Using Passwords Effectively
It is your responsibility as a computer user to try to create strong passwords. Intruders may attempt to gain access to shared computer systems through the accounts of others. At particular risk are your privacy, reputation, and files and computing resources. Take extra precautions to make your password as difficult as possible to crack.
At Indiana University, your password must be a passphrase. A passphrase is typically longer than a password and consists of a phrase, e.g., "I have lived in Bloomington, IN for the passed 15 years." Passphrases are typically easier to remember than passwords. Notice in our example that we misspelled the word passed and included some non-alphabetical characters. This makes the passphrase even more secure. Passphrases are becoming more popular because the natural complexity of language and length of the passphrase make it stronger than a shorter password.
Indiana University network passphrases must contain at least:
- 15 - 127 characters
- 4 unique characters
- 4 or more words (two or more distinct letters separated by one or more spaces or other non-letters)
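The three rules above can be checked mechanically. The following is an added example, not code from Indiana University: it reads a "word" as a maximal run of letters containing two or more distinct letters, and it assumes letters are compared case-sensitively; the function names are hypothetical.

```python
import re

MIN_LEN, MAX_LEN = 15, 127   # length bounds from the list above
MIN_UNIQUE = 4               # distinct characters required
MIN_WORDS = 4                # qualifying words required


def count_words(passphrase):
    """Count letter runs that contain two or more distinct letters.

    Runs are split on spaces and any other non-letter (digits, punctuation).
    Assumption: 'a' and 'A' count as distinct letters.
    """
    runs = re.findall(r"[^\W\d_]+", passphrase)  # maximal runs of letters
    return sum(1 for run in runs if len(set(run)) >= 2)


def check_passphrase(passphrase):
    """Return the rules the passphrase fails; an empty list means it passes."""
    failures = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        failures.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))
    if len(set(passphrase)) < MIN_UNIQUE:
        failures.append("needs at least %d unique characters" % MIN_UNIQUE)
    if count_words(passphrase) < MIN_WORDS:
        failures.append("needs at least %d words" % MIN_WORDS)
    return failures


if __name__ == "__main__":
    # Constructed samples; the first is the example phrase from this page.
    samples = [
        "I have lived in Bloomington, IN for the passed 15 years.",
        "aaaa bbbb cccc dddd",   # long enough, but no run has 2 distinct letters
        "ab ab ab ab ab ab",     # enough words, only 3 unique characters
        "correct horse",         # too short and too few words
    ]
    for s in samples:
        print(repr(s), "->", check_passphrase(s) or "OK")
```

A check like this only tests the stated minimums; the advice later on this page about avoiding names and easily obtained information still applies.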
Passphrases and passwords are case sensitive. The lowercase “s” is different from the uppercase “S.” Make sure that the Caps Lock is not on, unless you intend to enter all uppercase letters.
While the University requires that you use a passphrase to access your accounts, you can still use a password for local user and administrator accounts on your personal computer, if you choose.
For more help on creating a strong passphrase, see the Knowledge Base document at:
Your password is the key to your data and should be nearly impossible for someone to try to figure out. Choosing a secure password is important for keeping your data secure.
Note: Do not confuse the local administrator account with your IU network or domain account (usually first initial and last name). Your local administrator account and your IU domain account should have different account names and passwords!
Some strategies for creating a good password are:
- Create a password that is easy to remember.
- Create a password that you don’t have to write down.
- Make the password at least 8 characters long.
- Create a password that you can type quickly.
- Create a password that is a random mix of letters, digits, and punctuation.
Things to Avoid when Choosing a Password
There are specific things you should avoid when choosing a password, including the following:
- Names of any kind. These include your login name, your first or last name in any form, or your spouse's or child's name.
- Any kind of easily obtained information. This includes your phone number (may be listed in a directory), your address (again, easily obtained from a directory), birthdays, license plate numbers, telephone numbers, etc.
- Sensitive information. This includes your ATM PIN, your student ID if you are a student, your Social Security number, or your credit card number.
- Words contained in English or foreign language dictionaries. These include obvious words such as “secret” or “password” or “abc123,” etc.
Remember that it is part of your responsibility as a computer user to create a strong password. For maximum security, always take extra precautions when creating a password so that sophisticated crackers can’t acquire your personal information.
Do NOT let software remember a password because the password will be stored on the computer, and many machines are used by other users. When you go to a site on the Internet and enter your user ID and password, you may see a checkbox or another dialog box asking you if you want the browser to remember the password and if you want to be asked this again. Depending upon your browser and its settings, the browser may not remember your password information again.
Another safe password technique is to create a new, strong password for every Web site or login that requests one. You might consider creating a few strong passwords and using those at sites you want to keep most secure, such as your bank, brokerage, or bill-paying company. Then create another small set of passwords that are easier to remember that you can use everywhere else.
About Sharing Passwords
Do NOT share your password with others. Don’t give your password to anyone, including your friends, your boss, a computer repair person, etc., and don’t write them down and keep them at your desk or in an unprotected file on your computer.
A social engineer is a person who will try to manipulate a computer user by using trust rather than exploiting computer security holes. Be aware of anyone who wants to log on to your machine to send a quick email or anyone who claims to be an administrator and requests a password for various purposes.
Never send your password through email. A new trick that hackers use is to try to get people to give away their passwords and other personal information through email. Reputable companies will never ask you to send a password through email. If you receive such a request, verify the company's real phone number or email address and notify them immediately by phone or through their Web site.
Many websites will email your password to you as a convenience. However, if someone manages to break into your email account, they then have access to many of your passwords. If you receive an email like this, be sure to delete it immediately. Any reputable site will have a password recovery process that you can use to retrieve or reset your password.
Changing Passwords Frequently
A strong password is one that you change on a regular basis. A good practice is to change your password at least every three to six months. Always log out of Microsoft Outlook and other applications or other computers before changing your password.
Your ADS Domain account password should be the same as your other UITS computing account passwords. If you are unable to log into the ADS domain, your passwords need to be synchronized. You can change or reset your IU passwords simultaneously on almost all of UITS shared central systems at IU by using the Password Maintenance utility. To set a completely new password or to resynchronize your password so that it is the same on all systems, go to the Web page at:
You may have to wait up to 30 minutes for all systems to recognize the new password.