Passwords & Passphrases
Information Security Best Practices (ISBP) are developed in support of District Information Security Standards including the California Community College Information Security Standard.
Create Strong Passwords and Passphrases
Here are a few simple things you can do to improve the overall strength of your passwords and passphrases (memorized secrets).
Make Them Hard To Guess
- Hackers use content from social websites, compromised password lists, movie scripts, songs, etc., so avoid nicknames, pet names, birthdays, anniversaries, stuff that can be found about you on social websites, famous quotations, and predictable keyboard sequences.
- Don’t just add numbers or substitute special characters for letters – hacking tools check for these combinations.
Make Sure They Are Long and Complex
- The more characters your password contains the better. LBCC’s current standard is 16 characters with one upper case and one number.
- Passphrases are typically a better choice than passwords. In addition to being long and complex, they have the added benefit of being more memorable and easier to type than something like !a$5_Yx2. Just make sure it’s hard to guess.
Safeguard Your Account
- Use different memorized secrets on different systems and accounts.
- Use a password manager to assist with generating and retrieving strong passwords.
- Use 2 factor authentication (2FA) where available: Google, Facebook, Instagram, Twitter, and Amazon all support 2FA.
- Make sure your connection is secure so it doesn’t send your passwords or personal information unencrypted.
Password Managers
Since you really should be using unique passphrases for each site, password managers are an excellent means for keeping all of your passphrases safe. A small caveat: You must not forget your master passphrase to the password manger or you will have to reset all of your passphrases again.
As a general rule, you shouldn’t write down passwords or passphrases because it encourages bad behavior such as posting them on your computer screen or leaving them under your keyboard; however, if you must write one down (e.g., for your password manager), make sure that you:
- Store the paper in a safe place like a home safe, or your wallet.
- Destroy the paper as soon as using the passphrase becomes second nature.
- Refrain from storing passphrases on digital devices such as your phone, computer, tablet, etc. Once compromised, hackers scour devices for accounts and passwords.
Resources
Check for Breached Accounts and Exposed Passwords
Unfortunately, compromised accounts and password lists exposed by data breaches are freely available on the internet. In addition to identity theft, some phishing attempts, such as sextortion scams, utilize these resources to lure people into responding.
Firefox
In response, Firefox launched Firefox Monitor — a free service based upon data and services provided by haveibeenpwned. By signing up for this service, you can:
- Check if your personal data has been compromised by a data breach.
- Register to receive notifications if your account is exposed by future breaches.
- Get advice on how to protect yourself and what to do if your information is exposed.
Google Password Services
Google offers the following password checkup services as part if it’s password management website:
- Compromised Password Scan
- Password Reuse Warning
- Weak Password Finder
If you are interested, feel free to read more about each specific password checkup service.
Video: What to Do After a Data Breach (1:02)
Video courtesy of the Federal Trade Commission
Test the Strength of Your Memorized Secret
LastPass, a leading password manager vendor, provides a secure utility to test the strength of your memorized secret as well as suggestions for improving its strength.
Note: Strength meters have limitations since they do not account for user behavior or check against password lists, dictionaries, etc.
To maximize the utility of a meter, one must follow password creation best practices.
If You See Something, Say Something
Cybersecurity is a shared responsibility. Please report all suspicious activity and unauthorized access to computers, software, and websites to the Office of Information Security.
If you are looking to report a potential crime or similar non-emergency situation, please refer to the Police & Campus Safety website.
Protect your password
Administrative Procedure 3720 specifically prohibits the sharing of login credentials. Never provide your password to anyone: not your coworker, not your boss, not even ITS.
Don’t be a victim of phishing!
Forward all suspicious emails to Report a Phish. No one, not even ITS, should ask for your password or send emails or texts soliciting you to log in with your account. If someone does, they are phishing. If you do give your password to someone, immediately change it in the Viking Portal.