Passwords

Password Security

Guessing one of your passwords may enable a criminal to access many of your systems, your money, your identity, etc. Never share your password with anyone.

IT Services and your local IT support staff will never ask for your password.

There is no hard and fast rule for what constitutes a "secure" password, and different sites and services have varying requirements which can restrict the password that you actually choose. Ultimately, a good password is one that you can remember but that nobody else knows. The trick is maintaining both of those conditions at once! This page is intended to give you some practical tips on choosing and managing your passwords.

For a secure password, do not use:

  • Your username (whether identical, reversed or rearranged)
  • Your first or last name or date of birth
  • Names or dates of birth of your nearest and dearest
  • Your house name or your home street
  • Dictionary words

Good passwords will often be a mixture of:

  • Long - an absolute minimum of 8 characters, ideally at least 12;
  • Complex - not simply one or two dictionary words, or a derivative of them;
  • Random - not linked to you in any way (no dates of birth, dog’s names, etc.);
  • Unique - different for every single service you use
  • Including some upper-case (A-Z) and lower-case (a-z) letters, some digits (0-9), and some other printable characters (e.g. ,;:?%^*[]{}+-) if permitted

Passwords vs passphrases

Essentially passwords and passphrases are the same thing. However, by thinking of long pass-phrases rather than short, complex pass-words you can often come up with passphrases that are both very strong and easy to remember. As an example, consider the passphrase "thisisareallygoodpassword". Although this uses only lowercase letters of the alphabet, the length (25 characters) means that trying every possible combination of letters would take an attacker at least somewhere in the region of 7.83 hundred billion centuries (and that is at one hundred trillion guesses per second)!! Of course, if you use this particular passphrase it might take an attacker considerably less time, since it is made of ordinary dictionary words, so do think of something better!

Adding padding

Long passphrases therefore don't necessarily need to be particularly complex. You can also add length quite easily without making passphrases harder to remember, for example by adding punctuation marks at the beginning or end of your passphrase. Take the passphrase above with five exclamation marks at the end (i.e. "thisisareallygoodpassword!!!!!"). At the same rate of guessing as above, this increases the time necessary to try every possible combination to a whopping 4.32 hundred thousand trillion trillion centuries!!
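The two figures above (for the plain passphrase and for the padded one) come from a simple search-space model: an attacker who knows nothing about the passphrase has to try every string, of every length up to the real one, over the set of character classes it uses. The script below is an added illustration of that model and is not code from IT Services or from the grc.com site; it assumes the same character-class sizes the haystack model uses (26 lower, 26 upper, 10 digits, 33 symbols including space) and a guessing rate of one hundred trillion per second, and the function and variable names are its own. It shows how padding with a few punctuation marks changes both the alphabet size and the length, which is why the estimate jumps so dramatically. Note that the model only describes exhaustive guessing: a passphrase built from dictionary words falls to a wordlist attack far sooner, which is the caveat in the text above.

```python
import string

# Character classes, following the "haystack" search-space model linked from this page.
# The attacker's alphabet is assumed to be the union of the classes actually present.
SYMBOLS = set(string.punctuation + " ")          # 33 printable symbols incl. space (assumption)
CLASSES = {
    "lower": set(string.ascii_lowercase),        # 26
    "upper": set(string.ascii_uppercase),        # 26
    "digit": set(string.digits),                 # 10
    "symbol": SYMBOLS,                           # 33
}

GUESSES_PER_SECOND = 1e14                        # one hundred trillion, as in the text
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(passphrase: str) -> int:
    """Size of the alphabet an attacker must search: sum of the classes present."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in passphrase))


def search_space(alphabet: int, length: int) -> int:
    """Number of candidates of length 1..length over an alphabet of the given size.

    Shorter strings must be tried too, so this is the geometric series
    alphabet + alphabet**2 + ... + alphabet**length (exact, using Python ints).
    """
    return sum(alphabet ** k for k in range(1, length + 1))


def centuries_to_exhaust(passphrase: str,
                         guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time, in centuries, to try every candidate at the given rate."""
    space = search_space(alphabet_size(passphrase), len(passphrase))
    return space / guesses_per_second / SECONDS_PER_CENTURY


def compare(base: str, padded: str) -> float:
    """How many times longer exhaustive search takes for `padded` than for `base`."""
    return centuries_to_exhaust(padded) / centuries_to_exhaust(base)


if __name__ == "__main__":
    # Constructed sample inputs: the two passphrases discussed on this page.
    for phrase in ("thisisareallygoodpassword", "thisisareallygoodpassword!!!!!"):
        print(f"{phrase!r}: alphabet {alphabet_size(phrase)}, length {len(phrase)}, "
              f"about {centuries_to_exhaust(phrase):.3g} centuries to exhaust")
    print(f"padding multiplies the search time by about "
          f"{compare('thisisareallygoodpassword', 'thisisareallygoodpassword!!!!!'):.3g}")
```

Running it reproduces the order of magnitude of both figures in the text (roughly 7.8e11 centuries for the 25-letter phrase and roughly 4.3e29 for the padded one; the last digits differ slightly depending on the day-count used for a century). The important lesson is in `alphabet_size`: adding even one symbol grows the alphabet from 26 to 59 for every position, not just the padded ones.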

Of course there are other factors to consider when creating "secure" passwords and passphrases, but this hopefully gives you some useful tips. For more information and to experiment with different passphrases check out https://www.grc.com/haystack.htm. Please note though: DO NOT PUT ANY REAL PASSWORDS INTO THIS SITE!

Some more simple tips for better web password security

Graham Cluley, senior technology consultant at Sophos, explains a simple way of creating a complex, hard-to-guess password, and why you should never use the same password on different sensitive websites.


For even more security use two-factor authentication where possible:

  • Your bank and financial accounts may already use extra verification like this, e.g. sending a text to your mobile if someone else tries to log in to your account, or if you log in from a computer you've not used before.
  • It is also available in many other services like Facebook, Twitter and Google, but you have to enable it in the settings.

How to remember so many passwords

  • Storing passwords in your Internet browser carries risks
  • Make a password easy for you to remember but hard for others to guess
  • So long, memorable phrases are often better than short, complex passwords, e.g. 'correcthorsebatterystaple' (but don't use this one!)

Songs and poems

Why not choose the initial letters of the words in a line from a favourite song or poem? For example, 'Shall I compare thee to a summer's day?' becomes 'S1ctta5d?' (but don't use this one!). Note the capital letter, the digits standing in for letters, and the punctuation.

If you do write a password down, don't leave it lying around, stick it to the underside of your keyboard or on your monitor, or store it in a folder or document called Passwords! Add it as a scribble on an already busy page instead.

You can create your own version of two-factor authentication

Use one long, complex master passphrase on all sites, but combine it with an individual suffix or prefix for each site:

  • Write down those suffixes/prefixes, which are different for every site
  • You can even carry those suffixes/prefixes in your wallet
  • You remember one master password like 'correcthorsebatterystaple' (but don't use this one!) and prefix it with a different mini-password for each site. You keep an index of the mini-passwords in your wallet (you can take a photo of your list as a back-up). In your wallet your list looks like the example in the "Write down your passwords" section below.

Wallet passwords

Password managers

You can use password managers such as KeePass (open source) and others like Google Authenticator, LastPass, 1Password, PCTools random password generator and SuperGenPass.

Use a strong master phrase for the password manager and NEVER use it anywhere else.

Write down your passwords

If you have to write passwords down, do it securely (see the sections above). The wallet list holds only the per-site prefixes, never the master passphrase:

  Amazon      6f5nJ
  Facebook    1qllt

So to log in to Facebook you would enter your email address and '1qlltcorrecthorsebatterystaple'.

What if you think someone has your password?

If someone else does find out your password, you must change it immediately.

If you think you may have given your account details to someone else in response to an email (phishing):

  1. Don't panic - mistakes do happen.
  2. Change your password as soon as possible via the registration website or via your local IT support staff.
  3. Let your local IT support staff know.
  4. If you still have a copy of the email, please forward it to phishing@it.ox.ac.uk so we can help others avoid making the same mistake.

Please do not be afraid to own up: we would rather you told us than tried to cover up a mistake.

Don't use the Administrator account

  • Just like legitimate software, most malware requires Administrator privileges to be able to run on your computer, so running without them limits what a malicious program can do.
  • If you are using Windows, try where possible to use a limited (standard) account for your day-to-day activities.
  • Mac and Linux: do not log in as admin or root. Instead, use a command like sudo to perform the individual command-line operations that require root access.

Personal firewalls

  • A computer firewall acts as a virtual wall against intrusion from the internet
  • Microsoft Vista, XP and some other systems are supplied with a firewall as standard - check that the firewall is active
  • A range of open source and commercial products are available which provide basic protection against malicious attacks directed at your computer from the internet

Other sources of information


Written by IT Services. Latest revision 16 September 2014