Passwords
Passwords are a ubiquitous challenge for everyone. We all have numerous accounts, and maintaining unique passwords for every account is a pain. Studies find that people manage as many as 240 accounts (Dashlane) or 255 (NordPass Survey, 2024). Managing this many credentials induces fatigue and encourages password re-use or the use of simple passwords. This resource page seeks to provide a central repository of information related to passwords, including:
- Password Strength
- Password Managers
- Passkeys
Password Uniqueness and Strength Matters
Re-used and simple passwords are major contributors to compromised accounts. According to Security.org's 2023 survey, 64% of passwords contain only eight to eleven characters. Digital Shadows reported in 2022 that of 24 billion compromised credentials, only 6.7 billion contained unique pairings of username and password.
Vulnerable passwords lead to account compromise, leaks of personal information and financial data, and reputational harm.
There are several recommendations to strengthen, randomize, and secure passwords. It starts with using strong passwords. The Cybersecurity and Infrastructure Security Agency (CISA.gov) recommends using strong passwords on the Use Strong Passwords resource page. The following short video also covers recommendations.
The CISA Strengthen Your Passwords with Three Simple Tips
A strong password follows ALL THREE of these tips.
- Make them long
  - At least 16 characters—longer is stronger!
- Make them random
  - Two ways to do this are:
    - Use a random string of mixed-case letters, numbers and symbols. For example:
      - cXmnZK65rf*&DaaD
      - Yuc8$RikA34%ZoPPao98t
    - Create a memorable phrase of 4 – 7 unrelated words. This is called a “passphrase.” For example:
      - Good: HorsePurpleHatRun
      - Great: HorsePurpleHatRunBay
      - Amazing: Horse Purple Hat Run Bay Lifting
      - Note: You can use spaces before or between words if you prefer!
- Make them unique
  - Use a different strong password for each account. For example:
    - Bank: k8dfh8c@Pfv0gB2
    - Email account: legal tiny facility freehand probable enamel
    - Social media account: e246gs%mFs#3tv6
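As an added illustration of the three tips (not part of the CISA or GW IT material), the following Node.js code estimates the entropy of the example passwords and passphrases above and flags a password reused across accounts. The symbol-pool size of 32 and the 7776-word list size are assumptions, and the estimates only hold when the characters or words were actually chosen at random.

```javascript
// Added example, not from the GW IT page: rough checks for CISA's three tips
// (long, random, unique). Bit estimates assume random selection, as the tips require.
const MIN_LENGTH = 16;        // tip 1 threshold from the page
const SYMBOL_POOL = 32;       // assumed: printable ASCII punctuation characters
const WORDLIST_SIZE = 7776;   // assumed: a diceware-style list of 6^5 words

// Estimated entropy of a random character string, from the classes it uses.
function randomStringBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^A-Za-z0-9]/.test(pw)) pool += SYMBOL_POOL;
  return pool ? pw.length * Math.log2(pool) : 0;
}

// Estimated entropy of a passphrase; words may be space-separated or CamelCase.
function passphraseBits(phrase) {
  const words = phrase.trim().split(/\s+|(?=[A-Z])/).filter(Boolean);
  return { words: words.length, bits: words.length * Math.log2(WORDLIST_SIZE) };
}

// Tips 1 and 2 for one secret. Letters-only text of 4+ words counts as a passphrase,
// otherwise the secret is scored as a random character string.
function assess(secret) {
  const lettersOnly = /^[A-Za-z]+(\s+[A-Za-z]+)*$/.test(secret);
  const pp = passphraseBits(secret);
  const isPassphrase = lettersOnly && pp.words >= 4;
  const bits = isPassphrase ? pp.bits : randomStringBits(secret);
  return { long: secret.length >= MIN_LENGTH, isPassphrase, bits: Math.round(bits) };
}

// Tip 3: report every account whose password was already used by an earlier one.
function findReuse(accounts) {
  const firstSeen = new Map();
  const reused = [];
  for (const [account, pw] of Object.entries(accounts)) {
    if (firstSeen.has(pw)) reused.push([firstSeen.get(pw), account]);
    else firstSeen.set(pw, account);
  }
  return reused;
}
```

Scored this way, the 16-character random string from the page lands near 105 bits while the four-word passphrase lands near 52, which is why the passphrase tip asks for more words rather than fewer.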
Managing Passwords
Use a Password Manager - CISA Recommendation
For most people, generating and remembering long, random and unique passwords for every account is not possible. Rather than write them down, use a password manager! A password manager is an easy-to-use program that generates, stores and even fills in all your passwords. Password managers tell us when we have weak or re-used passwords and can generate strong passwords for us. They can also automatically fill logins into sites and apps as we move from one to another.
When we use a password manager, we only need to remember one strong password—the one for the password manager itself. (Tip: Create a memorable long “passphrase” as described above.)
There are many password managers to choose from. Some are free, like the built-in password managers in your web browser, and some cost money. Search a trusted source for “password managers” like Consumer Reports, which offers a selection of highly rated password managers. Read reviews to compare options and find a reputable program for you.
When we use a password manager, we are much more likely to use a long, random and unique password on every site. And that makes it much harder for someone to steal our valuable information!
From: CISA https://www.cisa.gov/secure-our-world/use-strong-passwords
The IT Risk and Assurance team describes password managers as software that allows users to generate passwords and to store and manage account information, including usernames and passwords, all in one location. Password managers offer other features such as complex password suggestions, identification of weak or repeated passwords, and alerts when users’ credentials appear to have been compromised. When you use a password manager, you will set a password that is often referred to as the “master” password. This will be the only password you will need to remember. For more information about why password managers are useful, see the following:
Password managers are available in different formats:
- An online service hosted by a third party and accessed through a website portal. This type is useful if you need access to the password manager from multiple devices.
- Software installed locally on a workstation that can operate either completely offline or connected to the internet to synchronize your information to a cloud database and get software updates.
Are Password Managers Secure?
Password managers can offer a high level of security for account credentials and information, provided best practices are used to secure the master password. Whether you use, or are planning to get, an online or an offline password manager, follow these practices:
- Do your research and get a trusted password manager software that has a high reputation in the industry.
- Use a strong master password for your password manager account and never forget it. Some password manager vendors cannot recover your account if you can’t remember your master password.
- Enable two-factor authentication (2FA) on your password manager account for an extra layer of security.
- Keep your password manager software, web browsers, and all other software you use up-to-date.
- Audit the list of devices that are approved to access your password manager.
- For work-related accounts, always use password managers that are approved by your organization. Follow your organization’s policies, standards and procedures when processing, storing or sharing work-related data.
Remember, if password managers are managed appropriately, they will offer the level of security you are looking for to protect your online accounts’ passwords.
Choosing a Solution - Password Manager Reviews
- The Best Password Managers for 2025 - PCMag 2/21/2025
- The Best Free Password Managers for 2025 - PCMag 1/15/2025
- The best password managers in 2025 - Tom's Guide 2/11/2025
- Best Password Manager in 2025 - CNET 2/14/2025
- The 2 Best Password Managers of 2025 | Reviews by Wirecutter, New York Times 2/3/2025
- Best password manager of 2025 - TechRadar 1/9/2025
Passkeys - Alternatives to Passwords
Passkey Background
While password managers can assist with the memorization and management challenges, traditional passwords do not leverage modern security capabilities. A rapidly evolving technology uses passkeys in place of passwords. At a basic level, passkeys leverage your personal computer, mobile device, or even a password manager to provide a validated (through a fingerprint, for example) encrypted response to login challenges from a website where you have an account. This process effectively replaces matching a password you submit against one stored on the site. In the passkey scenario you are providing an encrypted answer to a unique challenge, and all of the communications are encrypted. Through the use of public key and private key technology in the underlying protocol, your identity is verified and access is granted without your private key ever being transferred. There is a more technical explanation of the passkey process here: Passkey (Passkey Authentication), Technopedia, June 2023.
Basic passkey process steps:
- You establish a passkey on a website and device that support the technology.
- Once established, when you access the site your device asks you to verify your identity instead of prompting for a password.
- You use your device’s own authentication (PIN, fingerprint, or facial recognition) to authorize website access.
- Your device confirms your identity for the site through encrypted messaging.
- The website grants you access.
The challenge sent to your device and the messaging back to the site are encrypted, your private key is never transferred, and the response is tied to the website’s identity; together these make this login approach more secure than using passwords. A PCWorld article, Passkeys Explained: How to Embrace a Passwordless Future Today (May 2024), has additional information on passkeys and notes that there are directories of providers that support passwordless logins:
Services with passkey support
There is no official directory of all providers with passwordless login. Lists are provided by Passkeys.io, Passkeys Directory, and Keeper, among others.
If you utilize a password manager, most offer support for managing and using passkeys. Cloud services can enable passkey use across multiple devices. While there are many options to explore a simple way to get started would be using solutions from vendors deeply connected to devices and the device operating systems software like Google, Apple, and/or Microsoft.
Ars Technica published an article in May 2023 with frequently asked questions about passkeys, “Passkeys may not be for you, but they are safe and easy—here’s why.” The article covers common questions about privacy, personal account security, and trust. The following excerpt from the site recaps how the passkey process works while enhancing your personal cybersecurity (emphasis added).
Que: Passkeys give control of your credentials to Apple/Google/Microsoft, to a third-party syncing service, or to the site you’re logging in to. Why would I ever do that?
Ans: Assuming you’re using a password to sign in to a service such as Gmail, Azure, or Github, you’re already trusting these companies to implement their authentication systems in a way that doesn’t expose the shared secrets that allow you to log in. Logging in to one of these sites with a passkey instead of a password gives the sites the same control—no more and no less—over your credentials that they had before.
... the private key portion of a passkey never leaves a user’s encrypted devices. The authentication occurs on the user device. The user device then sends the site being logged in to a cryptographic proof that the private key resides on the device logging in. The cryptography involved in this process ensures that the proof can’t be spoofed.
Key takeaways:
- Passwords will still be present for many sites for some time.
- Passkeys provide more secure authentication for sites and devices that support them.
- Explore passkeys on a couple of sites and expand your use as you gain experience.
- It is a good idea to try the technology, as it will become more prevalent and in some cases required to access web applications.
Account Compromise Recovery Resources
- Blog post - What to do if your account is hacked.
- Resource Page - Compromise Recovery
This content is presented by the GW IT Cybersecurity Risk and Assurance team. #SecuringGW is a shared responsibility, if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu.
IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp[@]gwu.edu, or visit ithelp.gwu.edu