University of Wisconsin–Madison

How to select, manage & protect your passwords

2 minutes to read | Last updated Feb 22, 2017

Hackers have dozens of tools at their disposal for cracking passwords. Simple passwords can be cracked in a matter of seconds. Learn how to create strong passwords in this guide.

If someone gains access to one of your passwords, he or she essentially has the same level of authority to do what you can do on your computer, both personally and professionally. If you are in a work position that manages human resource data, a hacker now has access to that data. If your NetID password is compromised and you are a student, someone has the ability to drop your classes and alter your financial records.

In Practice

  • How to create strong, memorable passwords

    The traditional advice for creating strong passwords no longer applies:

    • “Use irregular capitalization, special characters, and at least one numeral.”

    According to the National Institute of Standards and Technology (NIST), this advice has often resulted in less secure passwords. Accordingly, NIST updated its password guidelines in 2017. It no longer suggests using special characters and a mix of lower and uppercase letters.

    Instead, NIST now suggests creating simple passwords that are long, memorable phrases composed of typical English words. Creating passwords as phrases of common words in uncommon combinations, such as “speedy hot broccoli anteater”, makes your password much harder to crack. And if the phrase produces a vivid image, or has meaning for you, it will be that much easier to remember.

    Cartoonist and scientist Randall Munroe created this cartoon which illustrates the new password guidelines:

    [Cartoon contrasting the strength of passwords created using the traditional advice versus passwords created following the new NIST guidelines]
    Author: Randall Munroe. Reused in accordance with the Creative Commons Attribution-NonCommercial 2.5 License.

  • How to keep your passwords safe

    Keep your passwords private.

    Install password security software. The preferred tools are KeePass and Mac OS X Keychain; as an alternative, try Password Safe. These keep your passwords in an encrypted store that is accessible only by you.

    Memorize your password or, as a last resort, if it is written down, keep it in a locked file cabinet or other secure location. Don’t reveal a password over the phone or in person to anyone. Not your boss. Not your family. Not your co-workers. If someone demands a password, refer them to this document.

    Don’t reveal a password in an email message.

    Don’t talk about a password in front of others.

    Don’t hint at the format of a password (e.g., “my family name”).

    Don’t reveal a password on questionnaires or security forms.

    Don’t store passwords unencrypted online.

    Don’t use the “Remember Password” feature of applications (e.g., Outlook, Thunderbird, Evolution).

    Don’t use the default password, if one is provided. Change it immediately to a new, stronger password.

  • Changing passwords

    Multiple studies have found that frequent password changes are counterproductive to good password security. Accordingly, NIST no longer recommends requiring frequent password changes.

    You should change your password if you suspect that your password has been compromised, or if password screening measures tell you that the password is commonly used or has been compromised.
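As an added example (not code from this page or from UW-Madison), the following Python generates a word-based passphrase of the kind described above with a cryptographic random source, estimates its entropy, and screens a candidate password the way the NIST guidance describes: against a blocklist of commonly used or compromised passwords, a minimum length, context-specific words such as a username, and repeated or sequential characters. The word list and blocklist are small constructed samples.

```python
import math
import secrets

# Constructed word list (a real deployment would load several thousand
# ordinary English words, as the NIST guidance on phrases assumes).
WORDS = ["speedy", "hot", "broccoli", "anteater", "lantern", "river",
         "pencil", "orbit", "velvet", "cactus", "maple", "thunder",
         "pillow", "copper", "sparrow", "wagon"]

# Constructed sample of a blocklist of commonly used or compromised
# passwords, the kind of list NIST SP 800-63B says verifiers should screen against.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "badger2017"}

# Keyboard and character runs that count as "sequential" under the same rules.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop")


def passphrase(n_words=4, wordlist=WORDS):
    """Join n_words words chosen uniformly with a CSPRNG (secrets, not random)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def phrase_entropy_bits(n_words, wordlist_size):
    """Entropy of n_words independent picks from wordlist_size words: n * log2(size)."""
    return n_words * math.log2(wordlist_size)


def screen(password, context_words=(), blocklist=BLOCKLIST, min_len=8):
    """Return the reasons a candidate should be rejected; an empty list means accept.

    Checks follow NIST SP 800-63B: minimum length, blocklist of common or
    compromised values, context-specific words (username, site name), and
    single repeated or sequential characters.
    """
    low = password.lower()
    reasons = []
    if len(password) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if low in blocklist:
        reasons.append("appears in blocklist of common/compromised passwords")
    for word in context_words:
        if word and word.lower() in low:
            reasons.append("contains context-specific word %r" % word)
    if len(set(low)) == 1:
        reasons.append("single repeated character")
    elif low and any(low in seq for seq in SEQUENCES):
        reasons.append("sequential characters")
    return reasons
```

With a 2,048-word list, four words give 4 × 11 = 44 bits, which is the figure the passphrase approach in the cartoon above is built on.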


Learn more from the KnowledgeBase

Want even more info about creating and changing passwords?


Learn more from the Office of Cybersecurity

The Office of Cybersecurity can answer any questions you may have about passwords.
