Safe Computing


Passwords – Six biggest mistakes we make

Passwords are the most common means to verify our identity to access online accounts. They are crucial to safeguarding our information or the information that has been entrusted to us by others. We need to protect passwords as securely as the information that they protect. In this article, we will examine the biggest mistakes that people make and ways to avoid them.

 Biggest Password Mistakes:

  1. Creating weak passwords
  2. Reusing passwords for different accounts
  3. Improperly protecting or sharing passwords
  4. Sharing secret questions
  5. Entering passwords without knowing where they go
  6. Not using multi-factor authentication when available

 Password Strength

 Cyber criminals can try every combination of short passwords.  When you use four numeric digits there are only 1,000 options.  However, when you add letters and characters and make the password longer there can be trillions or more possibilities. Such brute force attacks make passwords a numbers game, where length is better.  However, attackers first try everyday words, names, and commonly used passwords.

 Avoid using:

  Words from any dictionary, including foreign dictionaries or profanity, even if substituting 0 for O, @ for A, 3 for E, $ for S or adding numbers to words

  Celebrity names, sports figures, sports teams, game titles, pet names

  Number sequences such as 123…, 111…, etc.

  Keyboard patterns such as qwerty, asdfgh, qwer1234, etc., or line patterns on smartphones

  Searchable information about yourself or family – especially elements of your username

 We recommend: 

  Although 8 characters is often the minimum, we recommend using 12-15 characters

  Using phrases (“passphrases”) can be helpful but avoid common sayings

  Replacing letters with numbers and special characters

  Using a randomly generated password from a password vault system
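
 The "Avoid using" list and the length recommendation above can be turned into an automated screen. This is an added example, not part of the original article; the function names, the tiny word list and the 4-key pattern length are assumptions chosen for illustration.

```python
import re

# Substitutions the article says do not rescue a dictionary word.
LEET = str.maketrans({"0": "o", "@": "a", "3": "e", "$": "s"})

# Constructed sample lists; a real check would load a large wordlist.
COMMON_WORDS = {"password", "dragon", "baseball", "welcome", "sunshine"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 12  # lower end of the article's 12-15 recommendation


def has_keyboard_run(text, run=4):
    """True if `text` contains `run` adjacent keys from one keyboard row."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):  # left-to-right and right-to-left
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in text:
                    return True
    return False


def screen_password(password, username=""):
    """Return the list of article 'avoid' rules the password breaks."""
    problems = []
    lowered = password.lower()
    # Undo the letter substitutions, with and without numbers added at the ends.
    stripped = lowered.strip("0123456789")
    candidates = {lowered.translate(LEET), stripped.translate(LEET)}
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if candidates & COMMON_WORDS:
        problems.append("dictionary word")
    if re.search(r"(.)\1{2,}", lowered) or has_keyboard_run(lowered):
        problems.append("sequence or keyboard pattern")
    # Any 4+ letter piece of the username counts as an "element" of it.
    for part in re.findall(r"[a-z]{4,}", username.lower()):
        if part in lowered:
            problems.append("contains username element")
            break
    return problems
```

 An empty list means none of the listed rules fired; it does not by itself mean the password is strong.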

 Unique Passwords.

 Passwords are not easy to remember, especially when we are faced with scores of accounts.  Criminals know that too.   When one password is compromised, such as through phishing, or past compromised credentials are posted online, criminals try that username/password combination with other popular sites including your banks. If they need to, they can make some minor alterations such as changing a few numbers at the end. 

 We recommend:

  Use a unique password for each site, with passwords that don’t relate to each other in any way

 Password Protection. 

 Think about how someone would discover your passwords. By looking around your office or house? By gaining access to your computer? Through someone else?

 Avoid:

  Writing passwords down where they are accessible such as on a sticky note on your monitor, under your keyboard or in your top drawer, or in a “Passwords” book

  Writing username and password combinations anywhere

  Recording passwords in a file on your computer (unless it is in a bona fide password vault program)

  Using autologin with programs.  If your computer is compromised, you don’t want your accounts compromised too!

  Sharing passwords with others

 We recommend:

  Use a password vault program such as LastPass to store passwords.

 Secret Question Protection. 

 When you lose your password, many services use alternate means to verify your identity. Secret questions that you answer when signing up for an account are one alternate means often used. If a service requires secret questions, then losing the answers to those questions is as serious as losing the password. Criminals use social media platforms to discover those answers. “Who remembers their first-grade teacher?” or “What was your first car? Mine was a Toyota Corolla.” When one person answers, it inspires others to share.

 We recommend:

  Using the most obscure question that no one would know

  Choosing to add a question if that is an option

  Answering questions with fake or wrong answers (this only works if you remember those)

 Enter passwords only to proper accounts.

 One of the easiest ways for cyber criminals to steal passwords is through “credential harvesting.” This usually occurs when you are asked to enter your credentials on a site that seems legitimate. It can happen through links in emails, wifi hotspots, or phony websites. Always know which account you are logging into, including the “https” part.

 Avoid:

  Opening a secure attachment to an email without first verifying with the sender through an alternate means. By entering your credentials, you could be giving them directly to a criminal

  Entering credentials through links in emails without verifying with the sender through alternate means

  Logging in to accounts from web searches or when using a wifi hotspot.

 We recommend:

  Only go to trusted websites using URLs you know, or bookmarks you have saved.

  Check that links where you enter your credentials are preceded with “https” or have a lock symbol in the browser

  Questioning links to accounts that are sent from anyone.
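
 The first two recommendations above can be combined into one check: a link is accepted for login only if it uses https and its host name exactly matches a saved bookmark. This is an added example, not part of the original article; the bookmark URLs and the function name are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed bookmarks standing in for "URLs you know".
BOOKMARKS = ["https://mail.example.edu/login", "https://bank.example.com/"]


def check_login_link(link, bookmarks=BOOKMARKS):
    """Return (ok, reason) for a link that asks for credentials."""
    parts = urlsplit(link.strip())
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # Text before an "@" is not the site; the real host comes after it.
        return False, "user info before the host name"
    host = (parts.hostname or "").rstrip(".")
    trusted = {urlsplit(b).hostname for b in bookmarks}
    if host not in trusted:
        # A familiar name at the start of a longer host is still another host.
        return False, f"host {host!r} is not a saved bookmark"
    return True, "matches a saved bookmark"
```

 The https check alone is not enough, since any site can obtain a certificate; the exact host comparison is what ties the link to an account you know.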

 Multi-factor authentication

 Many accounts give you the option to use more than one means to verify that you are the valid holder of the account. The second means of authentication after a password is often something like a code sent to your smartphone. This adds an extra layer of security to your account. The University is planning to provide this capability in the coming months.

 We recommend:

  Use multifactor authentication when available


The Information Security Office has new information resources available, including a page on remote work and COVID-19 cybersecurity available from the Information Security portal.

Questions? Comments? Contact UMS Information Security at

(Content for this page was provided by Lynne Woods, Information Security Analyst II)