Strong Passwords Lead to Peace of Mind

by Randy Hollowell, IT Services

The first line of defense for a solid cyber security profile is strong passwords for all online accounts. Why is that? Because often that is all that stands between all of your online information and the “bad guys” who spend their days trying to get to that information.

Since the introduction of Duo to University systems, Miami requires that you change your password every 180 days, or five years, depending on how complex a password you choose. All passwords must have at least 8 characters that include both upper and lowercase letters and at least one number. To qualify for the five-year reset, the password must have at least 10 characters and add at least one special character (for example: <, ?, +, %) to the basic requirements.

Even though those are the basic requirements, there are other things you should know about choosing a safe, strong password. We have all seen how those sending phishing email messages are getting smarter and smarter in how they design their messages (see Top 3 Ways to Avoid Phishing Scams) and the same is true of password crackers. Their skills in “breaking” a password have developed, changing what constitutes “strong.” For example, experts used to advise substituting special characters or numbers for letters – like $ for s or 3 for e. Newer cracking techniques can recognize these substitutions – rendering them useless.

So, how does a person choose a good password? The “do” list is short these days and the “don’t” list grows constantly. 

When setting a password, DO:

  • Consider using a password manager like LastPass or Dashlane
  • Make sure (if you don’t use a password manager) that your password is memorable
  • Create a passphrase. A phrase like “TheduckFliesatMidnight” is much stronger than “Pa55word!”, for instance, even though it’s technically less complex.
  • Whenever possible set up an additional factor for authentication (i.e., Duo)
  • Stay on top of the changing “Don’t List” for strong passwords by Googling “setting a strong password” or going to the Tips page of the Information Security Office website

When setting a password, DON’T:

  • Use any word found in any dictionary
  • Just add a number before or after a word (jeep4, 32zebra)
  • Simply double a word (catcat), spell a word backward (tac), or add an “s” (cats)
  • Substitute common numbers/symbols for letters, like 3 for E, 0 for O, etc.
  • Use common numeric or letter sequences (QWERTY, 911)
  • Use personal identifiers like your name, birthday, anniversary, SSN, pet names, phone #
  • Just remove vowels and/or spaces from a phrase
  • Use popular culture references like names of books, characters, bands, sports team names, etc.
  • Use the word “password”. Surprised this is on the Don’t list? Check this list of the Top 200 Passwords of 2020.
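
To see why meeting the complexity rules is not the same as being strong, here is a short checker, added as an illustration and not an official Miami or IT Services tool, that reports the reset tier described above and which DON'T-list patterns a password matches. The word list, the extra substitutions beyond $, 3 and 0, and the function names are assumptions made for the demo.

```python
import re

# Constructed mini wordlist for the demo; a real check would load a full dictionary.
WORDS = {"password", "jeep", "zebra", "cat"}
# Substitutions named in the article ($ for s, 3 for e, 0 for o) plus a few similar ones (assumed).
LEET = str.maketrans({"$": "s", "3": "e", "0": "o", "5": "s", "@": "a", "1": "l"})
SEQUENCES = ("qwerty", "911")  # the article's two examples

def reset_tier(pw):
    """Reset interval under the article's policy, or None if the basics are not met."""
    basic = (len(pw) >= 8 and re.search(r"[a-z]", pw)
             and re.search(r"[A-Z]", pw) and re.search(r"\d", pw))
    if not basic:
        return None
    special = re.search(r"[^A-Za-z0-9]", pw)
    return "5 years" if len(pw) >= 10 and special else "180 days"

def _core(s):
    """Strip digits and symbols stuck on the front or back of a candidate."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s)

def dont_list_hits(pw):
    """Return which DON'T-list patterns a password matches."""
    low = pw.lower()
    core, deleet = _core(low), _core(low.translate(LEET))
    half = core[: len(core) // 2]
    hits = []
    if core in WORDS:
        hits.append("dictionary word" if core == low else "number/symbol added to a word")
    elif deleet in WORDS:
        hits.append("number/symbol substituted for a letter")
    elif core[::-1] in WORDS:
        hits.append("word spelled backward")
    elif half in WORDS and core == half * 2:
        hits.append("doubled word")
    elif core.endswith("s") and core[:-1] in WORDS:
        hits.append("word plus s")
    if any(seq in low for seq in SEQUENCES):
        hits.append("common sequence")
    return hits

if __name__ == "__main__":
    for pw in ("Pa55word!", "Zebra2020!!", "jeep4", "catcat", "tac", "cats", "QWERTY"):
        print(f"{pw!r}: tier={reset_tier(pw)}, hits={dont_list_hits(pw)}")
```

“Pa55word!” qualifies for the 180-day tier and “Zebra2020!!” for the five-year tier, yet both are flagged, because undoing the substitution or trimming the added digits leaves a plain dictionary word.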

And, once you set your password, remember:

  • Never use the same password for more than one site or account
  • Never share your password
  • Don’t physically post your password on or around your monitor
  • Don’t use “Remember Me” on ANY computer or mobile device

Remember, the password(s) you choose determine how safe the online information you manage remains. Investing a small amount of time in choosing wisely can mean fewer headaches in the future and maybe even keep Miami out of the headlines!

October is NCSAM

Each October, we celebrate National Cyber Security Awareness Month by publishing safety tips, reminding Miami to stay vigilant in their internet use habits, and keeping everyone in the know about current scams. Check IT News for more information about staying Cyber Aware as NCSAM continues.

And remember: “Do Your Part. #BeCyberSmart.”