Take It Up a Notch or Two!
A strong password is one of the most important precautions you can take in protecting you and your information. Weak passwords are easily cracked by dictionary attacks [1] or brute force [2], leaving you vulnerable to hackers and the damage they can cause, such as stealing your identity to break into your bank account, compromising your computer and enlisting it in a botnet that sends spam with your name, or committing a data breach of Brown's information, leaving you to deal with all the legal and financial repercussions.
Since you are accountable for activity originating from your Brown account, it is essential that you choose a strong and uncrackable password -- one that is long with a good mix of letters, numbers, case and special characters -- and then protect that password. This means not sharing it willingly or accidentally giving it to someone through a phishing attack.
Because threats are increasing, business applications such as Workday and Banner provide greater access to personal information than ever before, and systems and services must meet higher industry standards for authentication, Brown has implemented more stringent password requirements as part of the move to its new identity management/directory system. The password requirements are:
- Cannot contain your first name, last name, or username
- Cannot match your last three passwords
- Must be at least 10 characters in length
- Must contain at least one lowercase character
- Must contain at least one number
- Must contain at least one special character
- Must contain at least one uppercase character
Note: Though the minimum requirement for passwords is now 10 characters, ISG recommends having one with at least 12 random characters. They also encourage different passwords for your Google and Brown access, so that if someone obtains access to your Google mail, for example, they will not also be able to access your Workday record.
In addition, though you will not be required to change your password again after doing so to activate it in the new system, ISG also recommends that you make it a habit to change your password at least annually, and more often depending on the nature of what the password protects (the more sensitive or critical the information is, the greater the frequency).
Your rule of thumb for your new password should be: easy to remember but hard for others to guess. How can you balance both? Here are some tips on building a strong AND memorable password.
- Start with a word or short phrase and spell it backwards. Example: Turn Lake Placid into dicalpekal
- Use "l33t speak", substituting numbers for certain letters. Example: Turn dicalpekal into d1calp3kal
- Randomly throw in some capital letters. Example: Turn d1calp3kal into D1calp3Kal
- Don't forget the special character. Example: Turn D1calp3Kal into *D1calp3Kal!
Since you should use different passwords for different accounts, consider appending an identifier on the end of your new password for your different accounts. For example, using the new password created above as a base, you could create *D1calp3Kal!bro to use for the Brown network, *D1calp3Kal!goo for Google, *D1calp3Kal!twi for Twitter, etc. Then when you change your password you only need to remember the one base word.
Another method is to use a variation on a pass-phrase that is meaningful to you so it's easier to remember.
For sports fans, you might pick the sentence "The New England Patriots will win the Super Bowl this year", use the first character of each word -- tnepwwtsbty -- then capitalize the letters for "New England Patriots" and "Super Bowl" and append extra characters to the beginning and end to arrive at 12=tNEPwwtSBty!
If you like musicals you might construct a password from the first line of the song "My Favorite Things", Raindrops on roses and whiskers on kittens. Here is one way to do this (you may have others): RnDpzoRz&)(Nk10
The above examples demonstrate how you can create an easy-to-remember password that is also hard to crack.
IMPORTANT: Please DO NOT use any of the passwords cited in the examples above.
[1] Dictionary Attack: An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words, compared to a brute force attack that tries all possible combinations. (from SANS.org)
[2] Brute Force: A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one by one. (from SANS.org)