Do your passwords pass the test? 

Are the passwords you use “good enough” to prevent someone else from accessing your Netflix account, credit card, or bank? Password security (or lack thereof) is still one of the largest causes of data breaches for organizations and individuals, and in many cases, the hassle and hardship could be completely avoided if people widely follow simple password practices. 

While people primarily think of poor passwords as an individual issue, they are also an organizational issue. Passwords are used to secure large amounts of highly confidential data that we’ve been entrusted with by our students, alumni, and donors. Weak passwords are a gift to would-be criminals, making it far easier for them to get what they want. 

Good Password Practices 

You’ve probably read about the basic components of a good password dozens of times: complex, changed regularly, unique, etc. Here’s some specific advice around these components to help you to better protect your accounts. 

The right words, phrases, and strings make passwords harder to break while making them easier to remember. Things like song lyrics, family jokes, or a description of a family member or object with numbers and special characters mixed in make the password extremely difficult to break. Length also adds exponential complexity. Did you know that Drake systems allow passwords up to 30 characters? Add some of these elements and you’ll come closer to that maximum than you expect. 

Avoid overused practices like an exclamation point at the end, family members names, or incrementing numbers. These are all well-known and make attackers jobs easier. 

While raising awareness of these practices is one thing, practical application is another matter entirely. Poor practices aren’t necessarily caused by ignorance or laziness: the reality is we simply have so many online accounts that following this guidance to the letter would be tedious and time-consuming. Enter the password manager. Using a password manager can help you develop a complex password for every account, while only having to remember 2–3 at the most. These tools can also auto-populate password fields securely, alert you to a potential breach, and suggest changes when needed. LastPass, 1Password, and BitWarden represent just a few of the options available, but you’ll want to do your research to find out which is best for you and your family. 

While other components have been introduced for account security, such as 2-factor and bio-metric authentication, the traditional password is still the key component holding all of these new features together. 

ITS will continue campus-wide training on account security practices including passwords and phishing.

If you’d like to discuss any information security issues, please feel free to reach out to me directly, or email informationsecurity@drake.edu. If you believe you’ve been targeted by phishing, see the guide, Reporting a Phishing Message (How-to)

— Peter Lundstedt, ITS