Passwords

Modified on Tue, Dec 5, 2023 at 1:21 PM


Overview

Passwords are a necessary evil, and the rules about what makes a "good password" change frequently.


Simple passwords are easy for automated programs to figure out, which led to complex password requirements.  Including things like capital letters, numbers, and symbols increases the time it would take for a brute force attack to be successful, but remembering complex passwords is difficult for most people.


NOTE: A "brute force attack" is where a system tries every possible combination of passwords in rapid succession to gain access.  You may have seen in the movies where people have tried to defeat electronic locks with a device that figures out the code in seconds.


The following graphic shows that a password should be both long and complex to be effectively "hack-proof" as far as brute force attacks are concerned.



Many systems can prevent brute force attacks by limiting the number of incorrect logon attempts within a specific period of time.  If you have ever had your account "locked out" because you entered your password incorrectly 3 or more times in a row, you have seen this kind of system in action.
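To put numbers on the two points above (length and complexity both matter, and lockouts slow guessing dramatically), here is an added example that is not part of the original article. The guess rate, the 15-minute lockout window and the sample passwords are assumptions chosen for illustration.

```python
import string

# Assumed values for illustration (not from the article):
OFFLINE_GUESSES_PER_SEC = 1e10   # attacker guessing against a stolen password database
LOCKOUT_ATTEMPTS = 3             # wrong guesses allowed per window
LOCKOUT_WINDOW_SEC = 15 * 60     # assumed time before the attempt counter resets

# Character classes a complexity policy usually talks about (space counted as a symbol).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def charset_size(password):
    """Alphabet size a brute force must cover, given the classes this password uses."""
    if not password or any(all(ch not in c for c in CLASSES) for ch in password):
        raise ValueError("expected a non-empty printable-ASCII password")
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def keyspace(password):
    """Worst-case number of candidates: alphabet size raised to the length."""
    return charset_size(password) ** len(password)

def seconds_to_exhaust(password, guesses_per_sec):
    """Time to try every candidate at a given guess rate."""
    return keyspace(password) / guesses_per_sec

def lockout_guesses_per_sec():
    """Effective guess rate when the system enforces the lockout above."""
    return LOCKOUT_ATTEMPTS / LOCKOUT_WINDOW_SEC

def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"

if __name__ == "__main__":
    # Constructed sample passwords: short/simple, short/complex, long/complex.
    for pw in ("fluffy01", "Fl#ffy01", "Fl#ffy01-Harbor-Lamp9"):
        fast = human(seconds_to_exhaust(pw, OFFLINE_GUESSES_PER_SEC))
        slow = human(seconds_to_exhaust(pw, lockout_guesses_per_sec()))
        print(f"{pw!r}: {len(pw)} chars, alphabet {charset_size(pw)}, "
              f"no lockout: {fast}, with lockout: {slow}")
```

These figures model brute force only; a password built from a guessable word plus a counter falls to wordlist guessing far sooner than the worst-case numbers suggest.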


Password Management

It is recommended to use a password generator when creating and resetting passwords, and to never use the same password twice.  This means don't use the same password for several different systems.


NOTE: Do not re-use your passwords EVER.  Do not use them on more than one site.  Do not use patterns like petname00, petname01, petname02... as they are very easy to guess.


You can use password keepers like Dashlane or LastPass to manage your passwords.  Both of these products connect to your web browser and can fill in the username and password for you.  This lets you generate long, complex passwords that you do not have to remember or type in.


However, some systems - like logging in to your IUPAT-issued laptop - require you to type in that password every time you access it.  You will want to use a long, complex password that you can easily remember as you will be typing it in nearly every day.


NOTE: A decent site for generating easy to remember long passwords that meet most complexity requirements can be found at https://www.correcthorsebatterystaple.net/index.html

Is my email address or password in a breach?

The reality is that the longer you have and use your email address to sign up for services, newsletters, systems, etc., the more likely it is that it will be involved in a data breach.


Password managers like LastPass can identify passwords you've stored that have been reused in multiple sites or have appeared in data breaches.



It is recommended that you check any email address you have - both personal and professional - on a regular basis to see if it has appeared in a known data breach.  


One site we recommend is https://haveibeenpwned.com/


MultiFactor Authentication

Another way to protect systems from unauthorized access is MultiFactor Authentication (MFA).  MFA (also known as two-factor authentication, or 2FA) combines a password with something else - like a code you have in your possession, or a biometric like your fingerprint - to prove your identity so that you can access the system.


You may already be familiar with having to supply, in addition to your password, a code that you've received via text.  You may have an authenticator app on your phone that can generate codes or can receive a "push" that you respond to.


There are now more secure versions of the "push" where, in addition to responding to the push, you might have to enter a code or choose a specific number from a list of numbers to further prove your right to access the system.


MFA adoption will become increasingly common as an additional layer of defense to protect sensitive data.
