Securing Your Password

Your password is the primary thing that prevents someone else from accessing your email, your grades, your paycheck, and potentially your other accounts.  The following are tips on creating and securing your password, not just at Georgia Tech, but anywhere you have an account.

Keeping your password secure

Though it’s important you pick a good password, most passwords are not compromised by guessing.  If you create a password so strong it would take a million years to break and then give it to that prince who is looking to transfer large sums of money, your account is still going to be hacked.  The following are a few other examples of ways passwords are commonly hacked without guessing:

Phishing

By far the most common cause of account compromise is Phishing.  Cyber Security has an entire page dedicated to detecting and avoiding phishing attacks.

Giving Your Password Away

Another common, and related, way accounts become compromised is by the user simply giving the password to someone else.  This may seem obvious, but sometimes people don’t think about it when their parents need to see their grades or someone in their lab can’t get on wireless.  You also shouldn’t write a password down, which may let someone else see it.  It is against Georgia Tech policy to share your password with anyone else, and you are responsible for any actions taken by your account when it is logged in.

Password Reuse

Password reuse involves a user creating a, possibly very strong, password and then reusing the passwords on multiple sites, one of which gets hacked.   This also includes creating one password and slightly changing a number at the end or something similar.  If you go to the trouble of making a great password for your email account, don’t reuse it on your bulldog owners forum.

Man-in-the-middle attacks

Man-in-the-middle attacks happen when you enter your password on an untrusted network and someone intercepts your traffic and grabs your password.  This isn’t nearly as common as the other two, but it does happen.  Never enter your password on a site that doesn’t have “https” at the beginning or that required you to accept an unknown or unverified certificate.  This is especially true on public WiFi.

Password “hints”

Some services, notably not Georgia Tech, offer “hints” to remind you what your password is if you forgot it.  Never enter anything in one of these that could substantially help someone else guess your password.  So if your password is “4hajgF”, don’t make your hint “for he’s a jolly good fellow” or even “that nobody can deny”.  For tips regarding other reset methods, see the section at the bottom of this document.

Choosing a Password

The easiest way to remember a good password is to let a computer program do it for you.  Several password managers are available for free that can securely store your passwords.  One such password manager is LastPass, which will fill out passwords in your browser for you and generate new ones when you change your password.  Anyone can create a free LastPass account, but Georgia Tech has a limited number of  enterprise licenses for faculty and staff.  For more information on LastPass, see article Everything You Need to Know About LastPass.

If you’re using a password manager to store your password, you primarily intend to enter it using the password manager, and the password manager provides the ability to randomly generate a password (most do), your best option by far is to let it generate it for you.  If you are going to do this, generate one that is the maximum length and set of characters allowed by the service. For your GT Account password this would be 23 characters, upper and lower case letters, numbers, and special characters.

For passwords not in a password manager, including the password to the password manager, it is important that you create a password that is hard for a computer to guess.  Modern password cracking programs can guess hundreds of millions of passwords per second by trying alterations of word lists with billions of entries, so anything based on a word or name, even an uncommon one in a uncommonly used language, is likely to be guessed by a password cracker.  A good method for creating a strong password is to take a phrase you can remember and take the first letters mixed with some numbers and special characters.  So, for instance, “I spent too much at the fair last night” becomes I$2matfln.

For more information on password policy at Georgia Tech, see https://policylibrary.gatech.edu/information-technology/password-policy.

Setting reset options

Most web services, including Georgia Tech, offer a self-service way to reset your password if you forgot it.  Unfortunately, the security implications of this are often overlooked.  A password that takes a million years to guess isn’t going to help you if someone can reset it based on the answer to “Who is Luke Skywalker’s father?”  The following are tips on picking good reset questions:

  1. Don’t use something that is a public knowledge, even if it’s not common knowledge.  (e.g. Who was the second doctor to leave the show ER?)
  2. Don’t use something someone with passing knowledge of you would know or that you might reasonably post to social media.  (e.g. What is your birthday?  What is your favorite car?)
  3. If the service only asks one question on reset (Georgia Tech asks several), try to pick questions with extremely wide varieties of answers.  A good strategy for this, if you can pick your own question, is to ask questions with multiple parts.  “Where did your mother attend High School?” is a pretty good question, but “Where did your mother attend High School and what city was your father born in?” is much harder to guess.

Multifactor

While not directly related to passwords, an important account security step is to enable two-factor wherever possible.  Many online services now have the option of requiring both a password and an integration that requires access to your phone to verify who you are before logging you in.  This ensures that even if someone manages to compromise your password they must also either steal your phone or trick you into authorizing their connection before they get into your sensitive data.