Passwords are extremely important: they limit access to an account or service to one specific user and prevent illegitimate access. However, in today’s world cyber criminals aim to gain access to accounts to view or steal sensitive information, to cause disruption, or to commit financial crime.
How can someone gain access to my password?
There are different ways for criminals to gain access to someone’s password, some of which are discussed below:
Leaked credentials:
This can occur when you sign up to a service which is later breached, and the details are stolen and sold on the Dark Web. Often, the e-mail address and password that you used to register for that service are included in the breach, and criminals will use the same details to try to log into other services where you may have registered with the same details. It is recommended to use a unique password for each account to mitigate this risk.
Haveibeenpwned is a free service that monitors data breaches and catalogues them. You can enter your e-mail address here and it will identify any data breaches in its catalogue where your e-mail address has been included. This list is not exhaustive but is a useful reference point. If your e-mail is in a breach, we recommend you change your password for that account immediately, along with any other account that shares the same password.
Password stealer:
This is a type of malware (malicious software) which steals information that is stored on your device or collects information that you type into your keyboard. This type of malware is often delivered via malicious phishing e-mail attachments or links, or by downloading malicious software, and is commonly bundled together with pirated software. Ensure that you are vigilant about software that you download and the links that you click on.
Brute forcing:
If a criminal does not know your password, they may attempt to guess it. This can be done via automated ‘brute force’ attacks, where a large number of different passwords are tried against one account until the correct one is accepted, or via ‘password spray’ attacks, where many different accounts are tried with the same common password. Both are defended against by choosing strong, complex passwords.
Manual collection:
This occurs either when someone physically observes you entering your password and memorises it, or when you write your password down and leave it somewhere public (e.g. a note on your desk). Ensure that you are not being observed when entering your password, and do not write your password down and leave it in public.
How can I protect myself?
Previous studies have shown that 81 percent of confirmed breaches were due to weak, reused, or stolen passwords. To avoid this, please follow the steps below.
- Create a strong password that is memorable to you, but difficult to guess. The National Cyber Security Centre (NCSC) recommends using ‘three random words’ within your password.
Choose these words carefully and you can create passwords that are easy to remember. Combine them with a mixture of uppercase (A-Z), lowercase (a-z), numbers (0-9) and special characters (@ # ? < > ! £ $ % + -), and the result will be difficult for anyone to guess. Avoid using anything that is guessable in your passwords, such as names or years of birth. We recommend a minimum of 8 characters, but the longer your password is, the more secure it is.
Good example: Mountainsoupcompetition93!
Bad example: Thelionking1*
The latter is a bad example because the three words are not random.
If you feel that your password could be stronger, please visit the Digital Services webpages to learn how to update it.
- Choose a unique password for each account
Never re-use the same password for more than one account. Furthermore, do not choose passwords that are minor incremental adjustments of each other (Thelionking1, Thelionking2, Thelionking3, etc.), as these changes are easily guessed.
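A small policy checker that applies the rules above (minimum length, the four character classes, guessable names and years, and the rule against incremental adjustments of an earlier password), added here as an example and not part of the original page. The list of guessable words is a constructed placeholder, and whether the ‘three words’ are genuinely random remains a human judgement the code cannot make.

```python
import re

MIN_LENGTH = 8  # minimum recommended on the page; longer is better
# Constructed list of guessable fragments for this example only; a real
# deployment would use a far larger list (names, dictionary words, leaks).
GUESSABLE_WORDS = {"lion", "king", "password", "admin"}

def character_classes(password):
    """Return which of the four classes the page asks for are present.
    The page's list of special characters (@ # ? < > ! £ $ % + -) is treated
    as illustrative: any character that is not a letter or digit counts."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch.isdigit():
            classes.add("number")
        else:
            classes.add("special")
    return classes

def _stem(password):
    """Drop trailing digits/symbols so Thelionking1 and Thelionking2 compare equal."""
    return re.sub(r"[^A-Za-z]+$", "", password).lower()

def is_incremental_variant(old, new):
    """True when new differs from old only in its trailing digits/symbols."""
    return old.lower() != new.lower() and _stem(old) == _stem(new) != ""

def check_password(password, previous=()):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for cls in sorted({"uppercase", "lowercase", "number", "special"} - character_classes(password)):
        problems.append(f"no {cls} characters")
    if re.search(r"(?:19|20)\d\d", password):
        problems.append("contains a year, which is easily guessed")
    lowered = password.lower()
    problems += [f"contains guessable word '{w}'" for w in sorted(GUESSABLE_WORDS) if w in lowered]
    for old in previous:  # the page's rule against minor incremental adjustments
        if lowered == old.lower():
            problems.append("re-uses a previous password")
        elif is_incremental_variant(old, password):
            problems.append(f"incremental variant of previous password '{old}'")
    return problems
```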
- Ensure no-one else knows your password
  - Do not share your password
  - Do not allow anyone to observe you entering your password
  - Do not write your password down and keep it in a public place
  - Do not click on any malicious phishing links that will take you to fake login pages and collect your details.
Please refer to our phishing page for further advice.
- Do not download any unapproved software that is not from an official store such as the Google Play Store, Apple App Store or the Microsoft App Store.
- Enable Multi-Factor Authentication
Multi-Factor Authentication (MFA) is a security process that requires individuals to provide multiple forms of identification (e.g. entering a code in an Authenticator app, or entering a code received via SMS) before accessing a system, application, or online account.
This means that even if someone unauthorised does gain access to your password, they cannot gain access to your account without the additional authorisation method being used and approved. We recommend that you always register for MFA on any account that you have, wherever it is permitted.
You can manage the MFA method on your University account here (we recommend using the Microsoft Authenticator app). Advice on setting up MFA for your personal accounts on other services can be found here.