Strong passwords protect your data as well as the entire City network.  A poorly chosen password can be easily guessed.  If this happens, a security breach can compromise the entire network.  In general, a strong password is one that is long enough and unusual enough that it cannot be readily guessed.

1. Make non-administrator passwords at least 8 characters long.

 Strong non-administrator passwords (passwords that allow access to sites and accounts) must have at least eight characters.


2. Make administrator and sensitive/critical account passwords at least 15 characters long.

 Strong administrator passwords (passwords that allow users to control systems, networks, or accounts) must have at least fifteen characters.


3. Use both uppercase and lowercase letters.

 Strong passwords must use a combination of uppercase and lowercase letters.

Example: LPtRfWjXsw


4. Include digits and special characters.

 Strong passwords should also use digits and special characters in combination with letters.

Example: LP(4R^f7W!1


5. Do not use words in the password.

 Don’t create passwords from words in any language, slang, dialect, or jargon. Passwords should make sense only to you.  One recommended technique is to use the first letter of each word in a long phrase that you can easily remember, then add in capitalization, numbers, and special characters.


6. Do not use words with Os and l’s changed.

 Don’t try to circumvent the previous practice by changing Os in a word to zeroes, or changing l’s to 1's or pipes (vertical bars).  Hackers are aware of this common practice and will try those substitutions when guessing.


7. Do not use passwords from other accounts.

 Don’t use the same passwords, even strong passwords, for different accounts. Each of your accounts should have a unique password.  A password manager, such as KeePass, is recommended to help keep track of all of your passwords. Most password managers will even auto-generate a random, strong password for you! Malicious actors often sell or post online account credentials that were stolen in a system breach. The stolen credentials are then used to try to authenticate on other systems.


8. Do not create passwords based on names or other personal information that can be found online.

 Don’t use personal or family names to create a password.  Limit posting personal information about you on social media.  Don’t use titles either—that is, don’t use the name of a book, a song, or a movie.


9. Do not sequence passwords. 

 Don’t add, or change, a number or letter to a previous password to create a new password. For instance, don’t change “LP(4R^f7W!1” to “LP(4R^f7W!2”. The new password should not be similar to the previous 10 passwords.
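The composition rules (1 through 6) and the history rule (9) above, written out as an added checker script. This is an illustrative example, not part of the City policy or any City tool; the toy wordlist, the substitution table it reverses, and the "too similar" threshold (an edit distance of 2 or less, which catches the LP(4R^f7W!1 to LP(4R^f7W!2 change) are assumptions made here for the demonstration.

```python
import string

# Minimum lengths from the policy: 8 for ordinary accounts, 15 for administrator/critical ones.
MIN_LENGTH = {"user": 8, "admin": 15}

# Constructed toy wordlist for the demo; a real check would load a full dictionary,
# slang and jargon list as the policy describes.
WORDLIST = {"password", "welcome", "summer", "letmein", "admin", "network"}

# Common substitutions (rule 6): undo them before looking for dictionary words.
# The O->0 and l->1/| swaps are the ones the policy names; the rest are assumed extras.
LEET = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})


def contains_word(pw, wordlist=WORDLIST):
    """True if any wordlist entry appears in the password, as typed or after de-leeting."""
    lowered = pw.lower()
    variants = {lowered, lowered.translate(LEET)}
    return any(w in v for v in variants for w in wordlist)


def edit_distance(a, b):
    """Levenshtein distance: number of single-character inserts, deletes or changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_password(pw, role="user", history=(), max_edit=2):
    """Return the list of policy rules the candidate password violates (empty means it passes).

    history: previously used passwords, most recent last; only the last 10 are compared (rule 9).
    max_edit: assumed threshold below which a new password counts as a sequenced variant.
    """
    problems = []
    if len(pw) < MIN_LENGTH[role]:
        problems.append(f"rule 1/2: shorter than {MIN_LENGTH[role]} characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("rule 3: needs both uppercase and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("rule 4: needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("rule 4: needs a special character")
    if contains_word(pw):
        problems.append("rule 5/6: contains a dictionary word (possibly with 0/1/| substitutions)")
    for old in list(history)[-10:]:
        if edit_distance(pw, old) <= max_edit:
            problems.append("rule 9: too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, including the policy's own examples.
    for candidate, role, hist in [
        ("LPtRfWjXsw", "user", []),                 # rule 3 example: letters only
        ("LP(4R^f7W!1", "user", []),                # rule 4 example: passes for a user account
        ("LP(4R^f7W!1", "admin", []),               # too short for an administrator account
        ("LP(4R^f7W!2", "user", ["LP(4R^f7W!1"]),   # rule 9: sequenced variant
        ("Passw0rd!", "user", []),                  # rule 6: 0-for-O substitution
    ]:
        print(f"{candidate!r} ({role}): {check_password(candidate, role, hist) or 'OK'}")
```

The de-leeting step is what makes rule 6 enforceable: "Passw0rd!" passes every character-class test, but mapping 0 back to o exposes the dictionary word underneath.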

10. Change your passwords on a regular basis.

 It is recommended to change your passwords on a regular basis.  For sensitive accounts, such as work or banking/financial accounts, you should change them more frequently.  By changing your passwords regularly you reduce your exposure from a data breach or other password leak.

11. Don't store your passwords in an insecure manner.

 You should never store your passwords where someone can easily find them, such as under your keyboard or in a desk drawer.  Again, a password manager is a great way to securely store and manage your passwords.

12. Whenever possible, enable MFA.

 Multi-Factor Authentication prevents a malicious actor from successfully authenticating to your account if your password is breached or stolen.  It requires an additional factor (something you know, something you have, or something you are, such as a fingerprint).  The most secure MFA methods use the latest protocols (such as WebAuthn or FIDO2, with a security token or an authenticator app).  Time-based One-Time Passwords (TOTP) are not quite as secure, but they are adequate for most accounts.  Email, SMS text messages, and phone calls are not very secure, but they are better than passwords alone.