It is critical to manage your password appropriately. Remember, in computer security, passwords are often the weakest link! If your password is compromised, you jeopardize:
- Privacy, security, and reputation: An intruder who gains access to your email, bank account, and other sensitive information can damage not only your own privacy and reputation but also the university's, along with any other data your account can reach. Your identity may be stolen. Your email can be used to send defamatory messages or scams in your name, and your account can be used to host illegal material. The intruder can also use your account as a stepping stone to further university resources.
- Compliance/legal issues: You may also put the university at risk of being out of compliance with its legal and regulatory obligations, resulting in fines and penalties.
Use the tips below to manage your passwords safely. Your department may have more restrictive security policies that you must also follow.
Keep your password private
The university has assigned the account to you, and only to you. You have the responsibility to keep your password private to prevent unauthorized use.
- Use different passwords on different services.
- Do not use your IT Account password for other services (e.g., your bank account, your non-UMass email address, online streaming, online gaming, online shopping).
- Do not share the password to your primary account.
- Your password belongs to only you. Sharing your password, including with co-workers, undermines the security of university systems and violates the university’s acceptable use policy. By making passwords available to others, your personal information is at risk and more vulnerable to misuse. Do not send your password via email even if the message asking for your password appears official. Note that the UMass Amherst IT Service Desk will never ask for your account information via email.
Don’t leave your account exposed
Protect your account on computers
While remaining logged in to a computer does not expose your password, it gives anyone who sits down at that computer access to your account.
- Log out of every IT service when you finish using a shared computer, such as the IT Computer Classrooms.
- Lock your computer screen when you step away from it.
Avoid writing down your password
If you do write your password down, you risk someone else reading it and using it to gain access to your account and data. If you absolutely must write down your passwords:
- Write down password hints, not the actual password.
- Keep your username and passwords separate, not in the same document.
- Use a protected password management solution as described below.
When to change your password
If you suspect that your password has been stolen or compromised, change it immediately. Situations that may indicate a compromised password include:
- When notified by IT. If the notification arrives by email or text message, do not click any links in it, since the message itself may be phishing. Instead, follow the steps to change your IT password.
- If someone saw you type your password.
- If someone saw your password displayed.
- If your unencrypted device was lost or stolen. Encrypt your devices so that, should they be lost or stolen, the passwords and other data stored on them cannot be read. Note: This is already a requirement for university devices.
- If any computer on which you used your account becomes infected with malware. Many kinds of malware steal passwords. If you suspect your computer is infected, do not access any service that requires you to enter a password (e.g., your UMass account or online banking) from it until it has been cleaned.
- If you see strange activity on your account.
- If you become aware that your account was phished.
Strategies for remembering your password
Password managers
Password managers such as KeePass, SplashID, 1Password, LastPass, the Keychain feature in Mac OS X, and the built-in password storage in modern browsers (Edge, Firefox, and Chrome) provide a central, secure location for all your passwords. Note: UMass Amherst IT does not offer direct support for password storage software at this time.
Warning: If your NetID and password are needed to unlock your computer, do not rely on a password manager that is only available once you have logged in.
Use a reputable password manager or browser, not an unknown site. A reputable manager encrypts your data on your device before any of it is stored in the cloud.
Use the password reminder in Spire
- Don’t make the password obvious: the reminder should be a hint, not the answer itself.
- Directions for the password reminder in Spire can be found here.
Password construction strategies
Longer and more randomized passwords are more effective. Below are methods to help you create strong passwords.
Choose a theme for all your passwords (e.g., your passwords are always based on your favorite songs or movies). Decide on a few rules that you'll use to construct your passwords. For example:
Select a song: Romewasn'tbuiltinadaybyMorcheeba.
Theme: music. Rule: Use song name and artist.
Note: Please do not use this example. Attackers routinely try passwords published in guides and reference materials such as this one.
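As an added illustration of why longer and more random passwords are stronger (example code written for this page, not UMass Amherst IT's own tooling), the script below generates passwords and passphrases with Python's CSPRNG and estimates their strength in bits. The strength figures assume an attacker who already knows the construction rule, so a "theme" password is only as strong as the catalogue it is drawn from; the one-million-entry song catalogue and the sample wordlist are assumptions for illustration, while 62 symbols and the 7776-word Diceware list size are real figures.

```python
import math
import secrets
import string

# Symbol pool for random character passwords: upper, lower, digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits

# Constructed sample wordlist (assumption: stands in for a real Diceware-style
# list of 7776 words; the entropy figures below use the real list size).
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
]
DICEWARE_LIST_SIZE = 7776

# Assumption for illustration only: the number of song-title-plus-artist strings
# an attacker would enumerate once they know the "theme" rule.
ASSUMED_SONG_CATALOGUE = 1_000_000


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `pool_size` choices."""
    return length * math.log2(pool_size)


def min_length_for_bits(pool_size: int, target_bits: float) -> int:
    """Smallest number of picks from `pool_size` choices that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Password of `length` characters drawn uniformly using the CSPRNG in `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, n_words: int = 4, sep: str = "-") -> str:
    """Passphrase of `n_words` words drawn uniformly from `wordlist`."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_constructions() -> dict:
    """Entropy, in bits, of three constructions when the attacker knows the rule."""
    return {
        "16 random chars, 62-symbol pool": entropy_bits(len(ALPHABET), 16),
        "4 random words, 7776-word list": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "song title + artist (assumed 1e6 catalogue)": entropy_bits(ASSUMED_SONG_CATALOGUE, 1),
    }


if __name__ == "__main__":
    print("Random password  :", random_password())
    print("Random passphrase:", random_passphrase(SAMPLE_WORDS))
    for name, bits in compare_constructions().items():
        print(f"{bits:6.1f} bits  {name}")
    print("chars needed for 80 bits:", min_length_for_bits(len(ALPHABET), 80))
    print("words needed for 80 bits:", min_length_for_bits(DICEWARE_LIST_SIZE, 80))
```

Run it directly to see that four random dictionary words (about 52 bits) already beat a structured "theme" password whose rule is known, and that reaching 80 bits takes 14 random characters or 7 random words. The `secrets` module is used deliberately: `random` is not suitable for generating secrets.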