Passwords


One of the most common ways hackers gain access to personal information is by cracking passwords. New tools allow attackers to test substantial amounts of password “guesses” on thousands of computers, and it only takes one correct attempt to cause irreparable damage.

Your online accounts – including your GatorLink – hold a plethora of personal information that could allow hackers access to your files, money, or identity, as well as those of your school or employer! Even seemingly inconsequential information can be dangerous in the wrong hands; social engineers can weaponize small details about an individual by using that information for impersonation, thereby gaining access to much more sensitive information.

The first step in protecting yourself from these attacks is following sound password practices. Read on to learn more about the best ways to set and enhance your passwords.

Need to update your GatorLink password? Visit the GatorLink Account Management Portal.

Setting Strong Passwords

There are two main categories of passwords to consider: traditional and passphrases. Both can sufficiently protect your accounts when configured correctly.

Traditional Passwords

The table below shows the estimated time it would take an attacker to guess your password, based upon its length and composition. As shown, longer and more complex passwords are strongest.

| Number of Characters | Numbers Only | Lowercase Letters | Upper and Lowercase Letters | Numbers, Upper and Lowercase Letters | Numbers, Upper and Lowercase Letters, Symbols |
|---|---|---|---|---|---|
| 4 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 5 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 6 | Instantly | Instantly | Instantly | 1 sec | 5 sec |
| 7 | Instantly | Instantly | 25 sec | 1 min | 6 min |
| 8 | Instantly | 5 sec | 22 min | 1 hour | 8 hours |
| 9 | Instantly | 2 min | 19 hours | 3 days | 3 weeks |
| 10 | Instantly | 58 min | 1 month | 7 months | 5 years |
| 11 | 2 sec | 1 day | 5 years | 41 years | 400 years |
| 12 | 25 sec | 2 weeks | 300 years | 2k years | 34k years |
| 13 | 4 min | 1 year | 16k years | 100k years | 2m years |
| 14 | 41 min | 51 years | 800m years | 9m years | 200m years |
| 15 | 6 hours | 1k years | 43m years | 600m years | 15bn years |
| 16 | 2 days | 34k years | 2bn years | 37bn years | 1tn years |
| 17 | 4 weeks | 800k years | 100bn years | 2tn years | 93tn years |
| 18 | 9 months | 23m years | 61tn years | 100tn years | 7qd years |

  • All passwords must contain at least 8 characters, though using 14 or more will make your password hack-resistant
  • Do not include words found in a dictionary, or the name of any character, person, product, organization, or media
  • Combine uppercase letters, lowercase letters, numbers, and symbols
    • Avoid common substitutions of letters (such as 0 for o, or $ for S), as password crackers know and frequently guess such replacements
  • Make them significantly different than your other passwords
  • Mix up the order; do not put all the symbols and numbers at the end of the password
  • Do not include anything easily associated with you, including:
    • Name
    • Birthday
    • Address
    • Username/ID number
    • Phone number
    • Names and birthdays of relatives and friends
    • Names of your pets
    • Any other information that could be easily found about you, such as what you have posted on your social media accounts
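
The rules above can be turned into an automated check. The following is an added example, not part of the original page: the word list, substitution map and function name are assumptions made for illustration, and a real check would load a full dictionary.

```python
import re

# Constructed sample word list; a real check would load a full dictionary.
WORDS = {"password", "gator", "maverick", "dragon", "summer"}

# Common letter substitutions (such as 0 for o, or $ for S), mapped back to letters.
LEET = str.maketrans({"0": "o", "$": "s", "@": "a", "1": "l",
                      "3": "e", "5": "s", "!": "i"})

CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def check_password(pw, personal=()):
    """Return the list of rules from the page that pw breaks (empty list = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not all(re.search(c, pw) for c in CLASSES):
        problems.append("missing a character class")

    # Undo substitutions and drop non-letters, so "P@$$w0rd" reads as "password".
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if any(word in letters for word in WORDS):
        problems.append("contains a dictionary word")

    # Letters first, then every number and symbol bunched at the end.
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z]+", pw):
        problems.append("numbers and symbols only at the end")

    # Personal details supplied by the caller (name, birthday, pet name, ...).
    low = pw.lower()
    if any(item and item.lower() in low for item in personal):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    for candidate in ["P@$$w0rd1", "Summer2024!", "HFDaG1975Fd-Mvk"]:
        print(candidate, check_password(candidate))
```

Passing this check does not make a password strong; it only shows that none of the listed weaknesses was detected.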

A good idea for creating strong passwords is to combine a letter (or a few letters) from each word of a memorable phrase. For instance:

  • Phrase: His father drove a green 1975 Ford Maverick
    Password: HFDaG1975Fd-Mvk

  • Phrase: Jack and Jill have two orange tabby cats named Whiskers and Tuna.
    Password: J&Jh2OTcnWs&Ta

Passphrases

  • Make them difficult to guess, even by someone you know
  • Choose at least 4 words for your passphrase
    • To make your passphrase extremely secure, use at least 6 words
    • Do not worry about the character count of your passphrase; what matters is word count and randomness
  • Make sure the words you choose are sufficiently random and unrelated to each other
    • “TheDogGoesWoof” is a weak passphrase
    • “SparkleShimmerShineDiamond” is also a weak passphrase
  • Make them easy for you to remember
  • Include uncommon words in your passphrase
  • For added security, insert a character or number between two of the words
  • Consider using the Diceware word list (see the Using Diceware section) to create truly random combinations of words
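
The passphrase advice above (at least 4 random words, 6 for extra security, word count over character count) can be made concrete with a generator and an entropy calculation. This is an added example, not part of the original page; the 16-word list is constructed for illustration, and the function names are assumptions. The full Diceware list has 7,776 words.

```python
import math
import secrets

# Constructed sample list; substitute the full 7,776-word Diceware list in practice.
SAMPLE_WORDS = ["anvil", "bramble", "cobalt", "dune", "ember", "fjord",
                "gusto", "harbor", "icicle", "jigsaw", "kelp", "lantern",
                "mosaic", "nectar", "orbit", "plume"]


def generate_passphrase(words, count=6, sep="-"):
    """Pick `count` words uniformly at random with a cryptographic RNG."""
    if count < 4:
        raise ValueError("use at least 4 words")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, length):
    """Bits of entropy when each of `length` symbols is drawn uniformly
    from `choices` options. This holds only for random selection; a phrase
    a person makes up (such as "TheDogGoesWoof") gets no such guarantee."""
    return length * math.log2(choices)


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    # Word count drives strength: each Diceware word adds about 12.9 bits.
    print("4 Diceware words:", round(entropy_bits(7776, 4), 1), "bits")
    print("6 Diceware words:", round(entropy_bits(7776, 6), 1), "bits")
    # For comparison: 8 random characters from the 94 printable ASCII symbols.
    print("8 random chars:  ", round(entropy_bits(94, 8), 1), "bits")
```

Four random Diceware words carry roughly the same entropy as eight fully random printable characters, while six words go well beyond it.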

Storing Passwords

Once you have created a strong and unique password, safely storing it is critical. Below are some tips and solutions for the safe storage of your passwords:

It is important to note that UF policy forbids any digital storage of passwords used for UF business, including GatorLink passwords.

Next Steps

Setting up a strong password is a great first step in securing your accounts. However, it is not the only step you can take! If you are reading this, you are likely familiar with Multi-Factor Authentication (MFA) with Duo Mobile. UF requires MFA because it helps protect your GatorLink account from phishing emails, password cracking, and other cyber-attacks.

A good idea may be to enable similar MFA methods on your other accounts, including your personal email, bank, and social media accounts. Doing so adds an additional layer of protection. Brainstation has an in-depth guide on using MFA, and the 2FA Directory publishes a list of popular services that support MFA, with links on how to enable each.

For a general guide, check out the brief video below for a tutorial on the process of enabling MFA on your personal accounts:

Configuring MFA on your personal accounts can be a critical choice in protecting your accounts from compromise. It will require some extra effort compared to a password-only login, but in today’s evolving cybersecurity landscape, that effort can make all the difference in protecting your identity, financial information, and even your image.

1. Using a computer or tablet, visit the Account page for the website or service on which you wish to enable MFA
2. Locate and select the MFA/2FA menu
3. Select enable MFA/2FA and follow the prompts. Select authenticator app if given a list of options, and ignore any prompts to download a specific authenticator app (unless later setup fails).
4. When you reach a screen showing a QR code, pause and open the authenticator app (such as Duo Mobile) on your mobile device
5. Locate the option to add a new account, and select it
6. Select “Use QR Code.” You can use Enter Code as a fallback if the QR code method fails
7. Return to your computer, and use your phone’s camera to scan the displayed code
8. Once the code has been scanned, click Continue on your computer
9. On your mobile device, give this account a nickname. Afterward, enter the account code from your phone onto the computer to confirm everything is working
10. That’s it! Next time you sign into this account, you will use both your password and a code generated by your authenticator app.