Research Data Management

This guide provides best practices and resources for managing your research data for any discipline.


Passwords protect your identity, your work, and your privacy.  They prevent unauthorized access to your electronic accounts and devices.  The goal when creating a good password is to make it as difficult as possible for a potential intruder to identify it using everything from an educated guess to brute-force or automated attacks.

Never share any passwords with anyone. If you know that your account or your password has been compromised, change it immediately. If you suspect an account or a password may have been compromised, change the password immediately. Do not use the same password for multiple accounts.  Do not use close variations for different accounts.

Password phrases are a good option. Include alternate characters.  For example, "I hate to use passwords on my accounts" can become "Ihate2usepasswordsonmyaccounts" (30 characters) or "!hat32uzepa$w0rdsonmiactz" (25 characters) or even "iH@t32zpwsM!ktz" (15 characters).  Use a pattern match that you will remember (use '3' for 'e', '!' for 'i' or 'I', '4' for 'for', '@' for 'a' or 'at', '$' for an 'S', etc.).  Information Security at UVa recommends using a Passphrase.

  • Use a strong password. At least 8, but no more than 50 characters.  20-26 is a good length.
  • Use both upper-case and lower-case characters.
  • Use special characters: ! # $ @ _ ' + , ? [ ] . - and space.  Remember that an underscore can be difficult to see if you are entering a password in a visible box.
  • Do not use your UVa computing ID.
  • Do not use your first, middle, last name or nick name.
  • Do not use your birth date, phone number, home address, license plate number, zip code, or any number commonly associated with you.
  • Do not use dictionary words.
  • Do not repeat characters more than twice.
  • Do not string 3 or more ascending or descending characters together (1234 or rstuv or ABC).
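
The rules in the list above can be checked mechanically. The following is an added example, not part of the original guide: the function names and messages are illustrative, "repeat" is read as the same character three or more times in a row, and the dictionary-word rule is left out because it needs a word list.

```python
import string

# Special characters this page lists as allowed (including space).
SPECIALS = set("!#$@_'+,?[].- ")

def has_run(pw, n=3):
    """True if n+ neighbouring letters or digits ascend or descend (abc, 321)."""
    low = pw.lower()
    for step in (1, -1):
        count = 1
        for a, b in zip(low, low[1:]):
            same_kind = (a in string.digits and b in string.digits) or (
                a in string.ascii_lowercase and b in string.ascii_lowercase)
            count = count + 1 if same_kind and ord(b) - ord(a) == step else 1
            if count >= n:
                return True
    return False

def has_repeat(pw, n=3):
    """True if one character appears n or more times in a row (assumed reading)."""
    count = 1
    for a, b in zip(pw, pw[1:]):
        count = count + 1 if a == b else 1
        if count >= n:
            return True
    return False

def check_password(pw, personal=()):
    """Return the guideline violations found; an empty list means none."""
    problems = []
    if not 8 <= len(pw) <= 50:
        problems.append("length must be 8-50 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs upper- and lower-case characters")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special character")
    if has_repeat(pw):
        problems.append("character repeated more than twice")
    if has_run(pw):
        problems.append("3+ ascending/descending characters")
    # personal: caller-supplied strings (computing ID, names, dates); hypothetical input
    if any(p and p.lower() in pw.lower() for p in personal):
        problems.append("contains personal information")
    return problems

if __name__ == "__main__":
    for sample in ("iH@t32zpwsM!ktz", "Ihate2usepasswordsonmyaccounts"):
        print(sample, check_password(sample))
```

Run against the sample passphrases earlier on this page, only "iH@t32zpwsM!ktz" returns an empty list; the other two each contain the descending run "onm".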

Use two-factor authentication (2FA), or multi-factor authentication, if it is available. It is an additional layer of security. If your password and email address are compromised, it will stop anyone from accessing that account. It is usually an SMS code sent to your phone, or a code generated by a dedicated authenticator app, or even a code sent to your email account. You won't see 2FA every time you log in. But you will see it if you are logging in from a different device or browser than you normally use.

ITS has started to implement Enhanced NetBadge for certain UVa resources. Visit the NetBadge FAQs for additional information.

Many browsers will ask if you want them to save a password. These built-in password managers are fully integrated with the browser, are convenient, and know when you are on a website that needs a specific password.  Keep your browser up-to-date, and use a security control on your device, such as a password, PIN, or biometric. If your computer is shared with other users, do not use this feature.  One downside to these tools is that they rarely sync across platforms and browsers.

Strings of random characters or passphrases can be difficult to remember.  Use a password manager.  They may not be perfect, but they are better than not having one.  UVa now provides access to LastPass for both personal and UVa account passwords. Read the LastPass best practices to learn how to keep your account secure, and explore the FAQs.

Other password manager products that are available are KeePassXC, KeePass, RoboForm, Password Safe, 1Password, Bitwarden, Dashlane, and Sticky. They all offer programs that will work on many, if not all, platforms. There are usually free versions and paid versions available.  Compare cost, features, platform compatibility and what you need from the product.  You WILL have to remember the master password for your account. Lose it and you lose access to your passwords.  Choose a password that is very strong and that you can remember.  An alternative, low-tech option is to use an analog password manager, such as the Personal Internet Address & Password Log Book, or an address book.  Keep it locked up.

Advantages to using a password manager:

  • make it easier to remember long, complex passwords
  • can auto-generate unique passwords for you
  • can auto-fill most logins (don't work with some banks and forms)
  • can sync across devices and platforms
  • can flag weak passwords
  • can flag compromised websites
  • can use multi-factor authentication

Disadvantages to using a password manager:

  • all your passwords are in one location
  • require you to create a very strong master password. Lose it and you cannot access your passwords, and will have to revisit all websites to set new passwords.

Looking for a password manager for a different platform?  Password Safe provides a list of "related projects" based on their code.

Interested in learning more about password security? The United States Computer Emergency Readiness Team (US-CERT) provides Security Tip (ST04-002) Choosing and Protecting Passwords.