How to select, manage & protect your passwords

Last updated April 2, 2024

Hackers have dozens of tools at their disposal for cracking passwords. Simple passwords can be cracked in a matter of seconds. Learn how to create strong passwords in this guide.

Weak passwords are easier to compromise than strong ones. If someone does compromise one of your passwords, and has access to the computer, application or website you used that password on, they can do whatever you can do there. For example:

  • If you work with human resources data, and the password you used for HR applications or websites is compromised, an unauthorized user may gain access to that data.
  • If your NetID password is compromised and you are a student, someone else now has the ability to drop your classes and alter your financial records.

In practice

Our password policy and standards

Read the UW–‍Madison password policy.

Read the UW–‍Madison password standard.

Password standard

To prevent unauthorized access, passwords must:

  • Be at least 8 characters long when paired with multi-factor authentication (MFA) or at least 16 characters (i.e., a passphrase) when not paired with MFA.
  • Not occur in a list of commonly used or recently compromised passwords; contain a proper name, login ID, email address, initials, first name, middle name, or last name; or have the same character repeated more than four times in a row.
  • Be changed immediately if there is a reason to believe the account has been compromised.
  • Be kept private.
  • Be entered on a system at most thirty minutes after it has been unattended.
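
The length, deny-list, identity and repeated-character rules above can be checked automatically when a password is set. The following is an added example, not code from UW–Madison: the function names, the sample deny list and the sample user are constructed for illustration, and the "proper name" rule is checked only against the account holder's own names.

```python
import re

# Constructed sample; a real check would load a maintained list of
# commonly used and recently compromised passwords.
SAMPLE_DENY_LIST = {"password", "12345678", "qwertyuiop", "letmein123"}


def identity_terms(first, middle, last, login_id, email):
    """Collect the personal strings the standard forbids inside a password."""
    names = [n for n in (first, middle, last) if n]
    initials = "".join(n[0] for n in names)
    return names + [login_id, email, initials]


def check_password(password, *, mfa_enabled, terms, deny_list=SAMPLE_DENY_LIST):
    """Return the list of violated rules; an empty list means it passes."""
    problems = []
    lowered = password.casefold()

    # 8 characters with MFA, 16 (a passphrase) without it.
    minimum = 8 if mfa_enabled else 16
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")

    if lowered in deny_list:
        problems.append("on the commonly used or compromised list")

    # Case-insensitive substring match. Short terms such as initials
    # match widely, which is what the rule as written requires.
    if any(t and t.casefold() in lowered for t in terms):
        problems.append("contains a name, login ID, email address or initials")

    # "More than four times in a row" means five or more identical characters.
    if re.search(r"(.)\1{4,}", password, flags=re.DOTALL):
        problems.append("same character repeated more than four times in a row")

    return problems


if __name__ == "__main__":
    # Constructed sample user.
    user = identity_terms("Alex", "Jordan", "Rivera", "arivera", "arivera@example.edu")
    for pw, mfa in [("Tr1cky!pw", True), ("Tr1cky!pw", False),
                    ("Rivera2024!!secure", False), ("correct-horse-battery", False)]:
        print(repr(pw), "MFA" if mfa else "no MFA", check_password(pw, mfa_enabled=mfa, terms=user))
```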

Additionally, it is recommended that passwords:

  • Be unique for each account. To help with this, it is recommended you use a password manager.
  • Contain a mix of character types (i.e., uppercase, lowercase, numbers, and special characters).
  • Be changed periodically.
  • Be given to more than one individual for shared accounts only when it is necessary to share information resources and there is no practical way to provide each person or system a unique account to access those resources.
  • Be entered on laptops, mobile devices, and other systems located or used in public spaces after a minute or less.

How to keep your passwords safe

  • Keep your passwords private.
  • Install password security software. LastPass, KeePass, and Mac OS X Keychain are all good options.
  • Memorize your password, or, as a last resort, if it is written down, keep it in a locked file cabinet or other secure location. Don’t reveal a password over the phone or in person to anyone. Not your boss. Not your family. Not your co-workers. If someone demands a password, refer them to this document.
  • Don’t reveal a password in an email message.
  • Don’t reuse your password on multiple sites.
  • Don’t talk about a password in front of others.
  • Don’t hint at the format of a password (e.g., “my family name”).
  • Don’t reveal a password on questionnaires or security forms.
  • Don’t store passwords unencrypted online.
  • Don’t use the “Remember Password” feature of applications (e.g., Outlook, Thunderbird, Evolution).
  • Don’t use the default password, if one is provided. Change it immediately to a new, stronger password.

Learn more from the KnowledgeBase

Want even more info about creating and changing passwords?

Learn more about passwords

Learn more from the Office of Cybersecurity

The Office of Cybersecurity can answer any questions you may have about passwords.

Email us