University of Wisconsin–Madison

How to select, manage & protect your passwords

 2 minutes to read | Last updated Feb 22, 2017

Hackers have dozens of tools at their disposal for cracking passwords. Simple passwords can be cracked in a matter of seconds. Learn how to create strong passwords in this guide.

If someone gains access to one of your passwords, he or she essentially has the same level of authority to do what you can do on your computer, both personally and professionally. If you are in a work position that manages human resource data, a hacker now has access to that data. If your NetID password is compromised and you are a student, someone has the ability to drop your classes and alter your financial records.

The campus Password Policy helps you be proactive in selecting strong passwords and managing them, to protect your identity and University resources. Once you’ve read and understood the password policy, you should change your NetID password and other campus passwords that do not meet the standards.

Note: Many, but not all, campus passwords are used in conjunction with Oracle databases, for which there may be some exceptions to the password guidelines in this document. Those exceptions are noted in parentheses.

In Practice

  • How to create strong passwords

    Use at least 8 alphanumeric characters.

    Use at least 3 of the following 4 categories:

    • Upper case characters (e.g., A-Z)
    • Lower case characters (e.g., a-z) (Note: Oracle does not distinguish between upper and lower case in passwords.)
    • Digits (e.g., 0-9)
    • Special characters (e.g., !@#$%^&*()_+|~-=`{}[]:";'<>?,./) (Note: Oracle allows only the special character underscore (_) in a password, unless the password is enclosed in quotes.)

    Do not use a word found in a dictionary (English or foreign), slang, dialect, jargon, etc.

    Do not use a common proper name, login ID, email address, initials, or first, middle or last name.

    Do not use names of family, pets, friends, computer terms, birthdays or other personal information. Also, no number patterns like aaabbb, dddddd, qwerty, zyxwvuts, 123321, etc.

    Do not use any words spelled backwards.
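
The composition rules above, as an added example (not part of the original guide or of any campus system): a Python checker that reports which rules a candidate password breaks. The sample word list, the four-character run threshold, the function names, and the reading of the Oracle note as merging upper and lower case into one category are assumptions of this example.

```python
import re

# Constructed sample list; a real check would load full dictionaries.
SAMPLE_WORDS = {"password", "dragon", "welcome", "badger", "sunshine"}
SPECIALS = set("!@#$%^&*()_+|~-=`{}[]:\";'<>?,./")  # the guide's list
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
        "abcdefghijklmnopqrstuvwxyz", "0123456789"]
RUN = 4  # assumed threshold: keyboard/alphabet runs of 4+ count as a pattern


def has_pattern(pw):
    """True for repeats like 'aaabbb' or runs like 'qwerty' / 'zyxwvuts'."""
    low = pw.lower()
    if re.search(r"(.)\1\1", low):          # same character three times in a row
        return True
    lines = ROWS + [r[::-1] for r in ROWS]  # forwards and backwards
    return any(low[i:i + RUN] in line
               for i in range(len(low) - RUN + 1) for line in lines)


def check(pw, personal=(), oracle=False, words=SAMPLE_WORDS):
    """Return the list of rules from the guide that `pw` breaks."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    upper = any(c.isupper() for c in pw)
    lower = any(c.islower() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(c in SPECIALS for c in pw)
    if oracle:
        # Oracle ignores case and accepts only '_' unless the password is quoted.
        count = (upper or lower) + digit + ("_" in pw)
        if any(c in SPECIALS - {"_"} for c in pw):
            problems.append("special character other than _ (Oracle)")
    else:
        count = upper + lower + digit + special
    if count < 3:
        problems.append("fewer than 3 character categories")
    core = re.sub(r"[^a-z]", "", pw.lower())  # letters only
    if core in words or core[::-1] in words:
        problems.append("dictionary word (forwards or backwards)")
    if any(p and p.lower() in pw.lower() for p in personal):
        problems.append("contains personal information")
    if has_pattern(pw):
        problems.append("repeated or sequential pattern")
    return problems
```

An empty list means the password passed every rule the checker knows about; it does not measure resistance to guessing beyond those rules.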

  • How to create easy-to-remember passwords

    Create a “vanity plate” password phrase. This is a good option if you don’t have a lot of passwords to remember. Choose a favorite song, book or short phrase, and translate it into something that is easily memorized.

    • “Eight Days a Week” becomes “8Dys@Wk!”
    • “Let’s Stay Together” becomes “Lts$A2Gtr.”
    • The phrase “Hard to Crack” becomes “Hrd2Cr@k!”

    Use mnemonics. Somewhat similar to a vanity plate password phrase, mnemonics are memory aids used to remember items. In high school, you may have used the mnemonic “My Very Easy Memory Jingle Seems Useful Naming Planets” to remember the planets: Mercury, Venus, Earth, Mars, Jupiter, Saturn, Uranus, Neptune and Pluto. For your password, you may want to choose a phrase or verse and translate it into a password. You could also create a password phrase that expresses an opinion or relates to the site itself. The key is to make it simple enough that you don’t have to think too much about where you abbreviated a word or inserted a symbol. This is a good option if you don’t have a lot of passwords to remember.

    • “I like to eat at Red Lobster” becomes “Ilik2e@RL”
    • “This is my Amazon password” becomes “Th$My@mz0n”

    Choose a series of rule sets (i.e., an algorithm) for all of your passwords. Think of the rule set as a password recipe for which only you know the ingredients. When you memorize the basic recipe, you simply change one or two ingredients for the different types of passwords you need. While this may seem complicated, it’s actually an effective way to memorize multiple passwords.

    • For example, if the rule set is: [Movie in Caps] + [Last Digit of Current Year] + [Special Character] + [Site Type in Small Case], then [Gone with the Wind] + [2008] + [Asterisk] + [E-commerce Site] = GWTW8*es
    • and [Gone with the Wind] + [2008] + [Asterisk] + [School Site] = GWTW8*ss

    One of the nice things about this system is that when it comes time to change your passwords, you can change one or two sections of the rule set (e.g., the movie name, the current year or the special character) without having to create an entirely new algorithm. For the last segment of the example above, you can pre-define a limited set of password types in advance (e.g., personal site = ps, work site = ws, school site = ss, development site = ds, etc.).

  • How to keep your passwords safe

    Keep your passwords private.

    Install password security software. The preferred software is KeePass and Mac OS X Keychain, or, as an alternative, try Password Safe to keep your passwords in an encrypted environment that is accessible only by you.

    Memorize your password, or, as a last resort, if written down, keep in a locked file cabinet or other secure location. Don’t reveal a password over the phone or in person to anyone. Not your boss. Not your family. Not your co-workers. If someone demands a password, refer them to this document.

    Don’t reveal a password in an email message.

    Don’t talk about a password in front of others.

    Don’t hint at the format of a password (e.g., “my family name”).

    Don’t reveal a password on questionnaires or security forms.

    Don’t store passwords unencrypted online.

    Don’t use the “Remember Password” feature of applications (e.g., Outlook, Thunderbird, Evolution).

    Don’t use the default password, if one is provided. Change it immediately to a new, stronger password.

  • How to manage your passwords

    For personal accounts, change passwords twice per year (e.g., when clocks are adjusted in the spring and fall). Use new passwords; do not add a number to the end of old passwords.

    For accounts that are linked to sensitive and/or restricted data, change passwords every 90 days.

    NetID passwords cannot be reused within a 12-month period — and cannot be changed to any of the previous 3 passwords.

Learn more from the KnowledgeBase

Want even more info about creating and changing passwords?

Learn more about passwords

Learn more from the Office of Cybersecurity

The Office of Cybersecurity can answer any questions you may have about passwords.

Email us