UW-Madison - Password Best Practices
The Password Best Practices recommend measures users can take to effectively protect accounts using passwords.
Surrounding text in italics is not part of the official document.
Recommendations
- Each account should have its own unique password. Having a unique password for each account prevents an attacker who gains access to one account from accessing other accounts that use the same password.
- Per NIST (National Institute of Standards and Technology) recommendations, create a simple but long passphrase. A passphrase is a string of typical English words linked together, similar to a sentence. One way to create a strong passphrase is to use common words in uncommon combinations, such as “speedy hot broccoli anteater”. See “LastPass - How to create a strong and memorable password” for more guidance.
- Never email your password.
- Shared accounts should only be used when it is necessary to share information resources and there is no practical way to provide each person or system with a unique account to access those resources.
- UW-Madison owned devices, such as kiosks, that are located in public places, such as libraries, should have very short time limits, as defined by policies.
Contact
Please address questions or comments to itpolicy@cio.wisc.edu.
References
- UW-Madison IT Credentials Policy - https://policy.wisc.edu/library/UW-528
- LastPass Password Manager at UW-Madison - https://kb.wisc.edu/94884
- How to Create a Strong and Memorable Password - https://kb.wisc.edu/95032
- Digital Identity Guidelines: Authentication and Lifecycle Management (2017), National Institute of Standards and Technology, NIST Special Publication (SP) 800-63B, Section 5.2.3, Use of Biometrics - https://pages.nist.gov/800-63-3/sp800-63b.html