Password Tips

Passwords are the key to many systems and applications. Your password helps to prove who you are, ensure your privacy, and protect the privacy of data you may have access to.

Compromised passwords are one of the means by which unauthorized people gain access to a system. Someone logging on under your name has access not only to your computer files, but may also have access to your personal information (e.g. benefits, bank information) and may impersonate you to send malicious e-mail.

Many times you are requested to choose and maintain a password for various purposes (e.g. sign on to a file server, access your e-mail, use a password protected screensaver).

At Azusa Pacific University, these passwords allow access to important University systems (e.g. e-mail, home.apu.edu, AllAccess, PeopleSoft, Enterprise Document Management System, and more).

It's important to choose a strong password and protect it since there are many password-cracking programs readily available on the Internet and passwords are the key to access many computer systems or applications. A strong password makes it reasonably difficult to guess the password in a short period of time either through human guessing or the use of automated password cracking programs.

Password Managers

The IMT Security Office does not officially recommend or endorse these tools; however, they are useful and secure. The tools listed here use Trust No One (TNO) encryption, meaning the vendor never holds the key to your vault and cannot access your data.

Passwords and Passphrases

Passwords and passphrases perform the same functions as described above, but achieve them in different ways. Described below are best practices for developing either a strong password or a strong passphrase.

While both will work for your access to APU resources, we encourage the use of passphrases because they are (when done correctly) even more secure than a strong password while being easy to remember.

Passwords

The following are general recommendations for creating a strong password:

A Strong Password should
  • Be at least 8 characters in length (longer is better)
  • Contain both upper and lowercase alphabetic characters (e.g. A-Z, a-z)
  • Have at least one numerical character (e.g. 0-9)
  • Have at least one special character (e.g. ~ ! @ # $ % ^ & * ( ) - _ + =)
A Strong Password should not
  • Spell a word or series of words that can be found in a standard dictionary
  • Spell a word with a number added to the beginning and/or the end
  • Be based on any personal information such as user id, family name, pet, birthday, etc.
  • Be based on a keyboard pattern (e.g. qwerty) or duplicate characters (e.g. aabbccdd)

Passphrase

A passphrase could be a lyric from a song, a Bible verse, or a favorite quote. An example of a strong passphrase is “Superman is $uper str0ng!”. A nonsensical word can also be built from the first letter of each word in a phrase (e.g. C$200wpG. represents "Collect $200 when passing Go."). Passphrases typically have additional benefits: they are longer than a typical password and easier to remember.
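The checker below is an added example, not code from the University page: it turns the "should" and "should not" rules listed above into a function that reports which rules a candidate fails, and adds a small helper that builds the first-letter "nonsensical word" from a phrase the way the C$200wpG. example does. The word list, keyboard rows and the personal-information argument are constructed for the example; a real check would load a full dictionary and the user's directory attributes.

```python
import re

# Constructed stand-in for "a standard dictionary"; load a real word list in practice.
DICTIONARY = {"superman", "password", "welcome", "summer", "collect", "dragon", "letmein"}

# Rows of a US keyboard, used to spot patterns such as "qwerty" (forwards or backwards).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# The special characters the page lists as examples; any other non-alphanumeric
# non-space character is accepted as "special" as well.
SPECIALS = set("~!@#$%^&*()-_+=")


def strength_problems(pw, personal_info=()):
    """Return the list of rules from the page that `pw` fails (empty list = strong).

    `personal_info` is an optional iterable of strings that must not appear in the
    password (user id, family name, pet, birthday ...), supplied by the caller.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS or (not c.isalnum() and not c.isspace()) for c in pw):
        problems.append("no special character")

    lower = pw.lower()
    # A dictionary word on its own, or with digits tacked on the front and/or end.
    core = re.sub(r"^\d+|\d+$", "", lower)
    if lower in DICTIONARY or core in DICTIONARY:
        problems.append("dictionary word (possibly with digits added)")

    for item in personal_info:
        if item and item.lower() in lower:
            problems.append(f"contains personal information {item!r}")

    # Keyboard patterns: any four adjacent keys of a row, in either direction.
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            run = row[i:i + 4]
            if run in lower or run[::-1] in lower:
                problems.append(f"keyboard pattern {run!r}")
                break

    # Duplicate characters: the whole password is pairs like aabbccdd ...
    if len(pw) >= 4 and re.fullmatch(r"(?:(.)\1)+", pw):
        problems.append("made of repeated character pairs")
    # ... or any character repeated three or more times in a row.
    if re.search(r"(.)\1\1", pw):
        problems.append("a character repeated three or more times in a row")
    return problems


def acronym(phrase):
    """Build a nonsensical word from a phrase the way the page's example does.

    Words contribute their first letter plus any punctuation attached to their end
    ("Go." -> "G."); tokens that do not start with a letter ("$200") are kept whole.
    "Collect $200 when passing Go." -> "C$200wpG."
    """
    out = []
    for token in phrase.split():
        if token[0].isalpha():
            tail = re.search(r"[^\w]*$", token).group(0)
            out.append(token[0] + tail)
        else:
            out.append(token)
    return "".join(out)


if __name__ == "__main__":
    for candidate in ["password1", "Qwerty12!", "aabbccdd", "Superman is $uper str0ng!"]:
        print(f"{candidate!r}: {strength_problems(candidate) or 'strong'}")
    word = acronym("Collect $200 when passing Go.")
    print(f"{word!r}: {strength_problems(word) or 'strong'}")
```

Both page examples pass every rule, while "password1" is rejected as a dictionary word with a digit appended and "Qwerty12!" for its keyboard pattern even though it satisfies all four character-class rules; the character-class checks alone are not enough, which is why the "should not" list matters.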

Using Passwords and Passphrases

The following are several recommendations for using passwords.

Do not share your password with anyone for any reason.

Passwords should not be shared with anyone. In situations where someone requires access to another individual’s protected resources, delegation of permission options should be explored. For example, Google Calendar allows users to delegate control of their calendar to another user without sharing any passwords.

Change your passwords periodically.

The frequency of password changes is generally based on the privilege or access level of the account. Accounts with greater privilege or access should have their password changed more frequently. If any University password has been compromised or you suspect it’s been compromised, change your passwords immediately and contact the IMT Support Desk.

Do not write your password down or store it insecurely.

As a general rule, you should avoid writing down your password. In cases where it is necessary to write down a password, that password should be stored in a secure location (e.g. in your wallet or in a locked file) and properly destroyed when no longer needed. Consider writing down hints, not the password. Never store a password in an unencrypted electronic file or use the "save my password" feature.

Use a password manager with strong encryption.

Using a password manager to store your passwords is not recommended unless the password manager uses strong encryption and requires authentication before use. Use a strong password or passphrase for your password manager itself, and maintain a backup copy of its database. LastPass and KeePass are examples of password managers that use strong encryption.

Avoid reusing a password.

When changing an account password, you should avoid reusing a previous password. If a user account was previously compromised, either knowingly or unknowingly, reusing a password could allow that user account to, once again, become compromised. Similarly, if a password was shared, reusing that password could allow someone unauthorized access to your account.

At APU, a password history is kept of all passwords used to help users avoid reusing passwords. This history never expires, so you will only be able to use a given password once.
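The page says a history of every password is kept; it does not say how. The class below is an added example, not APU's implementation, of how such a history can be kept without ever storing the passwords themselves: each entry holds a random salt and a PBKDF2-HMAC-SHA256 digest (an assumed choice of function), so a leaked history cannot be read back, and a new password is checked against every entry with a constant-time comparison. The iteration count and salt length are assumed parameters.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16              # assumed: 128-bit random salt per entry
DEFAULT_ITERATIONS = 600_000  # assumed: tune to your hardware; higher is slower for attackers


def derive(password, salt, iterations):
    """Salted, slow hash of a password (PBKDF2-HMAC-SHA256, assumed for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordHistory:
    """Keeps a salted hash of every password an account has used, never the password.

    The history never expires, matching the policy described on the page, so any
    password that was ever set is refused forever.
    """

    def __init__(self, iterations=DEFAULT_ITERATIONS):
        self.iterations = iterations
        self._entries = []  # (salt, iterations, digest); iterations stored per entry
                            # so the work factor can be raised later without rehashing

    def was_used(self, password):
        """True if `password` matches any entry. Each entry has its own salt, so the
        candidate must be re-derived for every entry; cost grows with history length."""
        for salt, iterations, digest in self._entries:
            candidate = derive(password, salt, iterations)
            if hmac.compare_digest(candidate, digest):
                return True
        return False

    def set_password(self, password):
        """Record a new password. Returns False (and stores nothing) if it was used before."""
        if self.was_used(password):
            return False
        salt = os.urandom(SALT_BYTES)
        self._entries.append((salt, self.iterations, derive(password, salt, self.iterations)))
        return True

    def __len__(self):
        return len(self._entries)


if __name__ == "__main__":
    history = PasswordHistory()
    print(history.set_password("Superman is $uper str0ng!"))  # True: first use
    print(history.set_password("C$200wpG."))                  # True: first use
    print(history.set_password("Superman is $uper str0ng!"))  # False: already in history
    print(len(history), "entries, none of them the password itself")
```

Because every entry carries its own salt, checking a candidate costs one full derivation per historical password; that is acceptable for a change-password flow that runs once per user, and it is the price of not storing anything an attacker could reverse or compare across accounts.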

Avoid using the same password for multiple accounts.

While using the same password for multiple accounts makes it easier to remember your passwords, it can also have a chain effect allowing an unauthorized person to gain unauthorized access to multiple systems. This is particularly important when dealing with more sensitive accounts such as your APU NetID or your personal online banking account.

These passwords should differ from the password you use for online newspapers and other web-based accounts. Avoid using the same password for test and production systems.

Do not use automatic logon functionality.

Using automatic logon functionality negates much of the value of using a password. If a malicious user is able to gain physical access to a system that has automatic logon configured, they will be able to take control of the system and access all your information.

Log out and quit applications.

When vacating your workstation, completely log off the computer or otherwise secure your workstation from unauthorized use (e.g. locked screensaver). When vacating a public computer (kiosk or public lab), completely log out and quit the application before you leave.

Be aware of Phishing tricks.

Never provide your password over e-mail or based on an e-mail request. Hackers try to trick people into giving away their passwords and other personal information by sending fake e-mails that appear to come from common Web sites such as the University, eBay, PayPal, or a local bank. See Spam and Phishing Defense for additional information.

Notify technical staff if access is no longer needed.

If you terminate your University employment or change departments, contact your technical coordinator to let them know that access is no longer needed.