University of Nebraska - Lincoln Communications and Information Technology

Password Management Best Practices

Passwords are an important aspect of computer security. They are the front line of protection for sensitive data, network access, and e-mail access. Passwords are also used on many websites merely to gain access to news articles and other information.

Passwords need to be strong (not easily guessed) and easily remembered. So, with the need for more and more passwords, how do you create another good password that you will keep secure by never writing it down? If you are curious, read on for practical tips and best-practice guidelines.

Create a strong, easy to remember password

Use a minimum of 8 characters.

Use a combination of letters (upper and lower case), numbers, and keyboard characters.

Do not use a dictionary word (in any language) or any commonly used word such as:

  • Name of family member, pet, friend, co-worker, fantasy character, etc.
  • Login user name, computer name, command, site, company, hardware, software.
  • Birthday and other personal information such as address and phone number.
  • Word or number pattern like aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Any of the above spelled backwards.
  • Any of the above preceded or followed by a digit (e.g., fido2, 3secret).
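The rules above can be expressed as an automated check. The following is an added example, not code from UNL or CIT; the names check_password and is_pattern, the small sample deny list, and the choice to require all four character classes are assumptions made for illustration.

```python
import re

# Constructed sample deny list: personal terms plus a tiny stand-in for a
# real dictionary file (assumption: a deployment would load a full word list).
SAMPLE_DENY = {"fido", "secret", "nebraska", "jsmith", "password"}
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "abcdefghijklmnopqrstuvwxyz", "01234567890")

def is_pattern(s):
    """True for runs (qwerty, zyxwvuts), palindromes (123321) or aaabbb."""
    if len(s) >= 4 and any(s in r or s in r[::-1] for r in KEYBOARD_RUNS):
        return True
    if len(s) >= 4 and s == s[::-1]:
        return True
    # One or more blocks of a character repeated three or more times.
    return re.fullmatch(r"(?:(.)\1{2,})+", s) is not None

def check_password(pw, deny=SAMPLE_DENY):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, pw) for c in classes):
        problems.append("missing a character class")
    low = pw.lower()
    # Strip leading/trailing digits so fido2 and 3secret reduce to the word.
    core = re.sub(r"^\d+|\d+$", "", low)
    candidates = {c for c in (low, core) if c}
    # Compare each candidate and its reverse against the deny list.
    if any(c in deny or c[::-1] in deny for c in candidates):
        problems.append("dictionary or personal word")
    if any(is_pattern(c) for c in candidates):
        problems.append("word or number pattern")
    return problems

if __name__ == "__main__":
    # Constructed inputs; none of these should be used as a real password.
    for sample in ("fido2", "3secret", "terces", "123321", "Tr4il-m1x&Oak"):
        print(sample, "->", check_password(sample) or "passes")
```
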

A good way to create a strong password is to take 2 or 3 words or a phrase that is important to you and turn it into a password that is easy to remember. For example:

  • real good   >>   re@1-G0od
      (Use numbers and/or other keyboard characters instead of letters)
  • there is no place like Nebraska   >>   tinplNe6r!
      (Use the first letter of each word with the addition of number(s) and other keyboard characters)

NOTE: Do not use either of these examples as passwords!

Consider what the password is protecting

Passwords that protect access to sensitive data, e-mail account(s), or network services at work should each be unique and easy to remember.

Do not use any UNL work-related password for home or personal use.

Do not use the password(s) from your home and personal accounts for work-related resources at UNL.

Where possible, do not use the same password for various UNL and/or IANR systems.

Passwords used for Web services that only give access to the service, such as reading newspaper articles, may be reused or based on a similar pattern. The University of Chicago NSIT “Safe Computing” article has an interesting suggestion for creating passwords for these Web service access needs.

Consider your password as multiple parts: a central core of the password and a prefix and/or suffix which is specific to the service that is being protected.
For example, your core might be "gPw4", from "generic Password 4 (for)..."
If this password is to be a password for the New York Times Web Site, you might choose to add "NYt" to the beginning of the password and "n" (for "news") to the end. This would make your password: NYtgPw4n.
Your password for eBay might be eBgPw4A ("A" for "auctions").
(http://nsit.uchicago.edu/services/safecomputing/passwords/; Last updated: 1/9/08; Accessed 1/29/08)

Keep your password safe

For optimum security, do not write down your primary passwords. Make the passwords for your computer network login, Blackboard (LDAP), e-mail, bank account, etc. strong AND easy to remember.

If you must write down passwords, keep them somewhere private such as in a locked drawer or in your wallet or purse. Do not post them on your computer or anywhere around your desk.

If you store passwords in a file on any computer system (including a Blackberry or similar device), that file must be encrypted. NOTE for Lotus Notes full-client software users: You could send yourself an encrypted e-mail message with the passwords.

You may also download or purchase special software for password storage. CIT personnel have no recommendation for a specific program; however, one person has successfully used TopSecret - Password Keeper for many years and another has used Password Safe (open source software). For information on other software, do a Google search on “password management software.”

Protect your password from misuse

All passwords for UNL systems are to be treated as sensitive, confidential information. The only person you should reveal your password to is your CIT support person if needed for troubleshooting user login issues.

You should follow these guidelines to protect your password.

  • Don't reveal a password to the boss, assistant or co-worker.
  • Don't share a password with family members.
  • Don't talk about a password in front of others.
  • Don't hint at the format of a password (e.g., "my family name").
  • Don't reveal a password on questionnaires or security forms.
  • Don't reveal a password in an unencrypted e-mail message.
  • Don't use the “autosave” feature in your browser or other software.

When using public or shared computers, make sure that you do not use the “autosave” feature. Also, make sure that you log off and close the browser.

If you suspect that an unauthorized person may know one of your UNL passwords or another password protecting sensitive data, change that password immediately. If you need to change a UNL-system password, you may want to contact your CIT support person for assistance.


Institute of Agriculture and Natural Resources (IANR)
 University of Nebraska-Lincoln
 Last updated January 29, 2008