Password Tips & Security

did you know?

  • If you have forgotten the password you use with your NYU NetID and/or your password hint, follow the instructions on the NetID & Password page.
  • You are required to change the password you use with your NetID at least once each year.

Creating a Good Password

Why are passwords important?

Believe it or not, there are lots of people out in the world who try to guess or "crack" passwords in order to snoop around. We have an obligation to protect information stored on our computer systems from unauthorized access. The kind of access people have to computers in public institutions like NYU provides many opportunities for password cracking. Creating "good" passwords and keeping them private are important elements of computer security. This means making passwords that are difficult or impossible to guess or discover, even for individuals who, with mischievous or criminal intent, try to "crack" passwords in order to gain access to computer accounts or systems.

ITS requires NYU community members to change their passwords on an annual basis, which makes it more difficult for a password-protected account to be compromised. Remember, it is your obligation to protect information stored on NYU computer systems and to protect those systems from unauthorized access.

How can I create a good password?

When activating your NetID and setting or changing your password, please take into account the following password guidelines (required for NYUHome passwords, but useful for all passwords):

  1. passwords must be 8 or more characters in length
  2. must consist of letters (a-z and/or A-Z) AND at least one number (0-9) AND at least one special character: !@#$%^&*()_-+=[]|\;"~',<>./?
  3. the alphabetic portion of a password, taken as a whole, may not be a dictionary word, proper name, or person's initials
  4. you may not reuse a password that you've previously used with NYUHome

Examples of Good Passwords

  1. You can use a phrase to generate a password:
    • Take the phrase "I Love To Eat Hotdogs Everyday".
    • Use the first letters: iltehe
    • Apply capitalization and substitute punctuation/numbers for letters: Il2e!E
  2. You can also use a common word as a seed for a password:
    • By itself, "hotdog" makes a horrible password, but if you apply some of the tricks above (capitalization, punctuation, and misspellings) the result is a much better password: H0t!daWg.
    • You can also use a word but substitute numbers for some of the letters, and insert a special character in a way that you'll remember. For example, by replacing the vowels with the number 7 in the word "Spiderman," then inserting a slash between the syllables, the password could be "Sp7d7r/m7n".

What should I avoid when creating a password?

  • Do not use your user name, first name, or last name.
    Your name and user name are stored in the password file and many cracking programs use this information to generate possible password combinations.
  • Do not use anyone's first name or last name.
    Many password-cracking programs have large name databases and can easily guess passwords based on names. Names of friends, relatives, fictional characters, etc. are commonly associated with an individual and do not make good passwords.
  • Passwords that use patterns on the keyboard (e.g., qwerty) are not secure.
    Although such passwords are easily typed, they are also easily guessed.
  • Words spelled backwards don't make secure passwords.
    Most cracking programs try both the forward and backward representation of words in their databases, and therefore passwords of such nature are not secure.
  • Substituting 1's and 0's for l's and o's is not enough to make a good password.
    Password cracking programs have rule sets designed to break passwords that substitute numbers for letters they resemble. Similarly, passwords such as 2Good4U, although cute, are not really secure either.
  • Do not simply use a word followed or preceded by a number as a password.
    A common password-guessing algorithm adds numbers to the front or back of a dictionary word. Passwords of this form are therefore easily cracked. Non-alphabetic characters should be used throughout the password.
  • Do not use dictionary or dictionary-based words as passwords.
    Password cracking programs have large dictionaries that they use to guess passwords. Cracking programs also have large FOREIGN LANGUAGE dictionaries; therefore, the practice of using foreign words as passwords is INSECURE.
  • Your password should NOT be all numbers, uppercase letters or lowercase letters, nor should it have repeating characters.
  • Never use a password that has been cited as an example of how to pick a good password.
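
The composition rules under "How can I create a good password?" and the list of things to avoid above can be combined into one check that a password-change form runs before accepting a new password. The following Python sketch is an added example, not NYU or ITS code: the function name, the tiny word list and the look-alike table are constructed for illustration, and "repeating characters" is read as the same character twice in a row.

```python
import re

# Special characters allowed by guideline 2 (copied from the list above).
SPECIALS = set("!@#$%^&*()_-+=[]|\\;\"~',<>./?")
# Constructed sample data; a real deployment loads full word and name lists.
WORDLIST = {"hotdog", "spiderman", "password", "good", "qwerty"}
# Passwords this page prints as examples, which it says never to use.
CITED_EXAMPLES = {"Il2e!E", "H0t!daWg", "Sp7d7r/m7n", "2Good4U"}
# Look-alike substitutions that cracking rule sets undo (assumed table).
DELEET = str.maketrans("013457@$!", "oleastasi")

def check_password(pw, username="", previous=()):
    """Return the list of guideline violations; an empty list means pw passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    # Plain comparison for illustration; a real system compares stored hashes.
    if pw in previous:
        problems.append("previously used")
    if pw in CITED_EXAMPLES:
        problems.append("published as an example")
    # Guideline 3: the alphabetic portion of the password, taken as a whole.
    alpha = re.sub(r"[^a-z]", "", pw.lower())
    # The same portion after undoing look-alike digits and symbols.
    deleet = re.sub(r"[^a-z]", "", pw.lower().translate(DELEET))
    banned = WORDLIST | ({username.lower()} if username else set())
    for cand in {alpha, deleet}:
        # Forward and backward forms are both tried, as cracking programs do.
        if cand in banned or cand[::-1] in banned:
            problems.append("based on a dictionary word or name")
            break
    if re.search(r"(.)\1", pw):
        problems.append("repeating characters")
    return problems
```

A password such as `hotdog1!` satisfies the length and character-class rules yet is still rejected, because its alphabetic portion is a dictionary word.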

Password & Account Security

Can I tell others what my password is?

No. Don't tell anyone your password, not even if they claim to be a system administrator. Sharing passwords is a violation of NYU policy. There are good reasons you should not share your password. If someone to whom you had provided your password were to use your account in an inappropriate manner, you could be held responsible for their actions.

Why can't I share my NetID and password with a trusted colleague?

Letting another person use your NetID, no matter how much you trust that person, violates data security. Each NetID is assigned to a specific individual who must accept full responsibility for any work done on that NetID. Each of your colleagues must use his or her own NetID, or apply for one (all NYU staff must have their own NetIDs). Note: If you are involved in the hiring of new staff, you should request a NetID ahead of time so that it will be ready for use when needed. It may be possible to expedite the new employee's NetID assignment by having your Division's HR representative contact the ITS Client Services Accounts Group at its.accounts@nyu.edu.

No one representing NYU will ever ask you to give your password to them by email or over the phone. If someone DOES do this, do not respond to them! Instead, call the ITS Client Services Center at 1-212-998-3333, and send an email to security@nyu.edu, to make sure we know about it. We will deal with the offending party.

To ensure that your office has access to your files and data for business continuity purposes, your department can use a shared file server, or have a departmental IT staff member set up an alternate account on your computer.

Is it safe to send my login/password through email?

No. You should never include your password in an email message. There are programs out there that have the ability to spy on traffic sent over the internet. If you send out a message with your password in it, there is a possibility that it could be intercepted and then your account would be compromised.

Besides, you're not supposed to be sharing it with anyone anyway, so the need to send it through email would never arise, right?

Page last reviewed: May 15, 2007