Make IT Safe: Password Safety

In many ways a password is the equivalent of a signature or, in information technology terms, a required credential. Logging in to an MU resource with a PawPrint and password certifies the user's identity and authorization to view or use the information or system being accessed. While this may seem trivial, many people don't consider the consequences of having a password fall into the wrong hands.

In addition to stealing or discrediting an identity, there are much easier things an attacker (or maybe even a friend) could do with a password:

  • send threatening e-mail on your behalf (that appears to come from you)
  • access Web sites and, if you've enabled one-click ordering, purchase items with your credit card
  • access, modify, or delete documents stored on your computer, in your Bengal space, or on any other central file server that you have permission to access
  • use your Print Smart quota and/or charge printing jobs to your student account
  • use your credentials to connect to the MU e-mail servers and spam thousands of people
  • gain access to the MU network and attack other entities on your behalf

To help protect personal and MU resources, practice secure behavior and treat a password like a personal signature.

Password Requirements

Change passwords regularly using the Password Manager.

To ensure complexity, all passwords must have eight to 26 characters and include at least one character from at least three of the following:

  • Lowercase letters: a - z
  • Uppercase letters: A - Z
  • Digits: 0 - 9
  • Special characters: ? . , _ - ~ + = $ !

A password cannot:

  • Be a word found in the dictionary
  • Be the same as your PawPrint
  • Contain MU-related terms (tiger, Truman, Jesse, etc.)
  • Contain spaces or symbols other than the special characters above
  • Contain personal or directory information (Social Security number, employee ID, etc.)
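The rules above can be expressed as a single check that reports every violation at once. This is an added example, not the Password Manager's own code: the function name, the small word list standing in for a dictionary, the exact-match reading of the dictionary rule, and the sample passwords are all assumptions.

```python
import string

# Character classes and limits exactly as listed in the requirements above.
SPECIALS = "?.,_-~+=$!"
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(SPECIALS),
}
ALLOWED = set().union(*CLASSES.values())
MU_TERMS = ("tiger", "truman", "jesse")  # the page's examples; its "etc." is not expanded

# Constructed stand-in for a real dictionary file (assumption).
SAMPLE_WORDS = {"firecracker", "password", "secret"}


def policy_violations(password, pawprint, personal_info=(), words=SAMPLE_WORDS):
    """Return a list of rule violations; an empty list means the password is accepted."""
    problems = []
    lowered = password.lower()
    if not 8 <= len(password) <= 26:
        problems.append("length must be 8 to 26 characters")
    bad = sorted(set(password) - ALLOWED)  # spaces and unlisted symbols land here
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    used = [name for name, chars in CLASSES.items() if set(password) & chars]
    if len(used) < 3:
        problems.append("needs characters from at least 3 classes, found %d" % len(used))
    if lowered in words:
        problems.append("is a dictionary word")
    if lowered == pawprint.lower():
        problems.append("same as PawPrint")
    if any(term in lowered for term in MU_TERMS):
        problems.append("contains an MU-related term")
    if any(item and item.lower() in lowered for item in personal_info):
        problems.append("contains personal or directory information")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "abc123" is a made-up PawPrint.
    for candidate in ("Ihomdf5y!", "Go Tigers#1", "password"):
        print(repr(candidate), policy_violations(candidate, "abc123") or "accepted")
```
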

Helpful Tips

Here are a few easy steps to help ensure the safety of a password:
  • Never share a password or personal identification number (e-mail, voice mail or otherwise). There are almost always other ways of granting access to data and systems if there is a legitimate need to do so. If you need to grant access to others but are unsure of how to do so, check with the Division of IT Help Desk or your Departmental IT Professional.

  • Choose secure passwords. People trying to crack a password will try a PawPrint, room number, telephone number and student number. Passwords that mix random letters, digits and punctuation are harder for people and programs to crack.

    Some characteristics of a strong password are:

    1. It's easy to remember. Don't pick a password that you will have difficulty remembering.

    2. You don't have to write it down. Again, if you need to write it down because you have trouble remembering it, then you need to choose a different password.

    3. You can type it quickly, and without having to look at the keyboard.

    4. It's a mix of apparently random letters, digits and punctuation.

    An easy way to form a secure password that you can remember is to think of a phrase, song, poem, or sentence and use the first letter from each word. For example:

    "Christmas is on the 25th of December." = "Xms25thoD."
    "I have owned my dog for 5 years!" = "Ihomdf5y!"

    There are also specific things you should avoid when choosing a password, including the following:

    1. Words from a dictionary (including foreign language dictionaries) or a word from a dictionary preceded or followed by a single character. For example, "Firecracker2" is not a secure password.

    2. Names of any kind, including your login name, your first or last name in any form, or your spouse's or child's name. Pet names are also a bad choice, as are names of fictional characters.

    3. Any kind of easily obtained information. This includes your phone number (may be listed in a directory), your address (again, easily obtained from a directory), or your Social Security number.

    4. Information that is sensitive by nature. This includes your ATM PIN, or your credit card number.

    5. Simple keyboard patterns such as "qwerty" or "12345678". These generic patterns are easily guessed.

    6. University or state team names are a bad idea also - how many people at the University do you think have some form of "Tigers" in their password? Using a well-known team name in your password gives a hacker a head start on cracking your password.

    7. Well-known phrase mnemonics such as "ROYGBIV" (colors of the rainbow) or "WYSIWYG" (what you see is what you get) are easily guessed.

    8. "Password" or "Secret". This may seem like something that no one would ever do; however, during a password scan in 2003 the Division of Information Technology identified approximately 300 users on campus with one of these as their passwords.

  • Don't record passwords any place they would be vulnerable. This includes cellular phones and Palm devices. It also includes a sticky note taped to your monitor or pasted under your keyboard. These are common places where people keep their passwords written down and also common places where people would look to find yours. It is also a bad idea to choose the option to save your password when visiting Web sites or setting up an e-mail client; it is much more secure to enter the password again each time you visit. A forgotten password can be reset using the Three Questions Password Manager (myZou for students).

  • Watch for signs of misuse, such as:

    • A sent e-mail you did not create

      If you notice an e-mail in your "Sent Items" folder that you do not remember writing or sending, it could be a sign that someone else has accessed your account.

    • Unexplained logins

      If you subscribe to TigerLink and notice on your billing statement that you were charged for times when you were not logged in, it could mean someone has your password and is using your account to authenticate to the TigerLink modem pool.

    • New icons, programs, files, or start menu items you did not create or install

      Sometimes this can mean that you are a victim of "spyware", which we will discuss in a later lesson. However, this can also mean that someone has accessed your computer and made changes to its settings.

    • Noticeable performance degradation

      This is a possible sign of a password compromise because a hacker could access your machine and cause some program or file to be running in the background, thus taking up computing capacity.

    These can also be signs of various other problems, such as a worm/virus infection or a hardware issue. However, it's best to check everything out to make sure that you can identify what is causing the symptom. The Division of Information Technology Help Desk can assist you with any questions you may have.

If a password has been compromised or suspicious activity is occurring, change the password immediately and report the incident.

University of Missouri
Division of Information Technology
615 Locust Street, Columbia, MO 65211
(573)882-2000
Copyright ©2007 Curators of the University of Missouri.
Revised June 24, 2008