Passwords

Access to all W3C TAG systems is controlled by a single password, managed at a central account server. While this simplifies using the systems, it can present a risk to enterprise security if users do not follow best practices with regard to password strength and secure credential storage. An attacker who gains control of a user’s account password is granted access to every system the user has rights to, increasing the potential damage.

In addition to following the password constraints and recommended best practices outlined below, users should enable Two-Factor Authentication for their account.

Constraints

  • Passwords must be at least 12 characters in length
  • Passwords must not begin or end with a space
  • Passwords must not contain easily guessable information such as the user’s name or email address
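The three constraints above can be checked mechanically before a password is accepted. The following is an added example, not code from the W3C TAG account server; the function names and the rule that identity fragments shorter than three characters are ignored are assumptions made for the example.

```python
import re


def guessable_tokens(user_name: str, user_email: str) -> set:
    """Pieces of the user's identity that must not appear in the password.

    Includes the full name, the full email address, the email local part, and
    each word of the name or local part. Fragments shorter than 3 characters
    are ignored (assumption) so that initials do not trigger false matches.
    """
    name = user_name.lower()
    email = user_email.lower()
    local_part = email.split("@", 1)[0]
    tokens = {name, email, local_part}
    for piece in re.split(r"[\s.@_+-]+", name + " " + local_part):
        if len(piece) >= 3:
            tokens.add(piece)
    return {t for t in tokens if t}


def check_password_constraints(password: str, user_name: str, user_email: str) -> list:
    """Return the list of violated constraints; an empty list means the password passes."""
    violations = []
    if len(password) < 12:
        violations.append("must be at least 12 characters in length")
    if password.startswith(" ") or password.endswith(" "):
        violations.append("must not begin or end with a space")
    lowered = password.lower()
    hits = sorted(t for t in guessable_tokens(user_name, user_email) if t in lowered)
    if hits:
        violations.append("must not contain easily guessable information: " + ", ".join(hits))
    return violations


if __name__ == "__main__":
    # Constructed sample user; no real account data.
    for candidate in ["correct horse battery", "alice2024!!!", " sh0rt pw "]:
        print(repr(candidate), check_password_constraints(candidate, "Alice Example", "alice@example.org"))
```

The identity check is case-insensitive and substring-based, which is deliberately stricter than an exact match: "Alice2024!!!" is rejected even though it is 12 characters long and contains digits and symbols.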

Best Practices

DO

  • Use a password manager to generate and securely keep track of all your passwords
  • Randomly generate passwords to prevent them from being guessed
  • Make your passwords long to prevent brute-force attacks
  • Include both upper-case and lower-case letters
  • Include one or more numerical digits
  • For passwords of less than 32 characters, use one or more special characters such as !, @, #, $, %, etc.

DON’T

  • Use words from your personal information or other easy-to-guess sources, e.g. calendar dates, telephone numbers, license plate numbers, spouse or pet names, etc.
  • Use single dictionary words, e.g. football, monkey, antidisestablishmentarianism, etc.
  • Use keyboard patterns, e.g. qwertyuiop, 1qaz2wsx, !@#$%^&*, etc.
  • Use simple sequences, e.g. abc123, 9876543210, aeiouy, etc.
  • Use common passwords, e.g. letmein, passw0rd, trustno1, etc.
  • Use emoji. Emoji encodings vary between platforms and change over time, causing your password to change in unpredictable ways. Furthermore, some device keyboards don’t support entering emoji, or change the available emoji over time.
  • Write down or store (in plain text) your passwords where they can be easily found
  • Re-use the same password for different sites, otherwise a compromise of one of your accounts can expose others

Unmanaged Passwords

Even if you use a password manager, you must have at least one unmanaged password: the one that protects all of the passwords stored in your password manager. Unmanaged passwords must never be written down or stored unencrypted anywhere, which means they need to be something you can remember and type in easily. However, they also need to be strong passwords, especially when used as the master password for a password manager.

Don’t create unmanaged passwords manually: humans are notoriously bad at both generating and recognizing randomness. Instead, use a tool that generates a strong, random password that is easy to memorize but very hard to guess.

One such tool is xkpasswd.net: click the XKCD preset, click Generate 3 Passwords, and select the one easiest to memorize.

Managed Passwords

Passwords stored in a password manager don’t need to be easily memorizable. This allows your managed passwords to be very long, random, and secure. Here are some best-practices we recommend for managed passwords:

  • Use a password of 32 characters or more (64 is recommended)
  • Use the password manager to generate unique, random passwords
  • Use a different password for every account
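Both kinds of password described above (a memorable, randomly chosen word-based unmanaged password, and a long, fully random managed password) can be produced from an operating-system randomness source rather than by hand. The following is an added example and is not code from xkpasswd.net or any W3C tool; the 16-word `DEMO_WORDS` list is constructed so the script runs offline, and `entropy_bits` shows why a real generator needs a list of thousands of words.

```python
import math
import secrets
import string

# Constructed toy word list so the example runs offline. A real passphrase
# generator draws from thousands of words; see entropy_bits() below.
DEMO_WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
]

# Special characters from the "DO" list above.
SPECIALS = "!@#$%^&*"
MANAGED_ALPHABET = string.ascii_letters + string.digits + SPECIALS


def entropy_bits(choices: int, draws: int) -> float:
    """Entropy of `draws` independent, uniform picks from `choices` options."""
    return draws * math.log2(choices)


def generate_passphrase(words=DEMO_WORDS, count: int = 4, digits: int = 2, separator: str = "-") -> str:
    """Unmanaged password: random words, capitalised so both letter cases appear,
    followed by a short random digit suffix."""
    parts = [secrets.choice(words).capitalize() for _ in range(count)]
    if digits:
        parts.append("".join(secrets.choice(string.digits) for _ in range(digits)))
    return separator.join(parts)


def has_all_classes(pw: str) -> bool:
    """True when upper-case, lower-case, digit and special characters are all present."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw))


def generate_managed_password(length: int = 64) -> str:
    """Managed password: uniformly random characters, redrawn until every
    character class appears. `secrets` is used so the draw is unpredictable."""
    while True:
        candidate = "".join(secrets.choice(MANAGED_ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    print("unmanaged:", generate_passphrase())
    print("  bits from 4 words of a %d-word list: %.1f" % (len(DEMO_WORDS), entropy_bits(len(DEMO_WORDS), 4)))
    print("managed:  ", generate_managed_password())
    print("  bits from 64 chars over %d symbols: %.1f" % (len(MANAGED_ALPHABET), entropy_bits(len(MANAGED_ALPHABET), 64)))
```

Four words from the 16-word demo list give only 16 bits of entropy, which is why the list is labelled a toy; the same four-word scheme over a few-thousand-word list is what makes a memorable passphrase strong. The 64-character managed password does not need to be memorable and gets several hundred bits without any effort from the user.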