Passwords protect your identity, your work, and your privacy.  They prevent unauthorized access to your electronic accounts and devices.  The goal when creating a good password is to make it as difficult as possible for a potential intruder to identify it using everything from an educated guess to brute-force or automated attacks.

Never share any passwords with anyone. If you know or suspect that an account or a password has been compromised, change the password immediately. Do not use the same password for multiple accounts, and do not use close variations of one password for different accounts.

Password phrases are a good option. Include alternate characters. For example, “I hate to use passwords on my accounts” can become “Ihate2usepasswordsonmyaccounts” (30 characters) or “!hat32uzepa$w0rdsonmiactz” (25 characters) or even “iH@t32zpwsM!ktz” (15 characters). Use a substitution pattern that you will remember (‘3’ for ‘e’, ‘!’ for ‘i’ or ‘I’, ‘4’ for ‘for’, ‘@’ for ‘a’ or ‘at’, ‘$’ for ‘S’, etc.). Information Security at UVa recommends using a passphrase.

• Use a strong password: at least 8, but no more than 50 characters. 20-26 characters is a good length.
• Use both upper-case and lower-case characters.
• Use special characters –  ! # $ @ _ ‘ + , ? [ ] . – and space.  Remember that an underscore can be difficult to see if you are entering a password in a visible box.
• Do not use your UVa computing ID.
• Do not use your first, middle, or last name, or your nickname.
• Do not use your birth date, phone number, home address, license plate number, zip code, or any number commonly associated with you.
• Do not use dictionary words.
• Do not repeat characters more than twice.
• Do not string 3 or more ascending or descending characters together (1234 or rstuv or ABC).
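
The rules in the list above can be checked mechanically. The following Python sketch is an added example, not code from UVa or ITS; the function names, the small word list, the reading of the repeat rule as three identical characters in a row, and the personal values are assumptions made for illustration.

```python
import re

# Special characters named in the list above; the apostrophe and hyphen are assumed readings.
SPECIALS = set("!#$@_'+,?[].- ")
# Constructed stand-in for a real dictionary file (assumption).
SAMPLE_WORDS = {"password", "account", "welcome", "virginia"}

def has_sequence(pw, n=3):
    """True if pw holds n or more ascending or descending letters or digits in a row."""
    s = pw.lower()
    up = down = 1
    for a, b in zip(s, s[1:]):
        same_kind = (a.isdigit() and b.isdigit()) or (a.isalpha() and b.isalpha())
        step = ord(b) - ord(a) if same_kind else 0
        up = up + 1 if step == 1 else 1
        down = down + 1 if step == -1 else 1
        if up >= n or down >= n:
            return True
    return False

def check_password(pw, personal=(), words=SAMPLE_WORDS):
    """Return the rules from the list above that pw breaks; an empty list means compliant."""
    low = pw.lower()
    problems = []
    if not 8 <= len(pw) <= 50:
        problems.append("length must be 8-50 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs upper-case and lower-case characters")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special character")
    # personal: computing ID, names, birth date, phone number, and so on
    if any(p and p.lower() in low for p in personal):
        problems.append("contains personal information")
    if any(w in low for w in words):
        problems.append("contains a dictionary word")
    # Assumed reading of the repeat rule: three identical characters in a row.
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats a character more than twice")
    if has_sequence(pw):
        problems.append("contains an ascending or descending run")
    return problems

if __name__ == "__main__":
    # "mst3k" and "Jane" are constructed personal values, not real accounts.
    for sample in ("iH@t32zpwsM!ktz", "Jane1234"):
        print(repr(sample), check_password(sample, personal=["mst3k", "Jane"]))
```

The 15-character passphrase from the example above returns an empty list; in practice the word list would be a full dictionary and `personal` would hold the account holder's own details.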

Use two-factor (or multi-factor) authentication if it is available. It adds a layer of security. ITS has started to implement Enhanced NetBadge for certain UVa resources. Visit the NetBadge FAQs for additional information.

Many browsers will ask if you want them to save a password. Their built-in password managers are fully integrated and convenient, and they know when you are on a website that needs a specific password. Keep your browser up to date, and use a security control on your device, such as a password, PIN, or biometric. If your computer is shared with other users, do not use this feature. One downside to these tools is that they rarely sync across platforms and browsers.

Strings of random characters or passphrases can be difficult to remember. Use a password manager. Password managers may not be perfect, but using one is better than not having one. UVa now provides access to LastPass for both personal and UVa account passwords. Read the LastPass best practices to learn how to keep your account secure, and explore the FAQs.

Password managers:
• make it easier to remember long, complex passwords
• can auto-generate unique passwords for you
• can auto-fill most logins (this does not work with some banks and forms)
• can sync across devices and platforms