Cybersecurity

How to select, manage & protect your passwords

Last updated April 15, 2021

Hackers have dozens of tools at their disposal for cracking passwords. Simple passwords can be cracked in matter of seconds. Learn how to create strong passwords in this guide.

Weak passwords are easier to compromise than strong ones. If someone does compromise one of your passwords, and has access to the computer, application or website you used that password on, they can do whatever you can do there. For example:
If you work with human resources data, and the password you used for HR applications or websites is compromised, an unauthorized user may gain access to that data.
If your NetID password is compromised and you are a student, someone else now has the ability to drop your classes and alter your financial records.

In practice

This is an accordion element with a series of buttons that open and close related content panels.

Our password policy and standards

Read the UW–‍Madison password policy.

Read the UW–‍Madison password standard.

Password standard

To prevent unauthorized access, passwords must:

  • Be at least 8 characters long when paired with multi-factor authentication (MFA) or at least 16 characters (i.e., a passphrase) when not paired with MFA.
  • Not occur in a list of commonly used or recently compromised passwords; contain a proper name, login ID, email address, initials, first name, middle name, or last name; or have the same character repeated more than four times in a row.
  • Be changed immediately if there is a reason to believe the account has been compromised.
  • Be kept private.
  • Be entered on a system at most thirty minutes after it has been unattended.

Additionally, it is recommended that passwords:

  • Be unique for each account. To help with this, it is recommended you use a password manager.
  • Contain a mix of character types (i.e., uppercase, lowercase, numbers, and special characters).
  • Be changed periodically.
  • Be given to more than one individual for shared accounts only when it is necessary to share information resources and there is no practical way to provide each person or system a unique account to access those resources.
  • Be entered on laptops, mobile devices, and other systems located or used in public spaces after a minute or less.

How to keep your passwords safe

  • Keep your passwords private.
  • Install password security software. LastPass, KeePass, and Mac OS X Keychain are all good options.
  • Memorize your password, or, as a last resort, if written down, keep in a locked file cabinet or other secure location. Don’t reveal a password over the phone or in person to anyone. Not your boss. Not your family. Not your co-workers. If someone demands a password, refer them to this document.
  • Don’t reveal a password in an email message.
  • Dont reuse your password on multiple sites.
  • Don’t talk about a password in front of others.
  • Don’t hint at the format of a password (e.g., “my family name”).
  • Don’t reveal a password on questionnaires or security forms.
  • Don’t store passwords unencrypted online.
  • Don’t use the “Remember Password” feature of applications (e.g., Outlook, Thunderbird, Evolution).
  • Don’t use the default password, if one is provided. Change it immediately to a new, stronger password.

Learn more from the KnowledgeBase

Want even more info about creating and changing passwords?

Learn more about passwords

Learn more from the Office of Cybersecurity

The Office of Cybersecurity can answer any questions you may have about passwords.

Email us

Related pages

How to securely connect to the UW network

Last updated March 11, 2020

Use the following free resources to help you protect your data while on the UW network.

Line art image of a shield in a cloud with a down arrow

Stay virus-free

Windows users should active Windows Defender (Antivirus), macOS users should use their built-in protection to guard against and remove existing viruses and malware.

Recommended antivirus solutions

Line art image of a magnifying glass, x, and shield

Safeguard valuable information

Find it. Delete it. Protect it. Use Spirion (Identity Finder) to locate and protect your restricted data.

Get Spirion

Line art image of a cloud with a shield and network cables

Protect yourself on open networks with WiscVPN

VPN stands for Virtual Private Network and enables you to send and receive data across public networks securely.

WiscVPN is highly recommended when accessing UW–Madison resources and required when accessing restricted campus resources when you are using a remote connection such as private DSL or Cable Modem service, a hotel or airport connection, etc. WiscVPN service is free. You will need to download a client (Windows and Macintosh versions available) and install it.
More info about WiscVPN

Get WiscVPN

More resources

DoIT also offers a variety of remote connection methods for workgroups and departments including a LAN-to-LAN VPN and a Dedicated Circuits service. If you have questions about group remote access, contact the Help Desk at 608-264-HELP or visit us online.

Still have questions?

View the Cybersecurity page

Handling sensitive university data

Your responsibility

Last updated February 11, 2017

While performing your UW–‍Madison job, you will likely come into contact with many types of information or data, some of which may be considered sensitive (e.g., student grades, enrollment status) or restricted (e.g., social security numbers). It is important to understand your responsibilities for identifying, transmitting, redistributing, storing or disposing of this kind of sensitive information.

To handle data properly, you need to know what kind of data it is and what laws or standards, if any, might govern its use (or misuse). Some data must be kept private under laws such as FERPA (which protects many kinds of student data), HIPAA (which protects personal health information), Section 895.507 of the Wisconsin Statutes (which requires notification if a data breach occurs). Some data is governed by industry standards such as PCI (which protects credit card holder information). Some data is legally public, under laws such as the Wisconsin Open Records law. (Be careful though… just because data is subject to open records request doesn’t mean it doesn’t need to be protected!)

For further information about your responsibilities, see the UW System policy.

Data classifications

UW–‍Madison has classified its institutional data assets into risk based categories for determining who is allowed to access institutional data and what security precautions must be taken to protect it against unauthorized access and use.

Restricted

Data should be classified as restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects.  Data should be classified as restricted if:

  • protection of the data is required by law or regulation or
  • UW–‍Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed

Sensitive

Data should be classified as sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects.  Data should be classified as sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.

Internal

Data should be classified as internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects.  By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as internal data.

Public

Data should be classified as public prior to display on web-sites or once published without access restrictions; and when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates.

Best practices

  • If you work with data that has not been classified, it should be considered internal until the data owner assigns the classification.
  • Questions about classifying or handling the information should be directed to the data owner, your supervisor or IT Security. The data security triage form (.doc) can help you identity restricted data. IT Security can assist you in developing appropriate controls and processes to protect sensitive or restricted data.
  • Report the misuse or compromise of systems that handle, store or propagate restricted or internal data to the Office of Cybersecurity.
  • Question any business requirements that require the use, storage or propagation of restricted or internal data.

Data-type definitions

Restricted: Restricted information are data elements associated with a specific individual that are identified and protected by federal, state, local laws, regulations or adopted standards. Restricted information includes (but may not be limited to) the following kinds of information that can be linked to an individual:

  • Social security numbers
  • Driver’s license number or state identification number
  • Financial account number (including credit/debit card) or any security code, access code or password that would permit access to an individual’s financial account
  • Deoxyribonucleic acid profile, as defined in S. 939.74(2d)(a)
  • Unique biometric data, including fingerprint, voice print, retina or iris image or any other unique physical representation
  • Protected health information (any information about the health status, provision of health care, or payment for health care)

Risk impact: An assessment of the impact to the organization if the information is mishandled leading to the compromise of the information’s confidentiality, integrity or availability.

  • High: A high risk impact is an event that would cause severe and long-term interference with the mission of the University or a business unit, or would result in major financial loss, or would result in severe harm to an individual’s life or livelihood.
  • Moderate: A moderate risk impact is an event that would cause significant interference with the mission of the University or business unit, result in significant financial loss; or result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.
  • Low: A low risk impact is an event that would cause some interference with the mission of the University or business unit or result in minor harm to an individuals well being.

Securing your computer

Last updated January 12, 2023

UW–Madison’s Endpoint Management and Security policy (Source: policy.wisc.edu) requires devices that connect with UW–Madison online data to be actively managed and secured.

Follow the best practices in this guide to protect yourself — and to contribute to a safer computing environment for everyone.

Important!

If you work on a computer owned by UW–Madison, check with your department IT administrator before installing software or reconfiguring it.

If you are a student or you access UW resources from a home or other computer, please follow the steps below.

Follow these steps for your personal devices

This is an accordion element with a series of buttons that open and close related content panels.

Keep your devices' operating system (OS) and versions up to date

Why? Developers or others often discover vulnerabilities, or weaknesses, in a computer’s operating system (OS) or applications. These vulnerabilities provide hackers an opportunity to create malicious software (e.g., viruses, ransomware, bots, adware, worms, Trojans, etc.) that can infect your computer and steal your personal information. To counteract this, a security update (also called a “patch”) is created to fix these vulnerabilities in computer software code. So, it’s important to keep your OS and security patches up to date. Simply running an antivirus program is not enough.

How do I keep my computer updated?

It’s easy to configure your computer to automatically download and install security updates so that you don’t have to remember to do it manually. In most cases, the updates will install in the background, and you will not be asked to download and install anything. Once set up, it should be easy to ignore those fake updates or pop-up notifications generated by hackers.

How to update Windows security patches (Source: kb.wisc.edu)

How to update Mac security patches (Source: kb.wisc.edu)

Install and run free antivirus software

Faculty or staff:

  • For personal Windows devices: UW–Madison recommends you use Windows Defender (Source: kb.wisc.edu). Windows Defender is a built-in antivirus app which is automatically installed on Windows devices.
  • For personal macOS devices: Use Trend Micro (Source: kb.wisc.edu).

Students or emeritus:

  • For personal Windows devices: UW–Madison recommends you use Windows Defender (Source: kb.wisc.edu). Windows Defender is a built-in antivirus app which is automatically installed on Windows devices.
  • For personal macOS devices: Use freely available antivirus software (Source: kb.wisc.edu).

What do I need to do?

Use a firewall

A firewall is software that runs directly on a computer and protects it against attack from the network by controlling incoming and/or outgoing network traffic. Most operating systems have built-in firewalls, but you need to make sure they are turned on.

Instructions for enabling your firewall (Source: kb.wisc.edu)

Protect your NetID & password and multi-factor authentication credentials

Passwords are like passports or a blank check; if lost or stolen, they give hackers a world of opportunity by providing access to your personal, financial or work data. The campus Password policy (Source: policy.wisc.edu) helps you select strong passwords and manage them so you can protect your identity and University resources. Once you’ve read and understood the password policy, update any campus passwords that do not meet the standards. If needed, go to change your NetID password  (Source: mynetid.wisc.edu).

To help manage your passwords securely, consider using a password manager. Learn more about a free one available to campus members at Password Manager – LastPass Enterprise (Source: it.wisc.edu)

A few don’ts

  • Never share your password or multi-factor authentication credentials with anyone, not your boss, not your family, not your co-workers. Doing so is against UW System acceptable use of Information Technology resources policy (Source: wisconsin.edu) and violating it could result in suspension or criminal prosecution.
  • Never use your NetID password on any other website. If you have done so, immediately change your NetID password (Source: mynetid.wisc.edu).
  • Don’t reveal a password in an email message.
  • Don’t talk about a password in front of others.
  • Don’t hint at the format of a password (e.g., “my family name”).
  • Don’t reveal a password on questionnaires or security forms.
  • Avoid writing passwords down, but if you must, store them in a secure place (e.g., a locked file cabinet).
  • Passwords should never be stored unencrypted online.
  • Do not use the “Remember Password” feature of applications (e.g., Chrome, Safari, etc.).
  • Don’t use the default password if one is provided (hackers can locate a default password easily). Change it immediately to a new, stronger password.
  • Don’t reuse old passwords. NetID passwords cannot be reused within a 12-month period, and passwords cannot be changed to any of the previous three passwords.

Use multi-factor authentication on all personal accounts which offer it

Many personal accounts (such as financial institutions, credit cards, social media, shopping sites, etc.) offer the option of using multi-factor authentication (MFA) to help prevent hackers from getting into your account. MFA-Duo, which is required to use on campus, can also be used for adding your personal accounts. Installing MFA on your accounts helps by adding another unique layer of protection. A person trying to break into your account would need to have access to your user name, password, AND have one of your devices in their possession.

Install FREE WiscVPN to secure your wireless connection

WiscVPN software encrypts internet traffic between a home/remote personal or work computer and the campus network, allowing you to use the internet securely on open networks. It’s offered free to UW–Madison faculty, staff, and students. Learn about WiscVPN – How to install, connect, uninstall, and disconnect WiscVPN Palo Alto GlobalProtect (Source: kb.wisc.edu).

Be wary of web browser extensions

If you download a dangerous extension, you could inadvertently download malware, adware, and viruses.

What should you look for before downloading an extension?

  1. Check out the developers website to see if it’s a legitimate extension and not a different version offered by an unvetted source.
  2. Read the description of the extension. Watch for things that may be questionable, like tracking or data sharing.
  3. Read the reviews. Look for complaints of unusual glitches, or folks speculating that their data is being taken, or for any thing that strikes you as odd.
  4. Be picky and only download extensions that come from a trusted source and offer useful benefits.

 

Check to see what extensions are already installed on your device(s)

Google Chrome users: click the three dots to the right of the address bar, selecting “More tools”, then “Extensions.”

Firefox users: click the three horizontal bars next to the address bar, then “Add-ons,” then “Extensions.”

Safari users: click Preferences, then on the Extensions tab. All extensions enabled will have a checkmark in the box to the left of the icon in the sidebar.

Internet Explorer users: click the gear menu at the top-right corner and select Manage add-ons. Browser plug-ins are displayed under the Toolbars and Extensions category, along with any browser toolbars and other types of ActiveX add-ons installed.

Use notifications to help keep your accounts secure

Many personal accounts (such as financial institutions, credit cards, social media, shopping sites, etc.) offer notifications to help track the actions on your accounts. For example, you can set up notifications for actions such as purchases made with your credit card, account balance, minimum payment due, payment posted, password updated, user ID updated, etc. These notifications alert you to activities on your account and help to alert you to fraudulent activities.

You can also use computer notifications for account protection here’s how:

Mac: Change notifications preferences on Mac (Source: support.apple.com)

Windows: How to manage notifications for Windows Security features on Windows 10 (Source: windowscentral.com)

Backup your computer regularly

Computer backup is a process that copies all your files, data, and information to create another version. Backups protect against human errors, hardware failure, virus attacks, power failure, and natural disasters. Backups can help save time and money if these failures occur.

Find out how at Computing at UW – backing up your personal data (Souce: kb.wisc.edu).

 

 

Get help!

The DoIT Help Desk (Source: kb.wisc.edu) can answer your questions or connect you with the right group.

 

Report phishing and other abuse

If you encounter a suspicious email that claims to be from UW–Madison and requests any personal information, do not respond to it or click any links! Instead, click on the “Report Spam” or “Report Phish” located on the top right-hand corner of your O365 email account and in the “… ” at the top of the page in the most recent version of O365.

 

Related Docs

More guides on cybersecurity topics (Source: it.wisc.edu)

Email icon and fishing hook

How to report phishing

Line art image of globe with a lock

Tips for safe web browsing

Need help?

Contact the Help Desk