Password insecurity and how to beat the bad guys
You are the one at risk: criminal actions taken online in your name point back to you, and your personal details could be stolen and used to:
- commit fraud in your name
- scam friends and family by pretending to be you
- steal your money.
Why are passwords insecure?
Once it's known, it's known: a computer cannot tell whether it's really you typing the password or someone else who has learned it.
If it's too weak it can be guessed. Billions of passwords from past breaches are already circulating online, and cracking tools try those first, along with every common trick: the number you added at the end, the symbol you swapped in for a letter, and so on.
Even if you have set a long, strong password or passphrase, reusing it on another site means that when that site is breached your password joins those online lists for good, and sooner or later it will be tried against your other accounts (this is known as credential stuffing).
When should I change my password?
If you think there's a slight chance that someone else knows it, or you've reused it on another site, change it.
Check whether your password has already appeared in a breach via Pwned Passwords. The check is designed so that the full password never leaves your device: only the first five characters of its SHA-1 hash are sent, and the comparison happens locally.
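How that Pwned Passwords check works under the hood, as an added example (not the university's or Have I Been Pwned's own code): the password is hashed with SHA-1, the first five hex characters are sent to the range endpoint, and every suffix the service returns is compared locally. The range response below is a constructed sample (the counts and the extra suffixes are made up), so the example runs offline; the `online_fetch` function shows the real request but is not called automatically.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint (real URL). Only the 5-character hash prefix
# is ever appended to it; the rest of the hash stays on your machine.
API = "https://api.pwnedpasswords.com/range/"

# CONSTRUCTED sample of what the range endpoint returns for prefix 5BAA6
# (the prefix of SHA-1("password")). Each line is "<35 hex suffix>:<count>".
# The count and the other two suffixes are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "00000000000000000000000000000000001:2",
        "ABCDEFABCDEFABCDEFABCDEFABCDEFABCDE:17",
    ]),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1: str) -> tuple:
    """First 5 characters go to the service; the remaining 35 stay local."""
    return sha1[:5], sha1[5:]


def parse_range(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into a dict. Blank or malformed lines are
    skipped; padded entries (count 0) are kept but never match as a hit."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in known breaches (0 = not found).
    fetch_range(prefix) must return the raw text of the range response."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Fetcher backed by the constructed sample; unknown prefixes return nothing."""
    return SAMPLE_RANGES.get(prefix, "")


def online_fetch(prefix: str) -> str:
    """Real lookup. The Add-Padding header asks the service to pad the response
    so its size does not reveal how many suffixes the prefix has."""
    req = urllib.request.Request(
        API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "3purple_house_monkeys27!"):
        n = breach_count(pw, offline_fetch)
        status = f"seen {n} times in breaches, change it" if n else "not in the sample data"
        print(f"{pw!r}: {status}")
```

To run the check for real, pass `online_fetch` instead of `offline_fetch`; the only thing that crosses the network is the five-character prefix, which matches roughly one in a million passwords, so the service cannot tell which one you asked about.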
Where can I change it?
You can change your password yourself once you set up your security profile.
How do you improve them?
- Make it longer - try three random words, things that would not exist together in a dictionary.
- Make it unique - do not reuse it, if possible use a password manager to remember them all for you.
Simple steps to make it harder for cybercriminals
- Never share your password with anyone.
- Use a strong and unique password for every account.
- Consider using a password manager to keep passwords safe.
- Longer is stronger.
- Many password managers will suggest strong passwords for you.
MFA (multi-factor authentication)
- MFA is an additional layer of security on your accounts: even if someone learns your password, they still need the second factor.
- Quick and easy to set up, and offered by many services.
- Any password can be guessed, phished or leaked; MFA greatly reduces the damage when that happens.
Multi-factor authentication (MFA)
Why you should use multi-factor authentication (MFA)
The short answer is because it will make things more secure. The long answer involves Ronald Reagan.
How to set up MFA
Multi-factor authentication (MFA) is more secure than a password alone because it requires something you know (the password) plus something you have (your phone or another registered device). An attacker who has learned your password from a breach or a phishing email does not normally have your phone as well.
- Go to your security profile.
- Make sure you are signed in with your UWE Bristol email address and password.
- Select Security info.
- Now add a minimum of two security info methods:
Only the methods listed above will allow you to access Office 365 apps on personal devices (which includes your UWE Bristol email account). Email is another method, but can only be used for password reset authentication.
Important: If you only have one method of verification and that device is not available (for example, your mobile has no charge or it's been stolen), you will not be able to sign in to a service that requires MFA. Having additional methods of verification will also be useful when changing any of your devices.
Responding to MFA notifications
Your response to an MFA notification depends on the security info method you set up:
- Mobile app - tap the notification or open the Microsoft Authenticator app on your phone and tap approve or reject.
- Text message - type the code received by text message into the login screen.
- Phone call - answer the call and press the hash key (#) to confirm.
If you receive a notification when you haven't tried to log in, reject it or take no action. Never approve a prompt you did not trigger: an unexpected prompt usually means someone else has your password and is trying to use it, and approving it lets them in. Change your password if this happens.
If you receive unexpected alerts often, check whether you have any apps running in the background or on other devices that are still trying to sign in. If you can't identify the source, contact the IT Service Desk for advice.
Make passwords difficult to guess by:
- using a unique password for every account
- using the three random words technique below (each word at least four letters)
- never sharing your password with anyone for any reason
- using a password manager to store and suggest passwords
- mixing upper and lower case letters, along with numbers (0-9) and special characters (%^!#)
- using a minimum of 12 characters; always remember, longer is stronger.
Use three random words
A good way to create a strong and memorable password is to use three random words, with each word being a minimum of four letters. Numbers (0-9) and symbols (%^!#) can still be used.
For example: 3purple_house_monkeys27!
Be creative and use words memorable to you, but not words that other people could guess. Your social media accounts give away clues about you, so don't use a family member's name or your favourite sports team.
Cybercriminals know the simple substitutions we all use, such as 'Pa55word!', which swaps numbers and symbols in for letters; cracking tools apply those substitutions automatically, so they add almost no strength.
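The two points above (three random words give strength through length and randomness; 'Pa55word!'-style substitutions do not) as an added example, not a tool from the university's page. The word list and the list of common base passwords are tiny constructed stand-ins; a real generator would draw from a list of thousands of words, and the 7776-word figure used below is the size of a Diceware-style list, included only to show how the search space grows.

```python
import math
import secrets
import string

# CONSTRUCTED mini word list (a real one has thousands of entries).
WORDS = [
    "purple", "house", "monkeys", "river", "candle", "orbit", "copper", "meadow",
    "thunder", "basket", "velvet", "garden", "puzzle", "anchor", "lantern",
    "marble", "window", "pepper", "rocket", "island",
]
MIN_WORD_LEN = 4     # the page's rule: each word at least four letters
MIN_LENGTH = 12      # the page's rule: at least 12 characters overall

# Letter substitutions that cracking rules already undo automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
# CONSTRUCTED stand-in for a list of commonly breached passwords.
COMMON_BASES = {"password", "qwerty", "letmein", "welcome", "monkey", "football"}


def three_random_words(words=WORDS, rng=secrets, sep="_"):
    """Pick three words at random with a cryptographic RNG (secrets.choice).
    rng can be any object with a .choice() method, e.g. random.Random(0) for tests."""
    pool = [w for w in words if len(w) >= MIN_WORD_LEN]
    return sep.join(rng.choice(pool) for _ in range(3))


def search_space_bits(pool_size, n_words=3):
    """Entropy of n_words independent picks from pool_size words, in bits.
    Three words from a 7776-word list is about 38.8 bits; three from the
    20-word toy list above is only about 13 bits, which is why list size matters."""
    return n_words * math.log2(pool_size)


def normalize(password):
    """Undo the tricks attackers already expect: drop leading/trailing digits and
    symbols, lower-case, and reverse common letter substitutions."""
    core = password.strip(string.digits + string.punctuation)
    return core.lower().translate(LEET)


def weaknesses(password):
    """Return a list of reasons the password is guessable (empty = none found)."""
    reasons = []
    base = normalize(password)
    if base in COMMON_BASES:
        reasons.append(f"looks like '{base}' with common substitutions")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


if __name__ == "__main__":
    suggestion = three_random_words()
    print("suggested:", suggestion)
    for candidate in ("Pa55word!", "P@ssw0rd123", "3purple_house_monkeys27!", suggestion):
        found = weaknesses(candidate)
        print(f"{candidate!r}: {'; '.join(found) if found else 'no obvious weakness'}")
```

The normalizer is the point: 'Pa55word!' and 'P@ssw0rd123' both collapse to 'password', exactly as a cracking rule set would reduce them, whereas a three-random-words password never collapses to a single dictionary entry and passes the length rule without effort.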
A password manager can help
With a password manager, you only need to remember one strong master passphrase that protects all of your credentials in a secure vault.
Many provide useful features that make your online life easier while being more secure, such as automatically entering your credentials and generating new strong passwords for you.
You will also find that most password managers support multi-factor authentication (MFA), making access to your password manager even more secure.
Caution: if you choose to download a password manager and forget the master passphrase, IT Services will not be able to restore it.
The Information Security Toolkit is full of top tips and advice to help safeguard you, others and the University against cyber threats.