Data Security (including request forms and how to report terminations, department transfers and leave of absences)
- Securing Private Data, Computers and Other Electronic Devices Policy for authentication requirements
- Information for individuals responsible for supporting user accounts and design/implementation of systems and applications
For information on resetting your Internet password, see Internet passwords.
University of Minnesota has permission from Carnegie Mellon University to use their content on this website.