Strong passwords

Risks to passwords

Login credentials, i.e. the combination of username and password, are the most common way of logging in to access-protected devices such as your own computer and to personal services (cloud storage, email providers, online shops etc.). This makes credentials attractive to attackers, who could use them to:

  • order expensive goods or services at your expense
  • register for or deregister you from exams
  • 'attack' your friends or colleagues and thereby damage your reputation
  • access or manipulate your information
  • read your emails and send emails on your behalf

Criminals mostly try to steal login data using malware, attacks on the services themselves or phishing, or by guessing weak passwords through automated trial and error, better known as 'brute force' attacks. Passwords leaked from one service are also routinely tried against other services, which is why reusing a password is dangerous.

  • Recommendations for strong passwords

    When choosing a secure password, please consider the following requirements:

    • Passwords should be at least 12 characters long, the longer the better
      (exception: at least 20 characters for passwords that can be attacked offline, i.e. where an attacker can capture the encrypted data or handshake and try guesses at unlimited speed, such as the WPA2 key for WiFi access).
    • Passwords should always be a combination of upper and lower case letters, numbers and special characters (e.g. ?!%+...).
    • Passwords should not be words that can be found in dictionaries.
    • Passwords should not be names of family members, friends or favourite stars. Other personal information, such as dates of birth, should also be avoided.
    • Passwords should not consist of repetitive or keyboard patterns (e.g. 1234abcd, asdfgh, 1111aaaa).
    • Simple changes, such as prefixing or appending single digits or special characters (e.g. Sommer2024!), are predictable and should be avoided.
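    The rules above can be checked mechanically. The following checker is an added example written for this page, not a tool of the University; its word list and keyboard rows are constructed stand-ins (a real check would load a large cracking word list), and the rule on personal information cannot be checked without knowing the user, so it is left out.

```python
"""Password policy checker implementing the recommendations above (added example)."""
import re

# Constructed, deliberately tiny word list standing in for a real dictionary.
COMMON_WORDS = {
    "password", "passwort", "welcome", "sommer", "summer", "winter", "muenster",
    "qwerty", "letmein", "dragon", "monkey", "football", "hallo", "hello",
}

# Keyboard rows (US and German layouts) plus alphabet and digits, used to find
# runs such as "asdfgh", "1234" or "abcd", forwards and backwards.
SEQUENCES = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm",   # US/UK rows
    "qwertzuiop", "yxcvbnm",                # German rows
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
]

SPECIALS = set("?!%+-_.,:;#*$&/()=@<>")


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive keyboard/alphabet/digit characters."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in low:
                    return True
    return False


def _has_repetition(pw: str, run: int = 4) -> bool:
    """True if one character is repeated `run` or more times in a row (e.g. 1111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _strip_decoration(pw: str) -> str:
    """Drop digits/specials at both ends: 'Sommer2024!' -> 'Sommer'.

    This catches the 'dictionary word plus a few digits' pattern the page warns about.
    """
    return pw.strip("0123456789" + "".join(SPECIALS))


def check_password(pw: str, min_len: int = 12, offline: bool = False) -> list:
    """Return the list of violated rules; an empty list means the password passes.

    offline=True applies the stricter 20-character minimum for secrets that can be
    attacked offline (e.g. a WPA2 key).
    """
    problems = []
    required = 20 if offline else min_len
    if len(pw) < required:
        problems.append(f"shorter than {required} characters")

    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ]
    if not all(classes):
        problems.append("missing one of: lower case, upper case, digit, special character")

    core = _strip_decoration(pw).lower()
    if core in COMMON_WORDS or pw.lower() in COMMON_WORDS:
        problems.append("dictionary word (possibly with digits/specials added around it)")

    if _has_sequence(pw) or _has_repetition(pw):
        problems.append("keyboard pattern or repeated characters")
    return problems


if __name__ == "__main__":
    for candidate in ["Sommer2024!", "1234abcd1234", "Kr7$vB2!nQ9x"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

    Note that passing this check only means the password avoids the obvious weaknesses listed above; it says nothing about whether the password has already appeared in a breach, which the leak checkers at the end of this page cover.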


    With regard to managing your passwords, consider the following important guidelines:

    • Use different passwords for different services (Uni, Amazon, Google, eBay etc.).
    • Only enter your University password on University websites. If in doubt, check the authenticity of the website before entering.
    • Enter your passwords only on encrypted (https) and trustworthy websites.
    • Enter passwords only on trusted devices that are provided with basic security measures (antivirus software and firewall).
    • Never share passwords with third parties (not even employees of the University or the CIT of the University of Münster). No legitimate company will ever ask you to provide your password by phone or email.
    • Change preset (default) passwords, e.g. on a new router or a newly created account, before using the device or service.
    • Do not write down passwords on sticky notes, e.g. on your screen, or in unencrypted text files.
    • If you want to keep a list of your passwords, store them in a secure place that is inaccessible to third parties, such as a safe.
    • If your password becomes known, change it immediately or have your access blocked. For University login data, you can change your password via the IT portal or have your access blocked by contacting the CIT Service Counter or the Hotline.

  • Two-factor authentication

    For additional protection, a good option is to use two-factor authentication. More and more services offer this option, including the IT portal, Google, Apple, Microsoft, Dropbox and Amazon. When using two-factor authentication, you are asked to confirm your identity through a second channel when you log in. Often, short numerical codes are used for this, which are only valid for a very short period of time and are delivered via an app, email or SMS. Codes generated by an authenticator app on your own device are preferable to codes sent by SMS or email, which can be intercepted or redirected.

    The University of Münster uses two-factor authentication for an increasing number of services (Cisco AnyConnect VPN, VDI, IT portal, ...). A one-time password (OTP) is used as the second factor. Each OTP is valid for a single login only and cannot be used a second time. To generate one-time passwords, you need a one-time password generator (authenticator app), for example "Google Authenticator", which you install on your smartphone.

    Here you can find a selection of FAQs on one-time passwords.

    For setup instructions and recommendations for OTP generators for different operating systems, visit our info page on OTP.

  • Password manager

    To manage secure passwords without having to remember them all, a password management tool can be very helpful, e.g. KeePass. It stores your passwords in encrypted form in a password database, and all you have to do is remember one strong master password with which the password database is encrypted. If the master password is strong, the encryption is robust enough to store the password database in cloud storage (for example, sciebo), so you can access your passwords from anywhere. Bear in mind that a copy in the cloud can be attacked offline, so the master password should meet the stricter length recommendation above (at least 20 characters); KeePass can additionally require a key file that you keep only on your own devices, so the database cannot be opened with the master password alone.

  • Password generator

    There are many different options for generating secure passwords. The following password generator presents a few of these options. It also includes a password strength check to help you come up with a secure password.
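    The generator referred to above is an interactive page element and is not reproduced here. As an added example, the following code shows the two usual ways of generating a password that satisfies the rules on this page: random characters from all four character classes, and a passphrase made of random words. The word list is a constructed stand-in (a real generator would use a published list such as the EFF word list); the important point is that both use `secrets`, the operating system's cryptographic random generator, and not `random`, whose output is predictable.

```python
"""Password and passphrase generation with a cryptographic RNG (added example)."""
import math
import secrets
import string

SPECIALS = "?!%+-_.,:;#*$&/()=@"
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SPECIALS

# Constructed, tiny word list for demonstration only (16 words = 4 bits per word).
WORDS = ["amber", "bottle", "canvas", "delta", "ember", "fossil", "glacier", "harbor",
         "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper"]


def random_password(length: int = 16) -> str:
    """Uniformly random characters; regenerated until every class is present.

    The retry loop slightly reduces entropy compared with the raw figure from
    entropy_bits(), but guarantees the mixed-class rule is met.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw)):
            return pw


def passphrase(words: int = 5, sep: str = "-") -> str:
    """Diceware-style passphrase: easier to type than random characters, and long
    enough for the 20-character offline minimum with a few words."""
    return sep.join(secrets.choice(WORDS) for _ in range(words))


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of a string of `length` symbols drawn uniformly from `choices`: log2(choices**length)."""
    return length * math.log2(choices)


if __name__ == "__main__":
    print("random password:", random_password(16),
          f"(~{entropy_bits(len(ALPHABET), 16):.0f} bits)")
    print("passphrase:     ", passphrase(5),
          f"(~{entropy_bits(len(WORDS), 5):.0f} bits with this tiny list)")
```

    The entropy figures make the trade-off explicit: 16 random characters from 81 symbols give about 101 bits, while five words from a 16-word list give only 20 bits, which is why real passphrase generators use lists of several thousand words.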

  • Further Information

    You can find more information about passwords at the BSI.

    You can also use the following services to check whether your email address appears in credential lists captured by attackers in data breaches:

    HPI Identity Leak Checker

    Have I Been Pwned