Tech Tips: Managing Passwords

Duke IT Security Office provides strategies for keeping information safe

Editor's Note: "Tech Tips" is an ongoing series that provides Duke staff and faculty with technology tips and tricks.

Durham, NC - 123456. Iloveyou. Password.

These are examples of the most commonly used bad passwords. Of course, no one loves passwords, as evidenced by how often we choose bad ones, but we rely on them every day to access and protect personal information and systems.

And every day it gets easier for those passwords to be leaked, stolen or cracked.

"In the past year, Dropbox, LinkedIn and Zappos have reported security breaches and leaked passwords. At Duke, we get phishing emails all the time. And the average password can be cracked in minutes," said Richard Biever, the university’s chief information security officer.

Still, there are some strategies for managing passwords without using post-it notes. At a recent "Learn IT @ Lunch" session sponsored by the Office of Information Technology, Biever offered the following tips from Duke's Information Security Office:

Use multiple strong passwords

It used to be that a strong password was eight characters and a mix of uppercase, lowercase, numbers and symbols. Today a strong password has at least 11 characters and one each of uppercase, lowercase, number and symbol.

And one password isn't enough. Biever, for example, uses a unique password for each of his accounts. If you don't want to manage that many, consider grouping passwords: one for financial institutions, a separate password for Duke NetID, another for casual accounts with no access to financial information.

But reusing passwords is risky, he warns: "If I use the same password on LinkedIn and other services, and LinkedIn reports a breach, now I have to worry about, 'Where else did I use that password?' and I have to go change it in all those other places as well."

Change your password regularly

At a minimum, Biever recommends once a year.

Consider using a password escrow tool

Duke's IT Security Office recommends LastPass, which offers a free option, and 1Password, which costs about $50 for a single use.

"It's hard to create and remember multiple passwords. What was the last long string of unrecognizable characters you memorized?" Biever said. "Some services provide a password generator and will store password history and sync with mobile devices."

Use multi-factor authentication when available

Some online services, including Google, Dropbox and Facebook, offer the option of multi-factor authentication, which requires that a user provide more than one form of verification to prove their identity.

Duke is piloting multi-factor authentication with a group of IT staff for single-sign-on access. "Our intent is to offer it as an option to the Duke community for accessing online resources," Biever said.

Set a strong passcode on your mobile device

Create a four-digit code for smartphones, and set the device to remote wipe after 10 incorrect log-in attempts.

"Smartphone muggings are more common than ever, but a code and remote wipe puts a big speed bump in terms of what a thief can do if they get your phone," Biever said.

Security experts acknowledge that password technology provides inadequate protection, but it's the best system available now, Biever said. "At some point your password will be stolen," he said. "These strategies will just help to lessen the impact."

© 2014 Office of Communication Services
705 Broad Street, Box 90496, Durham, NC 27708
(919) 681-4533; FAX: (919) 681-7926
