Strong Passwords

Threats for Passwords

Login credentials, i.e., the combination of user names and passwords, are the most common method of logging in to access-protected devices such as one's own computer or personal services (cloud services, email providers, online stores, etc.). This makes credentials interesting for attackers, as they could use them

  • to order expensive goods or services at your expense,
  • to register for or deregister from exams for you,
  • to "attack" your friends and colleagues (damage your reputation),
  • to access or manipulate your information in cloud storage,
  • or to read your e-mails and send e-mails on your behalf.

Criminals mostly obtain login data with the help of malware, attacks on services (whose stolen password databases are then traded and tried against other sites) or phishing, or they guess weak passwords by automated trial and error, so-called brute-force attacks.

  • Recommendations for Strong Passwords

    To choose a secure password, the following requirements should be met:

    • Passwords should be at least 12 characters long, the longer the better
      (exception: at least 20 characters where the password can be attacked offline, e.g. the WPA2 pre-shared key for WLAN access, because an attacker who has recorded the handshake can test guesses at full speed without contacting the network).
    • Passwords should always be a combination of upper and lower case letters, numbers and special characters (e.g. ?!%+...).
    • Passwords should not be words that can be found in a dictionary.
    • Passwords should also not be the names of family members, friends or favourite stars. Other personal information, such as dates of birth, should likewise be avoided.
    • Passwords should not consist of repetitive or keyboard patterns (e.g., 1234abcd, asdfgh, 1111aaaa).
    • Simple modifications of a word, such as prepending or appending a single digit or special character, are predictable and should be avoided.
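    The rules above can be checked mechanically. The following is an added example (not code from the original page or from the University of Münster) that implements them as a small checker: minimum length (with a parameter for the 20-character exception), all four character classes, no dictionary word, no dictionary word merely padded with digits or specials at the ends, no personal information, no repeated characters and no keyboard or alphabet sequences. The dictionary and keyboard rows are constructed for the demo; a real check would use a full word list.

```python
import re

# Constructed mini dictionary for this demo (assumption); a real check uses a
# full word list or a password-cracking list.
DICTIONARY = {"password", "summer", "winter", "welcome", "letmein", "muenster",
              "university", "dragon", "monkey", "football"}

# Keyboard rows (US and German layouts) and plain sequences; runs of four or
# more characters taken from these, forwards or backwards, count as a pattern.
SEQUENCES = ["qwertyuiop", "qwertzuiop", "asdfghjkl", "zxcvbnm", "yxcvbnm",
             "1234567890", "abcdefghijklmnopqrstuvwxyz"]


def _has_sequence(pw: str, run: int = 4) -> bool:
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def check_password(pw: str, min_len: int = 12, personal=(),
                   dictionary=DICTIONARY) -> list:
    """Return the rules the password violates; an empty list means it passes.

    min_len=20 reproduces the exception for secrets that can be attacked
    offline (e.g. a WPA2 pre-shared key). `personal` holds names, dates etc.
    that must not appear in the password.
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    if not (has_lower and has_upper and has_digit and has_special):
        problems.append("missing a character class (lower, upper, digit, special)")
    low = pw.lower()
    if low in dictionary:
        problems.append("dictionary word")
    # "Simple changes": a dictionary word with digits or specials merely
    # prepended or appended (Summer2024!) is still a dictionary word.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    if core != low and core in dictionary:
        problems.append("dictionary word with digits/specials added at the ends")
    for token in personal:
        if len(token) >= 3 and token.lower() in low:
            problems.append(f"contains personal information ({token})")
    if re.search(r"(.)\1\1", pw):
        problems.append("three or more repeated characters")
    if _has_sequence(pw):
        problems.append("keyboard or sequence pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["1234abcd", "Password123!", "Anna1990!xyzQ", "kT7#vQ2!mZ9&"]:
        print(candidate, "->", check_password(candidate, personal=["Anna", "1990"]) or "ok")
```

    The checker only rejects what the rules above describe; passing it does not prove a password is unguessable, it only rules out the classes of passwords that cracking tools try first.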


    When handling passwords, the following recommendations should also be followed:

    • Use different passwords for different services (Uni, Amazon, Google, eBay, etc.).
    • Only enter your university password on university websites. If in doubt, check the authenticity of the website before entering.
    • Enter passwords only on trustworthy websites that use an encrypted connection (HTTPS, shown by the padlock in the browser's address bar).
    • Enter passwords only on trusted devices that have basic security measures in place (up-to-date software, antivirus software and a firewall).
    • Never give passwords to third parties (not even to employees of the university or the CIT of the University of Münster). No legitimate company will ask you to provide your password by phone or e-mail.
    • Change preset (default) passwords.
    • Do not write down passwords on sticky notes, e.g. on your screen, or in unencrypted text files.
    • If you want to keep a list of your passwords, store them in a secure place that is inaccessible to third parties, such as a safe.
    • If your password becomes known, change it immediately or have your access blocked. For university login data, you can change your password in the IT portal or have your access blocked at the service desk or by calling the service hotline.
  • Two-Factor Authentication

    For additional protection of your accounts, a good option is two-factor authentication. More and more services offer it, including the IT Portal, Google, Apple, Microsoft, Dropbox and Amazon. With two-factor authentication enabled, you are asked to confirm your identity with a second factor when you log in. Often this is a short numerical code that is only valid for a very short period of time and is delivered via an app, e-mail or SMS. A code generated by an authenticator app on your own device is preferable to one sent by SMS or e-mail, since a code in transit can be intercepted or redirected; even so, any second factor is a large improvement over a password alone.

    The University of Münster uses two-factor authentication in more and more services (Cisco AnyConnect VPN, VDI, IT portal, ...). The second factor is a one-time password (OTP): each OTP is valid for a single login only and is rejected if it is entered a second time, so a code that an attacker manages to capture is worthless once you have used it. To generate one-time passwords you need an OTP generator, for example the "Google Authenticator" app, which you can install on your smartphone.

    Here you can find a short collection of frequently asked questions about OTP: FAQ OTP.

    For setup instructions and recommendations for OTP generators for different operating systems, see OTP.

  • Password Manager

    To manage secure passwords without having to remember them all, a password manager such as KeePass can be very helpful. It stores your passwords encrypted in a password database, and all you have to remember is one strong master password with which the database is encrypted. If that master password is strong (and used nowhere else), the encryption is good enough to store the database even in cloud storage (for example, sciebo), so you can access your passwords from anywhere.

  • Password Generator

    There are many different ways to generate secure passwords. The following password generator presents a few of these options. It also includes a password strength check to help you find a secure password.
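    The generator itself is not reproduced on this page, so here is an added example (not the page's generator and not code from the University of Münster) showing two of the usual options and the entropy each gives: a random character string drawn with the operating system's cryptographic random source, and a passphrase of random words. The special-character set and the word list are assumptions constructed for the demo; a real passphrase generator uses a list of several thousand words.

```python
import math
import secrets
import string

# Assumed special-character set (the page only hints "?!%+..."); adjust to
# what the target service accepts.
SPECIALS = "?!%+-_*#&@"
ALPHABET = string.ascii_letters + string.digits + SPECIALS   # 72 symbols

# Constructed toy word list for the passphrase option; a real generator uses a
# list of several thousand words (the EFF long list has 7776).
WORDS = ["apfel", "birne", "kirsche", "tomate", "gurke", "kuerbis", "zwiebel",
         "lauch", "kohl", "melone", "pflaume", "traube", "ananas", "mango",
         "erbse", "bohne"]


def has_all_classes(pw: str) -> bool:
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw))


def random_password(length: int = 12) -> str:
    """Option 1: uniformly random characters from ALPHABET, using the OS CSPRNG
    (secrets, never random.choice). Candidates lacking one of the four
    character classes are rejected and redrawn; at these lengths that costs a
    negligible amount of entropy."""
    if length < 4:
        raise ValueError("need at least four characters to fit all classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def passphrase(n_words: int = 5, words=WORDS, sep: str = "-") -> str:
    """Option 2: several random words. Easier to memorise; the strength comes
    from the number of words and the size of the list, not from symbols."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, n: int) -> float:
    """Size of the search space for n independent picks from `choices`
    equally likely symbols, expressed in bits."""
    return n * math.log2(choices)


if __name__ == "__main__":
    print(random_password(12), f"~{entropy_bits(len(ALPHABET), 12):.1f} bits")
    print(passphrase(5), f"~{entropy_bits(len(WORDS), 5):.1f} bits with this toy list,",
          f"~{entropy_bits(7776, 5):.1f} bits with a 7776-word list")
```

    The entropy figures are the point of the comparison: 12 random characters from 72 symbols give about 74 bits, five words from a 7776-word list about 64 bits, while five words from the 16-word toy list give only 20 bits, which is why passphrases need a large word list. Both numbers assume the picks are truly random; a password a person composes from the same alphabet is far weaker than its length suggests.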

  • Further Information

    You can find more information about passwords at the BSI.

    You can also use the following services to check whether your e-mail address appears in credential lists captured by attackers; if it does, change the affected password and the password of every other account where you reused it:

    HPI Identity Leak Checker

    Have I Been Pwned