In many ways a password equals a signature, or in information technology terms, required credentials. Logging in to an electronic resource with a userID and password certifies the identity and authorization to view or use the information or system being accessed. While this may seem trivial, many people don't consider the consequences of having a password fall into the wrong hands.
In addition to stealing or discrediting an identity, there are much easier things an attacker (or maybe even a friend) could do with a password:
- Send threatening e-mail on your behalf (that appears to come from you)
- Access Web sites and, if you've enabled one-click ordering, purchase items with your credit card
- Access, modify, or delete documents stored on your computer, in your Bengal space, or on any other central file server that you have permission to access
- Use your Print Smart quota and/or charge printing jobs to your account
Be aware of these and other methods used to trick you into handing out your password. There have even been cases where individuals pretend to be IT staff and ask for your password. As a rule, do not enter your password in suspicious websites and never provide your password to anyone. Your password protects your information and no one else should ever need it. Report suspicious requests that you receive to firstname.lastname@example.org. If you think you’ve fallen victim to one of these scams, please reset your password immediately.
Password Types and Requirements
All MU and UM System employees must change their password annually. Employees of the University Hospital and Clinics and the Schools of Health Professions and Medicine must reset their password every 180 days. This mandatory password change will ensure all user passwords meet current security requirements as well as comply with best practices for password duration.
There are three types of passwords that can be used; Traditional Passwords, Passphrases, Paraphrases. Passphrases are the preferred method due to their ease of use and increased security.
Traditional passwords are one string of characters that meets the following requirements:
Must have eight to 26 characters and include at least one character from at least three of the following:
- Lowercase letters: a - z
- Uppercase letters: A - Z
- Digits: 0 - 9
- Special characters: ? . , _ - ~ + = $ !
A password cannot:
- Be a word found in the dictionary
- Be the same as your PawPrint
- Contain MU-related terms (tiger, Truman, Jesse, etc.)
- Contain spaces or symbols other than the special characters above
- Contain personal or directory information (Social Security number, employee ID, etc.)
An alternative to using a “password” is to use a “passphrase”. A passphrase is a sequence of words strung together to create a "password". To do this, you need to erase your traditional thoughts of building a password. Instead of worrying about how many characters your password needs to have, consider multiple words that can be combined to make a phrase. A passphrase is made up of four or five short words, put together in a way that makes sense to you. While your “password” may be longer (which makes it more secure), it will be easier for you to remember. Here are some examples:
"My dog just turned eight." = "MyDogJustTurn-D8"
"Look at all the snow today!" = "LookatAlltheSnow2day!"
"I love to go fast in my car!" = "Ilove2goFastInMyCar!"
Passphrases must meet all of the requirements of Traditional Passwords. One final tip, you should choose a phrase that you can easily remember; however to increase security avoid common phrases, lyrics, titles, and quotations. Your passphrase should be words that you put together and have meaning to you.
Another easy way to form a secure password that you can easily remember, it is to think of a phrase, song, poem, or sentence and use the first letter from each word. For example:
"I have owned my dog for 5 years!" = "Ihomdf5y!"
Paraphrases must meet all of the requirements of Traditional Passwords. There are also specific things you should avoid when choosing a password, including the following:
- Simple keyboard patterns such as "qwerty" or "12345678". These generic patterns are easily guessed.
- Well-known phrase mnemonics such as "ROYGBIV" (colors of the rainbow) or "WYSIWYG" (what you see is what you get) are easily guessed.
- "Password" or "Secret". This may seem like something that no one would ever do, however, during a password scan in 2003 the Division of Information Technology identified approximately 300 users on campus with one of these as their passwords.
Don't record passwords any place they would be vulnerable.
This includes cellular phones and other electronic devices. It also includes a sticky note taped to your monitor pasted under your keyboard. These are common places where people keep their passwords written down and also common places where people would look to find yours. It is also a bad idea to choose the option to save your password when visiting Web sites or setting up an e-mail client — it is much more secure to enter the password again each time you visit.
Watch for signs of misuse, such as:
o A sent e-mail you did not create. If you notice an e-mail in your "Sent Items" folder that you do not remember writing or sending, it could be a sign that someone else has accessed your account.
o New icons, programs, files, or start menu items you did not create or install. Sometimes this can mean that you are a victim of spyware. However, this can also mean that someone has accessed your computer and made changes to its settings.
o Noticeable performance degradation. This is a possible sign of a password compromise, because a hacker could access your machine and cause some program or file to be running in the background, thus taking up computing capacity.
These can also be signs of various other problems, such as a worm/virus infection or a hardware issue. However, it's best to check everything out to make sure that you can identify what is causing the symptom. IT Tech Support can assist you with any questions you may have.
If a password has been compromised or suspicious activity is occurring, change the password immediately and report the incident.
Last updated: August 24, 2016