Passwords and passkeys

🎓 Purpose

Unique user names and secure passwords are used by systems to distinguish between authorized users and unauthorized individuals. Weak passwords can be cracked by a threat actor within a matter of seconds or minutes, merely delaying their access to your systems and data, rather than preventing it.

👥 Audience

FACULTY RESEARCHERS ADMIN STAFF IT STAFF STUDENTS

🔖 Contents

Initial considerations

Do NOT share your password with anyone, regardless of their stated intent. Your supervisor, manager, colleague, nor IT staff should ask you to provide it.

🛡️ Follow the University’s safe password practices when protecting institutional accounts and systems.

https://securitymatters.utoronto.ca/resources/safe-password-practices/

\uD83D\uDCD8 What can I do?

*️⃣ Consider the following principles when choosing a password.

Unique

For every account you have, you should use a unique password to help limit the exposure caused by a breach or theft to just one account.

Long

Create a password with 14 or more characters.
Brute-force attacks, wherein all character combinations are attempted in order to guess a password, are most successful for short passwords.
- Whereas a password made up of 8 characters could take only hours to crack, passwords over 14 characters would take centuries.

Random

Avoid common phrases, words associated with your identity (e.g.; name, username, job, family members, hobbies, interest) and other easily guessable words or strings of characters.

Complex

Use a combination of uppercase and lowercase letters, numbers, and special characters.

📱 Enroll in the University’s multi-factor authentication (MFA), if you haven’t done so already.

https://isea.utoronto.ca/services/utormfa/

🔓 Use a password manager to help prevent password reuse.

When passwords are reused across multiple accounts, a single data breach or successful phishing attempt could result in malicious individuals gaining access to the various accounts where that password was used.

🔐 Where possible, use passkeys over passwords.

Passkeys are digital credentials, stored on a device and generated through public-key encryption, whereby authentication is performed by nature of the device being trusted, rather than you providing a password.
- https://theconversation.com/what-are-passkeys-a-cybersecurity-researcher-explains-how-you-can-use-your-phone-to-make-passwords-a-thing-of-the-past-196643

🎣 Be aware of known phishing attempts and report suspicious emails to help protect your and others credentials.

https://securitymatters.utoronto.ca/category/phish-bowl/

🔍 Search

✉️ Additional help

👥 General

https://uoft-infosec-cf.atlassian.net/wiki/spaces/ISH/pages/4948958/Additional+help#%F0%9F%9B%A1%EF%B8%8F-Information-Security-(IS)

https://uoft-infosec-cf.atlassian.net/wiki/spaces/ISH/pages/4948958/Additional+help#%F0%9F%96%A5%EF%B8%8F-Information-Technology-(IT)

🔬 Researchers

https://security.utoronto.ca/services/research-information-security-program/

\uD83D\uDCCB Related articles

Page:

Data collection and survey management
Page:

Remote interviews
Page:

Security awareness training
Page:

Synchronize system's time with a U of T time server
Page:

Virtual private networks (VPN)
Page:

Computing or storage environment for research
Page:

Updates and patching
Page:

Send, share or transfer data
Page:

Best practices to secure systems and environments
Page:

Physically secure data and devices