Best practices around password and passphrase management are evolving. New Digital Identity Guidelines from the National Institute of Standards & Technology (NIST) focus on longer passphrases to ensure password security.
Improving Password Security
Georgetown University has implemented Duo two-factor authentication for all NetID Single Sign-On applications. Two-factor authentication adds protection beyond the password by requiring a unique code in addition to your password before authentication to an application succeeds. This code is usable only once and can be pushed to your mobile or desk phone. If your password is compromised, two-factor authentication reduces the chance that someone can use it maliciously.
The University Information Security Office urges everyone to enroll in Duo, the University’s solution for two-factor authentication. It’s a great way to protect your NetID password and to ensure the security of University data and your own information.
NetID Password Requirements
A strong password is one that’s hard to crack. Unfortunately, the strongest passwords are very hard to remember. How likely are you to recall this one when you need to check your email? 3KMrXZaaJ7~FY%>9Z4
Research has shown that password length contributes more to strength than character complexity does. As part of Georgetown’s ongoing effort to protect the University’s members and its data, UIS has shifted to the use of multi-word passphrases rather than passwords.
The Georgetown Password Management System (Password Station) has been updated with new requirements:
- NetID passwords will be required to contain more than eight (8) characters
- NetID passwords will be generated randomly by the Password Station password generator tool
It’s a good practice to follow this guideline for your personal online accounts as well. Using sentences, phrases or random multi-word selections together with a secure password manager will keep your personal accounts and data much safer.
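As an added illustration (not Georgetown’s Password Station code), the following Python computes the guessing entropy behind the length-versus-complexity claim above and generates a random multi-word passphrase with the standard library’s `secrets` module; the wordlist is a constructed sample and the function names are assumptions.

```python
# Added example, not Georgetown's Password Station: entropy of random
# passwords versus random multi-word passphrases, plus a generator that
# enforces the "more than eight characters" NetID rule.
import math
import secrets

# Constructed sample wordlist. Entropy per word is log2(list size), so a
# real generator uses a list of thousands of words, not sixteen.
SAMPLE_WORDS = ["anchor", "bright", "castle", "desert", "ember", "forest",
                "glacier", "harbor", "island", "jungle", "kettle", "lantern",
                "meadow", "nickel", "orbit", "pepper"]


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn
    from an alphabet of `symbols` choices: length * log2(symbols)."""
    return length * math.log2(symbols)


def password_entropy(length: int, alphabet_size: int = 94) -> float:
    """Random character password; 94 = printable ASCII minus space."""
    return entropy_bits(alphabet_size, length)


def passphrase_entropy(num_words: int, wordlist_size: int) -> float:
    """Random multi-word passphrase; each word is one symbol."""
    return entropy_bits(wordlist_size, num_words)


def generate_passphrase(num_words: int, wordlist=SAMPLE_WORDS,
                        min_length: int = 9, separator: str = "-") -> str:
    """Pick words with a CSPRNG and retry until the phrase is longer than
    eight characters (min_length=9). Raises if that is impossible."""
    longest = max(len(w) for w in wordlist)
    if num_words * longest + (num_words - 1) * len(separator) < min_length:
        raise ValueError("wordlist too short to satisfy min_length")
    while True:
        phrase = separator.join(secrets.choice(wordlist)
                                for _ in range(num_words))
        if len(phrase) >= min_length:
            return phrase


if __name__ == "__main__":
    # 8 random symbols from 94 (~52 bits) vs 16 lowercase letters (~75 bits):
    # the longer, simpler password is the stronger one.
    print(round(password_entropy(8), 1), round(password_entropy(16, 26), 1))
    print(generate_passphrase(4), round(passphrase_entropy(4, 7776), 1))
```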
- Never tell your password to anyone—you are responsible for your own password!
- Never write down your password.
- Make your password hard to guess—do not use the name of your pet (or your children).
- Avoid using words found in a dictionary.
- Change your password at least 2x per year (enroll in password.georgetown.edu).
- The more random your password, the better.
- Be sure that you don’t use personal identifiers in your password (like your name or NetID).
- Never reuse passwords on different websites or across accounts.
- Use a Password Manager to help manage all your accounts.
- Enroll in two-factor authentication through Duo.
- Avoid using the “Remember Password” feature: this feature, offered by applications such as email, calendar and financial systems and by web browsers such as Mozilla Firefox, Chrome and Internet Explorer, does not adequately protect passwords. A computer virus or an unauthorized user of the machine may be able to read the stored credentials.
- Report compromises immediately: If you suspect your account or password has been compromised, report the incident to the University Information Security Office and change the password immediately.
A compromised password not only puts your own information at risk—it may also expose sensitive University data and systems.
Remember: University representatives will never ask for your password. It is against University policy for a technology service provider to request a user’s password.
Overwhelmed by the number of passwords, online accounts and codes you need to remember? Since you should not use the same password for your University and personal accounts, consider using a reputable password manager. Georgetown does not endorse any one product, but you can learn more about password manager options to see how they might fit your needs.