The University of Sheffield
Corporate Information and Computing Services

Managing Multiple Passwords

For many years CiCS has been offering advice on choosing a secure password to use with University services.

We must now emphasise that to keep it secure, you must not use your University password with any external IT service.

We have seen increasing numbers of external websites being compromised and University passwords being captured. This puts the security of University services and data at risk. Therefore it is vitally important that you use different, secure passwords for external IT services.

The information on this web page is designed to help you select and manage multiple passwords. As a minimum, you should think in terms of four categories of passwords as follows.

University Passwords

You have one University password for all University IT services, and a second VPN password for secure off-campus access.

CiCS ensures your VPN password is secure by generating it from random characters. However, you must ensure your University password is secure by following the advice linked below:

Choosing a secure password

Under no circumstances should you use your University password or your VPN password with any external IT service.

Financial Passwords

You may have multiple bank/building society and credit card accounts. These institutions have very secure online services, but credentials are often seized by criminals using malware and phishing scams.

Ideally each financial password should be secure and unique, but you must not have so many passwords that you need to write them down. One compromise is to use a common theme that allows you to have unique financial passwords which share a common link. You should choose a theme that is quite personal to you.

Good advice on choosing passwords using a theme is available in the following blog post:

Choose and Remember Great Passwords

Social Media Passwords

Social media (Facebook, Twitter etc.) credentials are becoming increasingly important to criminals as they give access to so many interconnected aspects of a person’s life. You absolutely must not use your University password to access a social media service. Also, you should not reuse your financial passwords on social media services.

Ideally, you should have a different password for each social media site, but it may be more realistic to have a second, less demanding collection of themed passwords.

Disposable Password

Finally, there are websites that just ask for a password to gain access to something unimportant, for example software drivers, clipart or opinion polls. In this case it makes no difference if someone gets that password, as long as it isn’t the same as your important passwords above. For such websites we recommend the use of non-University email accounts when registering; you may even wish to set up a disposable mail account just for this purpose. Strict password security is not as essential here, but you must ensure that you do not reuse a password that would allow someone to access your sensitive accounts.