Overview
Incident Response
- What Is a Security Incident?
- Incident Response Protocol
- Data Breach Notification
- Copyright Complaint
- Harassment
Passwords are the key to many systems and applications. Your password helps to prove who you are, ensure your privacy, and protect the privacy of data you may have access to.
Compromised passwords are one of the means by which unauthorized people gain access to a system. Someone logging on under your name has access not only to your computer files, but may also have access to your personal information (e.g. benefits, bank information) and may impersonate you to send malicious e-mail.
Many times you are requested to choose and maintain a password for various purposes (e.g. sign on to a file server, access your e-mail, use a password protected screensaver).
At the University of Minnesota, there are two widely used passwords: Internet and M Key. These passwords allow access to important University systems (e.g. central e-mail, myU, some department Web pages, PeopleSoft , Electronic Grants Management System, Enterprise Document Management System).
It's important to choose a strong password and protect it since there are many password-cracking programs readily available on the Internet and passwords are the key to access many computer systems or applications. A strong password makes it reasonably difficult to guess the password in a short period of time either through human guessing or the use of automated password cracking programs.
The following are general recommendations for creating a Strong Password:
A Strong Password should
A Strong Password should not
Use a passphrase or a nonsensical word
A passphrase could be a lyric from a song or a favorite quote. An example of a strong passphrase is “Superman is $uper str0ng!”. A nonsensical word can built using the first letter from each word in a phrase (e.g. C$200wpG., represents "Collect $200 when passing Go."). These typically have additional benefits such as being longer and easier to remember.
Each system or application may have different password restrictions or requirements. See the section, U of M Applications, for information on selecting passwords for commonly used U of M applications.
The following are several recommendations for using passwords.
Passwords should not be shared with anyone. In situations where someone requires access to another individual’s protected resources, delegation of permission options should be explored. For example, Google Calendar allows users to delegate control of their calendar to another user without sharing any passwords.
The frequency of password changes is generally based on the privilege or access level of the account. Accounts with greater privilege or access should have their password changed more frequently. If any University password has been compromised or you suspect it’s been compromised, change your passwords immediately and contact your local departmental technical staff and e-mail abuse@umn.edu.
As a general rule, you should avoid writing down your password. In cases where it is necessary to write down a password, that password should be stored in a secure location (e.g. in your wallet or in a locked file) and properly destroyed when no longer needed. Consider writing down hints, not the password. Never store a password in an unencrypted electronic file or use the "save my password" feature for important passwords.
Using a password manager to store your password is not recommended unless the password manager leverages strong encryption and requires authentication prior to use. Use a strong password/passphrase for your password manager. Maintain a back up copy of your password manager. Password Safe is an example of a password manager that uses strong encryption.
When changing an account password, you should avoid reusing a previous password. If a user account was previously compromised, either knowingly or unknowingly, reusing a password could allow that user account to, once again, become compromised. Similarly, if a password was shared, reusing that password could allow someone unauthorized access to your account.
While using the same password for multiple accounts makes it easier to remember your passwords, it can also have a chain effect allowing an unauthorized person to gain unauthorized access to multiple systems. This is particularly important when dealing with more sensitive accounts such as your University Internet account, enterprise account or your online banking account. These passwords should differ from the password you use for online newspapers and other web-based accounts. Avoid using the same password for test and production systems.
Using automatic logon functionality negates much of the value of using a password. If a malicious user is able to gain physical access to a system that has automatic logon configured, they will be able to take control of the system and access all your information.
When vacating your workstation, completely log off the computer or otherwise secure your workstation from unauthorized use (e.g. locked screensaver). When vacating a public computer (kiosk or public lab), completely log out and quit the application before you leave.
Never provide your password over e-mail or based on an e-mail request. Hackers try to trick people into giving away their passwords and other personal information by sending fake e-mails that appear to come from common Web sites such as the University, eBay, PayPal, or a local bank. See Phishing Topic on Safe Computing for additional information.
If you terminate your University employment or change departments, contact your technical coordinator to let them know that access is no longer needed.
For information on resetting your Internet password, see Internet passwords.
University of Minnesota has permission from Carnegie Mellon University to use their content on this website.