Skip to main content
News

How secure is your password?

18 March 2013

Whilst preparing for the launch of the Cardiff People Programme many questions have been raised around online security. This is particularly important when staff consider they will have access to HR and payroll information via the online system that they haven't been able to access historically. Here staff from Governance and Compliance – Information Security Programme and Information Services remind us of the importance of online security in all aspects of daily lives.

What do you keep safe with your password?

Your banking details? Access to your email account? Photos, music or documents you wouldn't want to lose? How about access to your absence record and appraisals?

In a phased roll out starting later this month Cardiff People will make it possible for you, from any web enabled device, to access your personal HR record including the capability to view:

  • your pay slip
  • the banking details for your pay (and update these yourself)
  • HR information about staff who report to you
  • your probation and appraisal information

This sort of functionality is a real benefit for staff in the University, but would you want someone else to be able to access your data without your consent or knowledge?


Just how good is my password?

Hopefully it's not one of the ones in the picture above.

Try putting your password into this SECURE password strength checker

If your password rating is anything less than strong, it could be cracked in seconds using a basic computer and software freely available on the Internet.

Read on for simple steps to set a strong memorable password and protect your information.


Information Security Framework

The Information Security Framework Programme previously featured in Blas has been set up to deliver improvements to the security of information held by the University.

How you behave when choosing a password and in keeping it secret is critical when it comes to protecting the security of data held at the University, as well as for your other online services.


Passwords

The image at the top of this article shows the 1000 most frequently used passwords found in the leaked password databases available online (largest font = most used).

As you can see, the passwords could easily be guessed without any password cracking software and evidence shows people often use the same passwords across multiple accounts. This means that once one account is compromised e.g. Facebook, the door may be open to your iTunes, LinkedIn, Amazon, Ebay, Paypal, Banking, Twitter, Email and other accounts.


Password tips

See below for some simple do's and don'ts for setting and remembering a strong password:

It is better to have a strong password you've written down and stored safely, than to have a weak password you can't remember.


Do

  • Use eight characters or more 12 characters is the limit at Cardiff University.
  • Change your passwords regularly.
  • Use a greater variety of characters in your password. However bear in mind, password hacking software automatically checks for common letter-to-symbol conversions, such as changing "and" to "&" or "to" to "2."
  • Use the entire keyboard. Not just the letters and characters you use or see most often.

Don't

  • Use a dictionary word as your password. If you must, then string several together into a pass phrase.
  • Use standard number substitutions. P455w0rd is not a good password.
  • Use a short password no matter how unique you think it is.
  • Use words spelled backwards, common misspellings, and abbreviations.
  • Use Sequences or repeated characters. E.g. 12345678, 222222, abcdefg, or adjacent letters on your keyboard (qwerty).
  • Use numeric sequences based on well known numbers. Such as 314159 ( Π )  or 27182... (e)
  • Use words with numbers appended: password1, deer2000, john1234, etc., can be easily cracked.
  • Keep default passwords: password, default, admin, guest, etc. Lists of default passwords are widely available on the internet.
  • Use personal information: license plate number, National Insurance number, current or past telephone numbers, student ID, current address, previous addresses, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of person's details.
  • Use the same password for everything. Cybercriminals steal passwords on websites with very little security, and then they try to use that same password and user name in more secure environments, such as banking websites.

Change your password

To change your password either press and hold down Ctrl, Alt and Delete on your keyboard and select the 'Change Password' menu option. Or visit http://portal.cardiff.ac.uk and select change password. You can also add security questions which will help make resetting your password safer and easier in the future.


How can I remember a different password for each site?

Try adding letters from the site name at either end of your password e.g. If my password is 'B0ri$thEc*t' then to make it unique but memorable, I add the first couple of letters of the site to the front of the password so: Amazon = AMB0ri$thEc*t, Work = WOB0ri$thEc*t, Ebay = EBB0ri$thEc*t


Security and Virus Protection

As well as a strong password you also need strong Security and Virus Protection. Whilst the University takes care of computers on campus, your personal computer and mobile devices are your responsibility to secure. To help you do this Cardiff University have made Anti-virus software available under a Cardiff University site license. This is available free of charge for staff and students only across Microsoft, Apple and Linux operating systems.

The page linked above also carries practical advice on securing and protecting home, laptop, student and campus computer systems. In addition you can check you are aware of the types of software based protection you should have as well as learn about the various and increasingly sophisticated scams which you may come across.

REMEMBER - No matter how strong your password, if you put it into a fraudulent website having fallen for a phishing email you're hacked!


Other useful information

The INSRV IT Security Team Wiki is also a goldmine of useful information on the sorts of topics listed below:

How not to get a virus, Protecting Sensitive Information on Laptops, Unencrypted Devices Pose 'Unnecessary Risk' for Sensitive Data, Security of Laptop and PDAs, Computer Security and Virus Protection Guides, Stay Safe Online – University guidance pages, Protecting your smartphone, iPhone, Blackberry, Android and Windows phone.

Contacts

For information on the Information Security Framework Programme please contact Gareth Jenkins on 02920876844

If you experience problems with your password, please contact insrvConnect, the Information Services service desk, on (029) 2087 4487 or by email, insrvConnect@Cardiff.ac.uk

Share this story