Password Security

Passwords are the first line of defence against cybercriminals accessing your devices or online accounts. This makes them a valuable target for attackers trying to steal your sensitive personal information, such as your bank account details, address or date of birth.

Choosing a strong, unique password for each important account you have helps to protect against unauthorised access to your sensitive personal information. Using different passwords means that, should one of the systems you use be compromised, cybercriminals are unable to use the same credentials on other systems.

Choosing a Strong Password

  • Passwords should be at least 8 characters in length

  • Use a mixture of uppercase (A-Z), lowercase (a-z), numbers (0-9) and special characters (@ # ? < > ! £ $ % + -)

  • Avoid commonly used words or personal details e.g. your name, house/street name, phone number, family members' names, pets' names, place of birth, favourite sports team, etc., as these are often publicly available on social media

  • Do not use single words found in a dictionary, even if these are spelled backwards or in another language

  • Avoid using single words preceded or followed by a number (e.g. friday13, 37corvette)

  • Do not use passwords which contain three or more repeating characters (e.g. purple777)

  • Avoid using common keyboard patterns (e.g. qwertyuiop, 2wsx3edc4rfv)
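The rules in the list above, encoded as a checker. This is an added example and not part of the original guidance; the word list and keyboard patterns are constructed stand-ins for a real dictionary file and a fuller pattern set.

```python
import re

# Constructed, deliberately tiny word list standing in for a real dictionary file.
SAMPLE_DICTIONARY = {"friday", "corvette", "purple", "password", "dragon", "monkey"}

# The special characters named in the guidance.
SPECIAL_CHARS = set("@#?<>!£$%+-")

# Keyboard rows plus the column walk that the qwertyuiop / 2wsx3edc4rfv rule covers.
KEYBOARD_PATTERNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                     "1qaz2wsx3edc4rfv5tgb6yhn7ujm"]


def has_keyboard_walk(pw, run=4):
    """True if any `run` consecutive characters trace a keyboard row or column in either direction."""
    low = pw.lower()
    grams = {low[i:i + run] for i in range(len(low) - run + 1)}
    return any(g in p or g in p[::-1] for g in grams for p in KEYBOARD_PATTERNS)


def is_word_variant(pw):
    """True for a single dictionary word, the same word reversed, or a word wrapped in digits."""
    core = pw.strip("0123456789").lower()   # friday13 -> friday, 37corvette -> corvette
    return core in SAMPLE_DICTIONARY or core[::-1] in SAMPLE_DICTIONARY


def check_password(pw):
    """Return the list of rules the password breaks; an empty list means it passes them all."""
    failures = []
    if len(pw) < 8:
        failures.append("too_short")
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in SPECIAL_CHARS for c in pw)]
    if not all(classes):
        failures.append("missing_character_class")
    if is_word_variant(pw):
        failures.append("single_word")
    if re.search(r"(.)\1{2,}", pw):          # three or more of the same character in a row
        failures.append("repeated_characters")
    if has_keyboard_walk(pw):
        failures.append("keyboard_pattern")
    return failures
```

The three-random-words example from later on the page passes every rule, while the page's own bad examples each trip the rule written for them.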

A secure password is especially important for your primary e-mail account, as the password reset feature other systems use will often send new passwords or password reset links to this account.

Three Random Words

The current recommendation from the UK Government's Cyber Aware campaign is to use three random words. These can be any three words in any order, and numbers or special characters can still be used, for example 7blueElevat0rRis!ng33, but don't use words or phrases which are easy for other people to guess e.g. TheLionKing.

Some Important Password Advice

  • NEVER share your passwords with anyone

  • Do not reuse passwords – Always use a unique password for each important account you have

  • Do not write passwords down, send them in e-mails or text messages, or leave them unsecured anywhere (such as sticky notes stuck to monitors or underneath keyboards)

  • Do not use 'autocomplete' or 'Remember me' for passwords in your Web browser, as someone else could log in to your account if they have access to your device

  • Do not use your University password for any personal accounts such as social media apps, online banking, ecommerce accounts, or personal e-mail accounts such as Outlook or Gmail

Password Manager Apps

It can be difficult to remember a lot of complex passwords for many different systems. Fortunately, there are apps called 'password managers' which can securely store a variety of passwords for you and even generate strong passwords for your online accounts.

There is a variety of password manager apps available to download from online app stores; however, three free options we recommend for students are Dashlane, LastPass, and RoboForm Everywhere (free for education).

If you don't want to use a password manager app, it is possible to use a strong base password together with a system you can remember for turning it into a unique password for each site. For example, we could take the second and fifth letters of the site's name and place them between our three random words, or, better still, use the letter that follows each of them in the alphabet. So, using our '7blueElevat0rRis!ng33' example, our Facebook password would be '7bluebElevat0rcRis!ng33' and our Twitter password would be '7bluexElevat0ruRis!ng33'.

Two-Factor Authentication

Two-factor authentication (2FA) is an extra level of security designed to ensure that you're the only person who can access your account, even if someone else happens to know your password. Two-factor authentication uses a combination of something you know (your password) and something you hold (a generated code) or something you are (such as your fingerprint) to confirm your identity.

Many online banking applications, ecommerce sites and e-mail providers support two-factor authentication using a numeric code sent in a text message to your phone, which can only be used once. This means someone would need to have access to your phone as well as knowing your password to access your online account.

There are several methods for two-factor authentication including:

  • Receiving a text message

  • Receiving an automated phone call

  • Using an authentication app on your smartphone, such as Google Authenticator or Twilio Authy

  • Using a hardware token, such as Duo or YubiKey

  • Using biometric scanning, such as fingerprint (Touch ID) or facial recognition (Face ID, Windows Hello)

We recommend you enable two-factor authentication for your most important accounts to protect your sensitive personal information. There is a useful guide to enabling two-factor authentication for Google, Facebook, Twitter, Instagram and other popular online services here.

Digital Services is currently looking to enable the option to use two-factor authentication to access your University account. Please keep an eye on your University e-mail and this page for more information in due course.

Social Media Single Sign-In

Google, Facebook, LinkedIn and other social media services offer an option to seamlessly sign in to third-party websites using your social media account credentials.

This makes it easier to log in to these websites without needing to sign up for an account on the site or provide your sensitive personal information – you only need to remember the password for your social media account!

This also provides the benefits of the social media site's security mechanisms when logging in (such as two-factor authentication, account lockout protection, etc.) and means there is one less password you need to worry about being compromised if the third-party website suffers a breach.

There are, however, a few important things to be aware of when using this service:

  • If your social media account password is compromised, an attacker could use this to log in to not only your social media account but also any third-party site which you have authorised to use the social media site's log in

  • When you log in to a site using your social media account, the site might ask permission to collect data from your social media profile for marketing or tracking purposes. You should carefully review which data the site is requesting permission to access before you authorise this

I think my University account has been compromised, what should I do?

Always change your password immediately if you suspect that your University account or password has been compromised and report this to the IT Service Desk by phoning 01785 353800 or e-mailing 3800@staffs.ac.uk.