Passwords: from zero to hero

Today (Thursday 7 May 2020) is World Password Day! To mark the occasion Chloe Gibb from IT Services shares her tips and advice for improving and managing your passwords, an important element of the University's Cyber Security Programme:

The story goes, you’re signing up to a new website or app and those dreaded words appear on screen - choose a new password. After trying for a good 20 minutes to come up with something memorable that passes the minimum password criteria, you’d be forgiven for running away and screaming into a pillow. Or more likely you throw in your tried and tested password you use for everything else, so you can get on with your day.

This is common behaviour and understandable. It was how I approached passwords prior to joining IT Services a year ago as the Communications and Engagement Officer for the Cyber Security Programme.

Part of the Programme requires all staff to change their University computer account password; I hadn't realised until joining the team that every year our IT Security team deals with thousands of accounts that are potentially compromised because the same password was also used somewhere else. This activity was recently brought forward in response to our rapid move to remote working and the increased threat from cyber criminals who are playing on the fear and uncertainty surrounding the coronavirus pandemic. So, this World Password Day I wanted to share some of the advice and tips I've picked up, with the aim of making it quick and painless to change your password.

With only a hint of shame, here’s a look at my idea of password management then and now:

Then - password zero

Now - password hero

Then: I used to keep passwords in notepads, on post-its stuck to my screen and in diaries. Or, possibly the most embarrassing mistake I made, individually emailing myself the login details for each website and storing the emails in a logins folder. I won't forget the sound of gasps from the Information Security team when I admitted to it.

Now: I got one of the password managers recommended by University IT Services. I didn't know this sort of solution existed, and it has made storing and accessing passwords so much simpler.

Password managers are applications that store your login credentials (usernames, passwords and often other secrets) in an encrypted vault that you unlock with a single master password. That master password is the one you still have to remember, so it needs to be long and used nowhere else.

Then: I used passwords that were simple, personal and easy to remember (and to guess!).

Now: I have a password manager, so I no longer need to write down passwords or try to remember them. It means I can confidently follow security standards and use longer, randomised passwords like G9nM3@Rb6!f4$ (this is not my password, by the way, but for security reasons I don't encourage using this exact example in real life!).

Password managers can automatically generate strong passwords for you, drawing each character at random rather than from anything a person would think of, and tell you the strength of any passwords you decide to create yourself. Some will even estimate how long it would take to crack your password. Treat that figure as a rough guide: it assumes a particular guessing speed, and a meter that only counts length and character types cannot tell that a password which looks varied, or any password that has been published anywhere (including the example above), is already sitting in the wordlists attackers try first.
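As an added illustration of what a manager's generator and strength meter are doing underneath (example code written for this page, not from any particular product or from University IT Services): the password is drawn from a cryptographic random source, the nominal strength is the number of possible passwords of that length over that character pool, and the crack-time figure is just that count divided by an assumed guess rate. The 10^10 guesses per second rate, the 94-character pool and the tiny common-password list are assumptions for the demonstration; the list stands in for the multi-gigabyte breached-password wordlists a real attacker starts with.

```python
import math
import secrets
import string

# Assumed character pool for generated passwords (the page does not specify one): 52 + 10 + 32 = 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for the leaked-password wordlists an attacker tries before any brute force.
COMMON_PASSWORDS = {"password", "password1", "Password123!", "qwerty", "letmein", "123456"}

# Assumed guess rate: a GPU rig against a fast unsalted hash is in the region of 10^10 guesses/s.
GUESSES_PER_SECOND = 1e10


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character independently from the OS CSPRNG via `secrets` (never `random`)."""
    if length < 12:
        raise ValueError("generate at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pool_size(password):
    """Size of the smallest standard pool (lower/upper/digit/symbol) containing every character.
    Characters outside those four ASCII classes are not counted towards the pool."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return pool


def entropy_bits(password):
    """Nominal entropy, log2(pool ** length): exact for a randomly generated password,
    an over-estimate for anything a human chose."""
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def average_crack_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to guess: on average half the keyspace has to be tried."""
    return (2.0 ** bits) / 2 / guesses_per_second


def strength_report(password):
    """The meter a manager shows: entropy and crack time, but a known password is rated as such."""
    if password in COMMON_PASSWORDS:
        # Anything in the wordlist falls on the attacker's first pass; strength is ~log2(list size).
        bits = math.log2(len(COMMON_PASSWORDS))
        note = "found in common-password list"
    else:
        bits = entropy_bits(password)
        note = "nominal figure, assumes every character was chosen at random"
    return {
        "bits": round(bits, 1),
        "avg_crack_seconds": average_crack_seconds(bits),
        "note": note,
    }


if __name__ == "__main__":
    for pw in (generate_password(20), "G9nM3@Rb6!f4$", "Password123!"):
        print(pw, strength_report(pw))
```

Run on the article's own example, strength_report gives roughly 85 bits and an average crack time in the tens of millions of years at the assumed rate, while Password123!, which mixes the same four character classes, is flagged as a known password. A meter that only counted character classes would rate both at well over 70 bits, which is the failure mode the caveat above is about.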

Then: I reused the same password over multiple websites.

Now: It took getting hacked last year for me to realise why the experts tell you not to reuse your password. It was inconvenient and time-consuming (literally hours) changing the hacked password everywhere else I was using it. If these criminals have your credentials for one thing, it's only a matter of time before they try it for everything else.

This is exactly what attackers do: username and password pairs leaked from one site are replayed against other sites automatically (credential stuffing), so a reused password is only as safe as the weakest site it is used on. To protect the University's confidential and sensitive data, it's important to follow its advice not to use your University account password for anything else.

My password manager allows me to keep track of each unique password, so I'm now less tempted to reuse the same one.

You can also set password managers to safely, conveniently and automatically fill usernames and passwords on websites, so there's even less reason to make the same mistakes I have with your password management. Most managers will only offer to fill a login on the site it was saved for, so if a page that looks like a familiar login gets no offer, that is a useful prompt to check the address before typing anything.

Then: I kept the same passwords for years and years. I was using the same credentials I used to log in to MSN Messenger in 2003 to access Instagram in 2019!

Now: Security has improved massively since 2003, but in the meantime many big websites have been breached (e.g. Yahoo, LinkedIn, Adobe). You can check whether your email address appears in a known breach at the excellent (if strangely named) www.haveibeenpwned.com. Having checked my accounts on the service, I realised how important it was to do some housekeeping, and I have refreshed all my passwords.

A great feature of some password managers is a notification when your password is due for an update, or when a site you have an account on appears in a newly reported breach. When that happens, change the password on the breached site straight away, and anywhere else the same one was used.
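The account check above works on email addresses. The Pwned Passwords side of the same service is what several managers use to tell you that a stored password has itself turned up in a breach, and it is worth seeing how that is done without the password ever leaving your machine. This is an added example, not code from haveibeenpwned.com, from any manager, or from the article: the password is hashed with SHA-1, only the first five hex characters of the hash are sent, the server returns every hash suffix in that bucket, and the comparison happens locally (the k-anonymity range query the real API uses). The breach corpus, its counts and the in-process stand-in for the server are constructed so the example runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for the breached-password corpus: password -> times seen in breaches.
# The counts are made up for the example; only the lookup mechanism matters here.
BREACHED_PASSWORDS = {
    "password": 5000000,
    "123456": 9000000,
    "letmein": 250000,
    "qwerty": 4000000,
    "G9nM3@Rb6!f4$": 1,  # a password printed in an article belongs in the burned list
}

PREFIX_LEN = 5  # the real API keys on the first 5 hex chars of the SHA-1 (16^5 buckets)


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket hashes by prefix, keeping only the 35-char suffix and the count."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_response(prefix, index=RANGE_INDEX):
    """Simulates GET /range/{prefix}: every suffix in the bucket, one 'SUFFIX:COUNT' line each.
    The server only ever learns the prefix, which many unrelated passwords share."""
    bucket = index.get(prefix.upper(), {})
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def pwned_count(password, lookup=range_response):
    """Client side: hash locally, send the prefix, compare suffixes locally.
    Returns how many times the password was seen in breaches (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def vault_breach_report(vault):
    """What a manager's breach check does across a vault: {site: times seen} for every hit."""
    report = {}
    for site, pw in vault.items():
        count = pwned_count(pw)
        if count:
            report[site] = count
    return report


if __name__ == "__main__":
    # Constructed vault: one reused classic, the article's example, and a fresh random one.
    vault = {"webmail": "password", "photos": "G9nM3@Rb6!f4$", "bank": "x7Qp!2vL9#mW4rT"}
    print(vault_breach_report(vault))
```

The design point is in pwned_count: the full hash is never transmitted, so the service cannot tell which of the passwords in the returned bucket you were asking about, yet the answer is exact. A manager running this over every entry in the vault is the "you have been breached" notification described above.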

How to create a strong password and the recommended password managers:

Password advice

Join the 2,000+ staff and students who have taken the new Cyber Safety training. It's regularly updated to include information about current threats and advice on how to stay safe from attackers:

New cyber safety training

Questions? The IT Service Desk is ready to help.