Passwords - Good Password "Hygiene" and Frequently Asked Questions

1. Don't use your UNID or email address as an account name on non-U of U / HCI systems.  (There are some notable exceptions, such as logging into MS Office or Adobe, where you're redirected to a U of U security login page.)   

We discourage using your UNID or email address as the account name on non-U of U / HCI systems because it's inevitable that some of those systems will be hacked. That sets off alarms, since U of U IT Security monitors which accounts / U of U email addresses appear on hacker "markets".

2. Don't use the same password for work and personal accounts.  "Password reuse" is a major IT Security issue.  

3. Use a long password.  The old advice of substituting non-alpha characters is out - the longer your password is, the harder it is to "crack".

Better advice - use a unique password for each of the external sites you access, outside of U of U / HCI accounts.

Create a memorable password "system" - use some kind of familiar story or theme to remember your passwords.

For example, for social media systems you might use a family vacation phrase, like DisneyCryingKids, which has three elements (three different words), making it tougher for hackers to crack.  So, for your Facebook account you could use “DisneyCryingKidsRain”, and for LinkedIn you could use “DisneyCryingKidsBlue”, etc.

For bank accounts or online brokerage accounts, you could use another theme, maybe a goal, e.g., GetN3wC@r, with GetN3wC@rBlue for one bank that has a blue logo, GetN3wC@rRed for your bank that has a red logo, etc.

Frequently Asked Questions:
1. Does HCI support use of password managers?  If so, is there one that HCI formally makes accessible to HCI employees?   We have not purchased a password manager for use on HCI systems.   If you use a password manager like OnePass or LastPass, please be aware these systems are not invincible, and some have been compromised (which defeats the whole purpose and peace of mind they're intended to provide).

2. Since we have DUO, do we still have to change passwords?  Unfortunately, HCI / U of U passwords are often reused on external (but often work-related) systems, which increases the chances that a password will be hacked on a vendor / external system.  Periodically changing passwords is a good way to lower the risk of your actual password becoming "known" and traded on hacker market sites.