The University of Massachusetts Amherst

Password Security

Daylight Saving Time has just begun, and as we change our clocks we should also change our passwords. Having a strong password is important, and it is good practice to change your passwords regularly. By changing your password you can make sure that your accounts stay safe and secure.

How To Create A Strong Password

In order to have a strong password you should use a combination of lower-case and upper-case letters, numbers, and special characters. By using many types of characters your password will be harder to guess and much more secure. The password should also be at least 8 characters long; the longer the password and the more diverse its characters, the better. It is also good to avoid using dictionary words, or your name or username, as the password, even if you replace letters with different characters or reverse the order.

A common tip for creating a password is to think of a phrase and use that phrase to create your password. You should pick a phrase that is not common but that you will remember, such as “When I was little I loved going to Six Flags.” Now take this phrase and break it down into one character for each word. The example phrase would become “wiwlilgt6f”.

Next you can add even more complexity to this password by capitalizing letters and replacing letters with symbols. In the example password I could replace “i” with “!” and capitalize the w’s. The finished password would be “W!Wl!lgt6f”. This makes your password look like a random string of characters, but because you remember the phrase behind it, you will have no trouble remembering the password.

Another tip for strong passwords is to make a unique password for each of your accounts. If you use the same password for every account and one account is compromised, then every one of your accounts can become compromised.
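The rules above (length, character classes, no dictionary words or your own name, even when disguised with symbol substitutions or reversed) can be checked mechanically. The following is an added example, not code from the original post or from UMass OIT; the word list is a small constructed stand-in for a real dictionary file.

```python
import string

# Constructed stand-in for a real word list (a deployment would load a full dictionary file).
DICTIONARY = {"password", "welcome", "summer", "amherst", "letmein"}

# Undo the usual letter-for-symbol swaps so "p@$$w0rd" is compared as "password".
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(text: str) -> str:
    """Lower-case, reverse symbol substitutions, and keep letters only."""
    return "".join(ch for ch in text.lower().translate(UNLEET) if ch.isalpha())


def check_password(candidate: str, username: str = "", full_name: str = "") -> list:
    """Return the rule violations for a candidate password; an empty list means it passes."""
    problems = set()
    if len(candidate) < 8:
        problems.add("shorter than 8 characters")
    required = {
        "no lower-case letter": any(c.islower() for c in candidate),
        "no upper-case letter": any(c.isupper() for c in candidate),
        "no digit": any(c.isdigit() for c in candidate),
        "no special character": any(c in string.punctuation for c in candidate),
    }
    problems.update(name for name, present in required.items() if not present)
    # Check the normalized password and its reversal, so disguising or reversing a word does not help.
    forms = {normalize(candidate), normalize(candidate)[::-1]}
    identity = {normalize(username)} | {normalize(part) for part in full_name.split()}
    identity.discard("")
    for form in forms:
        for word in DICTIONARY:
            if word in form:
                problems.add(f"contains the dictionary word '{word}'")
        for word in identity:
            if word in form:
                problems.add(f"contains your name or username '{word}'")
    return sorted(problems)


if __name__ == "__main__":
    # The post's own two examples, plus a disguised and a reversed dictionary word.
    for pw in ("wiwlilgt6f", "W!Wl!lgt6f", "p@$$w0rd", "drowssaP1!"):
        print(pw, "->", check_password(pw, username="jsmith") or "OK")
```

The unfinished phrase password “wiwlilgt6f” fails on the missing upper-case letter and special character, while the finished “W!Wl!lgt6f” passes every rule.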

How To Remember Your Password

So now you have multiple passwords to remember and a hard time keeping them all straight. A good way to keep track of your passwords is a password manager. If you are on a Mac you have access to Keychain, which keeps track of your usernames and passwords. Keychain uses iCloud, so you can synchronize these usernames and passwords across any of your Apple devices as long as iCloud is set up on them. If you ever forget a username or password for a website, you can log in to Keychain using a 4-digit code and look up the username and password for that site.


If you are not on an Apple device, or do not want to use Keychain, then you may want to look into KeePass or SplashID Safe. Both are password managers that work across multiple platforms.

KeePass officially supports Windows, but there are also unofficial ports for Android phones and tablets, iPhones and iPads, Mac OS, Linux machines, and BlackBerry phones. To find both the official and unofficial versions of KeePass go to http://keepass.info/download.html. While KeePass unofficially supports many operating systems, SplashID Safe officially supports Windows, Mac OS, iPhones, iPads, BlackBerrys, and Android phones. SplashID Safe also synchronizes passwords across these devices wirelessly. To download any of the versions of SplashID Safe go to https://splashid.com/personal/downloads.html. With either KeePass or SplashID Safe you will need to remember only one password, the one that unlocks the password manager.

2-Step Verification

Many sites now offer 2-Step Verification for access to your account. 2-Step Verification adds an extra layer of security to your account because logging in no longer requires just your password.


This means that even if someone knows your password they cannot access your account; they also need a second form of proof that they are the owner of the account.

Google currently uses 2-Step Verification. In order to log in to your Google account from a new device you need to enter your password and then enter a verification code that is sent to your phone via text or voice call. This requires physically having the owner's device in order to log in to the account, meaning that even if another person has your password they do not have enough to log in to your account.
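To show why the password alone is not enough, here is an added example of the server side of that exchange (not Google's code or the post's own): the code is only issued after the password step succeeds, and it is accepted once, before it expires, and within a small number of tries. The five-minute lifetime, the three-attempt limit and the simulated text/voice gateway are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a texted or spoken code is valid for five minutes
MAX_CODE_ATTEMPTS = 3   # assumption: a code is thrown away after three wrong guesses


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoStepLogin:
    """In-memory server side of the password-then-code exchange; the gateway is simulated."""

    def __init__(self):
        self.accounts = {}       # username -> (salt, password hash, phone number)
        self.pending = {}        # username -> [code, expiry, attempts left]; set only after a correct password
        self.sent_messages = []  # stands in for the text/voice gateway: (phone, code) pairs

    def register(self, username, password, phone):
        salt = secrets.token_bytes(16)
        self.accounts[username] = (salt, hash_password(password, salt), phone)

    def step_one(self, username, password, now=None):
        """Step 1: verify the password; only then send a fresh one-time code to the owner's phone."""
        now = time.time() if now is None else now
        if username not in self.accounts:
            return False
        salt, stored, phone = self.accounts[username]
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[username] = [code, now + CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS]
        self.sent_messages.append((phone, code))
        return True

    def step_two(self, username, code, now=None):
        """Step 2: accept the code once, before it expires, and within the attempt limit."""
        now = time.time() if now is None else now
        pending = self.pending.get(username)
        if pending is None or now > pending[1]:
            self.pending.pop(username, None)  # nothing issued, or the code has expired
            return False
        if not hmac.compare_digest(pending[0].encode(), code.encode()):
            pending[2] -= 1
            if pending[2] <= 0:
                del self.pending[username]
            return False
        del self.pending[username]  # single use: a code that has been seen once cannot be replayed
        return True
```

Someone holding only the password never gets past step two, and someone who intercepts one code cannot reuse it or guess another within the attempt limit.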

Video: Apps at UMass Amherst: Setup 2-Step Authentication (http://www.youtube.com/watch?v=sYeJ2RL0mxc)

A lot of sites currently have some form of 2-Step Verification, among them Google, Facebook, Dropbox, Xbox Live, Yahoo! Mail, Amazon, and WordPress. For each of your online accounts you should check whether 2-Step Verification is available and, if so, enable it. This will make your account more secure and less likely to be compromised.

Resources

KeePass: remember just a single password and encrypt all others

http://splashdata.com/splashid/

http://support.apple.com/kb/HT5813

http://www.oit.umass.edu/support/accounts/safe-password-tips

https://www.oit.umass.edu/policies/oit-policy-complex-passwords


http://www.oit.umass.edu/support/accounts/account-password-rules

http://www.google.com/landing/2step/

http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two+factor-authentication-right-now