IT and Library Services

Passwords

Passwords are the most common way to prove to computer systems who you are. Usually combined with a username, or several other pieces of information, your password is the single most important few characters you need to remember.

Be it your university password, that of your bank, building society, utility companies or even your email and social media accounts (which are now used to authenticate to so many other systems), remember that the best security in the world is useless if a malicious or other unauthorised person has a legitimate user name and password.

This is why all providers and companies insist that you use complex passwords and never tell anyone what your password is.

Regulation

Our Policy for Password Management and Multifactor Authentication encourages good password management to help you keep your accounts safe. We recognise that password expiration can cause inconvenience, so we support our need for security with pragmatic processes to minimise disruption as much as possible.

Why do I need to change my password?

You may well feel that your password is secure and does not need to be changed unless you choose to do so, but there are wider concerns. Here are some of the questions that the IT Service Desk has received:

Why should I worry about the security of my account?

If someone gains access to your account, they can do far more than look at your personal files. For staff, this means access to e-mail and shared areas, for students, it means access to your student record, exam marks, coursework submission etc., as well as Portal and Moodle accounts. They could do everything that you can do on any computer to which they might have access (maybe by connecting as you across the network). Not only can they read your files, they can delete or alter them. They could send e-mail and post to newsgroups - messages that will appear to have come from you. They could download pornography onto your home area. They could breach most of the Rules and Regulations for the use of ICT, and several civil and criminal laws, and do so in your name.

Why would anyone want to break in to my account?

Most people don't want to cause trouble for people they don't know. Unfortunately, others are simply malicious. It's very probable that none of these people would ever find out your password. But why take the risk?

For the reasons above, we insist that you change your password. This is to protect yourself and others. Once someone has broken into your account, they can inconvenience others in two ways:

  1. Denial of Service attacks.
    Computing resources are not infinite: It is easy to set up processes which take nearly all of a given resource (CPU cycles, network bandwidth, etc.), thus taking it away from all other users. ILS would soon become aware of problems of this nature and would take steps to rectify the situation, but other users could be inconvenienced. If a Denial of Service attack is targeted on some external site, the University's good name may be compromised.
  2. A platform for more serious attacks.
    The goal of a hacker is to gain administrative access to the systems s/he has broken into: once this is achieved, it opens the entire system for attack. There are many ways of managing this but most of them first require access to an account (any account). Thus the security of your account is the first hurdle in the path of a hacker: if they can break into your account, it's a good step on the way to gaining further privileges.

And the culprit will appear to be you.

Why every 180 days? This makes my password less secure as I will need to write it down.

The 180 day change rule is broadly in line with most other Universities. If you follow the guidelines given on the managing university passwords section of this page, you should be able to create a memorable password without needing to write it down.

My bank doesn't require me to change my password every 180 days - why do you?

Your bank usually requires more than a single password to access your account. For this reason, it should not be necessary to change your banking passwords often.

My ISP doesn't require me to change my password - why do you?

Your account with your ISP allows you to connect to the Internet and maybe access an e-mail account with them. Universities are different in that they are relatively open organisations with a lot of high value resources (e-mail accounts to send spam, high bandwidth, open networks, computers allowing interactive login etc.). Your account also grants access to personal resources such as your student record, exam marks and coursework submission, which should remain private to you.

Why are the new password rules so complicated?

If you only use words from a dictionary or a purely numeric password, a hacker only has to try a limited list of possibilities. A hacking program can try the full set in under one minute. If you use the full set of characters, you force a hacker to continue trying every possible combination to find yours. If we assume that your password is 8 characters long, this table shows how many guesses a hacker may have to make before finding your password. Most password crackers have rules that can try millions of word variants per second, so the more algorithmically complex your password, the better. Refer to the managing University passwords page for more information.

Character set used in password calculation          Calculation         Possible combinations
Dictionary words (in English): ~600,000 words       -                   600,000
Numbers only                                        10^8                100,000,000
Lowercase alpha set only                            26^8                208,827,064,576
Full alpha set                                      52^8                53,459,728,531,456
Full alpha + number set                             62^8                218,340,105,584,896
Full set of allowed printable characters            (10+26+26+19)^8     645,753,531,245,761

The longer your password the more secure it is. If we take the full set of allowed printable characters set (the last line above) and increase the password length, the possible combinations jump exponentially.

  • 8 Characters > 645,753,531,245,761 (645 Trillion) Combinations
  • 9 Characters > 45,848,500,718,449,031 (45 Quadrillion) Combinations
  • 10 Characters > 3,255,243,551,009,881,201 (3 Quintillion) Combinations

When we refer to character sets, they are typically numbers, upper and lowercase letters and a given set of symbols. For example:

Characters                      Number of characters
0123456789                      10
abcdefghijklmnopqrstuvwxyz      26
ABCDEFGHIJKLMNOPQRSTUVWXYZ      26
`~!@#$%^&-_=+[{]}.              18
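The figures in the two tables above and in the length list are straightforward to reproduce, and doing so shows the trade-off the page is describing: every extra character multiplies the keyspace by the alphabet size, while adding symbols only enlarges the base. The script below is an added example written for this page, not code from IT and Library Services. It uses the page's own character sets; note that the page's final-row figure (645,753,531,245,761) and the 8/9/10-character figures are all powers of 71, so the example uses 71 for the "full set as tabulated" and separately computes the 80-symbol set that the digits, letters and the 18 listed symbols actually add up to. The guessing rates used to turn a keyspace into a time are assumptions for illustration only.

```python
# Added example, not part of the University page: reproduces the keyspace figures
# in the tables above and shows how length and alphabet size trade off.
from math import log2

# Character sets exactly as listed on the page (the 18 symbols are the page's own list).
CHARACTER_SETS = {
    "digits": "0123456789",
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "symbols": "`~!@#$%^&-_=+[{]}.",
}


def alphabet_size(*set_names: str) -> int:
    """Size of the alphabet formed by combining the named character sets."""
    return sum(len(CHARACTER_SETS[name]) for name in set_names)


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this shape (log2 of the keyspace)."""
    return length * log2(alphabet)


def days_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Days needed to try every candidate at a constant rate (the attacker's worst case;
    on average a password is found after about half the space has been tried)."""
    return space / guesses_per_second / 86_400


def keyspace_table(length: int = 8) -> dict:
    """The page's table rows for a given length. The page's last row (645,753,531,245,761)
    equals 71**8, so the 'full set as tabulated' row uses 71 symbols; the 80-symbol set
    (digits + letters + the 18 listed symbols) is added for comparison."""
    rows = {
        "Numbers only": alphabet_size("digits"),
        "Lowercase alpha set only": alphabet_size("lowercase"),
        "Full alpha set": alphabet_size("lowercase", "uppercase"),
        "Full alpha + number set": alphabet_size("digits", "lowercase", "uppercase"),
        "Full set as tabulated on the page (71 symbols)": 71,
        "Digits + letters + 18 listed symbols (80 symbols)":
            alphabet_size("digits", "lowercase", "uppercase", "symbols"),
    }
    return {label: keyspace(size, length) for label, size in rows.items()}


if __name__ == "__main__":
    # Assumed guessing rates, constructed for illustration: the page's "millions per
    # second" and a much faster offline rate against a leaked hash database.
    RATES = {"1 million/s": 1e6, "1 billion/s": 1e9}

    print(f"{'8-character password over ...':<52}{'combinations':>26}  bits")
    for label, space in keyspace_table(8).items():
        print(f"{label:<52}{space:>26,}  {log2(space):5.1f}")

    print("\nLength growth for the 71-symbol set:")
    for length in (8, 9, 10):
        space = keyspace(71, length)
        times = "  ".join(f"{name}: {days_to_exhaust(space, r):,.0f} days" for name, r in RATES.items())
        print(f"{length} chars {space:>28,}  {times}")
```

Running it prints the page's table values (208,827,064,576 for lowercase, 218,340,105,584,896 for letters plus digits, and so on) alongside their entropy in bits, then shows that going from 8 to 10 characters over the same 71-symbol alphabet multiplies the work by 71 twice, which is a larger gain than moving from 62 to 80 symbols at a fixed length.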

General password guidance

Using a weak password that can be easily guessed is not a sensible move. Remember, there are many applications that can generate and test millions of passwords per hour. Even strong passwords are not infallible, but they make things as difficult as possible for a hacker.

You can find more information on your University of Greenwich password construction and changing passwords here. For a visual representation of password strength, see The Password Meter.

Please do NOT use the ¬, |, £, €, & or # signs as several older University systems cannot currently support them in passwords.

What makes a good password?

A good password should be easy to remember but must be difficult to guess:

  • Do not make the password the same as your account name.
  • Do not use your surname or any of your forenames as a password.
  • Do not use the names of your boy or girlfriend, relative, dog, cat, budgie …
  • Do not use your car registration number – even an old one!
  • Do not use your address.
  • Do not use any word found in a dictionary (nor plurals) even with a numeral on the end.

Your Password and how you currently use it.

Is your password weak and easy to hack? Do you use strong passwords?

  • Do you write your passwords down or store them on your PC in plain text, such as in Notepad or Word?
  • Do you select 'Yes' when applications ask you if you want them to remember your passwords for you?
  • Do you tell anyone (including your partner, flatmate or best friend) what your passwords are? (It could be a very good idea to change your password if you change your partner.)
  • Do you select the same password for every account?
  • Do you use your University password for non-University accounts?
  • Do you use easy to guess words, such as your pet's name, mother's name, partner's name, etc?
  • Do you use phone numbers, pin numbers, student number, staff payroll number, etc?
  • Do you use commonly-known acronyms or patterns, such as uog, abcde, qwerty or 12345, or words that are found in dictionaries?

If you answer 'yes' to even one of the above questions you are giving an open invitation to hackers or bots to access your password-protected accounts and are making yourself a target for identity theft. Remember that you should never divulge your University of Greenwich passwords or use them for non-University accounts.

A Good Password: Construction and Usage Suggestions.

  • Make the password at least eight characters long
  • Whenever permitted, include a mix of upper case letters, lower case letters, numbers and special characters, eg. ! , . = < > ' " : ; ? / { } [ ] ~ - \ ( ) _ + $ % ^ * @
  • Make it easy for you to remember, but impossible for anyone else to guess
  • Change the password at regular intervals
  • Use specialist software, such as Password Safe, to prevent writing passwords down or storing them on your computer in unencrypted form
  • If an application asks you if you want it to remember your password for you, just say no

If you are doing all of the above, then you are using strong passwords and doing your best to prevent hackers from accessing your password-protected accounts - well done!

Bad passwords

Every year the password management firm SplashData compiles a list of the 25 worst passwords from the passwords leaked online that year (2 million of them in 2015). These passwords are the most commonly used. (Comments in brackets are the comparison with 2014.)

The University password policy should prevent you from using any of the following passwords. However, if you are using any of them (or something very similar) for your own private accounts, it is strongly recommended that you change to a more complex password as soon as possible.

1) 123456 (unchanged)
2) password (unchanged)
3) 12345678 (up 1)
4) qwerty (up 1)
5) 12345 (down 2)
6) 123456789 (unchanged)
7) football (up 3)
8) 1234 (down 1)
9) 1234567 (up 2)
10) baseball (down 2)
11) welcome (new)
12) 1234567890 (new)
13) abc123 (up 1)
14) 111111 (up 1)
15) 1qaz2wsx (new)
16) dragon (down 7)
17) master (up 2)
18) monkey (down 6)
19) letmein (down 6)
20) login (new)
21) princess (new)
22) qwertyuiop (new)
23) solo (new)
24) passw0rd (new)
25) starwars (new)
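The construction rules under "What makes a good password?" and "A Good Password: Construction and Usage Suggestions", the unsupported-character restriction, and the SplashData list above are the kind of checks a password-change form applies before accepting a new password. The script below is an added example written for this page and is not the University's own tooling; it encodes those rules as they appear on the page. The small stand-in dictionary, the "at least three of four character classes" threshold and the four-character run used to detect patterns such as qwerty, abcde and 12345 are assumptions chosen for illustration.

```python
# Added example, not the University's own tooling: a policy check that encodes the
# page's construction rules, the unsupported characters and the SplashData worst-25 list.

# The 25 worst passwords of 2015 as listed on this page.
WORST_PASSWORDS_2015 = frozenset([
    "123456", "password", "12345678", "qwerty", "12345", "123456789", "football",
    "1234", "1234567", "baseball", "welcome", "1234567890", "abc123", "111111",
    "1qaz2wsx", "dragon", "master", "monkey", "letmein", "login", "princess",
    "qwertyuiop", "solo", "passw0rd", "starwars",
])

# Characters the page says older University systems cannot handle in passwords.
UNSUPPORTED_CHARS = frozenset("¬|£€&#")

# Assumption: a tiny stand-in dictionary; a real check would load a full wordlist.
SAMPLE_DICTIONARY = frozenset({"dragon", "monkey", "welcome", "football", "princess", "greenwich"})

# Runs of four or more characters from these are treated as "patterns" (qwerty, abcde, 12345 ...).
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789")

MIN_LENGTH = 8    # "at least eight characters long" (page)
MIN_CLASSES = 3   # assumption: the page asks for a mix of four classes; require at least three


def has_sequence(lowered: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters are a slice of a keyboard row, the alphabet or the digits."""
    for i in range(len(lowered) - run + 1):
        chunk = lowered[i:i + run]
        if any(chunk in seq for seq in SEQUENCES):
            return True
    return False


def check_password(password: str, account_name: str, personal_terms: tuple = ()) -> list:
    """Return a list of rule violations; an empty list means the password passes every check here.
    `personal_terms` are strings the user should never include (surname, pet, car registration...)."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    unsupported = sorted(set(password) & UNSUPPORTED_CHARS)
    if unsupported:
        problems.append("contains unsupported character(s): " + "".join(unsupported))

    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
    )
    if sum(classes) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of upper, lower, digit, special")

    if lowered == account_name.lower():
        problems.append("same as the account name")

    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")

    if lowered in WORST_PASSWORDS_2015:
        problems.append("on the SplashData worst-25 list")

    if password.isdigit():
        problems.append("numeric only")

    # A dictionary word is still a dictionary word with a trailing number or plural 's' (page rule).
    stem = lowered.rstrip("0123456789")
    candidates = {stem, stem[:-1]} if stem.endswith("s") else {stem}
    if candidates & SAMPLE_DICTIONARY:
        problems.append("dictionary word (plural or trailing number does not help)")

    if has_sequence(lowered):
        problems.append("keyboard or alphabetic sequence")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("password", "dragons1", "Ma&Pa2024!", "Qwerty123!", "Coffee.Moon7!Lamp"):
        verdict = check_password(candidate, "jsmith", ("smith",))
        print(f"{candidate:<20} {'OK' if not verdict else '; '.join(verdict)}")
```

The checker reports every failed rule rather than stopping at the first, which is what a user-facing form needs so that the person can fix all of them at once. It deliberately checks the lowercased password against the worst-25 list, because "Password" and "PASSWORD" are the same guess to a cracking tool's case-variation rules.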