Passphrase and Password Protection

Introduction

This document defines standards for the creation and use of passphrases and passwords to protect the UBC Electronic Information that Users handle.
Passphrases (sequences of words or other text) and passwords (words or strings of characters) are common and important ways to access and protect digital information on or off the Internet through almost any type of Device. Consequently, attackers attempting to access information use a variety of tools to guess or steal passphrases/passwords.
In summary, the top three ways to keep a passphrase/password safe and protect the information are:
1. create a strong passphrase/password;
2. guard it carefully (e.g. don't share it or write it down); and
3. avoid reusing it for other systems.
The Chief Information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.

Creating a Passphrase/Password

Bad Examples (Easy to Guess)	Good Passphrase Examples (Preferred)	Good Complex Password Examples
Pa$5w0rd!	pass turtle phrase	Hx%2Pe2fWE
WhiteCaps2018	trophy.sky.sings.gold	5vE@Pu57^j
12345678ABC	1plusfourbeaches	9#fAaXu7y6tt
GameofThrones	facelessdragonhorse	p39&k1WX3EGxKo
Vanc0uv3r	rainbeachpuddles	gqEWep8#32v2xF8i
2March1976	SingingLionorLamb	Yy6*&u22rB
qwerty1234	Elephantkickscat!.!	Jb06MTKS35
M0nk3yABC	MonkeyPatsTiger1	854Htt8EvR
ILoveYou	mammamialetmego	4Qz7cSPgdAB15wLm

Use a passphrase with a minimum of 16 characters. If a minimum of 16 characters is not technically allowed by a system, use a complex password that contains upper and lower case letters, numbers and symbols that is as long as possible, but a minimum of 10 characters. Guidelines for consideration:
1. To create a passphrase, consider using a phrase of disconnected words that you can picture in your head (e.g. "plug in sunshine thimbles" or "StingersSingPaint").
2. To create a complex password when a passphrase is not an available option, consider using the first letter of each word in a phrase. For example, "I ride my bike to school at 7 AM!" becomes "Irmbtsa7AM!".
3. Avoid using a password that replaces a letter with a number, such as "Br0adcast!" where the "O" is replaced with a zero. Password guessing programs can easily crack these types of alpha/numeric replacements.
4. Password generation and storage programs should be used to create and manage passphrases/passwords.
5. Name, username, address, date of birth, family members’ names or any other term that can be easily guessed should not be used to create a passphrase/password.

Changing a Passphrase/Password

Passphrases/passwords for Campus-wide Login accounts must be changed annually. For all other accounts, it is recommended that passphrases/passwords be changed annually. When changing a passphrase/password:
1. do not use the 10 most recent passphrases/passwords that have been used on the same system;
2. do not use the same passphrase/password for personal accounts and university accounts; and
3. it is recommended to use unique passphrases/passwords for different accounts, so that even if one is stolen, it does not allow access to other accounts owned by the same User.
4. each time a passphrase/password change or reset occurs, a Multi‑Factor Authentication (MFA) challenge is required for employee Campus-wide Login accounts. For all other accounts, it is recommended.

Protecting a Passphrase/Password

Case Study: Why You Shouldn’t Share Your Password

A single user ID and password was shared amongst a research lab’s personnel. One of these individuals maliciously destroyed some of the data in the account. Since this was a shared account, it was challenging to identify the responsible party.

If a passphrase/password is written down, it must be locked away in a secure, inaccessible location such as a safe.
Best practices state that passwords should not be shared for any reason—even with trusted individuals such as supervisors or University IT Support Staff.
University IT Support Staff will never ask for Users’ passphrases/passwords.
Do not respond to emails or phone calls requesting passphrases/passwords and Multi-Factor Authentication (MFA) passcodes, even if they appear to be from a trusted source. These requests are often attempts to steal Users’ credentials.
Passphrases/passwords must be immediately changed if there are suspicions that they could have been compromised and the incident must be reported to UBC Information Security (see the Reporting Information Security Incidents standard).
Use of a Password Safe/Manager is the recommended method to securely store multiple passphrases/passwords, as it is only necessary to remember a single master password. Refer to the Password Safe guideline.

Passphrases/Passwords for Devices with Touchscreen Interfaces

Choosing your Password/PIN for a Mobile Device

A simple password/PIN option is to think of a 5 or 6 letter word and spell it out using the letters on the numeric key pad. Example: HOUSE becomes ”46873”.

Due to smartphones and tablets having touch-screen interfaces, it is not practical to use a strong password to lock the Device. Instead, a numeric password/PIN can be used, as long as it is at least five characters long.
See the Securing Computing and Mobile Storage Devices/Media standard for further requirements regarding Mobile Device security.

Biometric Alternatives to Passphrases / Passwords / PINs

Biometric controls such as fingerprint readers and facial recognition are acceptable alternatives to passphrases/passwords/PINs.

Multi-Factor Authentication

Where available, it is recommended that Users take advantage of Multi-Factor Authentication.

Additional Requirements for University IT Support Staff

For University IT Support Staff, there are additional requirements around the storage of passphrases/passwords. These requirements are detailed in the User Account Management standard.

Information Security Standard U2