Passwords

Passwords are an important aspect of computer security. They are the defensive frontline that provides protection for your user account. A poorly chosen password equates to a weak frontline, and may result in the theft of your user account. A stolen user account could then be utilized to expose other network resources within the University. Therefore, all UWO faculty, students, and employees (including contractors and vendors with access to UWO systems) are responsible for ensuring their accounts are protected by secure passwords.


Why Should I Care about Password Security?

Your unique name, or user ID, allows you to access the resources and services associated with Western University's network. Every time you connect, you are challenged for a string of characters known as your password for validation purposes. If someone else determines your password, they can effectively assume your electronic identity. That individual then has full access to your files, your email, personal information, and more. This intruder could modify or destroy your files, send threats via email in your name, or subscribe to unwanted services for which you'd have to pay. In short, an insecure password can easily wreak havoc in your life.

Password Guidelines

Follow Western's guidelines for passwords. These guidelines can be found at: Western's Password Policy, and should be used for all your accounts.

Remember to:

  • Use Safe and Secure Passwords
    • Make use of passwords that lock your system before the Operating System can start (BIOS passwords)
    • Enable the password locking feature of the screensaver
    • Passwords alone should not be your only defense. Always try to use as many security methods as possible, including encryption of data (see: Encryption)
  • Do Not Reuse Passwords
    • Do not use the same password for everything you need a password for
    • Do not use your work password for your personal banking password, etc.

Characteristics of a Strong Password

  • Strong passwords are required for all accounts and should be at least 8 characters long, contain a mixture of upper and lower case letters, punctuation, and numeric characters
  • Where allowed, use passwords longer than 14 characters
  • Passwords should be changed every 3-6 months
  • Passwords should remain confidential and original
  • Passwords should be used just once

Password Caveats (Should Not)

Passwords should not be shared, emailed, or written down.
Passwords should not be a word found in the dictionary (even foreign).
Passwords should not contain any form of your name or user ID.
Do not use obvious passwords like "password", "guest", "user" or "admin".
Do not use personal information such as names of your family members or pets, your date of birth, social insurance number, or other similar information as part of a password, even in combination with other characters.
Do not use common words or acronyms, whether spelled forward or backwards.
Do not re-use the same password across different services or accounts.
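
The rules in "Characteristics of a Strong Password" and the caveats above can be expressed as a simple checker. This is an added example, not Western's own tooling; the function name `check_password`, the `personal_info` parameter, and the small sample word list are assumptions made for illustration.

```python
import string

# Obvious passwords named in the guidelines above.
OBVIOUS = {"password", "guest", "user", "admin"}
# Constructed sample dictionary; a real check would load a full word list.
SAMPLE_WORDS = {"welcome", "dragon", "monkey", "sunshine", "western"}


def check_password(password, user_id, personal_info=()):
    """Return a list of guideline violations; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    # Required mixture: upper case, lower case, numeric and punctuation.
    classes = {
        "upper case letter": any(c.isupper() for c in password),
        "lower case letter": any(c.islower() for c in password),
        "numeric character": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append("missing " + name)
    # No form of the user ID anywhere in the password.
    if user_id and user_id.lower() in lowered:
        problems.append("contains user ID")
    # Personal information is rejected even when combined with other characters.
    if any(item and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")
    # Strip digits and punctuation so "Nogard#42!" is still seen as "nogard",
    # then compare against each word spelled forward and backward.
    letters = "".join(c for c in lowered if c.isalpha())
    if any(letters in (w, w[::-1]) for w in OBVIOUS | SAMPLE_WORDS):
        problems.append("obvious or dictionary word (forward or backward)")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Nogard#42!", "Tr4il-Mix&Kettle"):
        print(candidate, "->", check_password(candidate, "jdoe", ["Rex"]))
```
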

Protecting Yourself Against Password Loss

  • DO NOT record your password on a post-it note stuck to your monitor or slid under your keyboard
  • If you have a secure location such as a safe or a safety deposit box, you may want to store a written copy of your passwords there. Do not record your User ID in the same location
  • Log off your computer at the end of the day
  • Avoid using password-saving features such as Microsoft's Auto Complete feature
  • Use a password-protected screen saver if you leave your computer, even for a few minutes
  • If you think your password has been compromised, change it immediately
  • Remind everyone in your work area to change their passwords if someone in the group is suddenly put on disciplinary leave or is fired

Writing Down Your Passwords

There is a rule of thumb in the security community that one should never write down a password, because writing down a password increases the risk of it falling into the wrong hands. However, the policy we enforce is such that it is often difficult to remember a password. The requirement for remembering more than one password further complicates the situation. If this is the case, then you could record them, but make sure that they are stored in a secure place. White boards, sticky notes on your monitor, and notes under your keyboard are not considered secure. Passwords should never be recorded with your user ID, just as you would never record your PIN on your bank card.

Changing Your Password

You can change your Western Identity Password at: https://wts.uwo.ca/identity/passwords/password_management_tools/changepw.html

Password Management

Security starts with you, the user. Keeping written lists of passwords on scraps of paper, or in a text document on your desktop, is unsafe because such lists are easily viewed by prying eyes (both cyber-based and human). Using the same password over and over again across a wide spectrum of systems and web sites creates the nightmare scenario where once someone has figured out one password, they have figured out all your passwords and now have access to every part of your life (system, e-mail, retail, financial, work).

Use a password manager to remember your various passwords for you. This allows you to use different passwords for every online service without having to remember every one.

Recommendations

Manage your passwords by using "Password Safe" (https://pwsafe.org/). It allows you to safely and easily create a secured and encrypted user name/password list. With Password Safe all you have to do is create and remember a single "Master Password" of your choice in order to unlock and access your entire user name/password list.

For the Mac User, manage your passwords using "1Password" (https://agilebits.com/onepassword). 1Password can create strong, unique passwords for you, remember them, and restore them, all directly in your web browser.

Creating a "Pass-Phrase"

Using a pass-phrase is an easy way to create hard-to-crack passwords that are easy to remember. Using a sentence or simply combining unrelated words makes the password very long, thus computationally difficult to brute force.
