Passwords: Making Better Passwords
Overview
You should have a different password for each online account, but maybe you don't. To make this easier and keep your data more secure, do this:
- Use a different, strong, 15+ character password for each website, preferably in the form of a passphrase.
- Use a recommended password manager to generate and store your passwords. They're secure, and some are free!
- Do NOT reuse your Pepperdine NetworkID password/passphrase, or anything similar to it, on any site that doesn't use Pepperdine single sign-on.
Tips For Creating And Maintaining Strong Passwords
- Make an easy-to-remember password.
- Keep your password secure.
- What makes a password strong.
- Pepperdine technical requirements for passwords.
- How to change your password.
- PIN requirements for mobile devices containing University information.
How can I make an easy-to-remember, secure password?
Creativity and fun help you make a strong password that you can more easily remember. Before committing to a password, make sure it's one that isn't too hard to type!
Use a "passphrase" instead of just a "password"
A passphrase is the best password available. Its length makes it very hard to guess when coupled with capitalization, numbers, and symbols. In addition, it may be easier for touch typists to enter a passphrase rather than a password. A SPACE " " counts as a valid character.
One method for creating a passphrase:
- Choose a phrase you can remember, but not one you say or write frequently, and not the ones in this example, for instance:
  - All for one, and one for all!
  - Buy low, sell high.
- Add or change characters so that it's not a verbatim proverb (and add capitalization, numbers, and/or special characters):
  - all for One 1 for all
  - Buy low & sell 2 high.
Do NOT use these examples as your passphrase! Keep it secret to keep it safe.
Keep your password secure
Three absolute rules to follow to keep your password secure (per CNRUP Security and Privacy section):
- Do not use your University passwords, or anything like them, on other systems.
- Do not share your password with anyone, including your supervisor, co-workers, or friends.
- Change your password immediately if you suspect it has been compromised or disclosed.
Storing your password(s)
It is best to memorize your password, but you may write your password down while you're learning it. This may seem counter to security, but it is sound security advice and this is the way to do it:
- Lock it away in a desk or file where you have the key.
- Do not label it or otherwise indicate it is your password.
- Destroy it when you no longer need it.
Password Managers
If you have many different passwords to remember, consider a password manager that uses real encryption. A password manager is software that stores all your passwords under a single password. The Information Security Office has evaluated several free products with proper encryption; these are recommended, but not supported, by Pepperdine IT.
What makes a password strong?
Not all passwords that meet our technical requirements are strong!
Generally speaking, you can consider that if a word is in the dictionary, it's in the hacker's toolbox as well. You can also assume that anyone targeting you will use any publicly available information about you, be it words, names, or numbers, to hack your password. Have a look at the 50 Most Common Passwords discovered during an Internet compromise in 2011. Never use these passwords because hackers and opportunists will try them first!
DON'T use common passwords and password components
Avoid passwords based on well-known passwords or similar passwords. These examples have been found on dozens to thousands of accounts at Pepperdine — don't use anything like them!
- Waves123
- Password!
- Autumn09, Spring2012 and similar
DO use a long password with special characters
Use a long password. When it comes to strong passwords, longer is better. Therefore, a passphrase is generally stronger than a password. Even adding a few characters makes a big difference. A 12-character password is potentially 30 million times stronger than an 8-character one.
Use special characters in your password. Many passwords have upper and lower case letters and numbers. That's good! Adding special characters makes a larger 'password alphabet' and makes your password even stronger. The term 'special characters' as used by IT includes the following:
- ! @ # $ % & ^ ~ _ * - = + ` ' " , . ; : ? | / \ ( ) [ ] { } < > space
Technical requirements for a strong password
Information Technology has put in place some technical controls to enforce strong password basics. Network ID passwords have different requirements than PGP system passwords.
Password Requirements for your Network ID
The University requires every holder of a Network ID to compose a unique network password for that ID according to standards set by Information Technology (see Computer and Network Responsible Use Policy). The current IT standards for password composition (August 2009) are that every password meets the following complexity criteria as to length, characters, and source.
- Length: A password must have a minimum of fifteen characters (as of October 4, 2021).
- Characters: A password must contain the following four types of characters:
  - Upper case letter
  - Lower case letter
  - Numeral
  - Punctuation or symbol or space.
- Source: Passwords must not:
  - Include your Network ID name
  - Match one of your five previous passwords
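As an added example (not Pepperdine's own code or tooling), here is a checker that applies the Network ID composition rules above, using the 'special characters' set listed earlier on this page; the SHA-256 password-history comparison, the sample Network ID "jdoe" and the sample passwords are constructed assumptions for illustration.

```python
import hashlib

# The 'special characters' set as listed on this page (space included).
SPECIAL_CHARS = set("!@#$%&^~_*-=+`'\",.;:?|/\\()[]{}<> ")
MIN_LENGTH = 15      # minimum length for a Network ID password (October 4, 2021 standard)
HISTORY_SIZE = 5     # number of previous passwords a new one must not match


def password_digest(password):
    """SHA-256 hex digest used here only to compare against password history (assumption:
    a production system would check against its own salted password store instead)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_network_id_password(password, network_id, previous_digests=()):
    """Return the list of criteria the password fails; an empty list means it meets the standard."""
    failures = []
    # Length: minimum of fifteen characters.
    if len(password) < MIN_LENGTH:
        failures.append("length: fewer than %d characters" % MIN_LENGTH)
    # Characters: all four classes are required.
    if not any(c.isupper() for c in password):
        failures.append("characters: no upper case letter")
    if not any(c.islower() for c in password):
        failures.append("characters: no lower case letter")
    if not any(c.isdigit() for c in password):
        failures.append("characters: no numeral")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("characters: no punctuation, symbol or space")
    # Source: must not include the Network ID name (compared case-insensitively).
    if network_id and network_id.lower() in password.lower():
        failures.append("source: includes your Network ID name")
    # Source: must not match one of the five previous passwords.
    if password_digest(password) in list(previous_digests)[-HISTORY_SIZE:]:
        failures.append("source: matches one of your %d previous passwords" % HISTORY_SIZE)
    return failures


if __name__ == "__main__":
    # "jdoe" and the candidates below are constructed samples, not real credentials.
    for candidate in ["Malibu sunsets 4 ever!", "Waves123", "jdoe Is Here 2 Stay!"]:
        result = check_network_id_password(candidate, "jdoe")
        print(repr(candidate), "->", "OK" if not result else "; ".join(result))
```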
Attention Pepperdine third-party web app managers
If your Pepperdine third-party web application allows login, but does not participate in Pepperdine CAS/SSO login, you or your vendor should configure password technical requirements to match those detailed above in "Password Requirements for your Network ID". Also, direct your clients/students/colleagues using that web app to "Avoid using your Pepperdine NetworkID password/passphrase or anything similar to it on this site," as they engage the password creation step in your third-party web app. If you have any questions about this, please call the Information Security Office and speak to a security operations analyst.
Passphrase for your PGP encrypted disks
For persons storing restricted information on their computers, the Information Classification and Protection Policy requires disk encryption. IT supports enterprise PGP Whole Disk Encryption (WDE) for this policy-mandated requirement. Technical requirements for PGP WDE passphrase are:
- Length: 20 or more characters.
- Complexity: Meets the PGP calculated complexity of 60% or more. (The PGP software will calculate this complexity percentage for you and give real-time feedback as you type.)
- Composition: Must not resemble or be based on your Network ID password.
Expiration and Lock-out Technical Requirements
Passwords for your Network ID will automatically expire four years after your last password change. A user may change his or her Network ID password at any time and does not need to wait for the automatic expiration. If a user believes their password may have been compromised, they should immediately change their password at myid.pepperdine.edu and notify the University's Information Security Office (310.506.4040) or Tech Central (310.506.4357).
Change or RESET Your Network ID Password
NOTE: If you have entered your password into mobile devices or email programs that periodically log in with that password, you may be locked out of your account if you don't disable those automatic logins before changing or resetting your password. Typical places where this happens are smartphones and non-Outlook desktop email programs running in IMAP or POP mode.
To change your password, follow these steps:
- Access the MyID Password Management page at: myid.pepperdine.edu
- Select CHANGE KNOWN PASSWORD
- Follow the instructions on the screen.
In case you forget your password, follow these steps:
- Access the MyID Password Management page at: myid.pepperdine.edu
- Select SET/RESET PASSWORD
- Follow the instructions on the screen.
Why is there a PIN requirement for mobiles?
Faculty and staff are required to set a 15-minute timeout and PIN on any electronic device used to access confidential University information. This includes setting a timeout and PIN on mobile devices with access to University email.
By University policy, access to confidential information, such as email or student/business records, must be secured by passwords that meet current IT standards. The current IT standard for mobiles is a PIN (6-digit numeric code). A person with physical access to your phone can decrypt PIN-protected contents in minutes; therefore a password or passphrase is much better security. However, a PIN is effective to hinder someone who is casually accessing a lost/stolen phone from browsing the information on it.
Biometric authentication such as fingerprint or face scans is acceptable once you set a PIN and lockout. It is recommended that you turn on your device's feature that allows you to find it or wipe it if lost.
Have a look at the top 10 phone PINs. Never use these PINs, because hackers and opportunists will try them first.
Six-digit PINs are possible to guess by hand and certain to be guessed by a machine.
- Don't use 6 consecutive or 6 of the same digits.
- Turn on the feature that locks or wipes your device after 10 guesses.
For extra security, use an alphanumeric passcode
- Turn off the "simple passcode" option and enable the alphanumeric passcode.
- Combine digits and letters for your passcode.