May 2025

National Password Day is observed annually on the first Thursday of May, which fell on May 1st in 2025. The day is dedicated to raising awareness about the importance of secure password practices. Passwords are extremely important, as they are often the primary barrier preventing unauthorized access to sensitive systems, data, and personal information. However, passwords can be challenging for individuals. People often choose simple, easy-to-remember passwords, or reuse passwords across multiple services. These habits are frequently exploited by cybercriminals to gain unauthorized access, and they are completely avoidable. When passwords are created to strong security standards and used properly, it becomes extremely difficult for an attacker to gain access with a password alone. So for this month, we are diving into passwords, including the BSD’s recommended minimum requirements, the use of password managers, and multi-factor authentication. By understanding and applying these best practices, you can help ensure that both your personal and University-related digital accounts remain secure.


Compromising A Password

Over the years, minimum password requirements have changed, because as computing power increases, so does the speed at which attackers can compromise passwords. A password that was considered relatively secure 10 years ago may no longer be considered so by today’s standards, simply because attackers can now guess passwords at a faster rate. In 2020, Hive Systems began publishing charts that show roughly how long it would take to compromise passwords of given lengths and character mixes. The chart on the left is for 2025, and the chart on the right is from 2024, each using the fastest hardware available at the time:

For those knowledgeable in computer hardware, the 2025 chart numbers used 12 RTX 5090 Graphics Cards, and the 2024 chart used 12 RTX 4090 Graphics Cards.

Looking at the above charts, it is clear that in just one year, some passwords have become significantly faster for attackers to compromise. However, passwords that use more characters and incorporate more character types are significantly harder to crack. With enough length and variety, a password can take billions, trillions, or quadrillions of years to guess, assuming no further increase in hardware speed. This is why it is important to regularly review minimum password requirements, and preferably to create passwords beyond the minimum standard, leaving a ‘buffer’ so that a password does not become inadequate or obsolete too quickly.

Minimum Password Requirements

The BSD’s minimum requirement for passwords is 12 characters, with characters from at least 3 of the following 4 categories: lowercase letters, uppercase letters, numbers, and symbols.

The BSD also has standards for the use of passphrases. Passphrases are passwords created from combinations of words, which are often significantly easier to remember than randomly generated passwords. However, because passphrases do not typically use additional characters like numbers and symbols, the minimum requirement for them is stricter: a minimum of 19 characters. The below image summarizes the BSD’s password and passphrase requirements:
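To make the two BSD rules above concrete, and to tie them back to the brute-force timing charts discussed earlier, here is an added example (written for this newsletter, not a BSD tool) that checks a candidate against the 12-character/3-category rule and the 19-character passphrase rule, then estimates the worst-case search space an attacker would have to exhaust. The guessing rate is a hypothetical figure, since the charts above do not state one; the symbol set is assumed to be ASCII punctuation.

```python
import math
import string

# Character classes assumed for the BSD categories (symbols = ASCII punctuation).
CATEGORIES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "symbols": set(string.punctuation),
}
MIN_PASSWORD_LEN, MIN_CATEGORIES = 12, 3   # password rule from the newsletter
MIN_PASSPHRASE_LEN = 19                     # passphrase rule from the newsletter
SECONDS_PER_YEAR = 365 * 24 * 3600


def categories_used(secret: str) -> set:
    """Names of the character classes that appear in `secret`."""
    return {name for name, chars in CATEGORIES.items() if any(c in chars for c in secret)}


def meets_bsd_minimum(secret: str) -> bool:
    """12+ chars with 3+ categories, or a 19+ char passphrase (fewer categories)."""
    if len(secret) >= MIN_PASSWORD_LEN and len(categories_used(secret)) >= MIN_CATEGORIES:
        return True
    return len(secret) >= MIN_PASSPHRASE_LEN


def keyspace_bits(secret: str) -> float:
    """Bits an attacker must search who knows only the length and classes used."""
    alphabet = sum(len(CATEGORIES[name]) for name in categories_used(secret))
    return len(secret) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(secret: str, guesses_per_second: float) -> float:
    """Worst-case years to try every string of the same length and classes.
    Note: passphrases built from dictionary words are weaker than this figure
    suggests, because attackers guess whole words rather than single letters."""
    return 2 ** keyspace_bits(secret) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    RATE = 1e12  # hypothetical guesses per second, NOT a figure from the charts
    for candidate in ["Tr0ub4dor&3", "Password123!", "correcthorsebatterystaple"]:
        print(f"{candidate!r:30} meets minimum: {meets_bsd_minimum(candidate)!s:5} "
              f"{keyspace_bits(candidate):6.1f} bits  "
              f"{years_to_exhaust(candidate, RATE):.3g} years at {RATE:.0e}/s")
```

Note that a password such as the constructed "Password123!" satisfies the minimum yet is a common pattern; the rule is a floor, not a guarantee.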


Password Managers

While the above standards do produce strong passwords, they do not solve an additional problem: individuals often reuse the same password across multiple accounts. This is a significant problem, as there is always the possibility that one service will be compromised and expose that password. Since individuals often share the same email address or username across multiple accounts, reusing a password means that the failure of one service compromises the security of all of those accounts. The tendency to use a single password arises because remembering many passwords is challenging. This problem can be solved with password managers: programs that generate and store a distinct password for each account. To access those passwords, you only need to remember one master password, while the stored passwords can be randomly generated to high security standards. Password managers also frequently come with other quality-of-life features, such as tools to generate secure passwords, synchronizing passwords across multiple devices, and automatically filling in passwords on login pages. This last feature is useful in preventing phishing attacks: if the URL does not match the one saved within the manager, the password will not be automatically filled in, which can alert you that the webpage may be fraudulent.
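The anti-phishing behaviour described above comes down to an exact origin comparison. The following is an added illustration for this newsletter (not the code of any real password manager) of that decision: a constructed vault entry saved for a hypothetical login page, and a check that refuses to fill on lookalike hosts, on a plain-http copy of the page, and on URLs that hide the real host behind a "user@" prefix.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample vault: each entry remembers the exact origin it was saved on.
VAULT = {
    "university-portal": {"origin": "https://login.example.edu", "username": "jdoe"},
}
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> Optional[str]:
    """Normalise a URL to scheme://host[:port]; None if it is not a web URL."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:          # malformed port number
        return None
    # .hostname already drops any "user:pass@" prefix and lowercases the host,
    # so "https://login.example.edu@evil.test/" resolves to host evil.test.
    suffix = "" if port == DEFAULT_PORTS[parts.scheme] else f":{port}"
    return f"{parts.scheme}://{parts.hostname}{suffix}"


def autofill_allowed(entry: dict, page_url: str) -> bool:
    """Fill credentials only when the page origin exactly equals the saved origin.
    Subdomains, scheme downgrades and lookalike hosts all fail this test."""
    origin = origin_of(page_url)
    return origin is not None and origin == entry["origin"]


def entry_for_page(vault: dict, page_url: str) -> Optional[str]:
    """Return the label of the vault entry that may be filled on this page, if any."""
    for label, entry in vault.items():
        if autofill_allowed(entry, page_url):
            return label
    return None


if __name__ == "__main__":
    for url in ["https://login.example.edu/sso?next=/home",
                "https://LOGIN.example.edu:443/",
                "http://login.example.edu/",                    # scheme downgrade
                "https://login.example.edu.evil-example.test/",  # lookalike host
                "https://login.example.edu@evil-example.test/"]:  # userinfo trick
        print(f"{url:50} -> {entry_for_page(VAULT, url) or 'no autofill'}")
```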

During our April Destruction Event, we encountered machines with passwords written on sticky notes attached to them. Please avoid this practice! Writing passwords on sticky notes compromises security and makes sensitive information easily accessible.

Password managers are a great tool for bolstering security, but a common concern about them is, “if a hacker guesses the password to our password manager, won’t they get all of our passwords?” This is why it is extremely important to choose a long and secure master password to protect the rest of your passwords. By using a password manager, individuals only need to remember one master password, making it easier to focus on creating a single, strong, and secure password. When choosing a password manager, keep the following points in mind:

  • It is recommended to use password managers that have multi-factor authentication (more on this in the next section) to further increase the security of your passwords.
  • A password manager should have a good security reputation. We should consider managers that use secure encryption standards and avoid ones that have had a history of multiple data breaches.
  • Building upon the previous two points, the built-in password managers included with a browser or device, such as Edge Wallet, Chrome autofill, and Apple Keychain, are not recommended, as they usually lack two-factor authentication and secure encryption standards. Usually these lack any kind of password protection at all, so if a device is shared or left unlocked in the open, all of its stored passwords can be vulnerable. We recommend reputable services that function through a website or browser extension.

Multi-Factor Authentication

While having a secure password is certainly important for secure authentication, it should not be the only factor that determines entry into an account. Even secure passwords are not immune to being stolen through phishing, data breaches, or keyboard-sniffing malware. This is why it is best not to rely on passwords alone, but to have multiple layers of defense. This concept is known as “Multi-Factor Authentication” (MFA), although it is frequently referred to as “Two-Factor Authentication,” as most accounts use only two layers of defense. Adding another layer of defense enhances your account security significantly, as an attacker would need to compromise the password and each additional factor. A second layer of defense also makes phishing attacks significantly harder to pull off, as attackers must not only steal a victim’s password but also obtain their MFA credentials, adding time and complexity that often expose the attack. It is for this reason that the BSD encourages the use of MFA whenever possible.

What serves as an additional factor for authentication? There are a few ways that this can be implemented:

  • Authentication Codes: This is the most common form of multi-factor authentication, where a secondary code is sent to a trusted device (typically a smartphone) via email, SMS, or an authentication app. This is the method used by the University through the Duo Authentication service, although unlike most authentication apps, you enter the code into the app, rather than the app generating a code.
  • Biometric Authentication: This usually is implemented in the form of a fingerprint, face, or iris scan. Most commonly this is simply used as one layer of authentication (usually for logging into your phone), but some services will require both your password and a biometric scan to log in.
  • Location: Some services will prevent logins from foreign locations. For example, if your banking service sees an expensive purchase in another country, it might block the transaction on suspicion of fraud.

If you have questions on the University’s Authentication service, then we recommend checking the page here: https://security.uchicago.edu/two-factor-authentication/

For personal accounts, the options available for MFA will often be limited depending on the service. Some may only offer two-factor authentication through SMS, but whenever possible, we recommend the use of an authenticator app. These apps typically work by scanning a QR code provided by the service, after which the app generates codes that change roughly every 30 seconds. This is very difficult for attackers to get around, as it is much harder to guess a code that regularly changes. There are plenty of reputable authentication apps available, such as those from Google and Microsoft, but note that the Duo Mobile app used by the University also has this functionality, so you can keep all of your MFA credentials in one place. If a service cannot be used with an authentication app but does offer additional MFA options through email or text, we still recommend using them. Authentication apps are generally considered the most secure form of MFA (short of using a USB token, which we will not discuss today), but adding any additional layer of defense will make an account more secure than relying on one alone.

We hope this information has been helpful. With this knowledge, you should be able to create and handle passwords that will keep your accounts safe.

If you have any topics you would like us to write about in our newsletter, please feel free to drop us a line and let us know by e-mailing security@bsd.uchicago.edu.