FAQs: Password Management
- How often should you change your password?
- Should I avoid writing my password down?
- When should I share my password?
- Can I use my password on public computers?
- Why should I be cautious when using my password in a classroom?
- My Web browser offers to save my password for me. Is that OK?
Q. How often should you change your password?
A. You’ve probably heard that it’s a good idea to change your password as frequently as possible to prevent someone from guessing it. There has been a lot of industry discussion recently about this bit of accepted wisdom. The problem with the practice is that it makes it harder for people to remember WHICH password they’re using on a given system, which in turn makes them substantially more likely to write something down and sticky-note it directly to their monitor. The more usernames and passwords people are required to remember, the more likely they are to use the same password on all their accounts, which further adds to the confusion (and the risk). The general consensus on whether users should change their password frequently is: it depends. TRG has adopted the following guidelines for when you should change your password:
- For systems where security is vital, you should change your password at least every other year.
- If you suspect someone may have seen, heard or discovered your password, you should change your password immediately.
- If you give your password to someone else, you should change your password immediately (Don’t share passwords!! See below).
- If you enter your password on a public terminal (in a classroom, at an airport or a convention, for example), you should change your password as soon as you return to a trusted computer. See the “public computers” section below.
- You should NEVER change your password by clicking on a link in an unsolicited email; this is almost certainly a phishing scheme.
Q. Should I avoid writing my password down?
A. In virtually every instance, it is more secure to memorize your password than to write it down. If you absolutely MUST write down a password (because it’s too hard to remember, for example), TRG recommends the following guidelines:
- Never – and we mean never – attach a sticky note to your monitor with your username/password written on it.
- Don’t stick it to the bottom of your keyboard, or in the desk drawer next to you, either.
- Make it hard to tell you’ve written a password by writing down the phrase from which you created your password (even better: in another language, if you happen to know one).
- Once you memorize the password, destroy or hide the written version.
- Never write down the name of the server or username in the same place as your password.
- If you have a smart phone with a “note” application (and you don’t have a tendency to lose things), consider writing your phrase there – but don’t write the name of the server or your username, or make it obvious this is a password. A “shopping list” where the first letter of each entry corresponds to your password can be a simple way to hide it.
- Never write your password down for someone else. See the section “When should I share my password?” below.
Q. When should I share my password?
A. Never. According to board-adopted district policy, sharing your password can result in permanent loss of system privileges. If someone else needs access to your account, PLEASE just ask Distance Learning or Technology Resources for assistance. No staff member will EVER ask you for your password, either in email or over the phone. If anyone ever asks you for your password, please let TRG know immediately.
Q. Can I use my password on public computers?
A. Examples of public computers include a kiosk at a convention or airport, a computer in a classroom, an Internet café, or a student’s laptop. It is trivial for a malicious user to capture all keystrokes (including usernames and passwords) through a minor modification (either hardware or software) to the computer, and these modifications are extremely difficult to detect. For this reason, it is never a good idea to use your username/password from a public computer. If you are in an emergency situation and have to use a public terminal, be sure you change your password as soon as you once again have access to a trusted computer.
Note: This is different from using your personal laptop in a public environment. For servers like Catalyst (which use HTTPS for security), it is generally OK to log in using public wireless Internet access (e.g., Starbucks WiFi). The major caveat here is that you MUST pay close attention to any security warnings you receive. (See the note about security certificates below.)
Q. Why should I be cautious when using my password in a classroom?
A. In addition to the public nature of computers in a classroom environment (see above), you should also be aware of two things in the classroom: shoulder surfing and projectors. The examples below are taken directly from TRG personnel experience.
Shoulder surfing is the name given to watching the keyboard while someone else types a password. If your password is a simple pattern (think “qwerty”) or a simple word with a number attached (think “laker1”), someone looking at the keyboard can very easily remember it. To prevent this, be sure no one is looking at (or pointing a camera phone at) the keyboard, and use hard passwords like the ones explained at the beginning of this document.
You should also be aware of projection equipment in the classroom. If you accidentally type your password in the “username” field, everyone looking at the screen will see your password in plain text. Even if your password is really hard to guess, a simple camera phone will capture it.
Likewise, if your password only has 4 or 5 characters, this will be apparent to anyone counting the asterisks when you enter your password.
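A small checker for the weak password shapes this section describes (keyboard runs like “qwerty”, a word with digits tacked on like “laker1”, and very short passwords whose length shows in the asterisks), added here as an example; it is not part of the original FAQ or any TRG tool, and the word list and the minimum length of 8 are assumptions.

```python
# Added example (not part of the original FAQ): flag password shapes that an
# onlooker in a classroom could recover at a glance.
import re

# Keyboard rows used to detect runs of physically adjacent keys.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Constructed sample word list (assumption); a real checker would use a
# much larger dictionary.
COMMON_WORDS = {"laker", "lakers", "password", "welcome", "summer", "school"}


def has_keyboard_run(password: str, min_run: int = 4) -> bool:
    """True if the password contains min_run or more adjacent keys from one
    keyboard row, typed forwards (e.g. 'qwer') or backwards (e.g. 'ytre')."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in lowered:
                    return True
    return False


def is_word_plus_digits(password: str) -> bool:
    """True for the 'laker1' shape: a known word followed only by digits."""
    m = re.fullmatch(r"([A-Za-z]+)(\d+)", password)
    return bool(m) and m.group(1).lower() in COMMON_WORDS


def shoulder_surf_risks(password: str, min_length: int = 8) -> list:
    """Return the reasons an onlooker could easily recover this password;
    an empty list means none of the three weak shapes was found."""
    risks = []
    if len(password) < min_length:
        risks.append("too short (length is visible as asterisks)")
    if has_keyboard_run(password):
        risks.append("keyboard pattern (easy to follow on the keys)")
    if is_word_plus_digits(password):
        risks.append("common word plus digits (easy to remember when seen)")
    return risks


if __name__ == "__main__":
    # Constructed sample passwords, including the two from the FAQ text.
    for pw in ["qwerty", "laker1", "Blue!Tea7Lamp"]:
        print(pw, "->", shoulder_surf_risks(pw) or ["no obvious weakness"])
```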
Q. My web browser offers to save my password for me. Is that OK?
A. If you are referring to a computer chained down in your home that you are sure no one would ever want to steal, then the answer might be “perhaps.” In nearly every other case, we do not recommend you allow your web browser to remember your username and password. This is especially true for portable computers: physical theft is one of the leading causes of information leakage.