A Few Password Best Practices

John Knights —  October 19, 2013

The theme for this year’s National Cyber Security Awareness Month is “Our Shared Responsibility,” which aims to inform everyone of their role in making sure we are all using the Internet in a safer and more secure manner. One area that security professionals tend to focus on is how we authenticate to all the services and accounts we utilize through the Internet. To authenticate to these services, we typically use two components, a username and password. Whether it is a site that simply offers more information to those that subscribe or banking sites, we need to follow best practices when creating and maintaining these passwords. The following is a list of the top suggested best practices.


  1. Use complex passwords. It is key to make passwords hard to guess and hard to crack. To make sure your password is strong and hard to break, make sure it:
  • Is at least 8 characters long
  • Does not match any of your previous 6 passwords
  • Does not contain your username, first name, or last name
  • Contains a character from 3 of the following 4 groups
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Numerals (0 through 9)
    • Non-alphabetic characters ($ % ^ &)
  2. Never give anyone your password. Remember, DTS will never ask you for your password, and neither will most service providers, as a matter of policy and practice.
  3. Use a different password for every service or site you use. The main reason to do this is to minimize the potential impact if one of your accounts is compromised. For example, if you use the same password for Amazon, Outlook, and Twitter, an attacker who compromises one of them has compromised all three. If each site has its own password, a compromise on one site only requires you to address that site.
  4. Store your passwords securely. So you’re using different, complex passwords for each site. Now you need to manage them, and writing them down is not a good practice: a simple search of your computer for an unencrypted file, or of your desk for passwords written on Post-It notes, can compromise all of your accounts. You can use a password-protected Excel spreadsheet, which encrypts the file, but it is not convenient. A simple and convenient approach is the best way to make sure you stick with these best practices. A few password managers that are always near the top of the lists are LastPass, 1Password, and KeePass. Some are free, others are not. The price usually determines ease of use and flexibility more than security. Just make sure whichever one you decide to use is from a reputable company or organization and works across all the devices you use to access your accounts over the Internet.
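The complexity rules in item 1 are easy to state but easy to get subtly wrong when enforced in software, so here is an added example (not code from the original post or from DTS) that checks a candidate password against all of them: minimum length, the 3-of-4 character groups, the username/first-name/last-name exclusion, and the "no reuse of the previous 6" rule. Two assumptions are made that the post does not spell out: "non-alphabetic characters" is read as any character that is neither a letter nor a digit, and the password history is kept as salted PBKDF2 digests (with a hypothetical iteration count chosen for the demo) rather than plaintext, so that the history store itself does not become the weak point the post warns about in item 4.

```python
import hashlib
import hmac
import os
import string

# Policy constants taken from the post's rules.
MIN_LENGTH = 8
HISTORY_DEPTH = 6
REQUIRED_GROUPS = 3

# PBKDF2 settings for the password-history store. These are hypothetical
# choices for this example; a real deployment would tune the iteration count.
HASH_ALGO = "sha256"
HASH_ITERATIONS = 20_000


def count_character_groups(password: str) -> int:
    """Count how many of the four groups (upper, lower, digit, symbol) appear.

    'Symbol' is assumed to mean any character that is neither a letter nor a
    digit, which is our reading of 'non-alphabetic characters ($ % ^ &)'."""
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_digit = any(c in string.digits for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return sum((has_upper, has_lower, has_digit, has_symbol))


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest, so the history store never holds plaintext."""
    return hashlib.pbkdf2_hmac(HASH_ALGO, password.encode("utf-8"), salt, HASH_ITERATIONS)


def remember_password(history: list, password: str) -> None:
    """Append a fresh (salt, digest) pair for a newly accepted password."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def matches_recent_password(password: str, history: list) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH passwords.

    The history list is assumed to be in chronological order, oldest first,
    so only the trailing HISTORY_DEPTH entries are compared."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            return True
    return False


def check_password(password, username="", first_name="", last_name="", history=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if count_character_groups(password) < REQUIRED_GROUPS:
        problems.append(f"uses fewer than {REQUIRED_GROUPS} of the 4 character groups")
    # Name checks are case-insensitive substring matches.
    lowered = password.lower()
    for label, value in (("username", username), ("first name", first_name), ("last name", last_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains your {label}")
    if matches_recent_password(password, list(history)):
        problems.append(f"matches one of your previous {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample data for a demonstration run.
    history = []
    remember_password(history, "Autumn#2012x")
    for candidate in ("password", "Short1!", "JohnKnights1", "Autumn#2012x", "Tr0ub4dor&3"):
        result = check_password(candidate, "jknights", "John", "Knights", history)
        print(f"{candidate!r}: {result or 'OK'}")
```

Each rule is reported separately so a user is told everything that is wrong with a candidate at once, rather than fixing one violation only to be rejected for the next. The history comparison uses `hmac.compare_digest` so that the check does not leak timing information about how far a digest matched.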

If you have any questions or comments about what was covered today or in any of the previous posts, please contact us at infosecurity@wit.edu.

John Knights