Passwords are the most common way to to prove to computer systems who you are. Usually combined with a username, or several other pieces of information, your password is the single most important few characters you need to remember.
Be it your university password, that of your bank, building society, utility companies or even your email and social media accounts (which are now used to authenticate to so many other systems), remember that the best security in the world is useless if a malicious or other unauthorised person has a legitimate user name and password.
This is why all providers and companies insist that you use complex passwords and never tell anyone what your password is.
Our Policy for Password Management and Multifactor Authentication encourages good password management to help you keep your accounts safe. We recognise that password expiration can cause inconvenience, so we support our need for security with pragmatic processes to minimise disruption as much as possible.
You may well feel that your password is secure and does not need to be changed unless you choose to do so, but there are wider concerns. Here are some of the questions that the IT Service Desk has received:
If someone gains access to your account, they can do far more than look at your personal files. For staff, this means access to e-mail and shared areas, for students, it means access to your student record, exam marks, coursework submission etc., as well as Portal and Moodle accounts. They could do everything that you can do on any computer to which they might have access (maybe by connecting as you across the network). Not only can they read your files, they can delete or alter them. They could send e-mail and post to newsgroups - messages that will appear to have come from you. They could download pornography onto your home area. They could breach most of the Rules and Regulations for the use of ICT, and several civil and criminal laws, and do so in your name.
Most people don't want to cause trouble for people they don't know. Unfortunately, others are simply malicious. It's very probable that none of these people would ever find out your password. But why take the risk?
For the reasons above, we insist that you change your password. This is to protect yourself and others. Once someone has broken into your account, they can inconvenience others in two ways:
And the culprit will appear to be you.
The 180 day change rule is broadly in line with most other Universities. If you follow the guidelines given on the managing university passwords section of this page, you should be able to create a memorable password without needing to write it down.
Your bank usually requires more than a single password to access your account. For this reason, it should not be necessary to change your banking passwords often.
Your account with your ISP allows you to connect to the Internet and maybe access an e-mail account with them. Universities are different in that they are relatively open organisations with a lot of high value resources (e-mail accounts to send spam, high bandwidth, open networks, computers allowing interactive login etc.). Your account also grants access to personal resources such as your student record, exam marks, submit coursework etc. which should remain private to you.
If you only use words from a dictionary or a purely numeric password, a hacker only has to try a limited list of possibilities. A hacking program can try the full set in under one minute. If you use the full set of characters, you force a hacker to continue trying every possible combination to find yours. If we assume that your password is 8 characters long, this table shows how many times a hacker may have to before guessing your password. Most password crackers have rules that can try millions of word variants per second, so the more algorithmically complex your password, the better. Refer to the managing University passwords page for more information.
| Character Sets used in Password | Calculation | Possible Combinations |
|---|---|---|
| Dictionary words (in English): ~600,000 words. | — | 600,000 |
| Numbers Only | 10^8 | 100,000,000 |
| Lowercase Alpha Set only | 26^8 | 208,827,064,576 |
| Full Alpha Set | 52^8 | 53,459,728,531,456 |
| Full Alpha + Number Set | 62^8 | 218,340,105,584,896 |
| Full Set of allowed printable characters set | (10+26+26+19)^8 | 645,753,531,245,761 |
The longer your password the more secure it is. If we take the full set of allowed printable characters set (the last line above) and increase the password length, the possible combinations jump exponentially.
When we refer to character sets, they are typically numbers, upper and lowercase letters and a given set of symbols. For example:
| Characters | Number of Characters |
|---|---|
| 0123456789 | 10 |
| abcdefghijklmnopqrstuvwxyz | 26 |
| ABCDEFGHIJKLMNOPQRSTUVWXY | 26 |
| `~!@#$%^&-_=+[{]}. | 18 |
Using a weak password that can be easily guessed is not a sensible move. Remember, there are many applications that can generate and test millions of passwords per hour. Even strong passwords are not infallible, but they make things as difficult as possible for a hacker.
You can find more information on your University of Greenwich password construction and changing passwords here. For a visual representation of password strength, see The Password Meter.
Please do NOT use the ¬, | , £, €, & or # signs as several older University systems cannot currently support them in passwords.
A good password should be easy to remember but must be difficult to guess:
Is your password weak and easy to hack? Do you use strong passwords?
If you answer 'yes' to even one of the above questions you are giving an open invitation to hackers or bots to access your password-protected accounts and are making yourself a target for identity theft. Remember that you should never divulge your University of Greenwich passwords or use them for non-University accounts.
If you are doing all of the above, then you are using strong passwords and doing your best to prevent hackers from accessing your password-protected accounts- well done!
Every year password management firm SplashData complies a list of worst 25 passwords from the (in 2015) 2 million passwords leaked online. These passwords are the most commonly used. (comments in brackets are comparison to 2014)
The University password policy should exclude you from using any of the following passwords however, if you are using any of them (or very similar) for you own private accounts, it is strongly recommended that you change to a more complex password as soon as possible.
1) 123456 (unchanged)
2) password (unchanged)
3) 12345678 (up 1)
4) qwerty (up 1)
5) 12345 (down 2)
6) 123456789 (unchanged)
7) football (up 3)
8) 1234 (down 1)
9) 1234567 (up 2)
10) baseball (down 2)
11) welcome (new)
12) 1234567890 (new)
13) abc123 (up 1)
14) 111111 (up 1)
15) 1qaz2wsx (new)
16) dragon (down 7)
17) master (up 2)
18) monkey (down 6)
19) letmein (down 6)
20) login (new)
21) princess (new)
22) qwertyuiop (new)
23) solo (new)
24) passw0rd (new)
25) starwars (new)