Smart Password & Passphrase Tips

Protect Your Accounts

Why It Matters

Your password is often the first—and sometimes only—line of defense between your data and cybercriminals. Weak or reused passwords are easy targets for attackers.

What Makes a Strong Password?

A strong password should be:

  • At least 15 characters long
  • A mix of uppercase, lowercase, numbers, and symbols
  • Unique to each account
  • Never shared with others

Passphrases: Easy to Remember, Hard to Crack

Passphrases are longer, more memorable, and more secure—if done right. Avoid obvious choices like M$UDenver2025 or anything tied to your school, location, or birthday.

Instead, try something personal but random, like:

  • sNowBoarding@brecki5fun!
  • IL0ve2Dance!InTheRain
  • LyricsLike:Th3SkyIsBlu3&SoAmI
  • Coffee4Breakfast&coDe@Night
  • MYdog$chases3squirrelsdaily

Tips:

  • Use a line from a song, poem, or movie and tweak it with numbers and symbols (maybe not your favorite artist).
  • Combine hobbies, places, or phrases in unexpected ways.
  • Capitalize randomly and add special characters.

Tools to Help You Out

Password Managers
While we don't recommend a specific product, you can store and manage all your passwords with some of these examples:

Most password managers support biometric login and built-in password generators. Passphrases are great, but completely random passwords are even better!

MFA Methods Ranked: Good → Better → Best

Multifactor Authentication (MFA) adds a second layer of security. MSU Denver accounts require MFA but do not permit SMS.  You can enable MFA on personal accounts too—like banking, streaming, and email—for added peace of mind.  But not all MFA is the same:

🔹 Good: SMS or Phone Call Verification

  • How it works: You receive a code via text or phone call.
  • Pros: Easy to use, widely supported.
  • Cons: Vulnerable to SIM swapping, phishing, and interception.  Typically requires a cellular signal.
  • Use when: No other option is available.

🔸 Better: App-Based Push Notifications or Number Matching

  • How it works: You approve a login attempt via an authenticator app (e.g., Microsoft Authenticator, Duo) or input a number.
  • Pros: More secure than SMS, harder to intercept, will function on WiFi and/or cellular data.
  • Cons: Still susceptible to phishing if users approve fake requests or if they become victims of adversary-in-the-middle (AITM) attacks (these are becoming more common!). If you receive a message at 2 AM and it's not you, it's probably a sign your password is compromised and should be reported ASAP!
  • Use when: You want convenience with improved security.

🛡️ Best: Phishing-Resistant, Device-Bound MFA

  • How it works: Uses hardware tokens (e.g., YubiKey), biometrics, or passkeys tied to your device.
  • Pros: Resistant to phishing, replay attacks, and credential theft.
  • Cons: Requires setup and compatible devices.
  • Use when: You want the highest level of protection—ideal for sensitive accounts like banking or sensitive systems.