HHS OCIO HC3 TLP White Notification - Password Security & Best Practices for Users

September 20, 2022

Use multi-factor authentication (MFA) when possible.

  • The best passwords can still be cracked. Multi-Factor Authentication adds another layer of protection in addition to your username and password. Generally, the additional factor is a token or a mobile phone app that you would use to confirm that you really are trying to log in.

Use different passwords for different accounts.

  • If one account is compromised, the others will not be at risk.

Make passwords that are hard to guess, but easy to remember.

  • To make passwords easier to remember, use sentences or phrases. Example: “pineappleonpizzaistasty”
  • Hackers will use dictionaries of words and commonly used passwords to guess your password. Avoid single words, or a word preceded or followed by a single number (e.g., Password1).
  • Do not use passwords that are based on personal information that can be easily accessed or guessed (e.g., birthdays, children’s or pet’s names, car model, etc.).

Length over complexity.

  • The longer a password is, the better. Use the longest password or passphrase permissible by each password system.

But complexity still matters.

  • To increase complexity, include upper- and lower-case letters, numbers, and special characters. Example: “pin3appl30nPizzaI$Ta$ty”
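As an added illustration that is not part of the HC3 notification, the following Python checker encodes the rules above (length first, no single dictionary word or word plus one digit, nothing from a common-password list, and a mix of character classes) and runs the notification's own three examples through them; the word lists and the 15-character minimum are constructed assumptions, not HHS policy values.

```python
import re
import string
from typing import List

# Constructed stand-ins for the word and common-password lists attackers use
# for guessing; a real deployment would load full lists (one entry per line).
COMMON_WORDS = {"password", "pineapple", "pizza", "welcome", "letmein", "qwerty", "summer"}
COMMON_PASSWORDS = {"password1", "123456", "qwerty", "welcome1", "summer2022"}


def check_password(pw: str, min_len: int = 15) -> List[str]:
    """Return policy findings for pw; an empty list means it passes.

    min_len=15 is an assumed local policy value; the advisory's rule is
    simply "use the longest password the system permits".
    """
    findings = []
    low = pw.lower()
    if len(pw) < min_len:
        findings.append(f"too short: {len(pw)} chars, want at least {min_len}")
    if low in COMMON_PASSWORDS:
        findings.append("appears on a common-password list")
    # A bare dictionary word, or one digit before/after a word (e.g. Password1).
    m = re.fullmatch(r"(\d?)([a-z]+)(\d?)", low)
    if m and m.group(2) in COMMON_WORDS:
        findings.append("single dictionary word (optionally with one digit) is trivially guessable")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 3:
        findings.append("use at least three of: lower, upper, digits, special characters")
    return findings


if __name__ == "__main__":
    for candidate in ("Password1", "pineappleonpizzaistasty", "pin3appl30nPizzaI$Ta$ty"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The long all-lowercase passphrase passes the length and dictionary rules but is flagged on character mix, which is exactly the "length over complexity, but complexity still matters" point.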

Never reveal your passwords to others.

  • Your login credentials protect information that is as valuable as the money in your bank account. Nobody needs to know your password but you. If someone is asking for your password, it is a scam.


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272