Securing Your Account
Your account is your identity, and your password is the key that gives you access to your data. Keeping your account and password secure is important, because if someone else has access to your password they will be able to have access to everything that you do, or abuse it for spreading spam and virus.
Because the University of Adelaide no longer enforces password expiration your password will need to be stronger and satisfy the following requirements:
- It must be equal to or longer than 11 characters
- It must contain both an upper and lower-case letter (no need to include numbers or symbols)
Choose a long, complex password
There are two popular approaches to creating a strong yet memorable password: sentence contraction and passphrase. In both instances, the key to password strength is in the length.
Method 1: Sentence contraction Method 2: Passphrase
- Step 1: Compose a memorable sentence such as "When I was six I went skiing and broke my leg"
- Step 2: Contract the sentence, while adding random mutations and/or numbers. It could end up looking like "WhIw6Skii&BML" (13 characters, takes 4 million years to crack!)
- Step 1: Choose 4 random words from dictionary (the larger the dictionary, the better). For example, "sentence credits raid flaky"
- Step 2: Add random mutations and/or numbers, like sentence creDits raid flaky" (27 characters, takes 700 years to crack, even with passphrase cracker)
Avoid bad password practices
The strength of your password can be further increased by avoiding these common mistakes.
Avoid making only minor changes to your password when it requires changing Some people increment a number at the end of our password each time it requires changing. For instance mittens01, mittens02, mittens03. This practice significantly decreases the security of your passwords and should be avoided. Should a hacker ever gain access to any of your previous passwords, it won’t take them long to work out your current password! Avoid using information that’s easily obtained about you The advent of social media has made personal information more accessible than ever before. Information previously considered private - birth dates, pet names, phone numbers, etc. – are now readily available for those willing to find it. Using (easily obtained) personal information in your password should be avoided. Avoid the top commonly used passwords Years of data breaches have given us insight into thousands of commonly-used passwords. Malicious hackers use such a dictionary of common passwords as an effective tool for cracking passwords quickly. We must avoid these at all costs! Check out the most common passwords used over the last few years in this Wikipedia article. Avoid re-using passwords across different services Data breaches happen to even the large companies like Google, Yahoo!, and DropBox. When malicious hackers get their hands on a bunch of usernames and passwords what do they do? They try it on other services to see if the same credentials are used. This is why it's very important that you choose a unique password for each service, and in particular, do not re-use your University password for other internet services. Don't share your password and avoid writing them down Your password is yours and yours alone. Never disclose your password – even to friends or family. Also avoid writing them down on post-it notes and avoid typing your password in front of others.
Use a password manager
- You only need to ever remember one password--the password to your vault.
- The password manager can generate random passwords and store them securely.
- Auto-fills your login credentials in websites requiring authentication.
- Performs a "health check" on your passwords and highlights weaknesses.
- Helps to detect fake login sites.
We often recommend LastPass due to its ease of installation and use. The free version is sufficient for most use cases, and even the premium version is only $2 per month. It can be daunting in the beginning, but once you get the hang of it, you will wonder how you ever managed without it! This LifeHacker article (The Beginner's Guide To Setting Up LastPass) explains the installation and signup process.
Use two-factor authentication
"Single factor" authentication relies on your username and password. Once your password is stolen, you are exposed to unauthorised access. Two-factor authentication relies on two pieces of information for authentication: something you know (your password), and something you have (typically a trust mobile phone or a hardware token). Many popular services like Gmail, iTunes Store, and online banks offer two-factor authentication. The University of Adelaide also requires two-factor authentication for VPN remote access (see our two-factor authentication page for details).
You are encouraged to opt-in to use two-factor authentication whenever possible as it is a very effective way to prevent identity theft.
Register your emails with "Have I Been Pwned"
Have I Been Pwned is a free service that can tell you if your email address has been involved in past known data breaches. You can also register your email address and be notified when data breaches of services/accounts associated with your email become public.