Play infiltrators

Can you infiltrate different organisations and find the vulnerabilities to steal their data? Created by UWE Bristol PlayWest students working out of The Foundry.

Play now
Infiltrators main menu

Password insecurity and how to beat the bad guys

Who cares?

You, because criminal actions taken online are in your name, or your personal details and information could be stolen and used against you to:

  • commit fraud in your name
  • scam friends and family by pretending to be you
  • steal your money.

Why are Passwords insecure?

Once it's known, it's known - a computer cannot tell if it's really you using it or someone else.

If they're too weak they can be guessed, there are billions of passwords on the internet already. That number you added at the end, or in place of the letter - they're all known techniques.

Even if you have set a long strong password/phrase, if you've reused it on another site that gets breached it will get added to those online password lists forevermore and eventually they'll be tried against your various online accounts.

When should I change my password?

If you think there's a slight chance that someone else knows it, or you've reused it on another site, change it.

Check if your password has been found online via Pwned Passwords.

Where can I change it?

You can change your password yourself once you set up your security profile.

How do you improve them?

  • Make it longer - try three random words, things that would not exist together in a dictionary.
  • Make it unique - do not reuse it, if possible use a password manager to remember them all for you.

Two easy steps to make it harder for cybercriminals

Password security

  • Never share your password with anyone
  • Use a strong and unique password for every account
  • Consider using a password manager to keep passwords safe

MFA (multi-factor authentication)

  • It's free and easy to set up and use
  • Protects your identity
  • Increases your security

Multi-factor authentication (MFA)

Why you should use multi-factor authentication (MFA)

The short answer is because it will make things more secure. The long answer involves Ronald Reagan.

How to set up MFA

Multi-factor authentication (MFA) is more secure than just a password, because it requires something you know plus something you have. No hacker has your physical phone.

  1. Go to your security profile.
  2. Make sure you are signed in with your UWE Bristol email address and password.
  3. Select Security info.
  4. Now add a minimum of two security info methods:

Only the methods listed above will allow you to access Office 365 apps on personal devices (which includes your UWE Bristol email account). Email is another method, but can only be used for password reset authentication.

Important: If you only have one method of verification and that device is not available (for example, your mobile has no charge or it's been stolen), you will not be able to sign in to a service that requires MFA. Having additional methods of verification will also be useful when changing any of your devices.

Responding to MFA notifications

Your response to a MFA notification will depends on the security info method you set up:

  • Mobile app - tap the notification or open the Microsoft Authenticator app on your phone and tap approve or reject.
  • Text message - type the code received by text message into the login screen.
  • Phone call - answer the call and press the hash key (#) to confirm.

If you haven't tried to log in but receive a notification, you should either reject it or take no action.

If you receive unexpected alerts often, check whether you have any apps running in the background or on other devices. If you can't identify the source, contact the IT Service Desk for advice.


Make passwords difficult to guess by:

  • using a unique password for every account
  • using the three random words technique below
  • never share your password with anyone for any reason
  • using a password manager to store and suggest passwords
  • mixing upper and lower case letters, along with numbers (0-9) and special characters (%^!#)
  • using a minimum of 12 characters in length - always remember, longer is stronger.

Use three random words

A good way to create a strong and memorable password is to use three random words, made up of upper and lower case letters, numbers (0-9) and symbols (%^!#).
For example: 3purple_house_monkeys27!

Be creative and use words memorable to you, so that people can't guess your password. Your social media accounts can give away vital clues about yourself, so don't use words such as a family members name or favourite sports team which are easy for people to guess.

Cybercriminals are very smart and know many of the simple substitutions we use such as 'Pa55word!' which utilises symbols to replace letters.

A password manager can help

With a password manager, you only need to remember one strong master passphrase that protects all of your credentials in a secure vault.

Many provide useful features that make your online life easier while being more secure, such as automatically entering your credentials and generating new strong passwords for you.

You will also find that most password managers support multi-factor authentication (MFA), making access to your password manager even more secure.

The University does not support a single product, however, there are several free and paid-for tools such as KeePass, LastPass, and 1Password.

Caution: if you choose to download a password manager and forget the master passphrase, IT Services will not be able to restore it.

Change your password

What next...

The Information Security Toolkit is full of top tips and advice to help safeguard you, others and the University against cyber threats.