Connecticut State Colleges & Universities
IT Support Center

Information Security Education and Awareness

Password Security


Overview

Password security is an important part of protecting our organization's data. Current policy (CCC, 2004) requires a password to have a minimum of 8 characters and to be strong. Changes in technology, and the speed with which passwords can now be cracked, have led to changes in the recommended minimum password strength.

The strength of a password is measured by how well it resists guessing and brute-force attacks. Password complexity is one method of creating a strong password.

We recommend using the 10-4 Rule

Passwords should contain a minimum of 10 characters that are composed of characters from each of these four groups:

  • Uppercase letters (e.g., A, B, C, Y, Z, etc.)
  • Lowercase letters (e.g., a, b, c, y, z, etc.)
  • Special characters (e.g., !, @, #, $, %, ^, &, etc.)
  • Numbers (e.g., 1, 2, 3, 4, 5, etc.)

For example, this is a strong password:  "Ird@7HPbk$"

A frequent complaint from users is that they cannot remember their passwords. Often they write passwords down or store them in a way that would be considered a security risk. One way to overcome this challenge is to use a memory technique such as a passphrase: a memorable sentence from which the password is derived.

Using the example:   "Ird@7HPbk$"
Try remembering:     "I read all 7 Harry Potter books."

Weak Passwords Contain:

  • Dictionary words (e.g., computer, work) or common names (e.g., Betty, Fred, Rover).
  • Portions of associated account names (e.g., user ID, login name).
  • Consecutive character strings (e.g., abcdef, 12345).
  • Simple keyboard patterns (e.g., QWERTY, asdfgh).
  • Generic passwords (i.e., a password consisting of a variation of the word "password", e.g., P@ssw0rd1).
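
The 10-4 Rule and the weak-password list above together describe a checklist that can be enforced automatically at password-change time. The following is an added example, not code from CSCU or its IT Support Center: it checks a candidate password against the 10-4 Rule and against each of the weak-password patterns listed on this page. The word list, the keyboard rows, the letter-for-symbol substitutions and the account name "jsmith" are all constructed for the example; a real deployment would load a full dictionary or breached-password list in place of WEAK_WORDS.

```python
"""Check a password against the 10-4 Rule and the weak-password patterns.

Added example; the word list and account name below are constructed
for illustration and are not part of any CSCU system.
"""

import string

MIN_LENGTH = 10

# Constructed stand-in for a real dictionary: the page's own examples of
# dictionary words and common names, plus "password" itself.
WEAK_WORDS = {"computer", "work", "betty", "fred", "rover", "password"}

# Keyboard rows used to detect simple patterns such as QWERTY or asdfgh.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Common symbol-for-letter substitutions undone before dictionary matching,
# so that a variant such as P@ssw0rd1 still matches "password".
LEET = str.maketrans("@$0!3|1", "asoiell")

SPECIALS = set(string.punctuation)


def _normalize(pw: str) -> str:
    """Lowercase and undo leet substitutions for pattern matching."""
    return pw.lower().translate(LEET)


def _has_sequence(s: str, run: int = 4) -> bool:
    """True if s contains `run` characters that step by +1 or -1 in
    code-point order, e.g. abcd, 12345, 6543."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def _has_keyboard_pattern(s: str, run: int = 4) -> bool:
    """True if s contains `run` adjacent keys from one keyboard row,
    in either direction (qwer, rewq, asdf, ...)."""
    s = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in s or frag[::-1] in s:
                return True
    return False


def check_password(pw: str, account_name: str = "") -> list:
    """Return the list of reasons the password is weak.

    An empty list means the password meets the 10-4 Rule and none of
    the weak-password patterns were found.
    """
    reasons = []

    # 10-4 Rule: at least 10 characters, drawn from all four groups.
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if not any(c.isupper() for c in pw):
        reasons.append("no uppercase")
    if not any(c.islower() for c in pw):
        reasons.append("no lowercase")
    if not any(c.isdigit() for c in pw):
        reasons.append("no digit")
    if not any(c in SPECIALS for c in pw):
        reasons.append("no special character")

    # Weak-password patterns.
    norm = _normalize(pw)
    if any(word in norm for word in WEAK_WORDS):
        reasons.append("dictionary word or common name")
    acct = account_name.lower()
    if acct and any(acct[i:i + 4] in norm for i in range(len(acct) - 3)):
        reasons.append("contains part of account name")
    if _has_sequence(pw):
        reasons.append("consecutive characters")
    if _has_keyboard_pattern(pw):
        reasons.append("keyboard pattern")
    return reasons


if __name__ == "__main__":
    # "jsmith" is a constructed account name for the example.
    for candidate in ("Ird@7HPbk$", "P@ssw0rd1", "JSmith2024!", "Qwerty123!"):
        print(candidate, "->", check_password(candidate, "jsmith") or "strong")
```

The page's own example "Ird@7HPbk$" passes every check, while P@ssw0rd1 is rejected both for length and as a "password" variant once the @ and 0 substitutions are undone. That second result is the practical point: meeting the four character groups alone is not a measure of strength, so the pattern checks (and, in production, a full dictionary or breached-password list) are what turn the 10-4 Rule into a useful floor.
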

Important Dos and Don'ts

  • Do not share your passwords
  • Avoid writing passwords down
  • Change your password if you think it has been compromised
  • Use different passwords for all your accounts
  • Use a Password Manager