OVERVIEW
Target audience: McGill faculty, students and staff.
One of the best ways to protect yourself online is to use a strong, unique password. This article provides guidance on creating strong passwords.
The importance of a strong, unique password
When your password can easily be guessed or cracked, or has been exposed in a data breach, it can lead to serious consequences such as identity theft, the loss of confidential data and, in some cases, the compromise of entire systems. See below for some tips on how to create a strong, secure password.
Tips for secure passwords
- Make each password long and strong.
The more characters in your password, the stronger it is. Short passwords can easily be cracked by an attacker, especially if they use common words.
- Use multiple words to create a passphrase you can easily remember, for example "Don't forget to stand" or "stopping-woods-snowy-evening".
- Create a unique password for each account.
- Don't use the same password for different accounts. If one account gets hacked, all your other accounts with the same password could be at risk.
- Never reuse passwords.
- Keep your passwords secret.
- Never share them with anyone, including your supervisor or family members.
- Use a password manager for your personal passwords, and ask your employer if they offer a solution for work-related passwords.
- Don’t write down passwords or store them in locations where they can be found by anyone else.
- If someone contacts you asking for your password claiming they need it so they can help you, don’t engage with them. If they are calling you on your McGill phone number, hang up, and report the incident to the IT Service Desk. If they’re asking by email, report it as phishing.
- Don’t use information someone can easily find out about you, like the name of your pets, family members, favourite song, or your favourite quote.
- Never use public computers to log in to your online accounts.
Exception: McGill computers that allow you to first log in with your own McGill account. Make sure you log out as soon as you are done, or any time you step away – even if just for a minute.
- Use Two-Factor Authentication whenever possible. Set up Two-Factor Authentication (2FA) on your McGill account.
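
The arithmetic behind the "long and strong" and passphrase tips above, as an added example that is not part of the original article: it estimates strength in bits for randomly chosen words versus random characters, and draws a passphrase with Python's `secrets` module. The word list is a constructed sample, and the 7776-word list size and 94-symbol alphabet are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed 32-word sample list, kept short so the example is self-contained.
# A real generator should load a much larger list (diceware-style lists have
# 7776 words); the list size is what sets the strength gained per word.
SAMPLE_WORDS = (
    "amber anchor barley beacon cactus canyon cedar cobalt "
    "dahlia ember falcon garnet harbor indigo jasper kettle "
    "lantern maple nectar orchid pepper quartz raven saddle "
    "thistle umber velvet walnut yarrow zephyr meadow pillow"
).split()


def passphrase_bits(num_words, wordlist_size):
    """Bits of entropy when each word is picked uniformly at random.

    This does not apply to phrases a person made up (quotes, lyrics, names):
    those are far more predictable than the arithmetic suggests.
    """
    return num_words * math.log2(wordlist_size)


def random_password_bits(length, alphabet_size=94):
    """Bits of entropy of a random password over 94 printable ASCII symbols."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(num_words, words=SAMPLE_WORDS, sep="-"):
    """Draw words with the OS CSPRNG (secrets), never the random module."""
    if num_words < 1 or len(set(words)) < 2:
        raise ValueError("need at least one word and a list of distinct words")
    return sep.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    print("example passphrase (sample list):", generate_passphrase(6))
    print(f"8 random characters : {random_password_bits(8):.1f} bits")
    for n in (4, 5, 6, 7):
        print(f"{n} words from 7776   : {passphrase_bits(n, 7776):.1f} bits")
    print("words needed for 80 bits:", words_needed(80, 7776))
```

Each extra random word adds the same number of bits, so length raises strength steadily while the passphrase stays easy to type and remember.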

When should I change my password?
If you’re using strong, unique passwords, you only need to change them if there is a risk or confirmation that your password has been exposed (e.g. compromised). For example, you should change your password immediately if you spot:
- Unexpected Password Changes: You receive a notification that your password has been changed, but you didn't do it.
- Unusual Account Activity: You notice changes or activities in your accounts that you didn't make.
- Security Alerts: You get alerts from websites or services about suspicious login attempts or security breaches.
- Leaked Password Lists: Your password appears in a leaked password database or on a site like Have I Been Pwned. Tip: this site lets you sign up for notifications if your email address(es) are spotted in major data breaches.
- Your password manager notifies you that your password has been compromised.
- News about a data breach: You might hear about a data breach in the news involving a service you use, or that organisation might contact you directly to let you know your data was impacted.

Learn what to do when your McGill account is compromised.

Tools and resources to help you create, manage and monitor your password
The Holiday passphrase generator, available from the official Canadian Get Cyber Safe website, can help you come up with creative passphrases that only you will know and remember.
Use a password manager
Most of us have many online accounts, resulting in a large volume of passwords that we can’t easily remember. A password manager addresses this issue; it helps securely create, store, and retrieve your passwords.
For more information about password managers and selecting the right one for your personal use, consult the following resources:

