ACCOUNT SECURITY
Do not store passwords in insecure places, such as:
Paper notepads, post-its, etc.
Unencrypted computer notes or files
An email you send to yourself
Other creatively bad places
User Success recommends that all official-use passwords be changed yearly. This applies especially to accounts and sites that contain or lead to user data, such as Profile/SSO, email, ticketing, and donations.
Use a password manager
You only have to memorize one “master” password.
Passwords are (supposed to be) safely encrypted.
Password managers save new and updated passwords as you create them.
Cross-platform managers (computer + mobile) are best, but it is also possible to migrate from a browser’s password cache (like Chrome’s).
Burning Man's currently supported password manager is LastPass. There will be updates soon from Tech regarding changes to this product.
Please see this page for more information:
LastPass
Passwords you don’t need to memorize - use unique, random passwords
Recommended length: 20 random characters
Every password manager has a random generator, as do most browsers.
Longer is better. The manager remembers them for you.
Passwords you need to memorize - use long, memorable passwords
Multiple words - four recommended
Example: margin-measure-ruler-lines
Word/phrase generators online:
https://www.useapassphrase.com/
https://preshing.com/20110811/xkcd-password-generator/
https://xkpasswd.net/s/ (click button XKCD in upper right for four-word passphrases)
Sentence or phrase
Example: RunForThe7HillsMaria
Meaningful to you, but not obviously connected to you (birthdays, family names, etc.)
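As an added illustration (not part of this page, LastPass, or any of the generator sites linked above), the Python below produces both kinds of password described in the two sections above: a 20-character random password for the manager to remember, and a four-word passphrase of the margin-measure-ruler-lines kind, together with the guessing entropy each one carries. It draws from the standard library's `secrets` module, which uses the operating system's cryptographic random source; the `random` module must not be used for this. The word list is a small constructed one; the 7776-word figure in the output refers to the size of the EFF long word list.

```python
import math
import secrets
import string

# Character set for manager-generated passwords: letters, digits and
# punctuation, 94 symbols in total.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in word list. A real passphrase generator uses a large
# published list (the EFF long list has 7776 words); entropy_bits() below
# is always computed from the list actually used, not from an assumption.
WORDLIST = [
    "margin", "measure", "ruler", "lines", "canvas", "lantern", "gravel",
    "orbit", "pillow", "tundra", "velvet", "walnut", "harbor", "ember",
    "fossil", "glacier", "hammock", "island", "jigsaw", "kettle", "lumber",
    "meadow", "nectar", "oyster", "paddle", "quartz", "ribbon", "saddle",
    "timber", "umbrella", "voyage", "willow",
]


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Unique random password for the manager to store (page recommends 20 chars).

    secrets.choice() is uniform and backed by the OS CSPRNG, so every
    character carries log2(len(alphabet)) bits regardless of position.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Memorable passphrase of `words` randomly chosen words (page recommends 4)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Guessing entropy of `picks` independent uniform draws from `choices` symbols."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    pw = random_password()
    phrase = random_passphrase()
    print(pw, f"({entropy_bits(len(ALPHABET), 20):.1f} bits)")
    print(phrase, f"({entropy_bits(len(WORDLIST), 4):.1f} bits with this toy list)")
    print(f"four words from a 7776-word list: {entropy_bits(7776, 4):.1f} bits")
```

The entropy figures make the page's two recommendations comparable: 20 characters from 94 symbols is about 131 bits, while four words from a 7776-word list is about 52 bits, which is why the passphrase form is reserved for the few passwords a person must actually memorize and the random form is used for everything the manager stores.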
Two-factor protection
This is a topic worthy of its own page; we already have one for Okta's code verification app:
Besides a code-generator app, the second factor can also be a text message or one of several other methods.
Consider using two-factor protection for high-value sites such as:
Password manager (LastPass can use Okta Verify, Google Authenticator, or others)
Please contact User Success via Tech Help Form for assistance enabling LastPass two-factor.
Core email accounts which could be used to reset other accounts
Social media and financial accounts
Facebook two-factor authentication
Instagram two-factor authentication
Key accounts should probably get a new password on a regular basis, perhaps once a year. With a password manager, this is quite easy to do - updated passwords are saved automatically.
Guidelines for choosing good passwords are typically designed to make passwords harder to discover by intelligent guessing. Common guidelines advocated by proponents of software system security have included:
Consider a minimum password length of 12 characters as a general guide. Both the US and UK cyber security departments recommend long and easily memorable passwords over short complex ones.
Generate passwords randomly where feasible.
Avoid using the same password twice (e.g. across multiple user accounts and/or software systems).
Avoid character repetition, keyboard patterns, dictionary words, and letter or number sequences.
Avoid using information that is or might become publicly associated with the user or the account, such as user name, ancestors' names or dates.
Avoid using information that the user's colleagues and/or acquaintances might know to be associated with the user, such as relatives' or pet names, romantic links (current or past) and biographical information (e.g. ID numbers, ancestors' names or dates).
Do not use passwords which consist wholly of any simple combination of the aforementioned weak components.
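The guidelines above can be turned into an automated check. The Python below is an added example, not code from this page or from any product it names: it implements the minimum length of 12, the repetition, keyboard-pattern and sequence checks, a dictionary-word check against a small constructed list of common weak words, a check for publicly associated personal information supplied by the caller, and a reuse check against a caller-supplied password history. The thresholds (three repeated characters, four-character sequences and keyboard runs) are assumptions chosen for the example.

```python
import hashlib
import re
from typing import Iterable, List

MIN_LENGTH = 12  # the page's general guide
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Constructed stand-in for a dictionary / known-weak-password list. A real
# deployment loads a large list or queries a breached-password service.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "dragon", "monkey", "letmein"}


def has_repetition(pw: str, run: int = 3) -> bool:
    """Same character repeated `run` or more times in a row ('aaa', '!!!')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw: str, run: int = 4) -> bool:
    """Ascending or descending run of adjacent code points ('abcd', '4321')."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def has_keyboard_pattern(pw: str, run: int = 4) -> bool:
    """Any `run` adjacent keys from one keyboard row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for line in (row, row[::-1]):
            for i in range(len(line) - run + 1):
                if line[i:i + run] in low:
                    return True
    return False


def contains_dictionary_word(pw: str, words: Iterable[str] = COMMON_WORDS) -> bool:
    """Case-insensitive substring match against the weak-word list."""
    low = pw.lower()
    return any(w in low for w in words)


def contains_personal_info(pw: str, personal: Iterable[str]) -> bool:
    """Tokens publicly associated with the user (username, names, dates).

    Tokens shorter than three characters are ignored to avoid noise.
    """
    low = pw.lower()
    return any(len(t) >= 3 and t.lower() in low for t in personal)


def digest(pw: str) -> str:
    """Fingerprint used by the reuse check.

    A real password-history store would hold salted, slow hashes (bcrypt,
    scrypt, Argon2); plain SHA-256 is used here only to keep the example short.
    """
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw: str, personal: Iterable[str] = (),
                   previous: Iterable[str] = ()) -> List[str]:
    """Return the guideline violations found; an empty list means it passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too_short")
    if has_repetition(pw):
        findings.append("repetition")
    if has_sequence(pw):
        findings.append("sequence")
    if has_keyboard_pattern(pw):
        findings.append("keyboard_pattern")
    if contains_dictionary_word(pw):
        findings.append("dictionary_word")
    if contains_personal_info(pw, personal):
        findings.append("personal_info")
    if digest(pw) in set(previous):
        findings.append("reused")
    return findings


if __name__ == "__main__":
    history = [digest("margin-measure-ruler-lines")]
    for candidate in ["margin-measure-ruler-lines", "Summer2019!!!", "qwerty12345678"]:
        print(candidate, check_password(candidate, personal=["Maria"], previous=history))
```

Note that the dictionary check deliberately targets a short list of common weak words rather than a full dictionary: the four-word passphrases recommended above are made of ordinary words and get their strength from random selection, so a checker that rejected every dictionary word would reject exactly the memorable passwords the page tells people to use.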