Northwestern University

Password Best Practices

A strong password is an important part of your security portfolio. Here we outline some techniques for making and remembering good, strong passwords.

Why are strong passwords important?

Let's be honest, passwords are annoying, but they are the first line of defense against malicious actors. Passwords help ensure that only people authorized to access data stored on workstations and servers across campus can do so.
  • Weak passwords allow viruses and malware to gain access to your computer and spread through the University's network.
  • Weak passwords enable hackers to use your computer to hack into other computers connected to the University's network.
  • Weak passwords allow hackers to use your e-mail account to send malicious messages to everyone in your address book and inbox, and to others.
  • Weak passwords enable hackers to deface your website, access your bank accounts, or even use your information to set up new credit card accounts or apply for loans.

What makes a strong password?

We recommend using the following techniques to build strong passwords.

  • Longer is better. We recommend using 15 or more characters.
  • Use passphrases - it is better to have a long password with common words (e.g. PassedNoonTallSave9+) than to have a short password with random characters (e.g. Vjh/F5*B). They are also easier to remember than a random set of letters and characters!
  • Choose 4-5 random words.
  • Avoid using actual phrases like "ItWasADarkAndStormyNight" - hackers know to try these first.
  • It should be easy to remember (you don't want to write it down). Use a password manager such as LastPass.
  • Use a mixture of characters (most are case sensitive) to increase the range of characters that would need to be guessed or calculated. Include:
    • Upper case letters
    • One or more numbers
    • At least one or two special characters
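
The sketch below is an added example, not Weinberg IT's own tooling: it builds a passphrase in the shape recommended above (four random words, a number, a special character) and checks any password against these guidelines and the avoid list that follows. The word list, the SPECIALS set, and the function names are assumptions made for illustration.

```python
import re
import secrets
import string

# Constructed sample list (assumption). A real generator should load a list of
# several thousand words; 16 words give far too few combinations.
WORDS = ["passed", "noon", "tall", "save", "river", "candle", "orbit", "maple",
         "stone", "quiet", "ladder", "frost", "engine", "harbor", "velvet", "pixel"]
SPECIALS = "+!#%*?-"
MONTH_YEAR = re.compile(r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\d{4}")

def make_passphrase(words=WORDS, count=4):
    """Join `count` distinct random words, then a digit and a special character."""
    if not 4 <= count <= len(set(words)):
        raise ValueError("need at least 4 words and a list large enough to pick from")
    rng = secrets.SystemRandom()  # OS CSPRNG, unlike the random module's default
    picked = rng.sample(sorted(set(words)), count)
    return ("".join(w.capitalize() for w in picked)
            + rng.choice(string.digits) + rng.choice(SPECIALS))

def check_password(password, netid="", previous=()):
    """Return the guidelines a password breaks; an empty list means it passes."""
    low, problems = password.lower(), []
    if len(password) < 15:
        problems.append("shorter than 15 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if all(c.isalnum() for c in password):
        problems.append("no special character")
    if "12345" in low or MONTH_YEAR.search(low):
        problems.append("common character sequence")
    if netid and netid.lower() in low:
        problems.append("derived from NetID")
    # Simple heuristic: a new password that embeds an old one is a variation of it.
    if any(old and old.lower() in low for old in previous):
        problems.append("variation of a previous password")
    return problems

if __name__ == "__main__":
    candidate = make_passphrase()
    print(candidate, check_password(candidate) or "passes")
```

Because the words are drawn at random, the result is never a real phrase like "ItWasADarkAndStormyNight"; its strength depends on the size of the word list, not on the words being unusual.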

What should I avoid when creating a password?

Avoid using the following items in your passwords:

  • Previous passwords or variations of them
  • Proper names, especially of relatives or friends
  • Common character sequences such as "12345" or "mar2016"
  • Derivatives of NetIDs
  • Personal details such as variations of your own name, your spouse's and pet's names, license plate numbers, social security numbers, and birth dates

How do I remember my passwords or store them securely?

It is difficult when your employer requires a password of at least a specific number of characters that must also include at least one number and one special character, but your bank requires a password with different specifications. Then another website has different requirements again. Not only can you not use the same password in all instances, you also end up with an increasing number of unique passwords to try to remember. And that does not address the fact that these passwords also have unique usernames.

Creating secure passwords and remembering which username and password to use with a particular site or application can be very difficult. This often results in keeping a cheat sheet in your wallet, a list in your desk drawer, or yellow sticky notes on your computer.

A password manager can help create unique passwords for every site. You only need to remember one password to open the password manager. Most password managers also have mobile apps that will sync with your computer so you'll always have access to your passwords.

Weinberg IT currently uses LastPass to store a large number of passwords for each server and application that is used by Weinberg IT's staff. 

Weinberg IT recommends LastPass for its strong security features and cross-platform compatibility.
