Passwords, passphrases and passkeys

Purpose

Unique user names and secure passwords are used by systems to distinguish between authorized users and unauthorized individuals. Weak passwords can be cracked by a threat actor within a matter of seconds or minutes, merely delaying their access to your systems and data, rather than preventing it.

Audience

FACULTY RESEARCHERS ADMIN STAFF IT STAFF STUDENTS

Initial considerations

Do NOT share your password with anyone, regardless of their stated intent. Your supervisor, manager, colleague, nor IT staff should ask you to provide it.

Follow the University’s safe password practices when protecting institutional accounts and systems.

https://securitymatters.utoronto.ca/resources/safe-password-practices/

What can I do?

Consider the following principles when choosing a password.

Unique

For every account you have, you should use a unique password to help limit the exposure caused by a breach or theft to just one account.

Long

Create a password with 14 or more characters.
Brute-force attacks, wherein all character combinations are attempted in order to guess a password, are most successful for short passwords.
- Whereas a password made up of 8 characters could take only hours to crack, passwords over 14 characters would take centuries.

Random

Avoid common phrases, words associated with your identity (e.g.; name, username, job, family members, hobbies, interest) and other easily guessable words or strings of characters.

Complex

Use a combination of uppercase and lowercase letters, numbers, and special characters.

Enroll in the University’s multi-factor authentication (MFA), if you haven’t done so already.

https://isea.utoronto.ca/services/utormfa/

Use a password manager to help prevent password reuse.

When passwords are reused across multiple accounts, a single data breach or successful phishing attempt could result in malicious individuals gaining access to the various accounts where that password was used.

Where possible, use passkeys over passwords.

Passkeys are digital credentials, stored on a device and generated through public-key encryption, whereby authentication is performed by nature of the device being trusted, rather than you providing a password.
- https://theconversation.com/what-are-passkeys-a-cybersecurity-researcher-explains-how-you-can-use-your-phone-to-make-passwords-a-thing-of-the-past-196643

Be aware of known phishing attempts and report suspicious emails to help protect your and others credentials.

https://securitymatters.utoronto.ca/category/phish-bowl/

🔍 Search

✉️ Additional help

General

https://uoft-infosec-cf.atlassian.net/wiki/spaces/ISH/pages/4948958/Additional+help#%F0%9F%9B%A1%EF%B8%8F-Information-Security-(IS)

https://uoft-infosec-cf.atlassian.net/wiki/spaces/ISH/pages/4948958/Additional+help#%F0%9F%96%A5%EF%B8%8F-Information-Technology-(IT)

Researchers

https://security.utoronto.ca/services/research-information-security-program/

\uD83D\uDCCB Related articles

Page:

Data collection and survey management
Page:

Remote interviews
Page:

Security awareness training
Page:

Synchronize system's time with a U of T time server
Page:

Virtual private networks (VPN)
Page:

Computing or storage environment for research
Page:

Updates and patching
Page:

Send, share or transfer data
Page:

Best practices to secure systems and environments
Page:

Physically secure data and devices