Selecting a strong password and managing it securely


Your password is both your electronic identity and the key which you use to access University data. It is your responsibility to select a strong password and to manage it securely as you are personally accountable for its use.

Choosing strong passwords

Why should you choose a strong password and what makes one? 

Why you need strong passwords

It takes automated software under 90 minutes to crack most people's passwords. Specially created computers can be designed to do this in just a few minutes. 

  • Password cracking software tries all combinations of letters and numbers ("brute force" or "incremental" attack).
  • They also try any word you might find in a dictionary ("dictionary attack") - including foreign languages.
  • They also use tables of known weak passwords (rainbow tables).
  • Finally, they may use compromised login details from other sites (credential stuffing).

The websites you use try to harden themselves against attack - your password may be the weak point.

Tips for safe (strong) passwords

Remember a few strong passwords for the systems you need to keep most secure.

  • University systems require a password at least seven characters long, but we recommend you choose more. See "Long passwords" below.
  • Ideally, use a mix of upper- and lower-case letters, numbers and punctuation marks
  • A strong password looks like a random sequence of symbols - use some non-alphabetic characters such as @#$!%+-/:?_
  • Use non-dictionary words, or a passphrase - like the XKCD-style passphrase or one of the other approaches described below.

Long passwords

Long passwords are usually stronger as they can make brute-force attacks take much longer.

  • Choose long passwords for the few services you think need most protection
  • If you are using a long password, it's a good idea to use 15 characters or more

A long password is only any good if it is also strong, so choose these carefully, in such a way that you can remember them but it is very difficult for others to guess.

It is actually more important to choose unique passwords for the services you use than it is to choose very long ones. Do not make it too hard for yourself by trying to remember very many long ones.

Passphrases

The recommended way to choose very strong passwords is to use a passphrase. This is a password made up of (at least) four randomly chosen words. It is as easy to remember as four randomly chosen letters, but it results in very strong passwords. For example, a passphrase could be:

  • banana castle aardvark elegant 

or to make it compatible with a service that insists on punctuation marks and capitals:

  • Bana.na.Castlea@rdvarkElegant.

It is the combination of length and the random nature of the words that makes the password strong.
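The following is an added example, not part of the original guidance, showing how the passphrase approach above can be implemented and why it is strong: words are drawn with a cryptographically secure random source (Python's secrets module), and the strength is measured as bits of entropy, log2(list size) per word. The short word list embedded here is constructed so the example runs offline; the decorate_for_complexity_rules helper is an assumed, simplified version of the "capitals and punctuation" transformation the text describes.

```python
import math
import secrets

# Constructed sample word list, present only so the example runs offline.
# A real generator would load a large published list (a Diceware-style list
# has 7776 words); a list this small gives far too little entropy in practice.
SAMPLE_WORDLIST = [
    "banana", "castle", "aardvark", "elegant", "copper", "meadow", "lantern",
    "quartz", "velvet", "harbour", "pickle", "summit", "walrus", "ribbon",
    "glacier", "tundra",
]


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words chosen uniformly (with replacement) from a
    list of `wordlist_size` words: log2(wordlist_size ** word_count)."""
    if word_count < 1 or wordlist_size < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count: int = 4, wordlist=SAMPLE_WORDLIST,
                        separator: str = " ") -> str:
    """Pick `word_count` words using the CSPRNG-backed `secrets` module.
    Never use the `random` module for this: it is predictable."""
    if word_count < 1:
        raise ValueError("word_count must be >= 1")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def decorate_for_complexity_rules(passphrase: str) -> str:
    """Assumed helper: capitalise each word and append a full stop, for services
    that insist on capitals and punctuation. The transformation is predictable,
    so it adds almost no entropy; the strength still comes from the random words."""
    return "".join(w.capitalize() for w in passphrase.split(" ")) + "."


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase)
    print(decorate_for_complexity_rules(phrase))
    print(f"{passphrase_entropy_bits(4, len(SAMPLE_WORDLIST)):.1f} bits from this tiny sample list")
    print(f"{passphrase_entropy_bits(4, 7776):.1f} bits from a 7776-word Diceware-style list")
```

Four words from a 7776-word list give about 51.7 bits, comparable to a random 8-character mixed-case alphanumeric password but far easier to remember. The entropy figure assumes the words are genuinely chosen at random; four words you picked yourself because they "sound random" are guessable and do not get this figure.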

Other approaches to choosing strong passwords

Weak password      | Stronger password     | Comment
-------------------|-----------------------|------------------------------------------------------------------
sunshine           | %5un555h1n3_SuperMan  | Replaced letters with numbers, added special characters, and added a lot of randomness.
sherlock           | SHlmsVSPrf.M          | Derived from the phrase "Sherlock Holmes VS Prof. Moriarty".
billiejean         | 440D&fn,tlwohs        | If you know the lyrics of a song, don't use the chorus and certainly not the title ("She's just the girl who claims that I am the one"). Use instead, for example, "For forty days and forty nights, the law was on her side".
janet (my sister)  | ono!Wswlmmshcohh      | "Oh no! When she was little my mum spilled hot custard on her head."

Mistakes leading to weak passwords

Do not make these mistakes when choosing a password:

  • your username as a password (even backwards or mixed up).
  • using any name, or any word in any language.
  • obvious personal information (your year of birth, phone number, national insurance number, address, etc.).
  • all digits, or just one letter.
  • a real word with only one or two obvious digit substitutions, like 'p4ssword' or '5ecret'.
  • fewer than eight characters (a "brute force" attack can crack 7 letters in a few minutes)
  • characters from books, films, etc. (Gandalf, Sherlock), band names, song titles etc. (no matter how obscure).
  • passwords that are too easy or too difficult to type: an easy password can be guessed by anyone who sees you type it, and you will only be able to type a difficult password slowly - with the same result.
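As an added example (not part of the original guidance), here is a small checker that flags the mistakes listed above so a registration form or a self-service password change can reject them before they reach a real system. The dictionary and the substitution map are constructed and deliberately tiny; a real check would load a full word list and a breached-password list instead. The interpretation of "just one letter" as "only one distinct character" is an assumption.

```python
# Constructed, deliberately small dictionary of words and names. A real
# deployment would load a full word list plus a list of breached passwords.
SAMPLE_DICTIONARY = {"password", "secret", "sunshine", "sherlock", "gandalf", "janet"}

# Obvious digit/symbol substitutions ("leetspeak") that attackers undo first.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})


def find_password_problems(password: str, username: str = "",
                           personal_info=()) -> list:
    """Return a list of reasons the password is weak; an empty list means no
    rule from the list above was triggered (which is not proof of strength)."""
    problems = []
    pw = password.lower()
    user = username.lower()

    if len(password) < 8:
        problems.append("fewer than eight characters")

    # Username forwards, backwards, or with its letters rearranged.
    if user and (pw == user or pw == user[::-1] or sorted(pw) == sorted(user)):
        problems.append("username (forwards, backwards or rearranged)")

    if password.isdigit():
        problems.append("all digits")

    # Assumption: "just one letter" means a single character, possibly repeated.
    if len(set(password)) == 1:
        problems.append("a single character (or one character repeated)")

    if pw in SAMPLE_DICTIONARY:
        problems.append("a dictionary word or name")
    elif pw.translate(LEET_MAP) in SAMPLE_DICTIONARY:
        problems.append("a dictionary word with obvious digit/symbol substitutions")

    # Year of birth, phone number, etc. supplied by the caller.
    for item in personal_info:
        if item and item.lower() in pw:
            problems.append(f"contains personal information ({item})")

    return problems


if __name__ == "__main__":
    for candidate in ["p4ssword", "5ecret", "12345678", "SHlmsVSPrf.M"]:
        print(candidate, "->", find_password_problems(candidate) or "no listed mistakes")
    print("sunshine1987 ->", find_password_problems("sunshine1987", personal_info=["1987"]))
```

Passing an empty list back should be read as "none of the listed mistakes found", not as a strength guarantee; a password can avoid every rule here and still appear in a breached-password list, which is why the checker's dictionary should include one.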

Ways that Cyber Criminals steal your passwords

Password theft is one of the favourite pastimes of hackers. The easiest way to steal your password is to watch (or film) you while you type it. Other methods are:

  • shoulder surfing: looking over your shoulder while you type your PIN or password
  • taking a seat behind you, and filming your reflection in the train window
  • confidence tricks, (also known as social engineering)
  • finding copies which have been stored insecurely, on a bit of paper or in a file that they get access to
  • establishing fake WiFi networks and using these to capture your password
  • stealing password databases from poorly managed on-line services
  • guessing, based on your pet's or your children's names, or by learning about your hobbies, previous aspects of your life, etc.
  • doing a brute-force attack: trying all words from all on-line dictionaries (including trying millions of passwords already stolen).
  • enticing you to click on a "phishing" link.

If you want more information on passwords, the National Cyber Security Centre provides guidance on this and a number of other cyber security topics. Their advice on passwords can be found at the following:

https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0

Did you know...

A password with 7 characters and just letters can be cracked almost instantly, but a password with 15 characters will take 100 years to crack, and 1bn years if you include upper and lower case, numbers and symbols.
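The figures above come from the size of the search space an attacker has to try. As an added example (not from the original page), the calculation below shows how that space, and the time to exhaust it, grows with length and with the size of the character set. The guess rate of 10 billion guesses per second is an assumed figure for illustration only; the absolute times depend entirely on it (and on how the password was hashed), so the point is the ratio between rows, not the exact number of years.

```python
import math

# Character-set sizes for a password drawn at random from each set.
CHARSET_SIZES = {
    "lowercase letters": 26,
    "upper and lower case letters": 52,
    "letters and digits": 62,
    "letters, digits and symbols": 95,   # all printable ASCII
}

# Assumed attacker speed for illustration; real rates vary by orders of
# magnitude depending on hardware and on the hash function used to store it.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    if charset_size < 2 or length < 1:
        raise ValueError("charset must have 2+ characters and length must be >= 1")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the search space, the usual way to quote password strength."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password; on average half of this."""
    return search_space(charset_size, length) / guesses_per_second


def years_to_exhaust(charset_size: int, length: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / SECONDS_PER_YEAR


def describe(seconds: float) -> str:
    """Human-readable duration for printing the comparison table."""
    if seconds < 60:
        return f"{seconds:.2g} seconds"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.3g} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    for length in (7, 10, 15):
        for name, size in CHARSET_SIZES.items():
            secs = seconds_to_exhaust(size, length)
            print(f"{length:2d} chars, {name:30s} {entropy_bits(size, length):5.1f} bits  {describe(secs)}")
```

Each extra lowercase letter multiplies the space by 26; switching from 26 to 95 characters at a fixed length multiplies it by (95/26)^length. That is why length wins over complexity once the password is random: 15 lowercase letters already out-grow 7 characters from the full printable set by many orders of magnitude.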

Managing your password

Do:

Don't:

Remember

A computer that is left logged on and unattended gives anyone access to information which is accessible to the authorised user, and allows others to use the account of the user for malicious purposes.

If a computer is left unattended, it should be shut down or locked through the use of a password access 'hot-key' or password-protected screen saver.