U of T Information Security
Information Security Handbook

    Updated May 02, 2024

      Passwords, passphrases and passkeys

      Purpose

      Unique user names and secure passwords and passphrases are used by systems to distinguish between authorized users and unauthorized individuals. Weak passwords can be cracked by a threat actor within a matter of seconds or minutes, merely delaying their access to your systems and data, rather than preventing it.


      Audience

      faculty researchers Admin staff IT staff students


      On this page

      • 1 Initial considerations
        • 1.1 Follow the University’s safe password practices when protecting institutional accounts and systems.
      • 2 What can I do?
        • 2.1 New account, new password (or passphrase).
        • 2.2 Use passphrases.
          • 2.2.1 Long
          • 2.2.2 Random
        • 2.3 Use complex passwords, when passphrases are not possible.
          • 2.3.1 Long
          • 2.3.2 Random
          • 2.3.3 Complex
        • 2.4 Enroll in the University’s multi-factor authentication (MFA), if you haven’t done so already.
        • 2.5 Use a password manager to help prevent password reuse.
        • 2.6 Where possible, use passkeys over passwords.
        • 2.7 Be aware of known phishing attempts and report suspicious emails to help protect your and others' credentials.

      Initial considerations

      Do NOT share your password with anyone, regardless of their stated intent. Neither your supervisor, manager, colleague, nor IT staff should ask you to provide it.

      Follow the University’s safe password practices when protecting institutional accounts and systems.

      • Safe password practices - Security Matters


      What can I do?

      New account, new password (or passphrase).

      • For every account you have, you should use a unique password or passphrase to help limit the exposure caused by a breach or theft to just one account.

      Use passphrases.

      Long

      • Create a passphrase made up of 5 or more words.

      Random

      • Avoid common phrases or words which are closely correlated with each other. A limited dictionary size reduces the possible complexity of a passphrase.

      Use complex passwords, when passphrases are not possible.

      Long

      • Create a password with 14 or more characters, where allowed.

      • Brute-force attacks, wherein all character combinations are attempted in order to guess a password, are most successful for short passwords.

        • Whereas a password made up of 8 characters could take only hours to crack, passwords over 14 characters would take centuries.

      Random

      • Avoid common phrases, words associated with your identity (e.g., name, username, job, family members, hobbies, interests) and other easily guessable words or strings of characters.

      Complex

      • Use a combination of uppercase and lowercase letters, numbers, and special characters.
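
      The length and randomness guidance above, for both passphrases and passwords, as an added example (not part of the handbook): a generator that draws with a cryptographic random source, plus an entropy estimate showing how a limited dictionary weakens a 5-word passphrase. The word list is a constructed 32-word sample, and 7776 is used only as an illustrative large list size.

```python
import math
import secrets
import string

# Constructed 32-word sample list, deliberately tiny to show the effect of a
# limited dictionary. A real generator would load a list of thousands of words.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "garnet", "harbor",
    "igloo", "jasper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "raven", "saddle", "timber", "umbra", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "acorn", "bison", "cedar", "delta", "eagle", "falcon",
]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_passphrase(words, count=5, sep="-"):
    """Pick `count` words independently and uniformly with a CSPRNG."""
    if count < 5:
        raise ValueError("use 5 or more words")
    pool = sorted(set(words))
    return sep.join(secrets.choice(pool) for _ in range(count))


def generate_password(length=14):
    """Random password with uppercase, lowercase, digit and special characters."""
    if length < 14:
        raise ValueError("use 14 or more characters")
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    while True:  # redraw until every class appears (slightly shrinks the space)
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def entropy_bits(choices, picks):
    """Bits of entropy for `picks` independent uniform draws from `choices`."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS), generate_password())
    for label, n, k in [("5 words, 32-word list", 32, 5),
                        ("5 words, 7776-word list", 7776, 5),
                        ("8 random characters", 94, 8),
                        ("14 random characters", 94, 14)]:
        print(f"{label}: {entropy_bits(n, k):.1f} bits")
```

      The estimates only hold when every word or character is chosen at random; a phrase a person picks themselves has far less entropy than its length suggests.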

      Enroll in the University’s multi-factor authentication (MFA), if you haven’t done so already.

      • Multi-factor authentication (UTORMFA) - Information Security at University of Toronto

      Use a password manager to help prevent password reuse.

      • When passwords are reused across multiple accounts, a single data breach or successful phishing attempt could result in malicious individuals gaining access to the various accounts where that password was used.

      Where possible, use passkeys over passwords.

      • Passkeys are digital credentials stored on a device and generated using public-key cryptography. Authentication relies on the device being trusted, rather than on you providing a password.

        • What are passkeys? A cybersecurity researcher explains how you can use your phone to make passwords a thing of the past

      Be aware of known phishing attempts and report suspicious emails to help protect your and others' credentials.

      • Phish Bowl Archives - Information Security at University of Toronto



      Additional help

      General

      Contact us | Information Security (IS)

      Contact us | Information Technology (IT)

      Researchers

      Research Information Security - Information Security at University of Toronto

