How to secure your online accounts
Our various online accounts can store a lot of private data, such as bank information, credit card numbers, home addresses, phone numbers, etc., making each of us a prime target for phishing, social engineering, and identity theft. With so much on the line, isn’t it worth taking a few minutes to ensure you use a strong password and multifactor authentication, update default account settings, or review your social media posts for sensitive information?
The first step to securing any account is a strong password. Cybercriminals trying every possible password combination can crack a weak password in a matter of hours. The same process may take more than a lifetime if the password is longer, contains lower- and uppercase letters, and uses numbers and special characters, especially when arranged randomly.
Use passwords that cannot be easily guessed, and protect your passwords from others.
- Do not share your usernames or passwords.
- Avoid writing usernames and passwords down.
- Consider using a password manager, which securely stores your passwords across all devices.
The following passwords are weak as they can be easily guessed or deciphered.
Strong, cryptic passwords contain a mixture of numbers, symbols, and uppercase and lowercase letters. You can create a strong and unique password by using a phrase and incorporating acronyms and shortcut codes.
A strong password should also be:
- A minimum of 14 characters (as recommended by Microsoft), but the longer the better!
- While the U requires a minimum password length of eight characters, increasing password length by even a single character makes it 93 times harder for a criminal to crack.
- Difficult to guess.
- It should not include personal information, such as usernames; names of family, friends, or pets; birthdays; addresses; hobbies; etc.
- Unique for every account, especially critical accounts, such as banking.
- Stolen passwords are often posted online for other threat actors to use. If one of your passwords is cracked on one site, a criminal may try using that password on other websites to gain access to more of your accounts.
The following passwords are strong:
You should password-protect all of your devices. Try our secure password tester to check if your passwords are strong enough or if you should change any of them.
Multifactor authentication (MFA)
A strong password is only half the battle in keeping your account secure. Also known as two-factor authentication (2FA) and two-step verification, multifactor authentication (MFA) is a highly effective step in securing your account. MFA can take multiple forms, all of which ensure that you are the only one accessing your account.
MFA methods include:
- A verification code received by email or text
- Biometric identification, such as facial recognition
- An additional security question
- A code from an authenticator app like Duo Security
- A secure hardware token
The University of Utah requires Duo Security to access university accounts and resources, such as UMail, UBox, Campus Information Services (CIS), and Canvas. Duo’s mobile app works on most smartphones and tablets, and is the preferred method of authentication. You may also purchase a Duo token through the U Campus Store. You can manage Duo 2FA for your U accounts through the Duo Management Portal.
Sharing information on social media
What you share on social media could compromise your account. For example, one common way to reset passwords is by answering security questions, and if you’re not careful, someone may be able to guess your answers from your social media and break into your accounts.
Common social media mistakes include:
- Providing excessive personal information
- Ignoring privacy settings
- Using an easy-to-guess password
- Commenting on or sharing posts that ask, “What is your favorite hobby?” or “What was your first car?”
- Online services often use these common security questions as part of the password reset process
- Not using MFA
What you can do:
- Be careful about what you share
- Set your profiles and accounts to private so only your friends can access your posts and information
- Do not accept unknown connection/friend requests
- Use complex passwords
- Turn on MFA when available