”TigerStrong Passwords

Guidelines

CCIT Strong Password Guidelines

 

Tips to Develop a Strong Password

Passwords should be different for every website or computer login and should be sourced randomly. Passwords for a particular system should never be shared with different websites or systems or with other people. The tips below can help you create secure passwords that follow the Clemson password policy.

 

Memorable Passwords

Strong passwords should be sourced randomly but that does not mean they cannot be something that is easy to remember. Longer but simpler passwords are in general better than short passwords that have difficult to remember substitutions or special characters. This means that a password such as “experimental techno involvement ground” are harder for an attacker to guess than passwords such as “inT3rfEre$#”. A good way to create a long password is to take between 4 and 6 random words that are at least 4 letters long and combine them.

 

Password Managers

Password managers can greatly simplify the process to generate, store, and retrieve different, secure passwords for every website. Your passwords are protected by a master password that is the only one that you need to remember and that is the most important to keep safe. Most password managers have smartphone apps in addition to desktop addons to retrieve or automatically fill in saved passwords on websites.

Recent Security Awareness Training recommends the use of a password keeper or password management software.

 

Password Strategies to Avoid

Some patterns are very common in passwords and are easy to guess by criminals and hackers. To avoid weak, easy-to-guess passwords:

  • Avoid sequences or repeated characters. “12345678,” “222222,” “abcdefg,” or adjacent letters on your keyboard do not help make secure passwords.
  • Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know enough to try and crack your password will not be fooled by common look-alike replacements, such as to replace an ‘i’ with a ‘1’ or an ‘a’ with ‘@’ as in “C1em$0n” or “P@ssw0rd”. But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.
  • Avoid your login name or any personally identifiable information. Any part of your name, birthday, social security number, or similar information about your loved ones constitutes a bad password choice. This is one of the first things criminals will try.
  • Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children.
  • Use more than one password everywhere. If any one of the computers or online systems using this password is compromised, all of your other information protected by that password should be considered compromised as well. It is critical to use different passwords for different systems. It is also highly recommended not to use your Clemson password on 3rd party web sites as Clemson cannot vouch for the security of that web site and any compromise of that site could expose Clemson’s resources.
  • Avoid using online or local storage of passwords. If malicious users find these passwords stored online, on a networked computer, or on a USB key, they have access to all your information.

 

Mobile Devices
If a mobile device is used to access University resources, it should meet the following requirements:

  • Mobile devices must have a password, PIN, or biometric login enabled
  • Mobile device PINs should be at least 6 characters long
  • Mobile devices should use disk encryption. Newer Android devices are encrypted by default when a lock screen is set up. For older Android devices, you can enable encryption in the device’s settings. You can check if your device is encrypted by going to Security in your settings. For iPhone devices, encryption is enabled automatically when you set up a passcode.

 

Responsible Division

CCIT

Reviewed Date

October 30, 2024