Saturday, 22 Jun 2024

Information Security Office

The purpose of this article is to educate users on the importance of maintaining strong passwords and provide guidelines for creating and managing them securely. Whether you are a student, faculty, or staff member at Carnegie Mellon University, this article applies to you if you have a username and password for any University system or application.

The Characteristics of a Strong Password

A strong password is one that is reasonably difficult to guess, either through human guessing or the use of specialized software. To ensure your password meets the strength requirements, follow these guidelines:

  • Be at least 8 characters in length.
  • Contain both upper and lowercase alphabetic characters (e.g. A-Z, a-z).
  • Have at least one numerical character (e.g. 0-9).
  • Have at least one special character (e.g. ~!@#$%^&*()_-+=).

Maintaining a Strong Password

To maintain the security of your password, consider the following recommendations:

  • Do not share your password with anyone for any reason. Passwords should not be shared, even with students, faculty, or staff members. If someone requires access to your protected resources, explore delegation of permission options or create a new account with appropriate access levels.

  • Change your password upon indication of compromise. If you suspect that someone has compromised your account, change your password immediately. Reset your password from a computer you do not typically use and report the incident to your departmental administrator or the Information Security Office.

  • Consider using a passphrase instead of a password. A passphrase is a sequence of words with numeric and/or symbolic characters inserted throughout. Passphrases are longer, easier to remember, and more difficult to guess. Ensure the passphrase includes alphabetic, numeric, and special characters, and avoid using multiple words found in a standard dictionary.

  • Do not write your password down or store it in an insecure manner. Avoid writing down your password, but if necessary, store it securely and destroy it when no longer needed. Do not use password managers unless they meet strong encryption and authentication requirements.

  • Avoid reusing a password. When changing an account password, avoid reusing a previous password to prevent unauthorized access. If a password was compromised or shared, using it again can pose a security risk.

  • Avoid using the same password for multiple accounts. While using the same password for multiple accounts may be convenient, it increases the risk of unauthorized access to multiple systems. Use different passwords for sensitive accounts such as your Andrew account or online banking.

  • Do not use automatic logon functionality. Automatic logon negates the purpose of using a password. If an unauthorized user gains physical access to a system with automatic logon configured, they can easily access sensitive information.


Guidelines for User Account Provisioning and Support

For individuals responsible for provisioning and supporting user accounts, follow these guidelines:

  • Enforce strong passwords. Leverage functionality in systems and applications to prevent users from setting weak passwords.

  • Require a change of initial or “first-time” passwords. Force users to change their initial passwords to ensure only they know their password and mitigate the risk of the initial password being guessed or intercepted during transmission.

  • Force expiration of initial or “first-time” passwords. To mitigate the risk of guessing or interception, set initial passwords to expire after a period of time, such as 72 hours.

  • Do not use restricted data for initial or “first-time” passwords. Do not formulate initial passwords from personal information or other restricted data, as defined in the Guidelines for Data Classification. Refer to Appendix A for a comprehensive list of data types.

  • Always verify a user’s identity before resetting a password. Use an appropriate method such as photo identification, a video conference, or confirmation from the user’s manager.

  • Never ask for a user’s password. Instead, explore alternatives such as delegation of permission or impersonation functionality in applications.

Guidelines for System and Application Design and Implementation

For individuals responsible for the design and implementation of systems and applications, consider these guidelines:

  • Change default account passwords. Disable default accounts whenever possible. If they cannot be disabled, change their default passwords immediately upon installation and configuration.

  • Implement strict controls for system-level and shared service account passwords. System-level and shared service accounts provide elevated access levels and are highly susceptible to malicious activity. Implement more complex passwords and limit the use of these accounts.

  • Do not use the same password for multiple administrator accounts. A shared administrator password, once compromised, grants unauthorized access to every system where it is used.

  • Do not allow passwords to be transmitted in plain text. Passwords transmitted in plain text can be easily intercepted. Use secure protocols or encryption methods to protect passwords during transmission.

  • Do not store passwords in easily reversible form. Do not use weak encryption or hashing algorithms to store or transmit passwords. Use strong encryption and hashing algorithms so that stored passwords cannot be recovered.

  • Implement automated notification of password changes or resets. Send automatic email notifications to users when their passwords are changed or reset to confirm successful changes and alert them to any unauthorized changes.

  • Guidance for Service Accounts: Service account passwords should be randomly generated, long (over 15 characters), and meet the same complexity requirements as strong passwords. Microsoft Active Directory service accounts with a Service Principal Name (SPN) should be even longer (over 28 characters) to mitigate the risk posed by weak encryption ciphers.
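Added example (my own code, not CMU’s): generating a random service account password that satisfies the length rules in the bullet above (over 15 characters, over 28 with an SPN) and the complexity rules, then storing it as a salted scrypt hash rather than in the easily reversible form the storage guideline warns against. The concrete lengths (20 and 32), the scrypt parameters and the storage string format are my assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string

SPECIAL_CHARACTERS = "~!@#$%^&*()_-+="   # the set listed under strong passwords
ALPHABET = string.ascii_letters + string.digits + SPECIAL_CHARACTERS
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIAL_CHARACTERS)


def generate_service_account_password(has_spn: bool) -> str:
    """Random password from a CSPRNG: 32 chars for an AD account with an SPN
    (page says over 28), 20 otherwise (page says over 15); assumed lengths.
    Candidates missing any character class are discarded and redrawn."""
    length = 32 if has_spn else 20
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def unsalted_digest(password: str) -> str:
    """The storage form the guideline warns against: a fast, unsalted digest.
    Equal passwords give equal digests, so precomputed tables recover them."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard scrypt hash; a fresh random salt unless one is given."""
    salt = salt or os.urandom(16)
    n, r, p = 2 ** 14, 8, 1   # assumed work factors
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)
```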


Frequently Asked Questions

Q: How can I create a strong, memorable password?
A: Consider using passphrases, which are sequences of words with additional characters throughout. Passphrases are longer, easier to remember, and more secure than traditional passwords.

Q: Should I write down my password?
A: It is generally recommended not to write down your password. However, if you need to, store it securely and destroy it when no longer needed.

Q: Can I reuse my old password?
A: It is best to avoid reusing old passwords, especially if they have been compromised or shared. Using a new password ensures better security.

Q: Is it safe to use automatic logon functionality?
A: Automatic logon functionality undermines the purpose of having a password. Avoid using it, as unauthorized users can easily gain access to your system.

Q: How can I verify a user’s identity before resetting their password?
A: Request photo identification for in-person requests. For phone requests, consider video conferencing, manager confirmation, or self-service password reset solutions.


In today’s digital world, strong passwords are crucial for protecting your personal and sensitive information. By following the guidelines and recommendations outlined in this article, you can create and maintain strong passwords that are difficult for others to guess or crack. Remember to regularly change your passwords and never share them with anyone. Stay vigilant and keep your accounts secure.

For more information about information security and best practices, visit the Eireview website.

Revision History:

  • Version 1.0 (12/01/2007) – Doug Markiewicz: Original publication.
  • Version 1.1 (05/14/2008) – Doug Markiewicz: Updated broken link in Additional Information.
  • Version 1.2 (09/12/2012) – Doug Markiewicz: Updated out-of-date references to supplemental resources.
  • Version 1.3 (03/24/2014) – Wiam Younes: Updated information on password compromise procedure and example to verify user’s identity.
  • Version 1.4 (09/14/2017) – Laura Raderman: Updated links to new Computing Services’ site and formatted for new CMS templates.
  • Version 1.5 (02/18/2022) – Laura Raderman: Added Guidance for service accounts.
  • Version 1.6 (09/13/2023) – Matthew Nicolai: Fixed links.