Passwords

The password to your account is the key to the security of information, and more generally the integrity of the network system. Personal computer accounts must only be used by the individual to whom they were assigned and your password must not be disclosed to anyone.

It is your responsibility to be familiar with the University's "IT Code of Practice" and the "Regulations on the Use of Computing Facilities".

In particular you must adhere to the following:

  • Choose a strong password.
  • Do not tell anybody else your password.
  • Do not write your password down.
  • Do not use the same password for non-University systems.

If you have disclosed your password to anyone else, or suspect that someone else knows your password, you must change your password immediately. This can be done on our Computer User Account Management pages.

Managing multiple passwords

You must not use your University password with any external IT service.

We have seen increasing numbers of external websites being compromised and University passwords being captured. This puts the security of University services and data at risk. Therefore it is vitally important that you use different, secure passwords for external IT services. Advice on how to manage multiple passwords can be found on the Managing Multiple Passwords web page.

Choosing a strong password

Some passwords (names or words in the dictionary) can easily be broken using public domain software; others (car registration or telephone numbers) can be easily guessed. Therefore, never use a password that originates from your name, your partner's name, the name of your pet, etc.

Other techniques commonly thought to be secure, but which are not, are reversal and appending: a memorable word (or name) is simply reversed or repeated. Again, password cracking software can easily check for such ruses. So for example, do not use "egroeg" (the reversal of george) or "georgegeorge" (the appending of george to itself) or "georgeegroeg" (a reversal appending combination).

Similarly, it is not secure to use your username (or its reversal) as your password.

You should not just add a number onto an otherwise easily guessed password. Hence, for example do not use "johnny3". Also do not convert standard letters into numbers, for example replacing the letter "l" with the number "1" or the letter "o" with the number "0". So do not use something like "fe110w".
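
The ruses described above are mechanical transformations, which is why software can test for them so easily. The Python below is an added example, not part of the original page: it checks a candidate password against each of those patterns. The word list, the function names and the digit-for-letter pairs other than "1" and "0" are assumptions.

```python
"""Flag the guessable password patterns described above."""

# Digit-for-letter swaps: "1"->"l" and "0"->"o" are the page's examples;
# the remaining pairs are assumed, commonly seen variants.
LEET = str.maketrans("013457", "oleast")

# Constructed sample list; a real check would load a dictionary and name list.
WORDS = {"george", "johnny", "fellow"}


def shape(form, base):
    """Describe how `form` is derived from `base`, or return None."""
    rev = base[::-1]
    if form == base:
        return "same as"
    if form == rev:
        return "reversal of"
    if form == base * 2:
        return "repetition of"
    if form in (base + rev, rev + base):
        return "reversal combined with"
    return None


def weak_reasons(password, username, words=WORDS):
    """Return the reasons a password matches one of the guessable patterns."""
    pw = password.lower()
    stripped = pw.strip("0123456789")  # undo "just add a number"
    # Later keys win on duplicates, so the untransformed form is listed last.
    forms = {
        pw.translate(LEET): " after undoing digit-for-letter swaps",
        stripped: " after removing added digits",
        pw: "",
    }
    reasons = set()
    for base in words | {username.lower()}:
        for form, how in forms.items():
            kind = shape(form, base)
            if kind:
                reasons.add(f"{kind} '{base}'{how}")
    return sorted(reasons)
```

An empty list only means none of these patterns matched the supplied word list; it does not show that the password is strong.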

A good system to use when choosing a password is to think of a phrase that is memorable to you, then break this down to the first (or last) character of each word, and finally intersperse this with a few numbers. So for example, using the phrase "the geese fly backwards over Sheffield" you would break this down to "tgfbos" (or "eeysrd") and then mix in some numbers to end with a password of "t3gf4bos" (or "ee2y6srd"). Be wary, however, of using well-known phrases like quotations from Shakespeare ("tbontbtitq").

In addition, you should think about how fast you can type a password with a more difficult letter combination, particularly in the presence of others who may be able to observe and remember a slowly typed password.

Those with system rights access should be more careful about their choice of password and how regularly the password is changed.