The use of passwords has become ubiquitous in our everyday life. Logging in to your e-mail account or unlocking your smartphone... Passwords and PINs are everywhere. It is therefore more important than ever to use secure passwords. But what is a secure password, and how do I memorize more and more passwords? On this page, you will find the answers to these questions and to many more password questions.
Besides the basic requirements for passwords mentioned above, you should also observe the following:
How are passwords “hacked”? How do I create a secure password which I am able to memorize? Is there a secure method to save passwords?
Answers to these questions can be found below.
Shoulder surfing is the term used when someone is looking over your shoulder and observes you entering your password, e.g. on the train or in the park. When entering passwords on smartphones, the letters and characters are sometimes displayed for a short amount of time, which makes it even easier for others to read along. Always make sure that no one is able to read along when you enter sensitive information, such as your password. For laptop screens there are special privacy filters which make it difficult for others to read what is on your screen.
Social engineering means that an attacker contacts potential victims directly and tries to obtain confidential information through false statements and fraud. Phishing also belongs to this category (more information can be found here). However, contact may also be made in person or by phone. Attackers often pose as support staff in order to get your password. No support team, in particular no IT support, would ever ask you for your password, neither via e-mail nor by phone. Never disclose your password to anyone.
A keylogger is usually placed on your computer by malware. Once a keylogger is placed on your computer, it records all your keystrokes and sends the information to the attacker. Do not download any software from dubious Internet websites and do not open attachments from unknown senders.
More about malware and information on how you can protect yourself can be found here.
The term sniffing attack is used when the network traffic and the data transmitted are intercepted, e.g. the password used for login on a specific site. In particular if you are using external and public wireless networks, you should exclusively use encrypted connections such as HTTPS. If you process internal information of the university, please activate the VPN connection to the university’s network.
Database is hacked
It is quite common that online services do not sufficiently protect their websites and, in particular, their password database. Once attackers have gained access to the database, it is easy for them to do more harm, if the database storing the password is not encrypted. It is quite common that the user accounts and/
Attackers may also exploit the fact that many passwords consist of existing words. This is called a dictionary attack. Attackers use so-called rainbow tables as lists of hash values of names, locations and words from different dictionaries. These lists can be easily found on the Internet. The attacker then only needs to compare the rainbow tables to the hash value of the password.
* hash value: Passwords are transformed into hash values which are then stored. These values are unique and cannot be traced back to the original password.
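To illustrate why an unencrypted password database and a precomputed table of hash values are such a dangerous combination, here is an added example (not part of the original page): it stores one password as a plain SHA-256 hash and recovers it with a single table lookup, then stores it with a random per-user salt and a slow key-derivation function so that the same table is useless. The word list and the iteration count are constructed placeholders.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for the word lists the page mentions (placeholder values).
WORDLIST = ["mannheim", "frankfurt", "password", "summer2020", "letmein"]
ITERATIONS = 200_000  # assumed work factor for PBKDF2; tune for your hardware


def unsalted_hash(password: str) -> str:
    """Naive storage: plain SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precomputed table hash -> word: the principle behind the lists the page describes.
    It only has to be built once and then works against every unsalted database."""
    return {unsalted_hash(w): w for w in words}


def recover_from_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """With unsalted hashes a single dictionary lookup reveals the password."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened storage: random 16-byte salt per user plus PBKDF2-HMAC-SHA256.
    The salt makes every stored value unique, so no precomputed table matches."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time comparison avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted lookup:", recover_from_table(unsalted_hash("mannheim"), table))
    salt, digest = salted_hash("mannheim")
    print("salted lookup:  ", recover_from_table(digest.hex(), table))
    print("verify:         ", verify_salted("mannheim", salt, digest))
```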
Brute force attack
The term brute force attack is used when an attacker tries all possible combinations of letters, numbers and symbols to “guess” the password. Depending on the password’s length and complexity, the attacker may have cracked it within a few seconds. A long and complex password with lower case and upper case letters, numbers and symbols offers good protection against this kind of attack.
Think of a sentence which is easy to memorize:
“The distance between Mannheim and Frankfurt is more than 13 kilometers”
Now take the first letter of each word and compose your password:
T d b M & F = m t 13 k.
Tip: Replace words by suitable symbols (e.g. “and“ becomes “&” or “is” becomes “=”)
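The sentence method above and the brute-force section before it can be put together in code. This added example (not from the original page) derives the password from the page's sample sentence using the two substitutions from the tip, then estimates the size of the search space a brute force attack would have to cover. The symbol-set size of 32 and the guess rate are assumptions for the estimate, not figures from the page.

```python
import math
import string

# Substitutions from the page's tip: "and" -> "&", "is" -> "="
SUBSTITUTIONS = {"and": "&", "is": "="}
SYMBOL_SET_SIZE = 32  # assumed number of printable ASCII symbols an attacker would try


def derive_password(sentence: str) -> str:
    """First letter of each word; numbers are kept whole; listed words become symbols."""
    parts = []
    for word in sentence.split():
        token = word.strip(".,!?\"“”")
        if not token:
            continue
        low = token.lower()
        if low in SUBSTITUTIONS:
            parts.append(SUBSTITUTIONS[low])
        elif token.isdigit():
            parts.append(token)
        else:
            parts.append(token[0])
    return "".join(parts)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += SYMBOL_SET_SIZE
    return size


def brute_force_combinations(password: str) -> int:
    """Number of candidates of the same length over the assumed alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    return math.log2(brute_force_combinations(password))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case search time at an assumed guess rate (placeholder figure)."""
    return brute_force_combinations(password) / guesses_per_second
```

Running `derive_password` on the page's sentence yields `TdbM&F=mt13k`, about 78 bits of keyspace, versus under 38 bits for an eight-letter lowercase word.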
Think of two independent words:
Now combine these words:
Capitalize randomly at least once:
Now add numbers and/
At the end you add symbols and/
Combinations of words
When using this method you take a random, incoherent sequence of words or fantasy words as password.
Please note: This method is not suitable for passwords of the user ID, since the password for the user ID allows for a maximum of 20 characters.
As an employee or student at the University of Mannheim, you are assigned a user ID. This user ID is required to access your e-mail account, Ilias or fileshare.
For more information on your user ID, please refer to passwort.uni-mannheim.de.
Please note that this page is only available in the network of the University of Mannheim. If you are located elsewhere, a VPN connection is required.
Your e-mail account requires special protection
There are different reasons why your e-mail account requires special protection and therefore a complex and, most importantly, unique password.
The Windows password prevents other people from accessing your computer and the information stored on your computer.
What is a password manager?
A password manager is a type of vault in which you can securely store your passwords so that you can access them when needed. Depending on the type of password manager, the program offers additional functions such as the possibility to create random passwords, to add notes or to store identity and payment data.
What are the downsides?
Keepass and its conditions of use
A password manager is not centrally provided by the University of Mannheim, however, we recommend the free password manager “KeePass”.
If you use KeePass on a computer provided by the university, the following conditions of use have to be observed:
Please find detailed instructions on how to use KeePass here (in German).