Password/Passphrase Guidance - selecting AND remembering strong passphrases

Overview

At New Paltz, we recommend a few guidelines for passwords:

  • Make them easy to remember for you - but hard to guess for others (or brute-force by automated systems).  This can be done by using passphrases, mnemonic devices, or password managers.
  • Consider using passphrases instead of passwords.  A passphrase is a few words or even a sentence.  Most systems (including all New Paltz systems) allow spaces in passwords, which means you can have longer and therefore stronger passwords without resorting to jumbled strings of letters, numbers, and symbols that you will never remember.
  • Don't share your password (with anyone - including supervisors/subordinates).  The only exception for this is for passwords which are not tied to your account/username but are intended to be shared (for example - encrypted file/VeraCrypt passwords for data that is shared amongst a department or group).
  • If you write your passwords down - keep them in a secure location (a locked drawer for example).  Do not put them in any unlocked location that you think is clever and unguessable, because it has probably been thought of by others (i.e. don't put them under your keyboard).
  • The more important the system or data - the stronger your password should be.  Systems like your New Paltz account (especially if you deal with sensitive data) should be the most secure since you are protecting not only your data but may be entrusted with the data of others.  Passwords for your personal email accounts or financial services accounts should be very strong as well.
  • Don't reuse passwords for different sites.  All it takes is one site to be breached (and found to have stored passwords in plain text or with a weak, fast hash) for attackers to try that password against every other site where you used it.  Attackers automate this; it is known as credential stuffing.


Coming up with secure passwords

There are many articles and recommendations about how to come up with the 'best' passwords, and much of that advice is subjective.  The approaches that work best tie the password to something you already associate with what you are accessing, so you can recall it without writing it down.

Some tips which we've found which may be useful:

  1. Find a book, song, poem, etc., that you associate, or can associate, with what your password is for.  Find a person (actor, director, artist, writer, etc.) who is associated with it, and when it was created.  For example, if I were coming up with a password for a sports ticket website, I may think of a favorite sports documentary (Baseball, Ken Burns, from PBS in 1994) and make a password based on that.  A password like that could be: KB Baseball PBS #1994.
  2. Use a phrase that you associate with what you're accessing.  For example, if I were setting up a password for an eCommerce site, my password may be something related to that site (for example, something I bought there).  My password for something like Amazon could be: "I bought <book x> by <author y> here".
  3. Use a word picture.  Picture something in your mind and associate it with a password.  You can build a passphrase from this using a pattern like [person/animal/thing] + [action] + [place/time/thing].  Here are some examples:
    • With the image below - a password could be: "Atrium glowing at twilight"
      [Image: Atrium screenshot]
    • For the following image - a related passphrase could be: "People skating at Rockefeller"
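The tips above trade a little guessability for memorability, so it helps to see how password strength is actually measured.  The script below is an added illustration for this article, not New Paltz code.  Strength is expressed in bits of entropy: log2 of the number of equally likely choices an attacker would have to try.  The word list is a small constructed sample (a real generator such as the EFF long list has 7776 words), and the guess rate of 10 billion per second is an assumed figure for an offline attack against a fast hash.  The estimate only holds for passwords chosen uniformly at random; a passphrase built from a book, purchase or image you associate with the site is more predictable than a random one of the same length, which is why the memorable kind should be longer.

```python
"""Estimate how hard passwords and passphrases are to brute-force.

Added example for the New Paltz password guidance page, not part of the
original article.  Assumptions: the word list below is a constructed
sample, and 1e10 guesses/second is an assumed offline cracking rate.
"""
import math
import secrets
import string

# Constructed sample word list for the demo.  A real passphrase generator
# should draw from thousands of words (the EFF long list has 7776).
WORDS = [
    "atrium", "glowing", "twilight", "people", "skating", "rockefeller",
    "baseball", "documentary", "ticket", "stadium", "bookshelf", "author",
    "harbor", "lantern", "meadow", "comet",
]

# 52 letters + 10 digits + 32 punctuation marks = 94 characters.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size: int, choices: int) -> float:
    """Bits of entropy for `choices` independent uniform picks from `pool_size` items."""
    return choices * math.log2(pool_size)


def expected_crack_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password when the attacker must search the
    whole space (on average half of it) at `guesses_per_second`."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """What a password manager does: uniform random characters from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 5, words=WORDS, sep: str = " ") -> str:
    """Diceware-style passphrase: uniform random words joined with spaces."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare(guesses_per_second: float = 1e10) -> dict:
    """Entropy (rounded to 0.1 bit) and expected crack time for several styles.

    The third entry shows why a tiny word pool is not enough: three words
    from a 16-word list give only 12 bits, however long the words are.
    """
    cases = {
        "8 random printable chars": (len(PRINTABLE), 8),
        "12 random printable chars": (len(PRINTABLE), 12),
        "3 words from this 16-word list": (len(WORDS), 3),
        "4 words from a 7776-word list": (7776, 4),
        "6 words from a 7776-word list": (7776, 6),
    }
    result = {}
    for name, (pool, n) in cases.items():
        bits = entropy_bits(pool, n)
        result[name] = (round(bits, 1), expected_crack_years(bits, guesses_per_second))
    return result


if __name__ == "__main__":
    print("manager-style password:", random_password())
    print("random passphrase:     ", random_passphrase())
    for name, (bits, years) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years")
```

Four random words from a 7776-word list come out close to an 8-character random password (about 52 bits each), yet the words are far easier to remember; six words push past 77 bits, which at the assumed rate takes hundreds of thousands of years.  Spaces between the words cost nothing and are what make a long passphrase practical to type.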

Using Password Managers

Password managers - if used correctly - can allow you to create a randomly generated password that is different for each website/service you use.  You just need to be able to copy the password from the password manager, and paste it into the site/service you are using.  In general when using password managers, remember the following:

  • Your password manager contains the keys to everything that you store in it.  Consider using not only a VERY strong password, but multi-factor authentication, to protect your password manager database.  
  • You will still need to remember certain passwords (such as your New Paltz password to log in to the computer, and the password for the password manager itself).  We recommend you keep the passphrase to your password manager in a secure/locked/hidden location at home - preferably not near your computer.
  • Password managers are somewhat controversial in the security industry.  Some security professionals think they put your passwords at greater risk (since if your computer is compromised, the criminals who compromise it may be able to read the decrypted password database while it is unlocked).  Others (like me) think the benefit of strong passwords which are different for each site is more than worth that added risk (since if a criminal compromises your computer, they may have a keylogger on it to capture all your passwords anyway).


Password managers applications/services

New Paltz does not endorse any specific password managers at this time.  There are a few which have been used successfully by New Paltz staff (both within IT and the general campus) which you may want to consider.  They are listed below.  Regardless of which you use - we recommend that you use them to keep unique passwords on a per-system basis (and take the opportunity to change old passwords).

  • 1Password - this is a paid online service
  • Dashlane - another online service, but this one has both free and paid levels
  • KeePass - this runs on your own devices and does not store the data in the cloud.  It is more complex to set up, and you are responsible for keeping the database in sync across your devices, but there are no fees.
