Password Security

As threats and attempts to steal information and account login information increase, the needs for advanced security measures are critical. A strong, unique Tufts password that is handled properly and protected is part of a proper security approach. Ideally the best practice includes also coupling Two-Factor Authentication in addition to using a static userID and password.

Using strong passwords that you don't write down unprotected, share with others, or use on multiple sites are some of the first and most important steps to keeping your files and private information secure. Strong complex passwords avoid dictionary words and combine 8 or more upper and lowercase letters with numbers and special keyboard characters. To keep ahead of the game, it's best to change your passwords at least twice a year or immediately if it might have been stolen or you think you might have entered into a site that might not be legitimate. Due to the vast number of places that you need to login to for work and your personal life, it can seem overwhelming to keep track of all of your login IDs and passwords. Tempted to write them down? Instead, write a list of password hints and keep it in your wallet or considering using a password storage application.

Please be advised that Tufts IT support providers will never ask for your password. Even for system repair or maintenance, support providers should have access to an administrator account that does not require you to disclose your password.

Don't Share Passwords or Accounts

A shared account is a single login and password that is shared among multiple people. Although this practice may sometimes be convenient, it makes it impossible to determine which person used an account for a particular action. For systems that access regulated information, including Personal Information, shared accounts are prohibited by law. We also recommend against shared accounts for all other systems, unless they are absolutely required. Tufts Technology Support (TTS) can help you determine when they might be necessary, and how you can efficiently perform your work without them. In most systems, role-based controls make shared accounts unnecessary.

If TTS helps you determine that a shared account is required, it should be restricted to a single workstation. You may also need to coordinate your group's use of the account by keeping a log of who uses it, when they used it, and what they did. By keeping a record of changes, you can quickly determine whether an unauthorized change was made, which could indicate that the account credentials may have been shared outside the intended group. Finally, be sure to change the account's password every six months, and whenever a group member leaves or changes roles.

For these reasons, never use a shared account unless it is required, and where it is necessary, keep it restricted to the smallest possible number of people and workstations. Your efforts to avoid shared accounts, and to audit them when they are required, help Tufts stay secure.

Password Tools

There are many password management tools available to help you securely store and keep track of all your passwords and other sensitive information too. Instead of creating a written list of passwords that can be stolen or lost, try one of the many secure password tools available for free or for purchase. Although it may seem insecure to keep all that information on a computer, these applications have been developed to protect your information. Often, these applications offer additional features such as back-up to the cloud, syncing between multiple devices, creating private and shared team/family password vaults, creating complex passwords, and auto-filling passwords into website logins.

There are multiple vendors producing quality, secure applications for a range of cost from free to monthly subscription fees. Two key features to look for in making a choice include making sure the data is stored with strong encryption and there is a way to back-up or sync the data in the cloud or to a secondary device. Also, make sure when downloading the software to obtain it from the original vendor site or a known-good website.

Popular password managers:

  • LastPass
  • 1Password
  • KeePass
  • DataVault
  • Password Safe
  • Keeper
  • LogMeOnce