Tech Tip Tuesday: Tips for a Secure Password

Today’s tips are courtesy of Public Services Technician Sue Gum:

Tips for a Secure Password

  • Use a password manager that will create strong passwords for you.
  • Use a long password: 8 characters is a good place to start, but the longer the better.
  • Do not use the same password for multiple sites.
  • Use two-factor authentication (2FA) when possible.
  • Avoid common words and character combinations such as thequickbrownfox or thisismypassword. Also avoid using personal information like your name, nickname, the name of your pet, your birthday or anniversary, your street name, or anything associated with you that someone could find out from social media.
  • Avoid passwords known to be stolen: click this link and type in the password you want to use to see whether it has already been stolen.
  • Try to include letters (both upper and lower case), numbers, and symbols.
  • Remember to update your Allegheny password once a year, as soon as you get the email reminder.
  • For other accounts, there is no need to change your password periodically unless you suspect it has been exposed. Microsoft now gives the same advice: unless you suspect your passwords have been exposed, you don’t need to change them on a schedule. The reason? Many of us, when forced to change our passwords every few months, fall into the bad habit of creating easy-to-remember passwords or writing them down where others can find them.
  • Go to password generator sites like this or this, where you can choose the length of the password and which of the character categories (upper and lower case letters, numbers, and symbols) to include.

Find out if your passwords have been stolen

Mozilla’s Firefox Monitor and Google’s Password Checkup can show you which of your email addresses and passwords have been compromised in a data breach so you can take action. 

Have I Been Pwned can also show you if your emails and passwords have been exposed. If you do discover you’ve been hacked, see our guide for how to protect yourself.

Use two-factor authentication (2FA), but try to avoid text message codes

If thieves do steal your password, you can still keep them from gaining access to your account with two-factor authentication (also called two-step verification or 2FA), a security safeguard that requires you to enter a second piece of information that only you have (usually a one-time code) before the app or service logs you in.

While it’s common and convenient to receive these codes in a text message to your mobile phone or in a call to your landline phone, it’s simple enough for a hacker to steal your phone number through SIM swap fraud and then intercept your verification code. 

A much safer way to receive verification codes is for you to generate and fetch them yourself using an authentication app like Google Authenticator or Microsoft Authenticator. And once you’re set up, you can choose to register your device or browser so you don’t need to keep verifying it each time you sign in.

The revised passphrase method

This is the multiple word phrase method with a twist — choose bizarre and uncommon words. Use proper nouns, the names of local businesses, historical figures, any words you know in another language, etc. A hacker might guess Weldons, but he or she would find it ridiculously challenging to try to guess a good password example like this: WeldonsLincolnSi

To crank it up another notch in complexity, you can add random characters in the middle of your words or between the words. Just avoid underscores between words.

The sentence method

This method is also described as the “Bruce Schneier Method.” The idea is to think of a random sentence and transform it into a password using a rule. For example, using the sentence Roff School Tavern has the best pizza, I can take the first 2 letters of every word, which gives me rosctahathbepi. I can then take it a step further and capitalize some of the letters, like RoScTahathbepi, which makes it even more secure.

To anyone else, it’s gobbledygook, but to you it makes perfect sense. Make sure the sentence you choose is as personal and unguessable as possible.
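The sentence method as a small Python function, added here as an illustration (not code from the original post or from Allegheny ITS): it applies the rule described above, keeps the first n letters of every word, capitalizes the word positions you choose, and checks the result against the length and mixed-case tips from the list at the top of the page. The sentence and the n=2 rule are the post's own; the function names and the guideline check are assumptions made for this example.

```python
import re

def word_chunks(sentence: str, letters_per_word: int = 2) -> list[str]:
    """Split the sentence into words and keep the first n letters of each.

    Punctuation and digits are ignored; a word shorter than n letters
    simply contributes all of its letters (edge case the post does not cover).
    """
    words = re.findall(r"[A-Za-z]+", sentence)
    return [w[:letters_per_word].lower() for w in words]


def sentence_method(sentence: str, letters_per_word: int = 2,
                    capitalize: tuple[int, ...] = ()) -> str:
    """Derive a password from a memorable sentence.

    `capitalize` lists the 0-based word positions whose chunk gets an
    upper-case first letter, e.g. (0, 1, 2) reproduces the post's example.
    """
    chunks = word_chunks(sentence, letters_per_word)
    for i in capitalize:
        chunks[i] = chunks[i][0].upper() + chunks[i][1:]
    return "".join(chunks)


def meets_guidelines(password: str, min_length: int = 8) -> bool:
    """Check the tips from the list above that apply to a letters-only password:
    at least `min_length` characters and a mix of upper and lower case."""
    return (len(password) >= min_length
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password))


if __name__ == "__main__":
    sentence = "Roff School Tavern has the best pizza"   # the post's example
    plain = sentence_method(sentence)
    mixed = sentence_method(sentence, capitalize=(0, 1, 2))
    print(plain, meets_guidelines(plain))    # rosctahathbepi False (no upper case)
    print(mixed, meets_guidelines(mixed))    # RoScTahathbepi True
```

Adding numbers or symbols, as the tips recommend, is a separate step the post leaves to you; the guideline check here only covers length and case.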

How to set up a backup email & phone number in Self Service

  1. Log into Self-Service
  2. On the left click on the user options and then user profile
  3. Scroll down to add a personal email address and your cell phone number

These can be used to reset your password from https://accounts.allegheny.edu/