Information Security

Passwords

Tips and techniques for managing your passwords.

Use unique passwords for different services

The most important rule for passwords is not to use the same password for different services.

That way, if a thief or hacker gains access to one of your services, they do not gain access to your other services, and if you discover one of your passwords has been stolen you do not need to change the passwords on all your other services.

We have to learn how to manage a large collection of passwords so that we can remember them, or find them when we need them. With all the on-line services we use, at work and in our daily lives, it is important that we work out a way to do this. Options and advice on how to do this are below. Everyone is different. Choose a method that works for you.

Never use a password you use for a University service for any other service.

The University works hard to ensure its services handle passwords in secure ways. The same may not be true for services that you register to use outside the University: you cannot guarantee that they will take the same care to protect passwords. There have been several high-profile cases where large numbers of passwords have been stolen by hackers. Do not use your University passwords for other services outside the University.

Choosing strong passwords

Reasons for choosing strong passwords and tips for how to choose them.

Choosing strong passwords.

Protect your passwords

It goes without saying that we must never reveal our passwords. Legitimate services, banks, IT Support, etc. never ask for your password so they can "just log in and check".

If someone asks you for your password it is most likely a scam.

Other things you can do: delete, unsubscribe, avoid spyware

  1. Do not subscribe to more on-line services than you need to.
  2. Cancel, or close down on-line services that you no longer use.
  3. Change all default passwords. If a new service or device gives you a default password, change it as soon as you can.
  4. "Spyware" may silently infect your computer and collect your passwords. Protect your computer from malicious software by keeping your software and anti-virus up to date.

Managing your passwords

Choose a method for managing your passwords that works for you

There are at least two basic methods for managing passwords:

  • you store them in a (very) secure place
  • you have a systematic way of working them out

Whatever method you choose, you also need to have a recovery method: some way of resetting or renewing your password when you need to.

Password recovery methods for the services you use need up-to-date email addresses

Most recovery methods involve sending an email to you, so it is very important that you keep the email address you register with services up to date.

Memorise some, use the "method" for the rest

Memorise a few passwords for the systems you use regularly, and use your management system for the rest.

Storing them in an encrypted file

This is perhaps the most direct way. You type your passwords into a file, and make sure that the file remains encrypted when you are not using it. Decrypt the file when you need to add a new password, or to read (or copy) a password so that you can log in.

To make this work, you need to choose a strong password to unlock (decrypt) the file. It is very important that you commit this master password to memory. As long as the encryption algorithm is strong, and your master password is strong, you can even carry copies of the encrypted file with you, on your laptop or a USB key.

The disadvantage is that if someone is able to guess your master password, they have access to all your services. You should also never open your encrypted file on a computer or device that has been hacked or belongs to someone else: it might be capturing everything you type, including your master password.
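As an added illustration of the encrypted-file method described above (this is not part of the original page), the script below keeps a small password list encrypted with the openssl command-line tool, unlocked only by a memorised master passphrase, and reads single entries out without ever writing the plain text back to disk. It assumes openssl is installed; the file names, service names and passphrases are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: a password list that stays
# encrypted on disk and is unlocked by one memorised master passphrase.
# Assumes the openssl command-line tool; all names and values are constructed.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
VAULT="$WORKDIR/passwords.enc"   # the only copy you keep

# Key derivation: PBKDF2 with many iterations and a random salt, so that
# guessing the master passphrase is slow and every vault file is distinct.
KDF="-aes-256-cbc -pbkdf2 -iter 600000"

# Encrypt text from stdin into the vault under master passphrase $1.
lock_vault() {
    openssl enc $KDF -salt -out "$VAULT" -pass "pass:$1"
}

# Decrypt the vault to stdout; a wrong passphrase or a damaged file fails.
unlock_vault() {
    openssl enc -d $KDF -in "$VAULT" -pass "pass:$1" 2>/dev/null
}

# Fetch one service's password ($2) without writing plain text to disk.
# Entries are "service:password" lines; everything after the first colon
# is the password, so passwords may themselves contain colons.
lookup_password() {
    unlock_vault "$1" | awk -F: -v svc="$2" '$1 == svc { sub(/^[^:]*:/, ""); print }'
}

# Constructed sample vault with two entries, piped straight into the vault.
create_sample_vault() {
    printf 'mail:correct horse battery staple\nshop:Tesco-sdkf8f.n3-cornflakes\n' \
        | lock_vault "$1"
}

# Returns 0 only if passphrase $1 opens the vault and yields the mail entry.
check_vault() {
    [ "$(lookup_password "$1" mail)" = "correct horse battery staple" ]
}

create_sample_vault 'example master passphrase'
check_vault 'example master passphrase' && echo "vault opens with the master passphrase"
check_vault 'wrong passphrase' || echo "a wrong passphrase reveals nothing"
```

The plain text exists only in the pipe between openssl and awk, which is the property the section above asks for; the strength of the whole scheme still rests on the master passphrase.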

Using on-line password managers

On-line password managers are another useful method for storing your passwords. Their use is not without risk. Should your provider ever be compromised you may lose access to your passwords.

Before using a password manager for banking passwords, you should check with your bank. Read their guidance, as they may not support the use of these tools.

The current good practice for using these services is:

  • to choose strong passwords or passphrases for your most vital services, and commit these to your memory
  • for the majority of passwords, consider a password manager or encrypted file


Password managers for personal use include:

  • Keepass
  • LastPass
  • 1Password
  • Dashlane


If you are unsure whether you want to use a password manager, a good source of further information is the following blog post from the National Cyber Security Centre:

What does the NCSC think about Password Managers?


The University now provides free access to the LastPass Premium password manager for all students. More details can be found at:

LastPass for Students

Systematic methods

Some people prefer a systematic approach, a method or "algorithm" for their passwords, as an alternative to storing them or memorising them. To do this you could:

  • memorise a strong password segment (e.g. sdkf8f.n3)
  • insert some characters into and/or before and after these based on something about the service that you know you are able to recall

For example, a password for Tesco on-line could be that segment combined with something you associate with Tesco, such as your favourite item in that shop:

  • Tesco-sdkf8f.n3-cornflakes

There are many other systematic methods you could try that might suit you better. An example of a completely different system is QWERTYcard:

QWERTYcard

Secure storage of passwords

The emphasis is on the word "secure". If you choose to store your passwords in a secure place, you have to make sure it is very secure. Don't write down your passwords unless you keep them in a strong locked cabinet such as a safe. You can store your passwords in an encrypted folder. If you do this, always take care to ensure you do not store copies in any insecure places.

Information about how to create and use encrypted folders is here:

Encrypted Containers