Use strong passwords for each service you use
Strong passwords are the first line of defence for your accounts. They protect your email and your data. The takeover of an account by a cybercriminal can put the University’s email, data and reputation at risk. Strong passwords protect you and everyone else.
Long passwords are strong passwords. The minimum password length that meets University standards is 12 or more characters. For key services, such as password managers and accounts with elevated privileges, you should use 15 characters or more. Going beyond these minimums is recommended wherever you can.
The longer the password, the harder it is to guess or brute force; adding a few more characters can add literally hundreds of years to the time needed.
If you use a password manager you can choose the length of random password it generates. A long randomly generated password is the most secure but may also be hard to type manually; many password managers can type the password for you.
You can also generate “strong enough” passwords by choosing three or more random, unrelated words of four or more letters each, altering them as necessary to fit the password rules of the service or to add extra complexity. See the UK National Cyber Security Centre advice, and remember that longer words, or more of them, make longer and stronger passwords.
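As an added illustration (not part of the University's guidance), the following Python puts numbers on the advice above: it estimates how much the 12- and 15-character minimums change the brute-force effort, checks a password against those minimums, and builds a passphrase from random unrelated words. The word list, the 94-symbol character set and the guess rate are assumed values chosen for the example.

```python
import math
import secrets

# Constructed sample word list for demonstration only; a real passphrase
# should be drawn from a list of thousands of words (e.g. a 7776-word
# diceware list), because the list size is what gives each word its entropy.
SAMPLE_WORDS = ["ox", "lamp", "river", "cactus", "violin", "marble", "kettle",
                "orbit", "puzzle", "glacier", "saddle", "tundra", "wicket"]
DICEWARE_LIST_SIZE = 7776          # size of the common five-dice word lists
ASSUMED_GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate (example value)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def random_password_bits(length, alphabet_size=94):
    """Entropy in bits of a uniformly random password of the given length
    drawn from an alphabet of alphabet_size symbols (94 printable ASCII)."""
    return length * math.log2(alphabet_size)

def passphrase_bits(word_count, wordlist_size):
    """Entropy of word_count words chosen uniformly from wordlist_size words."""
    return word_count * math.log2(wordlist_size)

def years_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

def meets_university_minimum(password, key_service=False):
    """12+ characters in general, 15+ for key services, as the guidance states."""
    return len(password) >= (15 if key_service else 12)

def generate_passphrase(words=SAMPLE_WORDS, count=3, min_len=4, sep="-"):
    """Pick `count` distinct random words of at least min_len letters, using
    the OS CSPRNG so the choice is not predictable."""
    pool = [w for w in words if len(w) >= min_len]
    rng = secrets.SystemRandom()
    return sep.join(rng.sample(pool, count))

if __name__ == "__main__":
    for n in (12, 15, 20):
        bits = random_password_bits(n)
        print(f"{n}-char random password: {bits:.1f} bits, "
              f"~{years_to_exhaust(bits):.3g} years to exhaust")
    for k in (3, 4, 5):
        print(f"{k} diceware words: {passphrase_bits(k, DICEWARE_LIST_SIZE):.1f} bits")
    print("example passphrase:", generate_passphrase())
```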
Use unique passwords for each service you use
This means that if someone gains access to one of your passwords they do not gain access to your other services.
Never use a password you use for a University service for any other service. The University cannot influence the security of non-University services, so we ask that you do not reuse a University password anywhere else.
Never reveal your password
If someone asks you for your password it is most likely a scam. Legitimate services, banks, IT Support, etc. never ask for your password. Pay attention to who might be watching as you enter your password, and avoid "shoulder surfing".
Managing your passwords
Choose a method for managing your passwords that works for you. There are at least two basic methods for managing passwords:
- you store them in a (very) secure place
- you have a systematic way of working them out
Whatever method you choose, you also need to have a recovery method; some way of re-setting or renewing your password when you need to.
Before using any password storage mechanism, ensure that the passwords are stored securely and encrypted with a strong password. The recommendation to use a strong, long password to encrypt and protect your other passwords applies in all cases, and the stored passwords should always be encrypted when not actively in use.
Storing passwords using password managers
The University provides access to the LastPass password manager for free to all staff and students. More details can be found at:
Password managers can be a useful method for storing your passwords. They can be held online or locally offline. Good practice for using a password manager securely includes creating a master passphrase to secure the 'vault' that you will not forget but that will not be easily hacked: it should be as strong as possible, and therefore long; the recommendation of 15 or more characters applies.
NB - Before using a password manager for banking passwords, you should check with your bank.
Systematic password methods
Some people prefer a systematic approach, a method or "algorithm" for their passwords as an alternative to storing them or memorising them. To do this you could:
- memorise a strong password segment (e.g. @bGsdkf8f.n3)
- insert some characters into and/or before and after this segment based on something about the specific service that you know you can recall
There are many other systematic methods you could try that might suit you better, but the recommendations about length always apply.
Most recovery methods involve sending an email to you, so it is very important that you keep the email address you register with services up to date. Because of this it is vital that the email address you use is well protected; strong passwords and any other security mechanisms available should be used.
Use Multi Factor Authentication whenever available
Many services have forms of Multi Factor Authentication (MFA) available; this is often also known as "Two Factor Authentication (2FA)" or "Two Step Verification". This uses something you physically have - usually a phone - as well as the password to provide extra security.
- If you no longer need an account on a service then you may wish to delete it. An account that you never use is just an added risk.
- If you are making a "one time" use of a service then use a "guest" facility if there is one - you do not always need to create an account.
- If a new service or device gives you a default password, change it as soon as you can.
- Protect yourself from malicious software that might try and capture your passwords by keeping your devices up to date and protected.