May 2017: Step Up to Stronger Passwords

Campus Security Awareness Campaign 2017
This post is part of a larger campaign designed to support security professionals and IT communicators as they develop or enhance their security awareness plans. View all 12 monthly blog posts with ready-made content by visiting www.educause.edu/securityawareness.

Weak and reused passwords continue to be a common entry point for account or identity takeover and network intrusions. Simple steps and tools exist to help your end users achieve unique, strong passwords for their dozens of accounts. Help your community members improve their individual and collective security by sharing the following tips.

Get the Word Out

Newsletter or Website Content

A password is often all that stands between you and sensitive data. It’s also often all that stands between a cybercriminal and your account. Below are tips to help you create stronger passwords, manage them more easily, and take one further step to protect against account theft.

  • Always: Use a unique password for each account so one compromised password does not put all of your accounts at risk of takeover.
  • Good: A good password is 10 or more characters in length, with a combination of uppercase and lowercase letters, plus numbers and/or symbols — such as pAMPh$3let. Complex passwords can be challenging to remember for even one site, let alone using multiple passwords for multiple sites; strong passwords are also difficult to type on a smartphone keyboard (for an easy password management option, see “best” below).
  • Better: A passphrase uses a combination of words to achieve a length of 20 or more characters. That additional length makes it exponentially harder for attackers to crack, yet a passphrase is easier for you to remember and more natural to type. To create a passphrase, pick four or more words at random from a dictionary or word list (random selection is what gives the passphrase its strength; a song lyric or a phrase about yourself is guessable), mix in uppercase letters, and add a number or symbol to make it even stronger — such as rubbishconsiderGREENSwim$3. You’ll still find it challenging to remember multiple passphrases, though, so read on.
  • Best: The strongest passwords are created by password managers — software that generates and keeps track of complex and unique passwords for all of your accounts. All you need to remember is one complex password or passphrase to access your password manager. With a password manager, you can look up passwords when you need them, copy and paste from the vault, or use functionality within the software to log you in automatically. Best practice is to add two-step verification to your password manager account. Keep reading!
  • Step it up! When you use two-step verification (a.k.a., two-factor authentication or login approval), a stolen password on its own doesn’t result in a stolen account. Anytime your account is logged into from a new device, you receive an authorization check on your smartphone or other registered device. Without that second piece, a password thief can’t get into your account. It’s the single best way to protect your account from cybercriminals.
[Figure 1. Long and Strong Passwords poster graphic. Source: STOP. THINK. CONNECT. Long and Strong Passwords poster. Use this image to support your message.]

Social Posts

Note: These are Twitter-ready, meeting the 140-character length restriction.

  • Step up your #password protection with two-step verification! http://www.lockdownyourlogin.com/ #LockDownURlogin #StrongPasswords #CyberAware
  • Create long and strong #passphrases by choosing 4 or more words & mixing in numbers or symbols. #StrongPasswords #CyberAware
  • Let the manager handle it. Use a #password manager to create & store online passwords securely. http://www.educause.edu/library/resources/password-managers #StrongPasswords
  • Coffee and #passwords — both should be strong and complex. #StrongPasswords #CyberAware
  • Are you protecting your social media accounts with two-step verification? #LockDownURlogin #StrongPasswords #CyberAware
  • Size matters with #passwords! #StrongPasswords #CyberAware

E-Mail Signature

Ask staff members to add a tip to their e-mail signature block and a link to your institution’s information security page.

Example:

Jane Doe
Chief Information Security Officer
XYZ College

Create strong passwords or passphrases for each online account. Learn more. [Link "Learn more" to your institution's password tips or link to NCSA's advice about Passwords & Securing Your Accounts.]

Embed or Share Videos

Edward Snowden talks to John Oliver about why passwords matter (2:57 min)

How to pick a strong password (2:43 min)

Keep your login safe with strong authentication (0:30 sec)

How to use two-step authentication (1:03 min)

Resources

Share these resources with end users or use them to inform your awareness strategy.


Brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC).

© 2017 EDUCAUSE. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.