
Your passwords are the most common way to prove your identity when using websites, email accounts, your computer and university systems. The creation and use of strong passwords is therefore essential to protecting your security and identity. And remember, the best security in the world is useless if a malicious person has access to your legitimate username and password.

  • ☑ Passwords Summary - Top Tips

    Further explanation is provided on this page, but you must follow these rules to keep your passwords and logins secure:

    1. Choose a SECURE (hard to guess) password.

    2. ONLY use your university email address for university business.

    3. NEVER use your university password for any other site or service!

    4. NEVER share your password(s) with anyone!

    5. NEVER let anyone else login to any of your university or personal online accounts or apps.

    6. REMEMBER: NO genuine organisation or representative will ever ask you for any of your passwords.

    7. If you think someone else knows your university password - change it immediately AND contact the IT Service Desk.

    8. If you think someone else knows one of your personal passwords - change it immediately and contact the service provider.

    Watch the Passwords video from the Internet Safety for Students course on LinkedIn Learning (University login required).

  • Choosing the right password

    Passwords should be hard for somebody else to guess but easy to remember. A good rule is to make sure that somebody who knows you well couldn't guess your password in 20 attempts. Whilst you need a secure password, you also need to remember it without having to write it down somewhere.

    1. Password Guidance

     

    All passwords must be a minimum of 10 characters with a mix of upper and lower case and a number (and non-alphanumeric characters if desired [excluding "£ & and +], though these should be used randomly and not for simple letter/number substitution, as this increases the burden of memorising rather than actually increasing security).

    Passwords should be easy to remember, but hard for somebody else to guess. A good rule is 'make sure that somebody who knows you well couldn't guess your password in 20 attempts'. The UK National Cyber Security Centre has some useful advice on how to choose a non-predictable password.

    Think three random words: Three well-chosen random words can be quite memorable but not easy to guess. This provides a good compromise between protection and usability. If using What3Words for random word selection, do not use your home address or personal location which could be easily identified. Once chosen, re-order the words.

    2. Choosing a secure and memorable password

    When generating such a password, avoid using personal information, a single dictionary word and predictable keyboard sequences such as 'Qwerty123' or 'Zxcvbnm123'. In addition, ensure the password is unique. Do not use the same password with multiple accounts. This way, if one of your personal accounts is compromised, the attacker will not be able to breach any of your other accounts, including your university network account.

    The UK National Cyber Security Centre (NCSC) has some useful advice on how to choose a non-predictable password.

    3. Password length

    Length matters! Although many services require a minimum length of 8 characters for a password, using 16 characters is not twice as secure - it is millions of times harder to guess.

    Cyber security experts say that 8 "letter" passwords can be hacked in minutes, but that 12 to 16 characters satisfy most security requirements and can take years for a computer to guess. 

    4. Personal as well as University

    This advice should be applied to any of your personal online services as well as your University network user account. For student network user accounts there are some fundamental policies that are enforced which must be adhered to when selecting a password. Failure to do so will result in your new password not being accepted. These are as follows:

    • Minimum of 8 characters in length
    • Combination of uppercase, lowercase (and non-alphanumeric characters if desired though these should be used randomly and not for simple letter/number substitution)

    5. Test your password(s)

    The Bitwarden website will allow you to test your potential passwords for security. The service is free and secure - they don't store any information that you type into the box. Try a few combinations and don't stop until you manage to get "Your password score: Strong".

    Bitwarden: Password Strength Testing Tool
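
As an added illustration of the guidance in this section (not code from the University or from Bitwarden), the Python below checks a candidate password against the rules stated above, builds a three-random-words password from a cryptographic random source, and shows how the guessing space grows with length. The word list, the function names and the five-adjacent-keys test for keyboard sequences are assumptions made for the example.

```python
import math
import secrets

# Constructed stand-in list; a real one needs several thousand words.
WORDS = ["anchor", "biscuit", "copper", "dolphin", "ember", "fiddle",
         "glacier", "harvest", "island", "jigsaw", "kettle", "lantern"]
EXCLUDED = set('"£&+')  # characters the guidance excludes
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def policy_violations(password, min_length=10):
    """Return the rules from the guidance that the password breaks."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("no upper case")
    if not any(c.islower() for c in password):
        problems.append("no lower case")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if EXCLUDED & set(password):
        problems.append("excluded character")
    # Assumed test: any run of 5 adjacent keys, as in 'Qwerty123'.
    lowered = password.lower()
    if any(row[i:i + 5] in lowered
           for row in KEYBOARD_ROWS for i in range(len(row) - 4)):
        problems.append("keyboard sequence")
    return problems


def three_random_words(words=WORDS, count=3):
    """Pick words with a CSPRNG; capitalise and add a digit for the mix rule."""
    chosen = [secrets.choice(words).capitalize() for _ in range(count)]
    return "".join(chosen) + str(secrets.randbelow(10))


def entropy_bits(choices, picks):
    """Guessing work in bits for `picks` uniform draws from `choices` options."""
    return picks * math.log2(choices)


def length_gain(alphabet, short, long):
    """How many times more candidates a longer random password has."""
    return alphabet ** (long - short)


if __name__ == "__main__":
    print(three_random_words(), policy_violations("Qwerty123"))
```

With the 12-word stand-in list, three words give only about 11 bits of guessing work, so load a list of several thousand words before relying on the generator.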

  • Password Re-use

    An increasing number of websites and services are being compromised by hackers, and because some people use their University email address and the same password for external sites, University passwords are being captured and can be used to access your account and University systems.

    This puts the security of University services and data at risk; therefore, it is vitally important that you use a different email address and a different secure password for external IT services, such as social media and online shopping accounts.


    ONLY use your university email address for university business!


    NEVER use your university password for any other site or service!

    Advice on choosing a secure password can be found in the section above.

  • Password sharing

    Disclosing your University password(s) directly contravenes the University’s Computer Acceptable Use Policy and presents a real risk of malicious use, service disruption, data loss or damage to the university’s reputation – as well as disciplinary action against you. Section 4 of the aforementioned policy provides more information and advice regarding the disclosure of passwords as well as usernames.

    Put simply:


    NEVER share your university (or personal) IT password(s)


    NEVER let anyone else login to any of your accounts using your password (not even family and friends)

    No member of University staff will ever ask you for your password(s)

    No staff member from an external service provider will ever ask you for your password(s)

    If you believe someone knows your password, you must change it immediately; the IT Service Desk can assist you in doing this.
