Choosing and using unique and strong passwords is an essential part of technology security both at KU and in your personal life.
The KU Password Policy spells out the password requirements for accessing KU systems and information. Your KU password must be changed every 210 days, and must meet these complexity requirements:
- 8 to 32 characters long.
- At least one special character (for example &, #, -, or _).
- At least one uppercase letter.
- At least one lowercase letter.
- At least one number.
Protect your KU password:
- KU and other legitimate organizations will never ask you to provide sensitive personal information (e.g., password, Social Security Number, etc.) in an email or in an unsolicited phone call.
- Do not share your password with anyone, including your boss, co-workers, or technology support staff.
- Avoid using dictionary words (unless you are combining at least four unrelated words, as described below) and personal details such as the name of a child or pet.
- Take advantage of KU's password reminder service so your next required change isn't a surprise.
- And remember, you must change your password every 210 days, but you can voluntarily change it more often.
Password Tips and Best Practices
Follow these password best practices to help keep your information safe and secure.
No matter the requirements of a given site or service, always create and use unique and strong passwords. Creating unique and strong passwords is critical for security, but it doesn’t have to be difficult. Here are two recommended methods for creating unique and strong passwords that are easy to remember.
Start with a memorable sentence or phrase. Some people use a line from a song or poem they remember. Then use a few steps of substitution, misspellings, and other tricks that are meaningful to you to arrive at a strong password that is easy for you to remember.
- Memorable phrase: “I like ham and cheese sandwiches.”
- Remove spaces: “ilikehamandcheesesandwiches.”
- Use shorthand, and misspell words: “ilykhamandchzsammies.”
- Use some characters, numbers and mix cases: “1lYkh4m&chZsa2mies.”
- Brute-force estimates put the time for a single desktop PC to crack this password at about 71 quadrillion years. Treat such figures as an upper bound: they assume the attacker must try every combination, and a password derived from a phrase can be guessed far sooner by tools that start from common phrases and apply substitution rules (this particular example is now published, so never use it).
Another method is to combine four randomly chosen common words into one password (e.g., cattreetireeagle). Add a number or special character between the words for increased difficulty (e.g., cat5tree$tire2eagle9). The words should be picked at random, not from memory; and note that both of these examples still need an uppercase letter before they meet the KU complexity requirements listed above.
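The following Python script is an added example (not part of the KU page) that puts numbers behind both methods above: it checks a password against the complexity rules listed at the top of this page, computes the brute-force upper bound that "years to crack" estimates are based on, computes the true entropy of a four-word passphrase drawn at random from a word list, and generates such a passphrase with the operating system's cryptographic random source. The word list is a small constructed stand-in, and treating any ASCII punctuation character as a "special character" is an assumption about the KU rule.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list. A real generator should use a large
# published list such as the EFF long list (7776 words, about 12.9 bits per word).
WORDS = ["cat", "tree", "tire", "eagle", "lamp", "river", "stone", "cloud",
         "piano", "onion", "wheel", "candle", "bridge", "maple", "fox", "quilt"]

# Assumption: KU's "special character" means any ASCII punctuation character (32 of them).
SPECIAL = set(string.punctuation)


def meets_ku_policy(pw: str) -> bool:
    """Check the complexity rules listed in the KU Password Policy (8-32 chars, all four classes)."""
    return (8 <= len(pw) <= 32
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIAL for c in pw))


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet an attacker must search to enumerate pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIAL for c in pw):
        size += len(SPECIAL)
    return size


def bruteforce_bits(pw: str) -> float:
    """Upper bound on strength: bits needed to try every string of this length and alphabet.
    A password built from a phrase is guessable in far fewer tries than this, because
    cracking tools start from phrases and dictionary words and apply substitution rules."""
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words chosen uniformly at random from a list: a true figure, not a bound."""
    return n_words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try the whole space at a given guess rate; a real attack averages half of this."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(n_words: int = 4, separator: str = "-", wordlist=WORDS) -> str:
    """Pick words with the OS CSPRNG (secrets), never with random.choice or 'from your head'."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ["1lYkh4m&chZsa2mies", "cattreetireeagle", "cat5tree$tire2eagle9"]:
        print(f"{pw:24} KU policy: {str(meets_ku_policy(pw)):5} "
              f"brute-force bound: {bruteforce_bits(pw):6.1f} bits")
    # The "years to crack" figure moves by orders of magnitude with the assumed guess rate.
    bits = passphrase_bits(4, 7776)
    for rate in (1e6, 1e9, 1e12):
        print(f"{rate:.0e} guesses/s vs a random 4-word passphrase ({bits:.1f} bits): "
              f"{years_to_exhaust(bits, rate):.2e} years")
    print("random four-word passphrase:", generate_passphrase())
```

Two things the output makes visible that the prose does not: `cattreetireeagle` scores about 75 bits as a brute-force bound but only about 52 bits as a random four-word passphrase from a 7776-word list, so the bound overstates strength; and moving from a desktop (around a million guesses per second) to a GPU rig (a trillion) cuts any "years to crack" estimate by a factor of a million.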
Test the Strength of Your Password Strategy
Don't enter any of your actual passwords. Instead, build a similar password using the same strategy and run that through How Secure is My Password? to see how hard your strategy is to crack.
Never re-use passwords across service providers and accounts. Using a unique password for each account is far more important than the complexity of any individual password.
Criminals who steal usernames and passwords from one online service use them to try to log in to other services (credential stuffing). Large data breaches at major service providers are common. If you use the same password for more than one account and one of your providers is breached, you have jeopardized your other accounts and the personal information they contain.
Password managers are tools and programs you can use to manage all of your passwords. Both cloud-based services and desktop application password managers use a single “master” password to control access to your other passwords.
We recommend using these services and products, with the following cautions: cloud-based services carry the risks of any cloud service, since your password vault is stored on the provider's systems and its protection depends on both the provider's security and your master password. Desktop applications keep the vault on your own machine, which can be more secure but is less convenient. In both cases, your master password must be a unique, very strong passphrase that you use nowhere else.
IMPORTANT NOTE: Do research on password managers to ensure they do not have unneeded tracking, particularly from third-party partners. Some password managers have zero trackers, while others have seven or more. Fewer trackers generally means more privacy and protection of personal information.
Don't Share Passwords
- Never tell anyone your passwords, period. Not your mom, not your significant other, and not even tech support!
- If multiple people need to access a single device, set up separate profiles with a unique log in and password for each person.
- Always keep your passwords private and secure.
- Consider using a password manager to help you organize your passwords.
Don't Email Passwords
- Never send passwords via email. Even when encrypted, emailing passwords is not a good practice.
- If you're considering emailing someone a password, refer to "Don't Share Passwords" above.
Websites and browsers often offer to save your password when you log in. Even when given the option, never save passwords in your browser. Anyone who gets access to your computer while you are logged in could use every service whose password you saved.
Instead of storing passwords in a browser, use a password manager and browser plug-in with a master password that locks each time the browser is closed.
Make sure your new passwords are strong and unrelated to your previous password. A common password mistake is to use a variation on the previous password. This "transformation" strategy gives criminals a huge advantage because they already have most of what they need, and only have to discover what has changed.
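The script below is an added example (not part of the KU page) that shows why a "transformation" of the old password gives an attacker so much: it applies a handful of rules of the kind password-cracking tools use (bump a trailing number, swap a trailing symbol, append a digit, change case, rotate a season word) to a leaked old password and counts how many candidates that produces. The rule set and the sample passwords are constructed for illustration; real tools ship with thousands of such rules.

```python
import re
import string

SEASONS = ["Spring", "Summer", "Fall", "Winter"]
SUFFIX_SYMBOLS = "!@#$%&*?"


def one_round(pw: str) -> set:
    """Apply each single transformation rule to pw once and collect the results."""
    out = {pw}
    # Case toggles: Summer2023! -> summer2023!, SUMMER2023!, sUMMER2023!
    out.update({pw.lower(), pw.upper(), pw.capitalize(), pw.swapcase()})
    # Bump a trailing number up or down by a few: 2023 -> 2024, 7 -> 8
    m = re.match(r"^(.*?)(\d+)(\W*)$", pw)
    if m:
        stem, num, tail = m.groups()
        for delta in range(-3, 4):
            n = int(num) + delta
            if n >= 0:
                out.add(f"{stem}{str(n).zfill(len(num))}{tail}")
    # Append a digit or symbol, or swap the trailing symbol for another one
    out.update(pw + d for d in string.digits)
    out.update(pw + s for s in SUFFIX_SYMBOLS)
    if pw and pw[-1] in string.punctuation:
        out.update(pw[:-1] + s for s in SUFFIX_SYMBOLS)
    # Rotate a season word: Summer -> Fall
    for s in SEASONS:
        if s in pw:
            out.update(pw.replace(s, t) for t in SEASONS)
    return out


def transformations(old: str, rounds: int = 2) -> set:
    """Every password reachable from `old` by applying up to `rounds` rules in sequence."""
    cands = {old}
    for _ in range(rounds):
        nxt = set()
        for c in cands:
            nxt |= one_round(c)
        cands = nxt
    return cands


def keyspace_fraction(candidates: set, length: int, alphabet: int = 94) -> float:
    """How much of the full brute-force space of that length the candidate set covers."""
    return len(candidates) / alphabet ** length


if __name__ == "__main__":
    old, new = "Summer2023!", "Fall2024!"      # constructed: a leaked password and its 'update'
    cands = transformations(old)
    print(f"{len(cands)} candidates derived from {old!r}; new password guessed: {new in cands}")
    print(f"that is {keyspace_fraction(cands, len(old)):.1e} of the 11-character keyspace")
```

With two rounds of these few rules the candidate list stays in the low thousands, and the updated password is in it; an attacker who already has the old password therefore needs a few thousand guesses instead of the roughly 10^21 that brute-forcing an 11-character password would take. A genuinely new, unrelated password is outside that candidate set entirely.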
Multi-factor authentication (sometimes called two-factor authentication) adds another layer of security by combining your username and password with a second factor that only you have, such as a notification or one-time code on your phone or another device, or a hardware security key. A criminal who has only your password cannot complete the login.
We recommend turning on multi-factor authentication for all your accounts that offer it.
KU requires multi-factor authentication using Duo for all KU faculty and staff.