Creating Strong Passwords or Passphrases
Strong passwords are essential for your online safety. ITS has the following password guidelines for NetID passwords, and we recommend that you follow these best practices when creating passwords for other services.
Password Guidelines
Complexity rules help you create passwords strong enough to protect your account. The following are the NetID password requirements on all newly created or changed passwords.
Minimum password length is 12 characters.
The password must contain characters from three of the following four categories:
Upper Case: A B C ...
Lower Case: a b c ...
Numbers: 1 2 3 ...
Symbols: ! @ ? ...
Reusing any of the last 10 passwords is not allowed.
Creating a password that ITS systems identify as being exposed in a data breach is not allowed.
The password must not contain 3 consecutive characters contained in your name or NetID. For example, Jonathan wouldn’t be able to use a password that contained “Jon”, “nat”, or “han”.
Don’t re-use passwords! They should be unique for each service. If one of your passwords is stolen, the compromise is contained to that one service and cannot be leveraged to exploit others.
Passphrase Overview
Passwords can be difficult to remember, especially when you have many unique ones to match different password requirements. Instead of a password, you may consider using a passphrase.
A passphrase consists of four or more random words that create a password over 12 characters in length. It can even be a sentence, so long as it is somewhat random. Below are examples of a strong passphrase:
Ethel eats fresh fish
This passphrase is 20 characters long and contains uppercase, lowercase and special characters. Using current technology, this passphrase would take 2.4 x 1024 years to crack. If your password is stolen or compromised, you can simply modify a word(s) in the existing passphrase, as shown below, or create a new passphrase.
Ethel hates fresh fish
Tom watches fresh fish
Alex likes fresh vegetables
The permutations in using a passphrase are virtually endless and easier for most people to remember.
Best Practices
You should still keep in mind the following best practices:
Do not reuse passwords for important websites.
Do not use children or pet names.
Do not use music lyrics or other well-known phrases.
Do not reuse passwords that have been compromised.
Do not simply add or increase a number at the end of a password.
You should use a password manager for your passwords. UConn offers a LastPass service to all faculty, staff, and students.
You should use two-factor or multi-factor authentication on any account that offers it. This is the best way to prevent your accounts from being misused, and it is increasingly available across wesbites including financial websites, social apps, and even gaming sites like Steam.