Password management

From WSU Technology Knowledge Base

Your passwords are your keys to unlocking all the online systems and services available at WSU and it is essential that all students and employees practice good password management to keep our network and data safe and secure. This includes setting strong passwords, changing your passwords on a regular basis and any time you think a password has been compromised, and never sharing your passwords with anyone. No one working for WSU will ever ask you to reveal your passwords.

Your StarID credentials

WSU and Minnesota State are in the process of standardizing on a single set of credentials for all supported online systems and services. This is called your StarID username and password. While most of our online systems and services use StarID credentials for authentication, a handful of others still require a different set of credentials, so you will need to manage multiple usernames and passwords for a bit longer.

StarID username

Every new student and employee receives a StarID username when they join any Minnesota State institution. This is a unique ID assigned for life. It remains the same even if you switch to another Minnesota State institution. When you use your StarID as your username to sign in to an online system or service, you will need to use one of three different formats. Consult this article describing StarID username formats for more information.

StarID password

Every StarID username has an associated password. You set your initial StarID password when you first receive your StarID username and you can reset your password on your own at any time. Normally, you are required to change your StarID password at least every 180 days. The StarID system sends an email notification to your primary campus email address 21 days, 7 days, and 1 day before your password expires. During the pandemic, this requirement has been waived until May 20, 2021.

Use strong passwords

When creating your passwords, use the following criteria to ensure they are difficult to crack:

  • Passwords should be between 8 and 128 characters long
  • Use at least 3 of these types of characters: uppercase, lowercase, numbers, special characters (e.g., !@#$%^&*()_+=-`{}[]|\:";'<>,.?/)
  • Do not reuse an old password or a password used to access another account
  • Do not include your first or last name

Passphrases

You can include spaces in your passwords, which means that you can use a memorable passphrase to create a complex password. Think of a sentence you can remember without writing it down, something meaningful to you that a friend would not guess. If the sentence meets all the criteria for a strong password, you're done. If not, make some adjustments that are easy to remember and don't change the meaning of the sentence. For example:

  • Add a number in place of a letter (e.g., 0 for "o", 3 for "e", 1 for "l")
  • Add a special character in place of a letter (e.g., $ for "s")
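The strong-password criteria and the passphrase adjustment above, checked in code. This is an added example, not code from WSU or the StarID system; the function names, the sample passphrase and names, and the choice to count only the special characters listed above (spaces are allowed but not counted as a type) are assumptions.

```python
import hashlib
import hmac
import os

# Special characters listed on this page. The page introduces them with "e.g.",
# so treating this as the full set is an assumption of this example.
SPECIALS = set("!@#$%^&*()_+=-`{}[]|\\:\";'<>,.?/")


def character_types(password):
    """Return which of the four character types appear in the password."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("uppercase")
        elif ch.islower():
            found.add("lowercase")
        elif ch.isdigit():
            found.add("number")
        elif ch in SPECIALS:
            found.add("special")  # spaces are allowed but not counted here
    return found


def remember(password, salt=None):
    """Store an old password as (salt, PBKDF2 digest), never as plain text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(password, first_name, last_name, history=()):
    """Return the list of criteria the password fails (empty means it passes)."""
    problems = []
    if not 8 <= len(password) <= 128:
        problems.append("must be between 8 and 128 characters long")
    if len(character_types(password)) < 3:
        problems.append("needs at least 3 types of characters")
    if any(n and n.lower() in password.lower() for n in (first_name, last_name)):
        problems.append("includes your first or last name")
    for salt, digest in history:
        if hmac.compare_digest(remember(password, salt)[1], digest):
            problems.append("reuses an old password")
            break
    return problems


# Constructed passphrase: fails as typed, passes after swapping "s" for "$".
print(check_password("my dog ate 3 blue shoes", "Pat", "Lee"))
print(check_password("my dog ate 3 blue $hoes", "Pat", "Lee"))
```

The history check only covers old passwords for the same account; reuse of a password from another account cannot be detected this way.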

Multi-factor authentication

A growing number of online systems and services either require or offer multi-factor authentication (MFA), in which you use a second method (e.g., a one-time passcode texted to your cell phone), in addition to entering your password, to prove it's really you. WSU strongly recommends using MFA wherever it's offered (e.g., Amazon, Facebook, Google). Once enabled, even if someone has your password, that person will be unable to access your account without verifying their identity through this second method. Beginning on August 23rd, 2021, Minnesota State will require MFA when signing in to Microsoft 365. It is already required for all WSU staff. Students and faculty can enable it any time using these instructions.

Applications that remember your password

Some Minnesota State and WSU systems and services retain your credentials for a certain amount of time, such that you don't need to enter your username and password each time you sign in. Some do it automatically (e.g., Zoom) and others ask you whether you want the application to "remember" your credentials (e.g., Microsoft 365 in Fig 1). Feel free to use this handy feature in any Minnesota State or WSU system or service that offers it. However, understand that allowing a supported application like Zoom or Microsoft 365 to retain your credentials is different than using a third-party password manager (e.g., Google Password Manager, Apple iCloud Keychain, LastPass) to store your usernames and passwords.

Storing passwords

You probably can't rely on your memory

Although the safest place to store your passwords is in your long-term memory, this is impossible for most people. Recent research indicates that the average computer user has about 100 online accounts. Assuming you don't reuse passwords and you are changing all your passwords regularly, that's too many passwords to retain and keep organized in memory. This often forces people to use the same password for multiple accounts. Also, once they have picked that "perfect" password, they don't change it or they make a minor change to it when required (e.g., change one or two numbers or letters). These are all bad practices and big security risks.

Do not save your passwords on paper

Some people write their passwords down and save them in a notebook or wallet. This is also a bad practice, particularly at work. If someone can sit down at your desk and find your password written on a sticky note or in a notebook in your drawer, your data, and possibly our campus network, are at risk.

Do not save your passwords in a file on your computer or phone

Saving your passwords in a spreadsheet or word processing document on your computer or phone is just as bad as writing them down on paper. If someone takes your device, there is a good chance that the file would be discovered and opened.

Use a password manager

A password manager is a local or online application that you can use to store your passwords securely. All password managers allow you to save your passwords in an encrypted database that requires a master password, and often MFA, to access. Some password managers use a local database saved on your computer that can only be accessed using that device. Others use an online database that you can access using any device. The benefits of password managers include the ability to recover forgotten passwords and the automatic entry of passwords into the corresponding field when you sign in to applications that require authentication (i.e., you don't have to key in your password yourself).


Except where otherwise noted, text is available under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.