Password Best Practices
Tips for securely managing your Access Account password
Know the Rules
Read and comply with the provisions of the ITS Password Policy and Guidelines.
Create a strong password
Use strong passwords to protect your computing resources. Follow these rules to create strong passwords:
- Use two numbers in the first eight characters.
- Pick long passwords, at least 8 characters in length if the system allows it.
- Don't use a common dictionary word, a name, a string of numbers, or your User ID.
- One of the easiest-to-remember and hardest-to-crack password methods is the pseudo-random password. The actual password is generated from an easy-to-remember phrase that is important to you. The phrase can be a line from a book you particularly like, words from a song you always remember with ease, or a statement by some powerful figure that you will never forget. The key to a successful password is to create a phrase that is easy for you to remember but that no one else would ever think to attribute to you.
- Personal phrase: "Four score and seven years ago our fathers brought…"
  Method: Chose the first two letters from each word until a total of eight characters resulted.
- Personal phrase: "It was a dark and stormy night..."
  Password: iWadasn7
  Method: Chose the first letter from each word, followed by the age of a nephew.
- Personal phrase: "My Brother's Birthday Is april(4) Twenty Two Nineteen Sixty three(3)"
  Password: mbbi4tt19s3
  Method: Chose the first letter from most words, and substituted numbers for letters.
- Certain special characters may be used. However, some applications may not accept special characters. If you run into this problem, changing your password to a combination of letters and numbers only should solve it. Examples of permitted special characters are shown below:
$ . , ! % ^ *
Note that some special characters should not be used; see the list of disallowed special characters below. Also, if you use dial-up service to connect, you cannot have any special characters in your password.
Avoid a weak password
When creating passwords, avoid the following:
- Easy to guess passwords such as a blank or "password"
- Your name, spouse’s name, or partner’s name
- Your pet’s name or your child’s name
- Names of close friends or coworkers
- Names of your favorite fantasy characters
- Your boss’s name
- Anybody’s name
- The name of the operating system you’re using
- A string of numbers or letters, like 1234 or abcd
- The hostname of your computer
- Your phone number or your license plate number
- Any part of your social security number or Penn State ID
- Anybody’s birth date
- Other information easily obtained about you (e.g., address, town, alma mater)
- Words such as wizard, guru, password, gandalf, and so on
- A username in any form (as is, capitalized, doubled, etc.)
- A word in the English dictionary or in a foreign dictionary
- Place names or any proper nouns
- Passwords made up of the same letter repeated
- Simple patterns of letters on the keyboard, like asdfg
- Any of the above spelled backwards
- Any of the above followed or preceded by a single digit
Protect your password from misuse
- Do not let anyone else know or use your password; this is a violation of University policy.
- For optimum security, don't write your password down. If you must write it down, keep it somewhere private such as in a locked drawer or in your wallet. Don’t post it on your computer or anywhere around your desk. Don’t include the name of the system or the associated User ID with the password.
- Be aware of whether a password is sent securely across the Internet. URLs (Web addresses) that begin with "https://" rather than "http://" are safe for entering your password. The "s" in "https" means that the connection to the Web site is encrypted and cannot easily be read by other people. If the URL does not begin with "https", you should not enter your Penn State Access Account password.
- If you suspect that someone else may know your current password, change your password immediately.
- Change your password periodically, even if it hasn't been compromised.
- Don't type your password while anyone is watching.
Enable Security Questions
Setting personal security questions greatly enhances the protection of an Access Account. This measure lets you reset a forgotten or expired password yourself, remotely, without assistance from the ITS Accounts Office.
Create answers to security questions by following the same guidelines as for generating a password:
- Information not easily obtainable
- Notable answer, yet hard for others to guess
- Do not print the answers to the questions
- If you must print them, store the printout in a secure location
- Change questions periodically to ensure protection
*If you opt out of enabling security questions, a forgotten or expired password can only be reset at a signature station or with the assistance of the Accounts Office.
Disallowed special characters
At this time, the following characters are excluded from the list of permitted special characters because they are known to be incompatible with some systems.
- Double Quote: "
- Single Quote: '
- Backtick: `
- Ampersand: &
- Left Paren: (
- Right Paren: )
- Bar: |
- Less Than: <
- Greater Than: >
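As an added illustration of the "Create a strong password" rules, the "Avoid a weak password" list and the disallowed-character list above, here is a small Python checker. It is not Penn State's own tool: the rule set is transcribed from this page, the short word list stands in for a real dictionary, and the sample passwords in the demo are constructed for this example (mbbi4tt19s3 is the page's own worked example). It also includes the phrase-to-password derivation the page describes.

```python
"""Password-rule checker illustrating the guidance on this page (added example).

Not Penn State's own tool. The rule set is transcribed from the page; the word
list and the sample passwords below are constructed for this example.
"""
import re
import string

# Special characters the page shows as permitted.
ALLOWED_SPECIALS = set("$.,!%^*")
# Special characters the page lists as disallowed (incompatible with some systems).
DISALLOWED_SPECIALS = set("\"'`&()|<>")
# Stand-in for a real dictionary check; a deployment would use a full word list.
COMMON_WORDS = {"password", "wizard", "guru", "gandalf", "welcome", "secret"}
# Keyboard rows plus the alphabet, used to catch patterns like asdfg, 1234, abcd.
SIMPLE_SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                    string.ascii_lowercase)


def derive_from_phrase(phrase, letters_per_word=1, suffix="", max_len=8):
    """Pseudo-random password as the page describes it: take the first N letters
    of each word of a memorable phrase, stop at max_len characters, then append
    a suffix such as a number. Capitalisation is left to the user."""
    core = ""
    for word in re.findall(r"[A-Za-z0-9]+", phrase):
        core += word[:letters_per_word]
        if len(core) >= max_len:
            core = core[:max_len]
            break
    return core + suffix


def _variants(text):
    """The forms the page says to reject: as-is, reversed, and either of those
    with a single leading or trailing digit removed."""
    forms = {text, text[::-1]}
    for f in list(forms):
        if f and f[0].isdigit():
            forms.add(f[1:])
        if f and f[-1].isdigit():
            forms.add(f[:-1])
    return forms


def check_password(password, user_id="", dialup=False):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    lower = password.lower()

    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(ch.isdigit() for ch in password[:8]) < 2:
        problems.append("fewer than two digits in the first eight characters")

    specials = {ch for ch in password if not ch.isalnum()}
    bad = specials & DISALLOWED_SPECIALS
    if bad:
        problems.append("contains disallowed special character(s): " + "".join(sorted(bad)))
    unknown = specials - ALLOWED_SPECIALS - DISALLOWED_SPECIALS
    if unknown:
        problems.append("contains special character(s) not on the permitted list: "
                        + "".join(sorted(unknown)))
    if dialup and specials:
        problems.append("dial-up connections cannot use any special characters")

    forms = _variants(lower)
    if user_id:
        uid = user_id.lower()
        if forms & {uid, uid * 2}:
            problems.append("is the User ID (as is, reversed, doubled, or with a digit added)")
    words = forms & COMMON_WORDS
    if words:
        problems.append(f"is a common word ({', '.join(sorted(words))}), "
                        "possibly reversed or with a digit added")
    if len(set(lower)) == 1:
        problems.append("all the same character")
    if lower.isdigit():
        problems.append("a string of digits only")
    if any(len(f) >= 4 and (f in seq or f[::-1] in seq)
           for f in forms for seq in SIMPLE_SEQUENCES):
        problems.append("a simple keyboard or alphabet sequence")
    return problems


if __name__ == "__main__":
    # Constructed samples; "mbbi4tt19s3" is the page's own worked example.
    for pw in ("mbbi4tt19s3", "password1", "ab12cd&e", "asdfg", "jdoe1"):
        print(pw, "->", check_password(pw, user_id="jdoe") or "OK")
    print(derive_from_phrase("It was a dark and stormy night...", suffix="7"))
```

The checker returns every violated rule rather than stopping at the first, which is what a user-facing password form needs in order to explain a rejection; the word list and sequence table are deliberately tiny and would be replaced by a real dictionary in production.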