Your password can be the weakest link in the security of your computer, UCLA confidential data, and your own financial information. Weak passwords are a hacker's best friend, and hackers have become increasingly sophisticated at cracking passwords. A weak password undermines the other security controls in place, such as encryption, perimeter firewalls and secure remote access, because an attacker who can simply log in as you does not need to defeat any of them.
A strong password is one that is neither easy to guess nor a standard dictionary word. As computing power increases, a password that counted as strong a year ago may now be an open door to your computer and accounts.
There are many ways to create strong passwords; the key is to find the right combination of complexity and familiarity. Take a look at some of the suggestions and examples below.
Use passwords that are at least 8 characters long, with numbers and mixed upper and lower case letters. Use special characters ($%&@#, etc.) when possible. Treat 8 characters as a floor rather than a target: every extra character multiplies the number of guesses an attacker has to make. Note that the password policy of some applications may still impose an 8-character maximum and reject special characters; if your preferred password is longer than such a system allows, use its first 8 characters there.
An easy way to create a password is to think of a phrase and use the first letter of each word, keeping any numbers in the phrase as digits. Mix upper and lower case and add numbers. Examples:
I can eat 32 wontons with Hot Sauce - Ice32wwHS
My 2 parents and 9 kids drive me nuts - M2pa9kdmn
The Lakers will win every game this season - TLwwegts
It is strongly recommended that you use different passwords for different accounts. If your password for one account is ever compromised, hackers will try that same password against your other accounts. Here's an example of how to create unique passwords for different accounts:
Start with your strong password. For example, Ice32wwHS.
Pick a reminder system that will work for all sites. For example, your reminder can be the second and third letters of the website's name.
Add the reminder at the end of your password.
If you are logging into Facebook, your reminder will be ‘ac’. Your password for Facebook would then be Ice32wwHSac.
If you are logging into Chase Bank, your reminder will be ‘ha’. Your password for Chase Bank would then be Ice32wwHSha.
It's better if you pick a reminder that is not obvious. If you choose 'fb' for Facebook and 'cb' for Chase Bank, it's not hard for a hacker to work out the pattern once they know one of your passwords. Any reminder derived from the site name can eventually be worked out the same way, so if an account that uses the base password is compromised, change the base password everywhere rather than only the reminder.
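The two procedures above (first letter of each word, then a per-site reminder) as a small script. This is an added example and not code from the UCLA page; it assumes sites are given as hostnames such as "facebook.com", and the policy check only covers the minimum from the guidelines above (length, upper case, lower case, digit).

```python
import re
import string

# Added example, not part of the UCLA page. Site names are assumed to be
# hostnames like "www.facebook.com"; the reminder ignores "www." and the
# domain suffix so "chase.com" and "www.chase.com" give the same result.

def phrase_to_password(phrase: str) -> str:
    """First letter of each word; whole numbers such as 32 are kept intact.

    Case is preserved, so capitalising words in the phrase is how the user
    chooses where the upper-case letters land.
    """
    parts = []
    for word in phrase.split():
        word = word.strip(string.punctuation)
        if not word:
            continue
        parts.append(word if word.isdigit() else word[0])
    return "".join(parts)

def meets_policy(password: str, min_len: int = 8) -> bool:
    """Minimum from the guidance above: length, upper, lower and a digit."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))

def site_reminder(site: str) -> str:
    """Second and third letters of the site's name: facebook -> 'ac'."""
    labels = [lab for lab in site.lower().split(".") if lab and lab != "www"]
    name = re.sub(r"[^a-z]", "", labels[0]) if labels else ""
    if len(name) < 3:
        raise ValueError(f"site name {site!r} is too short for a reminder")
    return name[1:3]

def account_password(base: str, site: str) -> str:
    """Base password with the site reminder appended, as in the text."""
    return base + site_reminder(site)

if __name__ == "__main__":
    base = phrase_to_password("I can eat 32 wontons with Hot Sauce")
    print(base, meets_policy(base))            # Ice32wwHS True
    for site in ("www.facebook.com", "chase.com"):
        print(site, account_password(base, site))
```

Running meets_policy over the three example passwords shows one thing the guidelines are easy to miss by eye: TLwwegts contains no digit, so it fails the "with numbers" requirement even though it was built with the phrase method.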
Writing your password down is not recommended. Passwords that are written down can easily be stolen. When you receive a new password, you may wish to write it down until you have had the chance to memorize it. If you do this, take extreme care not to lose the paper you have written it on: store it in a secure, locked location, and destroy it (e.g. shred it) once you have learned the password.
There are automated programs designed to guess a user's password based on information found online about the user. They can even search for a word spelled backwards. Don't use your name, nicknames, birth dates, names of significant others or children, pet names, or license plate numbers as a base for your password.
Automated programs exist that will run every word in a dictionary or word list against a user name. These programs include words in different languages, slang, and common passwords, and they routinely try simple variations such as changed capitalization or appended digits. Don't use a dictionary word as a base for your password, or if you do, add one or more random characters in the middle.
Automated programs exist that will try every possible combination of characters until one succeeds. The number of combinations grows exponentially with the length of the password, so the best way to beat a brute force attack is a long (8 characters is the minimum) and complex password using upper and lower case letters, numbers and special characters.
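To show the three attack types above concretely, here is a small simulation of a password-guessing tool run against a constructed set of password hashes. It is an added example, not code from the UCLA page: the "leaked" hashes, the word list, the scraped profile words and the 1e9 guesses/second rate are all constructed for illustration.

```python
import hashlib

# Added example, not part of the UCLA page. All data below is constructed:
# a pretend leaked SHA-256 hash file, a tiny word list, and words an
# attacker could scrape about "alice" (first name, surname, pet's name).

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# The attacker only holds the hashes; the comments show the plaintexts so
# the reader can see which kind of password falls to which kind of guess.
SAMPLE_HASHES = {
    "alice": sha256_hex("Fluffy2010"),  # pet name + a year (personal info)
    "bob":   sha256_hex("drowssap"),    # "password" spelled backwards
    "carol": sha256_hex("Sunshine7"),   # dictionary word + one digit
    "dave":  sha256_hex("Ice32wwHS"),   # phrase-derived password from the text
}

DICTIONARY = ["password", "sunshine", "welcome", "letmein", "dragon"]
PROFILE_WORDS = ["alice", "smith", "fluffy"]   # scraped personal information

def mutations(word: str):
    """Yield the variants a cracking tool tries for each base word:
    case changes, the word reversed, and appended digits or years."""
    bases = {word.lower(), word.capitalize(), word.upper(), word[::-1]}
    for base in bases:
        yield base
        for n in range(100):             # "Sunshine7", "dragon42", ...
            yield f"{base}{n}"
        for year in range(1950, 2030):   # "Fluffy2010", "alice1985", ...
            yield f"{base}{year}"

def crack(hashes: dict, wordlist: list) -> dict:
    """Dictionary / personal-info attack: {user: password} for every hit."""
    wanted = {h: user for user, h in hashes.items()}
    found = {}
    for word in wordlist:
        for guess in mutations(word):
            digest = sha256_hex(guess)
            if digest in wanted:
                found[wanted[digest]] = guess
    return found

def keyspace(length: int, charset_size: int) -> int:
    """Number of strings a brute-force attack must try at this length."""
    return charset_size ** length

def hours_to_exhaust(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at the given guess rate."""
    return keyspace(length, charset_size) / guesses_per_second / 3600

if __name__ == "__main__":
    print(crack(SAMPLE_HASHES, DICTIONARY + PROFILE_WORDS))
    rate = 1e9  # assumed offline guess rate against a fast, unsalted hash
    for length, size, label in [(8, 26, "8 lower-case letters"),
                                (8, 94, "8 printable characters"),
                                (12, 26, "12 lower-case letters")]:
        print(f"{label}: {hours_to_exhaust(length, size, rate):,.1f} hours")
```

Three of the four hashes fall to a word list of eight entries with routine mutations; only the phrase-derived password survives, because no base word in the list produces it. The keyspace figures make the point of the brute force paragraph: twelve lower-case letters (26^12) give a larger search space than eight characters drawn from all 94 printable ASCII characters (94^8), so length does more for you than complexity alone.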
Phishing is a common scam in which a hacker sends out an urgent email designed to alarm users into responding. These emails can appear to come from a legitimate source such as UCLA IT groups, a colleague, or your bank. They often contain links to phony Web sites designed to trick users into entering personal information, including their usernames and passwords.
If you receive an email that seems to be a phishing attempt or that carries a suspicious attachment, forward it to DangerousEmail@mednet.ucla.edu for the email team to review.