Passwords

As more services become available online, good password hygiene and practices are more necessary than ever. Where passwords are used, they should be strong and unique, while keeping user experience in mind, to help keep your services safe.

Strong Passwords

Passwords prevent unauthorized access: they limit access to systems and information, ensuring that the right users can reach the right resources at the right time.

With single sign-on (SSO) becoming the norm, one password provides access to multiple services, so a single compromised password can expose all of them.

How to create and manage strong and effective passwords

Your passwords or passphrases should be easy to remember but difficult to guess. A passphrase serves the same purpose as a password but consists of a sequence of words or other text that a user can more easily memorize. A passphrase is typically longer than a password, for added security. The terms "password" and "passphrase" are often used interchangeably.

Strong passwords and passphrases should always be balanced with user experience to avoid forcing users to write down their password/passphrase or pick an overly simple one that is easy to memorize.

Do use complex passwords or passphrases. Complexity helps thwart password crackers or brute-force attacks that attempt to guess your password.

  • Use upper- and lower-case letters, numbers and special characters
  • Do not include words that can be found in the dictionary – instead, use random characters
  • Avoid using proper names or popular slang – these often appear in custom attacker dictionaries
  • If using a passphrase, pick a phrase that you can remember but replace some of the letters with numbers or special characters. For example, “the quick brown fox” becomes “Th3Qu!ckBrnFX#”
  • Do use a unique password/passphrase for each system, device or platform
  • Do not reuse passwords/passphrases for multiple accounts. If one website gets hacked and you’ve used the same password for other sites, a threat actor can use the breached password to gain access to your other accounts
  • Do not update your passwords/passphrases according to an easy-to-detect pattern (e.g., incrementing a number in one part of the password each time it is changed). If an older password/passphrase is ever compromised, using patterns will make it easier for someone malicious to guess your new one
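The rules above are the kind of checks an organization enforces at password-change time. The following is an added example, not code from the original page, showing how a defender might implement them: it checks character classes, looks for dictionary words and proper names, and flags a new password that repeats or merely re-numbers an old one. The minimum length of 14, the tiny word and name lists, and the function names are all assumptions made for the example; a real deployment would load full wordlists and breached-password data instead.

```python
import re
import string

# Constructed stand-ins for the dictionary and name lists a real check would load
# from files (assumed values, not from the original page).
COMMON_WORDS = {"password", "welcome", "summer", "quick", "brown", "dragon"}
PROPER_NAMES = {"john", "mary", "alice", "robert"}

MIN_LENGTH = 14  # assumed threshold; the page gives no specific number


def character_classes(pw):
    """Report which of the four character classes the password contains."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }


def contains_listed_word(pw, words, min_len=4):
    """Return the listed words (at least min_len long) that appear inside pw.

    Short words are skipped because they match almost anything ('the', 'and')."""
    lowered = pw.lower()
    return sorted(w for w in words if len(w) >= min_len and w in lowered)


def same_skeleton(new, old):
    """True when new and old differ only in their digits, e.g. Summer2023! -> Summer2024!.

    This catches the 'increment one portion each time' pattern the guidance warns about."""
    strip = lambda s: re.sub(r"\d", "", s).lower()
    return new != old and strip(new) == strip(old)


def check_policy(pw, previous=()):
    """Return a list of policy violations for pw; an empty list means it passes.

    previous: earlier passwords for the same account (in practice these would be
    stored only as hashes, so the skeleton comparison would have to run on the
    old cleartext at change time before it is discarded)."""
    problems = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    missing = [name for name, present in character_classes(pw).items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    words = contains_listed_word(pw, COMMON_WORDS)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))

    names = contains_listed_word(pw, PROPER_NAMES)
    if names:
        problems.append("contains proper name(s): " + ", ".join(names))

    for old in previous:
        if pw == old:
            problems.append("reuses a previous password")
        elif same_skeleton(pw, old):
            problems.append("differs from a previous password only in its digits")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the page's own passphrase example, a plain
    # dictionary phrase, and a re-numbered seasonal password.
    samples = [
        ("Th3Qu!ckBrnFX#", ()),
        ("thequickbrownfox", ()),
        ("Summer2024!", ("Summer2023!",)),
    ]
    for candidate, history in samples:
        issues = check_policy(candidate, history)
        print(f"{candidate!r}: {'OK' if not issues else '; '.join(issues)}")
```

Run as a script it prints one verdict per sample. The page's substituted passphrase passes every rule here, the plain dictionary phrase fails on character classes and wordlist hits, and the re-numbered password is caught by the skeleton comparison even though it satisfies the character-class rule.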

Do make sure your security questions for password resets are difficult to answer.

Do not share your password/passphrase with friends, colleagues, or even your manager. Your organization may also have rules against this.

Do not write down your passwords/passphrases.

Do not use ‘remember password’ or ‘remember me’ functions for systems, services, or software.

Do not create security questions that rely on information easily found on social media, such as a pet’s name or your date of birth.