Shoulder Surfing

Shoulder surfing is the term used when someone is looking over your shoulder and observes you entering your password, e.g. on the train or in the park. When entering passwords on smartphones, the letters and characters are sometimes displayed for a short amount of time, which makes it even easier for others to read along. Always make sure that no one is able to read along when you enter sensitive information, such as your password. For laptop screens there are special privacy filters which make it difficult for others to read what is on your screen.

Social Engineering

Social Engineering means that an attacker directly contacts his potential victims and tries to obtain confidential information by false statements and fraud. Phishing also belongs to this category (more information can be found here). However, personal contact or contact via phone is possible. Attackers often disguise themselves as support in order to get your password. No support, in particular no IT support, would ask you for your password, neither via e-mail nor at the phone. Never disclose your password to anyone.

Keylogger

A keylogger is usually placed on your computer by malware. Once a keylogger is placed on your computer, it records all your keystrokes and sends the information to the attacker. Do not download any software from dubious Internet websites and do not open attachments from unknown senders.

More about malware and information on how you can protect yourself can be found here.

Sniffing

The term sniffing attack is used when the network traffic and the data transmitted are intercepted, e.g. the password used for login on a specific site. In particular if you are using external and public wireless networks, you should exclusively use encrypted connections such as HTTPS. If you process internal information of the university, please activate the VPN connection to the university’s network.

Database is hacked

It is quite common that online services do not sufficiently protect their websites and, in particular, their password database. Once attackers have gained access to the database, it is easy for them to do more harm, if the database storing the password is not encrypted. It is quite common that the user accounts and/or e-mail addresses are stored together with the corresponding passwords. Since many online services use e-mail addresses for login, attackers may try to login to other services, such as PayPal, by using the same combination of e-mail address and password. It is therefore indispensable that you use an individual password for each service that you use.

Dictionary attack

Attackers may also exploit the fact that many passwords consist of existing words. This is called a dictionary attack. Attackers use so-called rainbow tables as lists of hash values of names, locations and words from different dictionaries. These lists can be easily found on the Internet. The attacker then only needs to compare the rainbow tables to the hash value of the password.

* hash value: Passwords are transformed into hash values which are then stored. These values are unique and cannot be traced back to the original password.

Brute force attack

The term brute force attack is used when an attacher tries all possible combinations of letters, numbers and symbols to “guess” the password. Depending on the passwords’ length and complexity, the attacker has hacked the password in a few seconds. A long and complex password with lower case and upper case letters, numbers and symbols offers good protection against this kind of attack.

Uni-ID

As employee or student at the University of Mannheim, you are assigned a user ID. This user ID is required to access your e-mail account, Ilias or fileshare.

For more information on your user ID, please refer to id.uni-mannheim.de.

Please note that this page is only available in the network of the University of Mannheim. If you are located elsewhere, a VPN connection is required.

Your e-mail account requires special protection

There are different reasons why your e-mail account requires special protection and therefore a complex and, most importantly, unique password.

• If attackers have access to your e-mail account, they are able to reset the passwords for other services. This means the attacker can access the services and all data stored there.
• E-mail addresses are commonly used as login for further services. If you use your e-mail password also for other services, it is easy for the attacker to login to every account.
• Attackers use hacked e-mail accounts to receive information on persons you are communicating with.

The Windows password prevents other people from accessing your computer and the information stored on your computer.

Change your Windows password

• To change the password on your local computer, press “alt+ctrl+delete” at the same time and chose the option “change password”.
• Now you have to enter your old password once and your new password twice.

What is a password manager?

A password manager is a type of vault in which you can securely store your passwords so that you can access them when needed. Depending on the type of password manager, the program offers additional functions such as the possibility to create random passwords, to add notes or to store identity and payment data.

• You only need to memorize one password, the key password, in order to access all other passwords.
• Since you do not need to memorize the individual password, it is easy to create an individual password for every user account.
• By using the password generator which is often integrated you can create complex, random and secure passwords.
• Many password managers have two-factor authentication by using a key file.

What are the downsides?

• If you forget your key password, lose the key file or the entire database, none of the passwords can be accessed anymore. Therefore, it is important to create back-ups of the key file and database.
• If the key password becomes known to another person, this person can access all passwords. It is therefore indispensable that the key password is complex and secure.

Keepass and its conditions of use

A password manager is not centrally provided by the University of Mannheim, however, we recommend the free password manager “KeePass”.

If you use KeePass on a computer provided by the university, the following conditions of use have to be observed:

• Master password: at least 12 characters, uppercase and lowercase letters, symbols and numbers
• Password database: only accessible by you
• Backup: backup of the password database and key file, if applicable, has to be ensured
• Cloud services: NOT to be used for the backup or synchronization of the password database

Please find detailed instructions on how to use KeyPass here (in German).