
When choosing passwords, it is important to choose complex passwords that are difficult for humans and computers to guess.

There are several approaches to creating secure passwords. This post provides a summary of the suggested password components to enhance your online security.

Minimum password length: 18 characters

Passwords should contain:

  • Symbols
  • Numbers
  • Lowercase Characters
  • Uppercase Characters

Tips for Maintaining Password Security 

  • Use a password manager - these tools can manage all of your passwords, assist in generating secure passwords, and provide awareness of compromises of your username or password online.
  • Regularly Update Passwords: Absolutely change passwords when you learn of any compromise of sites where you have accounts. Also, it is a good idea to set a schedule for changing passwords. Using a password manager can greatly reduce the effort in changing passwords more frequently.
  • Be Wary of Phishing Scams: Do not share your passwords through email or messages. Always verify the source before entering your credentials. 

It is highly recommended that you enable Two-Factor Authentication (2FA) on all sites, but particularly on sites that contain your financial and personally identifiable information (that includes social media). Multifactor authentication adds an extra layer of security by requiring a second form of verification.

Common Password Mistakes to Avoid 

  • Using Common Passwords: Passwords like “123456,” “password,” and “qwerty” are easily guessable.
  • Recycling / Reusing Passwords: Using the same password across multiple sites increases your risk if one site is breached. 
  • Writing Passwords Down: Storing passwords in plain sight, like on sticky notes, can lead to unauthorized access.
  • Public Information: Using phrases that contain publicly available personal information or things you shared on social media.
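
The composition rules at the top of this post and the mistakes listed above, expressed as a checker and a generator. This is an added example, not GW IT's own tooling; the symbol set (Python's string.punctuation), the function names and the personal_terms parameter are assumptions.

```python
import secrets
import string

MIN_LENGTH = 18  # minimum length stated in this post
# Assumption: "symbol" means any ASCII punctuation character; some sites accept fewer.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "number": string.digits,
    "symbol": string.punctuation,
}
# The three examples named in this post; a real deny-list would be far larger.
COMMON_PASSWORDS = {"123456", "password", "qwerty"}


def policy_failures(password, personal_terms=()):
    """Return the reasons a password fails the guidance above (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(f"missing {name}")
    lowered = password.lower()
    # A long password built around a common one is still easy to guess.
    if any(common in lowered for common in COMMON_PASSWORDS):
        failures.append("contains a common password")
    # personal_terms: names, pets, schools, etc. that are public about the user.
    if any(term.lower() in lowered for term in personal_terms if term):
        failures.append("contains public personal information")
    return failures


def generate_password(length=MIN_LENGTH):
    """Generate a random password that satisfies every rule checked above."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    while True:
        # secrets uses the OS CSPRNG; the random module is not suitable here.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the choice uniform over compliant passwords.
        if not policy_failures(candidate):
            return candidate
```

A password manager's built-in generator does the same job; the checker is mainly useful for seeing why a hand-made password falls short.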

This post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu.


IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu

Content from National Cybersecurity Alliance. (2023, November 22). Take control of your data.

ALL YOUR ONLINE ACTIVITY GENERATES A TRAIL OF DATA

Your online activity creates a treasure trove of data. This data ranges from your interests and purchases to your online behaviors, and it is collected by websites, apps, devices, services, and companies all around the globe. This data can even include information about your physical self, like health data – think about how an app on your phone might count how many steps you take. 

You cannot control how each little piece of data about you and your family is collected. However, you still have a right to data privacy. You can help manage your data with a few repeatable behaviors. Your data is valuable and you deserve to have a say! 

Here are some simple, easy tips that will help you manage your data privacy:

Know the tradeoff between privacy and convenience 

Nowadays, when you download a new app, open a new online account, or join a new social media platform, you will often be asked for access to your personal information before you can even use it! This data might include your geographic location, contacts, and photos.

For these businesses, this personal information about you is tremendously valuable — and you should think about whether the service you get in return is worth the data you must hand over, even if the service is free.

Make informed decisions about sharing your data with businesses or services:

  • Is the service, app, or game worth the amount or type of personal data they want in return?
  • Can you control your data privacy and still use the service?
  • Is the data requested even relevant for the app or service (that is, “why does a Solitaire game need to know all my contacts”)?
  • If you haven’t used an app, service, or account in several months, is it worth keeping around knowing that it might be collecting and sharing your data?

Adjust privacy settings to your comfort level

For every app, account, or device, check the privacy and security settings. These should be easy to find in a Settings section and should take a few moments to change. Set them to your comfort level for personal information sharing; generally, we think it’s wise to lean on the side of sharing less data, not more.

You don’t have to do this for every account at once; start small, and over time you’ll make a habit of adjusting all your settings to your comfort. We have in-depth, free resources like our Manage Your Privacy Settings page that lets you check the settings of social media accounts, retail stores, apps and more.

Protect your data

Data privacy and data security go hand-in-hand. Along with managing your data privacy settings, follow some simple cybersecurity tips to keep it safe. We recommend following the Core 4: 

Manage Your Privacy Settings

Content in this post includes recommendations and suggestions for password creation and management as well as information on training materials available to the GW community.  This resource guide is presented as part of the Cybersecurity is a Shared Responsibility awareness campaign.  The GW IT Security team provides these posts to support increased awareness and knowledge across all stakeholder groups.  The principle the posts follow is that cybersecurity is a shared responsibility for all users.  Suggestions on content, areas of focus, or to arrange team training should be directed to infoec@gwu.edu.

Persistent cyber-attacks target personal, organizational, and system accounts.  The resources and training modules below are designed for various technical knowledge levels.  Some resources including some training modules may require access to restricted content.  Access restrictions for any sites requiring access will be noted.  External links to sites not controlled by GW will also be noted with an external link notation.  Details on organizations providing the external materials are listed at the bottom of this article in the event you are not familiar with the acronym or function.

Password Strength and Complexity Resources, Articles, and Guidance

Increased understanding of the need for strong and complex passwords as well as emerging security technologies is critical to ensuring your data and access to your systems and services are secure.

Password Managers

Password managers are applications used to store passwords.  Generally, they provide a convenient place to store all of your passwords, requiring you to remember only the password manager master password.  These solutions can be installed on devices, accessed through cloud services, and/or integrated into web browsers.  They provide the convenience of remembering only one password to access a tool that contains all of your unique passwords.

The Best Password Managers | PCMag – External Content Hosted by PCMag

Training Modules

The following modules are available to faculty and staff through GW’s Talent@GW system.  Search for training titles in the Learning -> Browse for Training menu after logging into Talent@GW.  Managers can assign training to staff through the Talent@GW system as well.

Creating Strong Passwords - Security Awareness Training

Audience – Introductory Level of Technical Knowledge

Talent@GW Search Term - Password Security

Content Provider and Location:  KnowBe4 Module  Accessed Through Talent@GW

Privileged User Security Series: Privileged Access (8 minutes)

Audience – Intermediate Level of Technical Knowledge Required

Talent@GW Search Term - Privileged Access

Content Provider and Location:  KnowBe4 Module  Accessed Through Talent@GW

Privileged User Security Series: Secure Windows Administration (15 minutes)

Audience – Intermediate to Advanced Level of Technical Knowledge Required

Talent@GW Search Term - Secure Windows Administration

Content Provider and Location:  KnowBe4 Module  Accessed Through Talent@GW

Privileged User Security Series: Secure Linux Administration (15 minutes)

Audience – Intermediate to Advanced Level of Technical Knowledge Required

Talent@GW Search Term - Secure Linux Administration

Content Provider and Location:  KnowBe4 Module  Accessed Through Talent@GW

Privileged User Security Series: Secure Database Administration (15 minutes)

Audience – Intermediate to Advanced Level of Technical Knowledge Required

Talent@GW Search Term - Secure Database Administration

Content Provider and Location:  KnowBe4 Module Accessed Through Talent@GW

 

Securing Windows Server 2016: Managing Privileged Identities (1 hour 7 minutes)

Audience – Advanced Level of Technical Knowledge Required

Talent@GW Search Term – Server 2016

Content:  LinkedIn Learning Module Accessed Through Talent@GW

Securing Windows Server 2016: Server Hardening Solutions

Audience – Advanced Level of Technical Knowledge Required

Talent@GW Search Term – Server 2016

Content:  LinkedIn Learning Module Accessed Through Talent@GW

Securing Windows Server 2019

Audience – Advanced Level of Technical Knowledge Required

Talent@GW Search Term – Server 2019

Content:  LinkedIn Learning Module Accessed Through Talent@GW

 

Password Guidance and Reference Materials Sources and Organizations

CISA https://www.cisa.gov/ - CISA is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience. We are designed for collaboration and partnership. Learn about our layered mission to reduce risk to the nation’s cyber and physical infrastructure.

ISACA  https://www.isaca.org/about-us  - As a globally recognized leader in IS/IT for over 50 years, ISACA is a professional membership organization committed to the advancement of digital trust by empowering IS/IT professionals to grow their skills and knowledge in audit, cybersecurity, emerging tech and more.

SANS sans.org - SANS launched in 1989 as a cooperative for information security thought leadership. It is SANS’ ongoing mission to empower cyber security professionals with the practical skills and knowledge they need to make our world a safer place.

Do you get a little chill thinking about the dozens of login credentials you have set up throughout the wilderness of the internet? If so, don’t worry – you aren’t alone. Identity management, sometimes called identity and access management (IAM), increases in importance every year. That’s why we celebrate Identity Management Day!   

Identity management, though, is not just a concern for businesses and organizations. You can help protect your data by understanding and implementing some simple identity management practices. You have the power to own and maintain your digital identity!  

CONFIGURE YOUR SECURITY SETTINGS  

Every time you sign up for a new account, download a new app, or get a new device, immediately configure the privacy and security settings to your comfort level. Check the settings on old accounts and delete any apps or accounts you no longer use.  

DON’T TAKE THE BAIT  

If you receive an enticing offer via email or text, don’t be so quick to click on the link. Instead, go directly to the company’s website to verify it is legitimate. If you’re unsure who an email is from—even if the details appear accurate—or if the email looks “phishy,” do not respond and do not click on any links or open any attachments found in that email as they may be infected with malware. Report phishing to your organization’s IT department or your email provider.  

SHARE WITH CARE  

Think before posting about yourself and others online, especially on social media. Consider what a post reveals, who might see it and how it might affect you or others. Personal information readily available online can be used by attackers to do a variety of things, including impersonation and guessing usernames and passwords.  

SHIELD YOUR PASSWORD WITH MFA   

Multi-factor authentication (MFA), or as it is referred to at GW, 2-Step Authentication, will fortify your online accounts by enabling the strongest authentication tools available, such as biometrics or a unique one-time code sent to your phone or mobile device.

USE A PASSWORD MANAGER  

Use password managers to generate and remember different, complex passwords for each of your accounts. While not a perfect solution, a password manager is currently the most secure way to send passwords and other login credentials to family members or coworkers. Duplicating passwords or using common passwords is a gift to hackers. If one account is compromised, a hacker will typically try the same username and password combination against other websites.  

TURN ON AUTOMATIC UPDATES  

Keep all software on internet connected devices – including personal computers, smartphones and tablets – current to reduce risk of infection from ransomware and malware. Configure your devices to automatically update or to notify you when an update is available. Software updates often fix security flaws. Outdated software can be riddled with security holes easily exploited by attackers.  

For more tips and advice, visit www.identitymanagementday.org/  

Original blog content provided by The National Cyber Security Alliance.


For more information on GW IT Security, please visit our security website: https://it.gwu.edu/gw-information-security 


GW Information Technology (GW IT) is investigating reports of scam emails regarding GW benefits information with a link to a fake GWeb (Banweb) site that instructs recipients to login using their GWID and PIN. Logins to the fake site may allow hackers to harvest user credentials. Impacted users have been notified.

As a cautionary measure, GW Information Security recommends that recipients who may have logged into the fake site change their PIN and verify that all the information on their profile, especially bank accounts for direct deposit, addresses, and security questions, is correct.

To change your PIN, follow these steps:

  1. Log into the GWeb Information System using the appropriate button on the GWeb page.
  2. Once you are logged into the main GWeb menu page, click on the Personal Information Menu tab at the top of the page and select Change PIN.
  3. You will be prompted to enter your old PIN number and then enter and re-enter your new PIN.

GW IT continues to take proactive measures to keep our campus community safe. GW students, faculty and staff should ignore such requests for information and report any suspicious electronic communication to abuse@gwu.edu.

Protect your information!

Always be wary of messages requesting account verification, confirmation or upgrade, payment or personal information such as your passwords, GWID, Social Security number or credit card information.

Universities are frequently targeted by malicious actors who will attempt to acquire personal information about you and other members of the university community through email and over the phone. Please be aware that these attempts often seem legitimate.

Ask questions, trust your instincts, and if things seem off, don’t be afraid to take a message and follow-up later. Attackers will frequently use a sense of urgency to prompt the victim into making a risky decision.

Questions? Concerns? Please contact GW Information Technology at 202-994-GWIT (4948), ithelp@gwu.edu or IT.GWU.EDU.

The US Department of Education Office of Federal Student Aid has identified a malicious phishing campaign that may lead to potential fraud associated with student refunds and aid distributions. Multiple institutions of higher education have reported that attackers are using a phishing email to obtain access to student accounts by providing links to bogus student portals.

If you have received this email or a similar one, please do not reply to it, open any attachments or click on the link.

Scam Phishing sample message

If you have responded to the phishing attempt with your GW UserID and corresponding password, please change your password immediately by visiting identity.gwu.edu and clicking on “Reset/Forgot Password”.

Please remember that you should always be wary of messages requesting account verification, confirmation or upgrade, payment or personal information such as your passwords, GWid, Social Security number or credit card information. Additionally, please ensure that your computer is patched with the most recent operating system updates.

If you receive any phishing attempts in the future, please do not reply to them, open any attachments or click on any links. Please forward the email to abuse@gwu.edu.

If you have any questions about the validity of a link you see or a message you receive, please contact the IT Support Center at 202-994-GWIT (4948), ithelp@gwu.edu or IT.GWU.EDU.