
Do not use the same password for different services. In particular, never use a password you use for a University service for any other service.
Using the same password for different services gives a hacker the chance to get access to all of your services at once. The University works hard to ensure its services handle passwords in secure ways. The same may not be true for services that you register to use outside the University. You cannot guarantee that they will take the same care to protect passwords. There have been several high profile cases where large numbers of passwords have been stolen by hackers. Do not use your University passwords for other services outside the University.
Choose strong passwords.
Do not use weak passwords that are easy for hackers to crack. See the link below for information about how to choose a strong password.
Do not use the default passwords.
Remember to change all default passwords. If a new service or device gives you a default password, change it as soon as you can.
Storing them in an encrypted file

This is perhaps the most direct way. You type your passwords into a file, and make sure that the file remains encrypted when you are not using it. Decrypt the file when you need to add a new password, or to read (or copy) a password to let you log in. Don't write down your passwords, unless you keep them in a strong locked cabinet like a "safe".
To make this work, you need to choose a strong password to unlock/decrypt the file. It is very important that you commit this master password to memory. As long as the encryption algorithm is strong, and your master password is strong, you can even carry copies of the encrypted file with you, on your laptop or a USB key.
The disadvantage is, if someone is able to guess your master password, they have access to all your services. You can also never trust your encrypted file on a computer or device that has been hacked or belongs to someone else. They might be capturing everything you type, including your password.
Here is the information about how to encrypt documents
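One way to follow the encrypted-file approach above from a command line, as an added example that is not part of the original guidance. It assumes OpenSSL 1.1.1 or later; the function names, the VAULT_PW variable, the iteration count and the sample entries are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. VAULT_PW is a hypothetical
# variable holding the master password so the demo can run unattended;
# in real use omit "-pass env:VAULT_PW" and openssl prompts for it.
ITER=600000   # PBKDF2 rounds (example value): makes each guess at the master password slow

# lock_vault PLAIN ENC: encrypt PLAIN into ENC, then delete the readable copy.
lock_vault() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -in "$1" -out "$2" -pass env:VAULT_PW && rm -f "$1"
}

# unlock_vault ENC: write the contents to standard output only, so no
# decrypted copy is left on disk. A wrong password fails (non-zero exit) in
# almost all cases; CBC has no integrity check, so treat garbage as failure.
unlock_vault() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -pass env:VAULT_PW 2>/dev/null
}

# add_entry ENC LINE: decrypt in memory, append LINE, re-encrypt, replace ENC.
add_entry() {
    old=$(unlock_vault "$1") || return 1
    printf '%s\n%s\n' "$old" "$2" |
        openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
            -out "$1.new" -pass env:VAULT_PW && mv "$1.new" "$1"
}

# Demo with constructed data (the entries and master password are made up).
demo_dir=$(mktemp -d)
export VAULT_PW='constructed master passphrase 7!'
printf 'example-shop: constructed-password-1\n' > "$demo_dir/pw.txt"
lock_vault "$demo_dir/pw.txt" "$demo_dir/pw.enc"
add_entry "$demo_dir/pw.enc" 'example-mail: constructed-password-2'
unlock_vault "$demo_dir/pw.enc"
```

Deleting the plaintext with `rm` does not guarantee the data is unrecoverable from the disk, so it is better to create the entries directly through `add_entry` than to keep a plaintext draft.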
Using on-line password managers

On-line password managers are another useful method for storing your passwords. Their use is not without risk. Should your provider ever be compromised you may lose access to your passwords.
Before using a password manager for banking passwords, you should check with your bank. Read their guidance, as they may not support the use of these tools.
The current good practice for using these services is:
- to choose strong passwords or passphrases for your most vital services, and commit these to your memory
- for the majority of passwords, consider a password manager or encrypted file
Password managers for personal use include:
If you are unsure whether you want to use a password manager, a good source of further information is the following blog post from the National Cyber Security Centre:
What does the NCSC think about Password Managers?
The University now provides access to the LastPass Premium password manager for free to all students. More details can be found at:
Systematic methods

Some people prefer a systematic approach, a method or "algorithm" for their passwords as an alternative to storing them, or memorising them. To do this you could:
- memorise a strong password segment (e.g. sdkf8f.n3)
- insert some characters into and/or before and after this, based on something about the service that you know you are able to recall
For example: a password for Tesco on-line could be that password, combined with what you associate Tesco with, for example your favourite item in that shop:
- Tesco-sdkf8f.n3-cornflakes
There are many other systematic methods you could try that might suit you better. An example of a completely different system is QWERTYcard:

There will always be times when you need to reset or renew your password, so make sure your contact information is correct and up to date.
Typically, there are three main methods to recover your passwords:
- By email
- By message
- By security questions
If your contact information changes, update it for all the services you have registered with as soon as possible.
- shoulder surfing: looking over your shoulder while you type your PIN or password
- taking a seat behind you, and filming your reflection in the train window
- confidence tricks (also known as social engineering)
- finding copies which have been stored insecurely, on a bit of paper or in a file that they get access to
- establishing fake WiFi networks and using these to capture your password
- stealing password databases from poorly managed on-line services
- guessing, based on your pet’s or your children’s names, or by learning about your hobbies, previous aspects of your life, etc.
- doing a brute-force attack: trying all words from all on-line dictionaries (including trying millions of passwords already stolen).
- enticing you to click on a "phishing" link.