Set a different password for each website or application you log into

It is Use different passwords for each site you visit. If someone obtains the password for one account, how many other sites or data can they access using that same password?

Use a password management tool

A password management tool allows you to create and securely store strong passwords. There are many software options to help you manage your credentials, security questions, etc. Some popular options include 1Password, LastPass, KeePass, and PassKey.

The only approved solutions for University passwords is the University's implementation of Bitwarden. To request a Bitwarden account for your unit, see Bitwarden, FAQ.

Use the longer passwords or passphrases

Different sites have different limitations on the number of characters you can use in your password. Longer passwords are harder to guess or hack than shorter ones. The University of Illinois accommodates NetID passwords up to 127 characters.

If possible, a passphrase may be preferable to a password. A good passphrase will use three or more words of at least five letters, separated by special characters. Deliberate misspelling, substitution, and capitalization will further strengthen a passphrase.

For example, the passphrase Trains-Mispe11-Wizardry is both more secure and easier to remember than T9iB4@qo.

Use Multi-Factor Authentication

Multi-factor authentication (MFA) requires at least two factors to logon to a service:

• something you know (your password)
• something you have (your phone or token)
• something you are (your face or fingerprint)

The university uses both the "something you know" and "something you have" factors for most logons. Without having your phone or token, an attacker won’t be able to receive or send the one-time verification required to authenticate. MFA is required for current university employees and students.

• See Multi-Factor Authentication (MFA), Introduction for more information.
• Sign up for Two-Factor Authentication (MFA) at identity.uillinois.edu.

Stop bad password habits

• Don’t use your address, birth date, or easily recognized or obtained information in your passwords.
• Provide obscure answers to security questions. Many times, security questions have answers that are easily obtained in other places. Your first pet’s name? Your kindergarten teacher’s name? Your mother’s/father’s middle name? Without thinking about it, many people include this information in blogs or social media posts.
  • Instead of answering the question directly, consider adding an appended word to the end of the answer. For example, if the question is, “What city were you born in?,” answer “chicagobaseball” instead of “chicago.”
  • Another option is to provide a false answer that you document and save in a password manager. For example, if the question is, “What was your kindergarten teacher’s name?,” answer “Jamaica” instead of the real answer.

Set a device passcode/password on your phone and other mobile devices

Set your device to require a passcode or password to wake the device from sleep mode or to unlock the device. Many devices are accessed because they weren’t password protected.