Carnegie Mellon University

Passwords are the most common way to prove we are who we say we are when using websites, social media accounts, email, and even the computer itself. Passwords also give us, and anyone who learns them, access to mobile phones, banking applications, work log-ins, and confidential files. For many online systems, a password is the only thing standing between an attacker and our personal data. Despite all of the research and software available to help protect passwords, users still make the same errors: reusing passwords across accounts, building passwords from personal information, using commonly known passwords, and choosing passwords of the minimum allowed length. These errors make it easy for a cyber criminal to crack a password and compromise an account in a matter of minutes.

The following information will provide specifics on how users can create strong, secure, memorable passwords for each of their accounts.

How to Create Strong Passwords

Be Unpredictable

  • Avoid the Obvious: Don't use any personal information in your password that can be found in a publicly accessible place such as an Internet search engine or social media. This includes pet names, birthdays, children's names, street address, etc. Additionally, don't use easy-to-guess passwords such as "123456", "qwertyuiop" or "p@$$w0rd"; strings like these sit at the top of the leaked-password lists that cracking tools try first.
  • Never Share Your Password: When you share your password, you are sharing all of your account details with that person as well. Each person who has access to your account is another avenue through which you can be attacked, and anyone with access could change the password and lock you out of your own account.
  • Don't use Dictionary Words or Common Substitutions: A dictionary word, or a combination of words that naturally go together, is not a strong password; cracking tools try word lists and common phrases before anything else. Additionally, those tools apply rules for common substitutions such as "@" for "a" and "0" for "o", so "p@$$w0rd" is barely harder to crack than "password".

Be Creative

  • Stretch it Out: CMU passwords should be a minimum of 8 characters long, but the longer the password, the more secure it becomes: every additional character multiplies the number of guesses an attacker has to make.
  • Mix it Up: Add a combination of uppercase and lowercase letters, numbers, and symbols to add variety to your passwords. 
  • Add Emoticons: Use symbols that resemble smiley faces, such as :), to add complexity to your passwords. An emoticon is still only two or three extra symbols, so use it to lengthen a strong password rather than as a substitute for length.

Be Unforgettable

  • Make it Memorable: Create a passphrase from something that means something to you, or that is completely made up, and shorten it with acronyms or shortcuts.
    • Example: (To be or not to be that is the question) 2BorNot2B_ThatisThe? 
  • Use Random Words that Don't Belong Together: This method departs from the traditional advice against dictionary words. Instead of one word, string four random words together into a multi-word passphrase. The most important thing is that the words are genuinely random and do not form a grammatical phrase; picking them with a generator rather than by hand avoids unconsciously choosing related words. Add numbers and symbols to make the passphrase more secure.
    • Example: mollusk2-conspire0-subtract1-needy9
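The two "Be Creative" and "Be Unforgettable" points above, length beating symbol variety and the random-words passphrase, can be checked with a small generator. The following is an added example written for this page, not CMU's own tooling. It assumes a constructed 16-word sample list (a real generator would load a large published list), an illustrative guess rate of 1e10 per second for the time estimates, and uses Python's secrets module so the words and characters are drawn with a cryptographic random source rather than by a person, which is the property the "random words" advice depends on.

```python
import math
import secrets
import string

# Constructed 16-word sample list so the example runs offline. A real
# generator should load a large published list (several thousand words);
# each word contributes log2(list size) bits, so 16 words give only 4 bits each.
SAMPLE_WORDS = [
    "mollusk", "conspire", "subtract", "needy", "lantern", "glacier",
    "pepper", "orbit", "velvet", "cactus", "harbor", "thimble",
    "nomad", "quartz", "saddle", "tundra",
]

# Alphabet a password manager might draw from: 26 + 26 + 10 + 32 = 94 symbols.
MIXED_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_words_passphrase(words, count=4, add_digit=True, sep="-"):
    """Pick `count` words uniformly at random with the CSPRNG in `secrets`
    (never the `random` module), so the words really are unrelated.
    With add_digit=True each word gets a random digit, matching the shape of
    the page's example 'mollusk2-conspire0-subtract1-needy9'."""
    parts = []
    for _ in range(count):
        word = secrets.choice(words)
        if add_digit:
            word += str(secrets.randbelow(10))
        parts.append(word)
    return sep.join(parts)


def random_chars_password(length=16, alphabet=MIXED_ALPHABET):
    """Password-manager style: `length` uniform random draws from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_slot, slots):
    """Entropy of `slots` independent uniform draws from `choices_per_slot`
    options, i.e. log2(choices ** slots). Only valid for truly random draws;
    a human-chosen password falls in far fewer guesses than this implies."""
    return slots * math.log2(choices_per_slot)


def passphrase_entropy(list_size, count, add_digit=True):
    """Entropy of a random-words passphrase; the optional digit adds log2(10) per word."""
    bits = entropy_bits(list_size, count)
    if add_digit:
        bits += entropy_bits(10, count)
    return bits


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try every possibility at an assumed offline-cracking rate.
    1e10 guesses/s is an illustrative assumption for a fast hash on GPUs;
    a slow, salted hash such as bcrypt is orders of magnitude slower."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_schemes():
    """Entropy (bits) of several password shapes, showing that length matters
    more than symbol variety: 12 random lowercase letters beat 8 random mixed
    characters, and four random words rival a 12-character random password."""
    return {
        "8 chars, 94-symbol alphabet": entropy_bits(94, 8),
        "12 chars, lowercase only": entropy_bits(26, 12),
        "16 chars, 94-symbol alphabet": entropy_bits(94, 16),
        "4 words from a 7776-word list": passphrase_entropy(7776, 4, add_digit=False),
        "4 words + a digit each (page example shape)": passphrase_entropy(7776, 4),
    }


if __name__ == "__main__":
    print(random_words_passphrase(SAMPLE_WORDS))
    print(random_chars_password())
    for name, bits in compare_schemes().items():
        print(f"{name:45s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years at 1e10/s")
```

The entropy figures only hold for passwords the generator picked; a passphrase a person composes from words that "feel random" is drawn from a much smaller, predictable set, which is why the random-words advice above insists the words be genuinely unrelated.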

Be Smart

  • One Password for Each Account: Use a different password for each account, so that a compromise of one account does not spread to the rest. Attackers routinely take usernames and passwords leaked from one site and try them on others, which only works when passwords are reused.
  • Secure Your Security: Guessing the answers to password-reset questions is often far easier than cracking the password itself. Honest answers to these questions are often publicly discoverable facts that a determined adversary can find and use to bypass your password entirely. Instead, give fictional answers that no one knows but you, and record them somewhere safe, such as your password manager, so you can still answer them later.
  • Use Two-Factor Authentication: Two-factor authentication (2FA) adds another layer of defense for your information. 2FA requires a second proof of identity besides your password, such as a code or approval prompt on your phone, so a stolen password alone is not enough to log in. CMU provides two-factor authentication through DUO Security.
  • Install a Password Manager: Checking "Remember Me" for automatic log-on is not a password manager; anyone with physical access to your device would then have easy access to your accounts. A password manager generates strong, unique passwords for each of your accounts and stores them in an encrypted vault, so you only need to remember one strong, unique master password to unlock all of the others.