Passwords protect your identity, your work, and your privacy. They prevent unauthorized access to your electronic accounts and devices. The goal when creating a good password is to make it as difficult as possible for a potential intruder to identify it using everything from an educated guess to brute-force or automated attacks.
Never share any passwords with anyone. If you know that your account or your password has been compromised, change it immediately. If you suspect an account or a password may have been compromised, change the password immediately. Do not use the same password for multiple accounts. Do not use close variations for different accounts.
Password phrases are a good option. Include alternate characters. For example, "I hate to use passwords on my accounts" can become "Ihate2usepasswordsonmyaccounts" (30 characters) or "!hat32uzepa$w0rdsonmiactz" (25 characters) or even "iH@t32zpwsM!ktz" (15 characters). Use a substitution pattern that you will remember (use '3' for 'e', '!' for 'i' or 'I', '4' for 'for', '@' for 'a' or 'at', '$' for 'S', etc.). Information Security at UVa recommends using a passphrase.
Use two-factor authentication (2FA), or multi-factor authentication, if it is available. It is an additional layer of security. If your password and email address are compromised, it will stop anyone from accessing that account. The second factor is usually an SMS code sent to your phone, a code generated by a dedicated authenticator app, or even a code sent to your email account. You won't see 2FA every time you log in, but you will see it if you are logging in from a different device or browser than you normally use.
Many browsers will ask if you want them to save a password. These built-in password managers are fully integrated with the browser, are convenient, and know when you are on a website that needs a specific password. If you use one, keep your browser up to date and use a security control on your device, such as a password, PIN, or biometric. If your computer is shared with other users, do not use this feature. One downside to these tools is that they rarely sync across platforms and browsers.
Strings of random characters or passphrases can be difficult to remember. Use a password manager. Password managers may not be perfect, but using one is better than not having one. UVa now provides access to LastPass for both personal and UVa account passwords. Read the LastPass best practices to learn how to keep your account secure, and explore the FAQs.
Other available password manager products include KeePassXC, KeePass, RoboForm, Password Safe, 1Password, Bitwarden, Dashlane, and Sticky. They all offer programs that will work on many, if not all, platforms. There are usually free versions and paid versions available. Compare cost, features, platform compatibility, and what you need from the product. You WILL have to remember the master password for your account. Lose it and you lose access to your passwords. Choose a password that is very strong and that you can remember. An alternative, low-tech option is to use an analog password manager, such as the Personal Internet Address & Password Log Book, or an address book. Keep it locked up.
Advantages to using a password manager:
Disadvantages to using a password manager:
Looking for a password manager for a different platform? Password Safe provides a list of "related projects" based on their code.
Interested in learning more about password security? The United States Computer Emergency Readiness Team (US-CERT) provides Security Tip (ST04-002) Choosing and Protecting Passwords.