Information Technology

Password Management

Setting up and maintaining safe passwords is essential to online account security. Some simple tips you can use to create safe passwords are provided below. Your department may have other security policies that you must follow if they conflict with these password tips. 

To protect your IT Account information, it is critical that you:

Construct a strong password.
Password-guessing software has become increasingly sophisticated, and many tools break passwords using ‘dictionary attacks’, trying endless combinations of characters. Follow the Complex Password Requirements listed above to ensure that your password can withstand these types of attacks.

Do not save your password.
Some applications offer to save your passwords. Always say ‘No’ when prompted to save a password online. Also, never write down your password. Instead, create a password reminder in case you forget it. For instructions on how to create a password reminder, see our Account Password Rules page.

Do not share your password.
By making passwords available to others, you put your personal information at risk and make it vulnerable to misuse. Do not send your password via email even if the message asking for your password appears official. Note that the UMass Amherst IT Help Center will never ask for your account information via email.

Change your password periodically.
To protect your password from ‘dictionary attacks’, change your password twice a year. If you suspect that your password has been stolen or compromised, change it immediately. Change your IT Account password in SPIRE.

Do not recycle your password.
Do not use your IT Account password for other services (e.g., your bank account or your non-UMass email address). If your password is hacked, all the accounts using this password are at risk.

Log out of IT services.
Remember to log out of any IT service (e.g., UMail, SPIRE, computers in the IT Computer Classrooms) when you are finished using the service or when you step away from your computer.

What's at Stake?

If your password is compromised, you jeopardize:

  • Your privacy & reputation: Intruders may gain access to your email, bank account, and other sensitive information. Your identity may be stolen. Your email can be used to send defamatory messages in your name and your computer can be used to host illegal materials.
  • Your files: The contents of your computer may be destroyed or compromised.
  • Other computing resources: Hackers could use your computer to attack other computers.

It is critical that you create strong passwords that you maintain appropriately. Remember, in computer security, passwords are always the weakest link!

Use Different Passwords for Different Services

If you are using the same password for your email, bank account, and computer, and one account is hacked, all the others are at risk. Create at least three different passwords, one each for:

  • Your IT Account
  • Accounts that contain sensitive personal information (e.g., your bank account)
  • Web sites that require registration (e.g., Amazon)

To keep track of your passwords, use one of our password strategies.

Change Your Passwords Regularly

Passwords become vulnerable over time. To reduce the risk of your computer being compromised, we recommend that you change your passwords at least twice a year. If you suspect that your password has been stolen or compromised, change it immediately. Learn how to change your IT Account password in SPIRE.

  • Viruses and other malware are known for stealing passwords. Please change all your passwords after cleaning up from a virus infection. If you suspect your computer has a virus, do not access any service that requires you to enter a password (e.g., online banking).
  • If one of your computing devices has been lost or stolen, it is important to change your passwords to reduce the risk of having your information security compromised. 
  • If you have administrative access to the Human Resources or Finance systems, you are required to change your IT Account password every 180 days.

Do Not Share Your Password

By making your passwords available to others (even people you trust), you put your personal information at risk. Please do not share your passwords!

Never send passwords or other sensitive personal information via email even if the original message appears official. Learn more about phishing scams. Note: UMass Amherst IT will never ask for your IT Account password or other sensitive information via email.

Do Not Use Remember My Password Features - Create a Password Reminder in SPIRE

Some applications will offer to save your passwords. Always choose 'No' when prompted to save a password online. We recommend that you create a reminder for your IT Account password and use our password tricks to create strong passwords that you can actually remember.

For your IT Account password, store a word or phrase in SPIRE to help jog your memory in case you forget it:

  1.  Log on to SPIRE with your NetID and password.
  2.  In the SPIRE navigation, go to My SPIRE > Change My Password. To set your reminder, you will need to change your password first.

Avoid Writing Down Your Password

Storing passwords on post-it notes on your monitor is an open invitation to access your information. At UMass Amherst IT, we believe no location is safe enough for storing passwords. If you absolutely must write down your passwords:

  • Write down password hints, not the actual password.
  • Keep your user name and passwords separate, not in the same document.
  • Use a safe location (e.g., your wallet, a locked file cabinet, or password storage software).

Another strategy for remembering passwords is to use themes & rules:

Choose a theme for all your passwords (e.g., your passwords are always based on your favorite songs or movies). Decide on a few rules that you'll use to construct your passwords. For example:

  1.  Select a song: Rome wasn't built in a day by Morcheeba.
    Theme: music. Rule: Use song name and artist.
  2.  Condense into a string of letters: rwbinadbm
    Rule: Use the first letter of each word.
  3.  Add complexity: RwBi@dBm*00
    Rules: The first and third letters are always capitalized, 'a' is always replaced by '@', and the password always ends with a symbol and two digits.

Note: Please do not use this example. Hackers often try passwords available in reference materials.