Passwords
Information about your passwords at the University, and advice on setting secure passwords.
Your University Username (UUN) is your only username, but you may have several passwords:
- EASE - you choose this password when you register for EASE.
- Wireless/VPN/LapLAN - you choose this password when you register for this service (see below).
- University supported computers - registering with EASE automatically sets this to the same password as your EASE password. New students have to activate their labs account using their EASE password.
- UNIX or departmental lab - only students in some schools will be given these accounts, with separate passwords.
Reasons for choosing a strong password
- It takes automated software under 90 minutes to crack most people's passwords. Password cracking software tries all combinations of letters and numbers ("brute force" or "incremental" attack) and also any word you might find in a dictionary ("dictionary attack") - including foreign languages.
- The University uses high-grade encryption - your password is the weakest link in the chain.
- A weak password is the virtual equivalent of leaving your car or your front door unlocked.
- What's at stake: all your files and your mail; somebody could also send mail in your name, print using your credit, and use the personal information listed on MyEd to steal your identity.
- All students and staff are bound by the University Computing Regulations, which require you to take all reasonable precautions to maintain the integrity of your passwords.
Tips for safe (strong) passwords
- At least seven characters
- More than one word
- A mix of letters and numbers (for example, replace some letters with numbers)
- A mix of upper- and lower-case letters and numbers
- A strong password looks like a censored swear word - use some non-alphabetic characters such as @#$!%+-/:?_
- Non-dictionary words - such as the initial letters of the words in a line of a favourite song or book title. For example: "She's just a girl who claims that I am the one" = "5jagwctImt1"
Mistakes leading to weak passwords
- your username as a password (even backwards or mixed up).
- your real name in any form, or any part of it.
- obvious personal information (your date of birth, phone number, national insurance number, address, etc.).
- all digits, or just one letter.
- real words with only one or two obvious digit substitutions, like 'p4ssword' or '5ecret'.
- fewer than seven characters (a "brute force" attack cracks 6 letters in 50 minutes).
- any word you might find in a dictionary (including foreign language dictionaries).
- characters from books, films, etc. (Gandalf, Sherlock), band names, song titles etc. (no matter how obscure).
- passwords that are too easy or too difficult to type: An easy password can be guessed by anyone who sees you type it, and you will only be able to type a difficult password slowly - with the same result.
Password examples
| Weak password | Strong password | Comment |
|---|---|---|
| sunshine | %5un5h1n3_ | Replaced letters with numbers, added special characters |
| sherlock | SHlmsVSPrf.M | Derived from the phrase "Sherlock Holmes VS Prof. Moriarty" |
| runforthehills | R0n4dHiLLs! | Replaced letters with numbers, mixed capitalisation, added ! character |
| JohnSmith | j04n5m1Th@Un1 | Replaced letters with numbers, mixed capitalisation, added @ |
| billiejean | 5jagwctImt1 | Derived from the chorus of "Billie Jean" - just as memorable |
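The following is an added example, not part of the original page: a Python check that applies several of the mistakes listed above (length, all digits, username, real name, dictionary words with one or two digit substitutions) to a candidate password. The function name `weaknesses`, the small word list and the digit-to-letter mapping are assumptions made for illustration; a real check would load a full dictionary.

```python
import re

# Constructed sample word list (assumption); a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "secret", "sunshine", "sherlock", "gandalf"}
# Assumed mapping of obvious digit-for-letter swaps, as in 'p4ssword' and '5ecret'.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"}


def weaknesses(password, username="", real_name="", words=SAMPLE_WORDS):
    """Return the rules from the list above that `password` breaks (empty = none found)."""
    found = []
    lower = password.lower()
    if len(password) < 7:
        found.append("fewer than seven characters")
    if password.isdigit() or len(set(lower)) == 1:
        found.append("all digits, or just one letter")
    # Username, even backwards or mixed up (same characters in any order).
    user = username.lower()
    if user and (user in lower or user[::-1] in lower
                 or sorted(user) == sorted(lower)):
        found.append("username as password")
    # Any part of the real name (parts of 3+ letters, to avoid noise).
    for part in re.findall(r"[a-z]{3,}", real_name.lower()):
        if part in lower:
            found.append("contains real name")
            break
    # Dictionary word, either as typed or after undoing one or two digit swaps.
    swaps = sum(ch in LEET for ch in lower)
    plain = "".join(LEET.get(ch, ch) for ch in lower)
    if lower in words:
        found.append("dictionary word")
    elif plain in words and swaps <= 2:
        found.append("dictionary word with obvious digit substitutions")
    return found


if __name__ == "__main__":
    # Passwords taken from the examples on this page; the name is from the table row.
    for pw in ["sunshine", "p4ssword", "5ecret", "JohnSmith", "5jagwctImt1"]:
        print(pw, "->", weaknesses(pw, real_name="John Smith") or "no listed mistake found")
```

An empty result only means none of these particular checks fired; it does not cover the other mistakes in the list, such as personal information or names from books and films.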
Keeping your password secure
- Always make sure that you have logged off from the computer. Just turning the terminal off may not actually log you out, and the next person who comes along may find themselves in your account simply by switching the terminal on.
- Don't tell your password to others, accidentally or on purpose.
- Don't write it down somewhere, unless you have a decent safe to put it in!
- When given a password for a new account, change it as soon as you can; also change it each term.
- "Spyware" may silently infect your computer and collect your passwords. Protect your computer from malicious software.
Contacting Us
If you suspect that someone has gained access to your account, please contact us. Signs of this could include files and directories unexpectedly present or missing, mail or news postings you didn't make, or logins at times when you weren't around. You can visit an IS Helpdesk or contact the IS Helpline.
IS Helpline
Phone: +44 (0)131 651 5151
This article was published on Mar 9, 2012