Password security advice


Password Security

The use of passwords has become ubiquitous in our everyday life. Logging into your e-mail account or unlocking your smartphone... Passwords and PINs are everywhere. It is therefore more important than ever to use secure passwords. But what is a secure password, and how do I memorize more and more passwords? On this page, you will find the answers to these questions and to many more questions about passwords.

We also offer regular training courses on the use of secure passwords.

Training overview


At a glance

A secure password ...

  • has at least 10 characters
  • contains uppercase and lowercase letters, symbols and numbers
  • is known only to you
  • is unique to each user account

Tip: The longer your password, the more secure it is!


Additional useful tips

Besides the basic requirements for passwords mentioned above, you should also observe the following:

  • Your e-mail account requires special protection and should therefore have a unique and complex password. Below you will find more information on why your e-mail account needs this special protection.
  • Please change initial passwords immediately after your first login.
  • Please do not save any unencrypted passwords on your computer, in your browser or in external clouds. Your password should also not be on a sticky note next to your screen.
  • Check the answers to your security questions. Can someone find the answers, e.g. in social networks?
  • If your computer is infected with a virus or you suspect that your password has been stolen, you should immediately change your password.
  • Do not recycle old passwords.

Questions on password security

How are passwords “hacked”? How do I create a secure password which I am able to memorize? Is there a secure method to save passwords?

Answers to these questions can be found below.

  • How passwords can be “hacked”

    Shoulder Surfing

    Shoulder surfing is the term used when someone is looking over your shoulder and observes you entering your password, e.g. on the train or in the park. When entering passwords on smartphones, the letters and characters are sometimes displayed for a short amount of time, which makes it even easier for others to read along. Always make sure that no one is able to read along when you enter sensitive information, such as your password. For laptop screens there are special privacy filters which make it difficult for others to read what is on your screen.


    Social Engineering

    Social engineering means that an attacker contacts potential victims directly and tries to obtain confidential information by false pretences and deception. Phishing also belongs to this category (more information can be found here). However, personal contact or contact by phone is also possible. Attackers often pose as support staff in order to obtain your password. No support staff, in particular no IT support, would ever ask you for your password, neither by e-mail nor by phone. Never disclose your password to anyone.


    Keylogger

    A keylogger is usually placed on your computer by malware. Once installed, it records all your keystrokes, including your passwords, and sends them to the attacker. Do not download any software from dubious websites and do not open attachments from unknown senders.

    More about malware and information on how you can protect yourself can be found here.


    Sniffing

    The term sniffing attack is used when network traffic and the data transmitted over it are intercepted, e.g. the password used to log in to a specific site. Especially when you are using external or public wireless networks, you should only use encrypted connections such as HTTPS. If you process internal information of the university, please activate the VPN connection to the university’s network.



    Database is hacked

    It is quite common that online services do not sufficiently protect their websites and, in particular, their password databases. Once attackers have gained access to the database, it is easy for them to do further harm if the stored passwords are not encrypted. It is quite common that user accounts and/or e-mail addresses are stored together with the corresponding passwords. Since many online services use e-mail addresses for login, attackers may try to log in to other services, such as PayPal, using the same combination of e-mail address and password. It is therefore essential that you use an individual password for each service you use.


    Dictionary attack

    Attackers may also exploit the fact that many passwords consist of existing words. This is called a dictionary attack. Attackers use so-called rainbow tables, i.e. lists of hash values* of names, places and words from various dictionaries. Such lists can easily be found on the Internet. The attacker then only needs to compare the hash value of the stored password with the entries of the rainbow table.

    * hash value: Passwords are transformed into hash values, which are then stored instead of the password itself. A hash value cannot be reversed to recover the original password; however, the same password always produces the same hash value, which is exactly what a rainbow table exploits.


    Brute force attack

    The term brute force attack is used when an attacker tries all possible combinations of letters, numbers and symbols to “guess” the password. Depending on the password’s length and complexity, the attacker may crack the password within a few seconds. A long and complex password with lowercase and uppercase letters, numbers and symbols offers good protection against this kind of attack.

  • Methods for creating a secure password

    Memory aids

    Think of a sentence which is easy to memorize:

    “The distance between Mannheim and Frankfurt is more than 13 kilometers.”

    Now take the first letter of each word (keeping the number as it is) and join them to form your password:

    T d b M & F = m t 13 k.  (written without spaces: TdbM&F=mt13k.)

    Tip: Replace words by suitable symbols (e.g. “and“ becomes “&” or “is” becomes “=”)


    Combination passwords

    Think of two independent words:

    • Gas station & apple juice

    Now combine these words:

    • Applegasjuice, gasjuice, gasapple, …

    Capitalize randomly at least once:

    • gaSjUIce

    Now add numbers and/or replace letters:

    • gaS27jUIc3

    At the end you add symbols and/or replace letters:

    • g@S27_jUIc3

    Combinations of words

    When using this method, you take a random, incoherent sequence of words or made-up words as your password.

    Please note: This method is not suitable for the password of your user ID, since that password allows a maximum of 20 characters.

    Examples:

    • mooncakeshoppingcartparrotatlas
    • weave1001dark&SNconsole
    • Memory-aid “Aladdin/1001 Nights”:
      • Weave: magic carpet
      • 1001: 1001 nights
      • dark: night
      • SN console: Super Nintendo game
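
    The following Python script is an added example and is not part of the university's page: it builds a password with the memory-aid method above, checks it against the “at a glance” rules, and estimates the search space a brute force attack from the “How passwords can be hacked” section would have to cover. The small word list and the rule that a trailing punctuation mark stays attached to its letter are assumptions made for this example.

```python
import math
import string

# Substitutions suggested on the page: "and" becomes "&", "is" becomes "=".
SUBSTITUTIONS = {"and": "&", "is": "="}

# Constructed, deliberately tiny word list standing in for a real dictionary.
WORDLIST = {"password", "mannheim", "sunshine", "strawberry", "frankfurt"}

def mnemonic_password(sentence: str, subs: dict = SUBSTITUTIONS) -> str:
    """Memory-aid method: first letter of every word, numbers kept whole,
    listed words replaced by symbols. Assumed rule: a trailing '.', ',',
    '!' or '?' stays attached to the letter of its word."""
    parts = []
    for word in sentence.split():
        tail = word[-1] if word[-1] in ".,!?" else ""
        core = word[:-1] if tail else word
        if core.lower() in subs:
            parts.append(subs[core.lower()] + tail)
        elif core.isdigit():
            parts.append(core + tail)
        elif core:
            parts.append(core[0] + tail)
    return "".join(parts)

def character_classes(pw: str) -> dict:
    """Which of the four character classes from the 'at a glance' box occur."""
    return {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "numbers": any(c.isdigit() for c in pw),
        "symbols": any(c in string.punctuation for c in pw),
    }

def policy_findings(pw: str, wordlist: set = WORDLIST) -> list:
    """Return the rules a password violates (empty list means it passes).
    A plain dictionary word is flagged even if it is capitalized."""
    findings = []
    if len(pw) < 10:
        findings.append("shorter than 10 characters")
    findings += [f"no {name}" for name, ok in character_classes(pw).items() if not ok]
    if pw.lower() in wordlist:
        findings.append("is a dictionary word")
    return findings

def brute_force_bits(pw: str) -> float:
    """Search-space size in bits (length * log2(alphabet)), assuming the
    attacker knows which character classes were used. Each extra
    character adds a full log2(alphabet) bits, which is why length wins."""
    sizes = {"lowercase": 26, "uppercase": 26, "numbers": 10,
             "symbols": len(string.punctuation)}
    alphabet = sum(sizes[k] for k, used in character_classes(pw).items() if used)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0
```

    Running `policy_findings("Mannheim")` reports the missing classes and the dictionary hit, while the mnemonic password and the page's “g@S27_jUIc3” pass all rules.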
  • User ID and security question

    User ID

    As an employee or student at the University of Mannheim, you are assigned a user ID. This user ID is required to access your e-mail account, Ilias or the file share.

    For more information on your user ID, please refer to passwort.uni-mannheim.de.

    Please note that this page is only available in the network of the University of Mannheim. If you are located elsewhere, a VPN connection is required.


    Security question

    Security questions are mostly used to reset a password.

    At the University of Mannheim, the security question is used to reset the user ID. Users may choose their own security question, which, however, must have at least 4 and no more than 80 characters. The corresponding answer must have at least 10 and no more than 80 characters.

    Please observe the following tips when choosing your security question:

    • Please refrain from using standard security questions such as “My mother’s maiden name is” or “The name of my first pet”.
    • Keep in mind what others already know about you and what they might easily find out. Today, a lot of information about us is available on the Internet and, in particular, in social networks.
    • Choose an answer which does not correspond to the question.
      • Example: Question: “My favorite book?” Answer: “I love strawberry cake.”
  • E-mail account

    Your e-mail account requires special protection

    There are different reasons why your e-mail account requires special protection and therefore a complex and, most importantly, unique password.

    • If attackers have access to your e-mail account, they are able to reset the passwords of other services. This means the attacker can access those services and all data stored there.
    • E-mail addresses are commonly used as the login for other services. If you also use your e-mail password for other services, it is easy for the attacker to log in to every account.
    • Attackers use hacked e-mail accounts to obtain information on the people you are communicating with.
  • Windows password

    The Windows password prevents other people from accessing your computer and the information stored on your computer.

    Change your Windows password

    • To change the password on your local computer, press “Ctrl+Alt+Delete” at the same time and choose the option “change password”.
    • Now you have to enter your old password once and your new password twice.
  • Password manager

    What is a password manager?

    A password manager is a type of vault in which you can securely store your passwords so that you can access them when needed. Depending on the type of password manager, the program offers additional functions such as the possibility to create random passwords, to add notes or to store identity and payment data.


    What are the benefits of password managers?

    • You only need to memorize one password, the key password, in order to access all other passwords.
    • Since you do not need to memorize the individual passwords, it is easy to create a separate password for every user account.
    • By using the password generator that is often integrated, you can create complex, random and secure passwords.
    • Many password managers have two-factor authentication by using a key file.

    What are the downsides?

    • If you forget your key password, lose the key file or the entire database, none of the passwords can be accessed anymore. Therefore, it is important to create back-ups of the key file and database.
    • If the key password becomes known to another person, this person can access all passwords. It is therefore essential that the key password is complex and secure.

    KeePass and its conditions of use

    A password manager is not centrally provided by the University of Mannheim; however, we recommend the free password manager “KeePass”.

    If you use KeePass on a computer provided by the university, the following conditions of use have to be observed:

    • Key password: at least 12 characters, uppercase and lowercase letters, symbols and numbers
    • Password database: only accessible by you
    • Backup: a backup of the password database and, if applicable, the key file has to be ensured
    • Cloud services: NOT to be used for the backup or synchronization of the password database

    Please find detailed instructions on how to use KeePass here (in German).