The Keys to Password Security

By Alana Beltzer

It is important to develop good password habits in order to protect your accounts and sensitive personal data. The tips in the following article will help you create strong passwords and protect your online identity.

Weak and Strong Passwords

At USC, your password is used for much more than just email. For example, if you are a student, you may use your USC password to log into Blackboard, check your grades, or submit financial aid information. If you are a faculty or staff member, you may use your USC password to submit grades, upload research proposals, or purchase classroom equipment and supplies. Because your USC password can be used to access many systems, it is important to maintain a strong password to avoid having your accounts on these systems compromised.

Weak passwords can be easily guessed by hackers or password-cracking computer programs. These passwords are often short, contain fewer than 8 characters, and include variations of your name or a family member’s name and simple numeric sequences such as 11111 or 12345. Such passwords offer minimal protection.

Strong passwords, or passphrases, are ones that do not contain personally identifiable information and that also force password-cracking computer programs to try as many combinations of characters as possible. A long password is a strong password. To be considered strong, a passphrase should contain 12 or more characters. Your USC NetID password should be between 12 and 32 characters long.

How to Create a Strong Passphrase

Creating and remembering a passphrase is often simpler than creating and remembering a password. A passphrase can be made up of several words that form a phrase or sentence. Such passphrases are more secure than shorter, complex passwords.

Although a passphrase cannot be a single stand-alone dictionary word or a common phrase, it can be made up of several words that form a phrase or sentence, such as “mysmartpuppy” (12 characters), “outofthepurplesky” (17 characters), or “Mom drinks plenty of apple juice” (32 characters, counting spaces). The longer you make your passphrase, the more secure it will be.

Other optional but recommended ways of increasing your passphrase’s security include adding a capital letter, punctuation mark, or number in the middle of your passphrase (“mysmar7tpuppy”), misspelling words (“outofthepuurplesky”), or swapping the order of the words (“Mom drinks plenty of juice apple”).
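
The rules above can be checked mechanically. The following Python code is an added example, not USC's or ITS's actual password checker; the function names, the personal_terms parameter, the four-digit run threshold and the small word list are assumptions made for illustration.

```python
import math
import string

MIN_LEN, MAX_LEN = 12, 32  # USC NetID length bounds stated in the article
# Constructed stand-in list; a real check would load a full dictionary file.
SAMPLE_WORDS = {"password", "university", "basketball", "congratulations"}

def has_simple_digit_run(pw, run=4):
    """True if pw contains `run` repeated or consecutive digits (1111, 1234, 4321)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if window.isascii() and window.isdigit():
            steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
            if steps in ({0}, {1}, {-1}):
                return True
    return False

def check_passphrase(pw, personal_terms=()):
    """Return the list of rules the passphrase breaks; empty means it passes."""
    problems = []
    lowered = pw.lower()
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length")
    # personal_terms (assumed parameter): the user's and family members' names.
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        problems.append("personal")
    if has_simple_digit_run(pw):
        problems.append("digit-sequence")
    if lowered in SAMPLE_WORDS:
        problems.append("single-word")
    return problems

def brute_force_bits(pw):
    """log2 of the strings an exhaustive character-by-character search must cover.

    Counts only the character classes actually used. It does not model
    guessing from word lists, so it is an upper bound for real phrases.
    """
    pool = 0
    pool += 26 if any(c in string.ascii_lowercase for c in pw) else 0
    pool += 26 if any(c in string.ascii_uppercase for c in pw) else 0
    pool += 10 if any(c in string.digits for c in pw) else 0
    pool += 33 if any(c in string.punctuation or c == " " for c in pw) else 0
    return len(pw) * math.log2(pool) if pool else 0.0

if __name__ == "__main__":
    # Constructed samples plus two passphrases quoted in the article.
    for sample in ("alana12345", "aB3$kL9!", "mysmartpuppy", "outofthepurplesky"):
        print(sample, check_passphrase(sample, ["Alana"]), round(brute_force_bits(sample), 1))
```

Run as a script, it reports about 56 bits for the 12-letter “mysmartpuppy” against about 53 bits for the constructed 8-character mixed password “aB3$kL9!”, which is the length-over-complexity point made above.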

Of course, even the strongest passphrase must be kept a secret to remain effective. Please remember that no legitimate USC entity will send you an email requesting that you provide your user name or password. If you receive such an email (also known as “phish”), please forward it to security@usc.edu. For help with learning how to identify phish, see ITS’s About Phishing page.

Four Habits That Will Protect Your Password

The strongest passphrase will not protect you if you are careless about safeguarding it.

Here are 4 key tips for protecting your password:

1. Keep your passwords private.

Do not write your passwords down and keep them in a place where others might see them, and do not share your passwords with others. Although it may seem convenient to have a friend check your email account or log into your computer, any time that you share your password, you greatly increase the risk that your account will be compromised. If you store passwords on your mobile devices, make sure that you keep your devices locked when not in use to prevent unauthorized access.

Be aware that sharing access to your USC computing account is a violation of university policy. For more information on password policies, please visit cio.usc.edu/policies/computing/ and read section 4.2.2.

2. Never email your password.

Passwords and other personal information, such as social security or credit card numbers, should never be sent via email, where hackers can easily intercept them. No legitimate organization, including ITS, will ever request that you send your password in an email.

You should also be wary of emails that ask you to fill in your password and other personal information on a form or that link you directly to such forms. These are most likely phishing emails sent by hackers trying to gain access to your account. For this reason, automated emails from ITS will never contain these types of links.

3. Create different passwords for different accounts.

If you have one password for all your accounts, anyone who gets hold of your password will have access to all your information. Even slight variations of the same idea can offer significantly greater protection.

4. Change your passwords at least once every year.

The longer your password remains the same, the greater the likelihood that a hacker will crack it and break into your account. Hackers and scam artists use malicious programs to try thousands of passwords against your account until they find a match. To ensure the security of your personal information, it is important to change all of your passwords at least once every year.

How Do I Know If My Account Has Been Hacked?

Once a hacker has obtained your password, your account is considered compromised. Many cyber criminals use compromised email accounts to send out spam and phishing messages from legitimate email addresses. A key sign that your email account has been compromised would be receiving error messages for email that you know you did not send. If you are shut out of an account and cannot log in, the account might have been hacked.

If you suspect that your USC computer account has been compromised, go to the USC Password Change page and change your password immediately. Then contact the ITS Customer Support Center so that we can gather the necessary information to prevent a larger security problem.

For problems with your USC NetID password, or for additional information on password security, please contact the ITS Customer Support Center at 213-740-5555 or send an email to consult@usc.edu.