Information Security

Passwords

Tips and techniques for managing your passwords.

Use unique passwords for different services

Avoid using the same password for different services.

This means that if a thief or hacker gains access to one of your services, they do not gain access to your other services. If you discover one of your passwords has been stolen, you would not need to change the passwords on all your other services.

Never use a password you use for a University service for any other service.

The University works hard to ensure its services handle passwords in secure ways. The same may not be true for services that you register to use outside the University. You cannot guarantee that they will take the same care to protect passwords. There have been several high-profile cases where large numbers of passwords have been stolen by hackers. Do not use your University passwords for other services outside the University.

Choosing strong passwords

Reasons for choosing strong passwords and tips for how to choose them.

Choosing strong passwords.

Protect your passwords

It goes without saying that we must never reveal our passwords. Legitimate services, banks, IT Support, etc. never ask for your password so they can "just log in and check".

If someone asks you for your password it is most likely a scam.

Managing your passwords

Choose a method for managing your passwords that works for you

There are at least two basic methods for managing passwords:

  • you store them in a (very) secure place
  • you have a systematic way of working them out

Whatever method you choose, you also need to have a recovery method: some way of resetting or renewing your password when you need to.

Using online password managers

The University now provides access to the LastPass password manager for free to all staff and students. More details can be found at:

LastPass for staff

LastPass for Students

Online password managers are another useful method for storing your passwords. Their use is not without risk. Should your provider ever be compromised you may lose access to your passwords.

Good practice for using a password manager includes creating a master passphrase to secure the 'vault' that you will not forget, but that will not be easily hacked.

NB - Before using a password manager for banking passwords, you should check with your bank.

Password managers for personal use include:

KeePass

LastPass

1Password

Dashlane

Password recovery

Password recovery methods for the services you use need up-to-date email addresses

Most recovery methods involve sending an email to you, so it is very important that you keep the email address you register with services up to date.

We have to learn how to manage a large collection of passwords so that we can remember them, or find them when we need them. With all the on-line services we use, at work and in our daily lives, it is important that we work out a way to do this. Options and advice are below. Everyone is different. Choose a method that works for you.

Storing them in an encrypted file

This is perhaps the most direct way. You type your passwords into a file, and make sure that the file remains encrypted when you are not using it. Decrypt the file when you need to add a new password, or to read (or copy) a password to let you log in.

To make this work, you need to be able to choose a strong password to unlock/decrypt the file. It is very important that you commit this master password to memory. As long as the encryption algorithm is strong, and your master password is strong, you can even carry copies of the encrypted file with you, on your laptop or a USB key.

The disadvantage is, if someone is able to guess your master password, they have access to all your services. You can also never trust your encrypted file on a computer or device that has been hacked or belongs to someone else. They might be capturing everything you type, including your password.
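The following is an added example, not code from the University or from this page, showing the two properties the paragraphs above rely on: the file key is derived from the master password with a memory-hard function (scrypt), so each guess at the master password is deliberately expensive, and the file carries an authentication tag, so a wrong master password or a tampered file is rejected rather than silently decrypted to garbage. It uses only the Python standard library; the file marker, field layout and keystream construction (HMAC-SHA256 in counter mode, encrypt-then-MAC) are choices made for this illustration, and in practice you would use an established tool such as KeePass or GPG rather than your own file format.

```python
"""Minimal encrypted password file: scrypt key derivation + encrypt-then-MAC.

Added illustration (not the page's or any product's code). Standard library only.
The layout is: MAGIC (8) | salt (16) | nonce (16) | ciphertext | HMAC tag (32).
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

# scrypt cost parameters: memory-hard, so every guess at the master password costs
# real time and memory. Raise N on faster machines.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024          # allow scrypt's 128*N*r bytes of working memory
MAGIC = b"PWVAULT1"                       # constructed 8-byte file marker for this example
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def derive_keys(master: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys."""
    key_material = hashlib.scrypt(master.encode("utf-8"), salt=salt,
                                  n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                                  maxmem=SCRYPT_MAXMEM, dklen=64)
    return key_material[:32], key_material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def seal(master: str, entries: Dict[str, str]) -> bytes:
    """Encrypt a {service: password} mapping under the master password."""
    salt = secrets.token_bytes(SALT_LEN)     # fresh salt: same master password -> different keys per file
    nonce = secrets.token_bytes(NONCE_LEN)   # fresh nonce: keystream is never reused
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_vault(master: str, blob: bytes) -> Dict[str, str]:
    """Decrypt a sealed file. Raises ValueError on a wrong master password or any tampering."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a vault file")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:HEADER_LEN]
    ciphertext, tag = blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    # Verify before decrypting; constant-time compare so the check leaks nothing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password, or the file has been tampered with")
    plaintext = xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def roundtrip_demo() -> Dict[str, bool]:
    """Seal a constructed sample vault, then show the three behaviours that matter."""
    entries = {"example-mail": "correct horse battery staple 42",   # constructed sample data
               "example-shop": "k9!Qv7#pLm2$"}
    master = "a long memorable master passphrase with numbers 1984"
    blob = seal(master, entries)
    results = {"roundtrip": open_vault(master, blob) == entries}
    try:
        open_vault("wrong guess", blob)
        results["wrong_rejected"] = False
    except ValueError:
        results["wrong_rejected"] = True
    tampered = bytearray(blob)
    tampered[HEADER_LEN + 3] ^= 0x01            # flip one ciphertext bit
    try:
        open_vault(master, bytes(tampered))
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(roundtrip_demo())
```

The point to take from `roundtrip_demo` is the second and third result: the file itself tells you when the master password is wrong or the file has been altered, and the scrypt parameters are what make guessing that master password slow. Nothing here changes the warning in the paragraph above: if the master password is guessed, or typed on a compromised machine, every password inside is exposed.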

Systematic methods

Some people prefer a systematic approach, a method or "algorithm" for their passwords as an alternative to storing them, or memorising them. To do this you could:

  • memorise a strong password segment (e.g. sdkf8f.n3)
  • insert some characters into and/or before and after these based on something about the service that you know you are able to recall

For example: a password for Tesco on-line could be that password, combined with what you associate Tesco with, for example your favourite item in that shop:

  • Tesco-sdkf8f.n3-cornflakes

There are many other systematic methods you could try that might suit you better. An example of a completely different system is QWERTYcard:

QWERTYcard

Secure storage of passwords

The emphasis is on the word "secure". If you choose to store your passwords in a secure place, you have to make sure it is very secure. Don't write down your passwords, unless you keep them in a strong locked cabinet like a "safe". You can store your passwords in an encrypted folder. If you do this, always take care to ensure you do not store copies in any insecure places.

Information about how to create and use encrypted folders is here:

Encrypted Containers


Other things you can do: delete, unsubscribe, avoid spyware

  1. Do not subscribe to more on-line services than you need to.
  2. Cancel, or close down on-line services that you no longer use.
  3. Change all default passwords. If a new service or device gives you a default password, change it as soon as you can.
  4. "Spyware" may silently infect your computer and collect your passwords. Protect your computer from malicious software by keeping your software and anti-virus up to date.