Passwords

Tips and techniques for choosing and managing your passwords.

Use strong passwords for each service you use

Strong passwords are the first line of defence for your accounts. They protect your email and your data. The takeover of an account by a cybercriminal can put the University’s email, data and reputation at risk. Strong passwords protect you and everyone else.  

Long passwords are strong passwords. Most services, including University services, have a minimum password length, but you should always use longer passwords than the minimum, and longer still for elevated privileges or password managers. Please see the University Information Security Policies and Standards for details of University minimum password lengths.

The longer the password, the harder it is to "guess" or brute force – adding a few more characters can make it take literally hundreds of years more. In general there should be no maximum length for a password, so make yours as long as you can.

If you use a password manager you can choose the length of random password it generates. A long randomly generated password is the most secure but may also be hard to type manually; many password managers can type the password for you. 

You can also generate "strong enough" passwords by choosing three or more random, unrelated words of four or more letters, altering them as necessary to fit the password rules of the service or to add extra complexity. See the UK National Cyber Security Centre advice, and remember that using longer random unrelated words, or more words, will make longer and stronger passwords.
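The two points above (a few extra characters add an enormous number of guesses, and several random unrelated words give a strong passphrase) can be put into numbers. The following is an added example, not part of the University's page or of any tool it names: it counts how many guesses an attacker who tries every possibility would need for a random password of a given length, converts that into years at an assumed guess rate, and generates a random-word passphrase with Python's cryptographically secure `secrets` module. The short `WORD_LIST` is constructed for illustration; a real generator would use a list of several thousand words.

```python
import math
import secrets

# Constructed word list for illustration only (a real list has thousands of words).
WORD_LIST = [
    "apple", "bridge", "candle", "desert", "eagle", "forest", "garden",
    "harbour", "island", "jacket", "kettle", "lantern", "meadow", "needle",
    "orange", "pepper", "quartz", "river", "saddle", "tunnel", "umbrella",
    "violet", "walnut", "yellow", "zebra", "anchor", "basket", "copper",
    "dragon", "engine", "falcon", "glacier",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guesses_for_random_password(length, alphabet_size):
    """Guesses needed to try every password of `length` characters over an alphabet."""
    return alphabet_size ** length


def guesses_for_passphrase(words, list_size):
    """Guesses needed to try every combination of `words` words drawn from a list."""
    return list_size ** words


def entropy_bits(guesses):
    """Search space expressed in bits (each extra bit doubles the work)."""
    return math.log2(guesses)


def years_to_exhaust(guesses, guesses_per_second):
    """Worst-case time to try every guess at an assumed rate (assumption: offline attack)."""
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words=3, min_letters=4, separator="-", word_list=WORD_LIST):
    """Pick `words` random words of at least `min_letters` letters using a CSPRNG."""
    candidates = [w for w in word_list if len(w) >= min_letters]
    if len(candidates) < 2:
        raise ValueError("word list too small to generate a passphrase")
    # secrets.choice, not random.choice: random is predictable and unsuitable for secrets.
    return separator.join(secrets.choice(candidates) for _ in range(words))


def summary(guesses_per_second=1e9):
    """Rows comparing password lengths and passphrase sizes at one assumed guess rate."""
    rows = []
    for length in (8, 10, 12, 16):
        g = guesses_for_random_password(length, 26)          # lowercase letters only
        rows.append(("%d lowercase letters" % length, entropy_bits(g), years_to_exhaust(g, guesses_per_second)))
    for words in (3, 4, 5):
        g = guesses_for_passphrase(words, 7776)              # assumed 7776-word list (diceware size)
        rows.append(("%d random words (7776-word list)" % words, entropy_bits(g), years_to_exhaust(g, guesses_per_second)))
    return rows


if __name__ == "__main__":
    print("Assumed attacker rate: 1e9 guesses/second (constructed figure)")
    for label, bits, years in summary():
        print("%-34s %6.1f bits  %.3g years" % (label, bits, years))
    print("Example passphrase:", generate_passphrase(3))
```

Running it shows the point of the "a few more characters" remark: at the assumed rate, eight lowercase letters fall in minutes, while sixteen take over a million years, and each extra random word multiplies the attacker's work by the size of the word list.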

 

Protect your personal accounts

Personal accounts are your responsibility, and threat actors may consider them an easy target because they perceive them to have fewer security measures in place. As well as putting you at risk, a successful attack on your personal accounts can give an attacker a route to attack your University account. You should follow the advice below for your own accounts.

 

Use unique passwords for each service you use  

This means that if someone gains access to one of your passwords they do not gain access to your other services.  

Never use a password from a University service for any other service. The University cannot influence the security of non-University services, so we ask that you never reuse a University password anywhere else.

 

Never reveal your password 

If someone asks you for your password it is most likely a scam. Legitimate services, banks, IT Support, etc. never ask for your password. Pay attention to who might be watching as you enter your password, and avoid "shoulder surfing".

 

Managing your passwords 

Choose a method for managing your passwords that works for you. There are at least two basic methods for managing passwords: 

  • you store them in a (very) secure place 

  • you have a systematic way of working them out 

Whatever method you choose, you also need a recovery method: some way of resetting or renewing your password when you need to.

 

Password Storage 

Before using any password storage mechanism, make sure that the passwords are stored securely and encrypted with a strong password. The advice about using a strong, long password to encrypt and protect your other passwords applies in all cases, and the stored passwords should always be encrypted when not actively in use.

 

Storing passwords using password managers 

The University provides access to the LastPass password manager for free to all staff and students. More details can be found at: 

LastPass Information

Password managers can be a useful way to store your passwords; they can be held online or locally offline. Good practice for using a password manager securely includes creating a master passphrase to secure the 'vault' that you will not forget, but that cannot easily be cracked: it should be as strong as possible, and therefore as long as possible. Please see the University Information Security Policies and Standards for details of University minimum password lengths, but for master passphrases longer is better - as long as possible.

NB - Before using a password manager for banking passwords, you should check with your bank.  

 

Systematic password methods 

Some people prefer a systematic approach, a method or "algorithm" for their passwords as an alternative to storing them or memorising them. To do this you could: 

  • memorise a strong password segment (e.g. @bGsdkf8f.n3) 

  • insert some characters into and/or before and after this segment based on something about the specific service that you know you can recall 

There are many other systematic methods you could try that might suit you better, but the recommendations about length always apply. 

 

Password recovery 

Most recovery methods involve sending an email to you, so it is very important that you keep the email address you register with services up to date. For the same reason it is vital that this email address is well protected: use a strong password and any other security mechanisms the provider offers.

 

Use Multi Factor Authentication whenever available 

Many services offer some form of Multi Factor Authentication (MFA); this is also often known as "Two Factor Authentication (2FA)" or "Two Step Verification". It uses something you physically have - usually a phone - as well as your password, to provide extra security.

 

Other tips 

  • If you no longer need an account on a service then you may wish to delete it. An account that you never use is just an added risk. 
  • If you are making a "one time" use of a service then use a "guest" facility if there is one - you do not always need to create an account. 
  • If a new service or device gives you a default password, change it as soon as you can. 
  • Protect yourself from malicious software that might try to capture your passwords by keeping your devices up to date and protected.