Information Security

Password Tips

Last modified 6/5/2023

Did you know that stolen usernames and passwords are used as the primary method to gain access to a network? Practicing good password hygiene will ensure that you keep your account, and all it has access to, secure. Read the tips below to find out how to become a password pro!

  • Tip 1: Do not use these passwords

Data breaches are so prevalent that researchers have been able to analyze the most common, and often weakest, passwords being used.

The following list includes the top 5 most commonly used passwords from 2020. These are the top 5 of 200 reported by a third-party company that conducts data breach research.

  1. 123456
  2. 123456789
  3. picture1
  4. password
  5. 12345678

If you use any of these passwords for any accounts, you should consider changing them immediately.

  • Tip 2: Check your passwords against known breaches

There is a website that will let you know if a password you use has ever been breached and exposed. The website is called Have I Been Pwned? and is a great resource for technology experts and users alike.

Complete these steps to check if one of your passwords has been exposed:

  1. Visit https://haveibeenpwned.com/Passwords.
  2. Enter a password of your choosing (you can test with a fake one).
  3. Click the "pwned?" button or hit enter.

If the password you enter has been previously exposed, you will be notified and given a count of just how many times it has been seen.
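Added example, not from the original page: how a Pwned Passwords lookup can be performed without the password itself ever leaving your machine. The Have I Been Pwned API publishes a "range" endpoint that takes only the first five hex characters of the password's SHA-1 hash and returns every hash suffix in that bucket together with its breach count; the client then searches the bucket locally. The bucket contents below are constructed for this example (the first suffix is the genuine SHA-1 suffix of the string "password", the counts are made up), and the live fetch function is included only to show the real call shape; the offline fetcher is used by default.

```python
"""Added example: k-anonymity style Pwned Passwords check.
Only a 5-character hash prefix is sent; matching is done on the client.
Sample bucket data is constructed and is not real breach data.
"""
from __future__ import annotations

import hashlib

# Constructed stand-in for the body of GET /range/5BAA6 (format: SUFFIX:COUNT per line).
# "5BAA6" + "1E4C9B93F3F0682250B6CF8331B7EE68FD8" is the real SHA-1 of "password";
# every count here is made up for the example.
CONSTRUCTED_RANGE_RESPONSES: dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
        "00000000000000000000000000000000001:3\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 digest into the 5-char prefix sent to the
    server and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher backed by the constructed bucket above."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the HIBP range endpoint (not used by default so that
    the example runs with no network access)."""
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-tips-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Return how many times the password appeared in breaches (0 if never).
    The server only ever sees the hash prefix, never the password or full hash."""
    prefix, suffix = sha1_prefix_suffix(password)
    bucket = parse_range_response(fetch_range(prefix))
    return bucket.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {pwned_count(candidate)} times")
```

Passing `fetch_range=fetch_range_live` to `pwned_count` performs the real query; the point of the design is that switching fetchers changes nothing about what the server learns, because the prefix is all that is ever transmitted.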

Pro Tip

In addition to having a password checker, the Have I Been Pwned? website can also check if your accounts have been seen in data breaches.

If the email or phone number you used has been found in a breach, you will get a report of all the services (there may be several) where it was seen. It will also provide you with information on the other types of data that were breached.

Just visit the homepage at https://haveibeenpwned.com/ and enter an email address or phone number to start. You can use this to check family member accounts as well.

  • Tip 3: Do not reuse passwords

Threat actors employ a variety of tactics to gain access to accounts, data, and systems. While users have become more aware of social engineering attacks like phishing, few have learned about credential stuffing attacks.

As shared in tips 1 and 2 above, data breaches have led to massive exposure of passwords. In credential stuffing attacks, threat actors use those exposed passwords directly against valuable websites and services. Instead of having to "pick the lock" in a sense with brute force password guessing, they simply have a ring of keys they can try.

If you found that you had been "pwned" by following the guidance in tip 2 above, you should make sure that the same account or password is not used anywhere else. It is safe to assume that any such information will be used against bank, email, and social media websites.
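Added example, not from the original page: what a credential stuffing attempt looks like from the server side, and a simple way to spot it in authentication logs. Trying a "ring of keys" produces one client address attempting many different usernames in a short window, mostly failing, with the occasional success marking an account whose reused password worked. The log format, addresses and entries below are constructed for this example; the thresholds are assumptions to tune for a real service.

```python
"""Added example: flag likely credential-stuffing sources in an auth log.
Log lines and thresholds are constructed/assumed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 tries six different accounts in five seconds;
# 198.51.100.7 is one user retrying their own account and getting it right.
CONSTRUCTED_AUTH_LOG = """\
2023-06-05T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-06-05T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-06-05T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2023-06-05T10:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2023-06-05T10:00:04Z ip=203.0.113.5 user=erin result=FAIL
2023-06-05T10:00:05Z ip=203.0.113.5 user=frank result=FAIL
2023-06-05T10:01:00Z ip=198.51.100.7 user=alice result=FAIL
2023-06-05T10:01:10Z ip=198.51.100.7 user=alice result=FAIL
2023-06-05T10:01:20Z ip=198.51.100.7 user=alice result=SUCCESS
2023-06-05T12:00:00Z ip=203.0.113.5 user=gina result=FAIL
"""


def parse_line(line: str) -> dict:
    """Parse one 'TIMESTAMP key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_stuffing_sources(
    log_text: str,
    window: timedelta = timedelta(minutes=5),
    min_distinct_users: int = 5,
) -> dict[str, int]:
    """Return {ip: max distinct usernames failed within one window} for every
    source IP that failed against at least min_distinct_users accounts.
    A single user mistyping their own password never trips this, because the
    signal is breadth across accounts, not the raw failure count."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures_by_ip: dict[str, list[dict]] = defaultdict(list)
    for event in events:
        if event["result"] == "FAIL":
            failures_by_ip[event["ip"]].append(event)

    flagged: dict[str, int] = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window forward so fails[start:end+1] spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start : end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = max(len(users), flagged.get(ip, 0))
    return flagged


def likely_compromised(log_text: str, **kwargs) -> set[tuple[str, str]]:
    """Successful logins coming from a flagged source: the accounts whose reused
    password was in the attacker's 'ring of keys' and should be reset first."""
    flagged = find_stuffing_sources(log_text, **kwargs)
    return {
        (e["ip"], e["user"])
        for e in (parse_line(l) for l in log_text.splitlines() if l.strip())
        if e["result"] == "SUCCESS" and e["ip"] in flagged
    }


if __name__ == "__main__":
    print("stuffing sources:", find_stuffing_sources(CONSTRUCTED_AUTH_LOG))
    print("accounts to reset:", likely_compromised(CONSTRUCTED_AUTH_LOG))
```

The same breadth-across-accounts logic is what a rate limiter or login-anomaly rule keys on; from the user's side, the defence is simply that a password exposed on one site must not be the key to any other.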

Pro Tip

In addition to not reusing passwords across multiple services, consider enabling multi-factor authentication (sometimes called two-factor authentication or 2FA) where possible.

With this extra layer of security, a threat actor would not only need to obtain your password, but would also need to gain access to your additional factor (e.g. your phone). There are certainly ways for them to do that, but that kind of effort is usually reserved for high-value targets such as political, corporate, and world leaders.

  • Tip 4: Upgrade passwords to passphrases

When it comes to technology-based attacks against passwords, the length and complexity of the password matters. However, users are often frustrated by trying to come up with such a password and having it be memorable. Our advice is to use a passphrase instead of a password.

For example, a complex and likely difficult to remember password of R3d&i4d$ might seem secure, but can actually be reasonably cracked in a matter of 3 days. Alternatively, a simpler and memorable passphrase of GoYouRedbirds1857! would take about 4 years to crack.
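Added example, not from the original page: a small calculator for the brute-force search space behind the comparison above. It counts the character classes present, computes the worst case for an attacker who must try every combination, and contrasts that with an attacker who guesses whole dictionary words. The guess rate is an assumption chosen for illustration, so the resulting times are not meant to reproduce the "3 days" and "4 years" figures in the text; what the numbers do show is that length dominates, and that a passphrase built from real words should be measured by its word count, not its character count.

```python
"""Added example: brute-force search-space estimates for passwords and passphrases.
The guesses-per-second rate is an assumption for illustration only.
"""
from __future__ import annotations

import math
import string

# Character classes an attacker would have to include once they see one member used.
CLASSES = [
    ("lowercase", set(string.ascii_lowercase)),
    ("uppercase", set(string.ascii_uppercase)),
    ("digits", set(string.digits)),
    ("symbols", set(string.punctuation)),
]


def pool_size(password: str) -> int:
    """Size of the alphabet the attacker must enumerate, given the classes present."""
    present = set(password)
    return sum(len(cls) for _, cls in CLASSES if present & cls)


def brute_force_bits(password: str) -> float:
    """log2 of the number of strings of this length over the inferred alphabet.
    This is the *upper bound* for a character-by-character attacker."""
    return len(password) * math.log2(pool_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Time to try the whole space at an assumed offline guess rate."""
    return 2 ** brute_force_bits(password) / guesses_per_second


def dictionary_bits(words: int, vocabulary: int, extra_bits: float = 0.0) -> float:
    """Search space when the attacker guesses whole words from a wordlist.
    A random four-word phrase from a 7776-word list is about 52 bits, roughly the
    same as an 8-character random password, but far easier to remember. A phrase
    that makes sense (a slogan, a team, a year) is smaller still, because the
    attacker can rank likely word sequences instead of trying them all."""
    return words * math.log2(vocabulary) + extra_bits


def describe(password: str, guesses_per_second: float = 1e10) -> str:
    secs = seconds_to_exhaust(password, guesses_per_second)
    return (
        f"{password!r}: pool={pool_size(password)} "
        f"bits={brute_force_bits(password):.1f} "
        f"exhaust={secs / 86400:.1f} days at {guesses_per_second:.0e} guesses/s"
    )


if __name__ == "__main__":
    print(describe("R3d&i4d$"))
    print(describe("GoYouRedbirds1857!"))
    print(f"random 4-word diceware phrase: {dictionary_bits(4, 7776):.1f} bits")
```

The character-class bound flatters phrases like GoYouRedbirds1857!: by characters it looks enormous, but an attacker who tries common words, team names and years will find it long before exhausting 94^18 strings, which is why the advice below to pick words at random matters.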

Pro Tip

If you choose to set a passphrase, it is recommended that you do not actually use a phrase that makes sense. The one provided is purely for illustrative purposes and would be considered weak for any member of the Illinois State University community.

Consider visiting a site like https://www.useapassphrase.com/ for examples of randomly worded passphrases. You want to find a phrase that you can easily memorize that no human or machine can reasonably guess.

  • Tip 5: Make it easy with a password manager

For our final tip, we would like to suggest the use of a password manager. Password managers are apps and websites that can securely store all of your passwords in a vault. This is a valuable tool when you start practicing tips 3 and 4 above.

While the University does not make a password manager available for personal use, here is a list of popular choices to check out:

  • Bitwarden
  • 1Password
  • Dashlane
  • LastPass (note: experienced a security breach in 2022)
  • KeePass (note: self-managed/not "cloud" based)

We recommend reading reviews to determine which may be best for you. A good starting point would be the article The Best Password Managers from Wirecutter, which is owned by The New York Times Company.

Pro Tip

If you are an employee of the University with departmental or institutional passwords used for official operations or business (e.g. social media accounts, vendor portals, state and federal reporting, etc.), contact the Office of Technology Solutions to learn about a password manager that is available for that use.