Protect your password
This article will help you choose a good password and use it securely.
A password for the university account is generated when the account is created and can be changed at any time after logging into the ServicePortal. A well-chosen password makes it more difficult for unauthorized persons to access your data and prevents misuse of your university account (viewing grades, false registration for courses, statements by e-mail in your name, ...).
A password for the university account must meet at least the following requirements:
- The password must be at least 8 characters long.
- The password must be no more than 25 characters long.
- At least one of the characters must be a digit (0-9).
- At least one of the characters must be a lowercase letter (a-z).
- At least one of the characters must be a special character (?,!;#. etc.).
- The password must not contain umlauts, accents, etc.!
You can find instructions on how to change your password in the article Changing the Password (german).
However, for your password to be secure, it depends on the selection and sequence of characters and how you handle the password.
Other security measures
- Do not use your university password for other accounts, especially external ones (Facebook, Google, ...).
- The password or parts of the password should not be found in dictionaries (Duden, Oxford etc.) and have no direct relation to you (no names of family members, pets or friends and no birthday data).
- Adding simple digits at the end of the password or one of the usual special characters $ ! ? # at the beginning or end of an otherwise simple password is also not recommended.
- Do not use repeat or keyboard patterns (asdf, 1234, etc.).
- Choose a password that cannot be associated with you or the service.
This makes it more difficult to guess the password by automated attacks, so called brute force, dictionary or rainbow table attacks.
Tips in dealing with passwords
- Do not write down your password.
- Most importantly: Do not keep the password near your computer (e.g. Post-It on the monitor).
- Make sure no one is watching you enter your password.
- Never give your password to anyone. Not even to friends or good acquaintances.
- Avoid saving the password on the computer (browser, mail client, etc.).
- Try to change passwords at certain intervals (6 months - 2 years).
- Do not send your password via e-mail or instant messaging (ICQ, Skype, WhatsApp, etc.).
|The IMT staff will NEVER ask you for your password. Do not answer questions about this over the phone or email|
One method of attack to obtain usernames and passwords are so-called phishing emails. Phishing refers to attempts to obtain an Internet user's data via fake websites, e-mail or short messages and thus commit identity theft. The aim of the scam is to use the data obtained, for example, to plunder the bank account and harm the relevant persons.
An example of a typical phishing e-mail:
Subject: Uni-Paderborn Email Login Warning Date: Thu, 16 Jan 2014 17:30:20 +0000 From: IMT Support Team <email@example.com> To: <firstname.lastname@example.org> University of Paderborn - The University of the Information Society We notice a login with valid password your Uni-Paderborn-email-account from a unknown device by Thursday, January 16, 2014 18:32 CET from Peru. You was? If yes, you can ignore the rest of this email. If is it you not, please REGISTER HERE account information [link removed] to protect your Uni-Paderborn-email-account and protect your Uni-Paderborn from potential future account compromittion. The Office of Inforamtion Security keep this actualised if information change, but we recommend all users run they updates after expected release of this patch. IMT Support Team Center for Information and Media Technologies (IMT) (05251) 60-5544 email@example.com <mailto:firstname.lastname@example.org> http://imt.uni-paderborn.de/unser-angebot/hilfe/ ------------------------- © 2014 University of Paderborn.
Pay particular attention to the correctness of links in an email. The URL specified in the text does not have to correspond to the link destination.
If we ask you to authenticate yourself on one of our websites, please pay attention to the following characteristics:
The address is in the form https://*.UNI-PADERBORN.DE/* and is identified by a valid security certificate. The first * indicates the service, e.g. https://webmail.uni-paderborn.de or https://benutzerverwaltung.uni-paderborn.de etc.
Further information and examples of phishing emails can be found at Notes on Phishing E-Mails.
Password managers make it easier to use, manage, and securely store your passwords. A password manager stores and encrypts passwords and associated accounts using a master password or key file, and helps keep your account data secure. This simplifies the use of, for example, particularly long and/or randomly generated passwords and thus increases security.
A well-known and frequently used open source password manager is KeePass. Instructions on how to install and use it can be found at Managing passwords with KeePass.
Please note that passwords stored in apps are also at risk!
Mobile applications in standard smartphones are very popular. However, they do not disclose how they handle your credentials. In the worst case, they are transmitted in clear text between the application, app server and university. In the best case, encryption takes place, storing only encoded hash values with the app provider. Unfortunately, even these hash values can be used for attacks if an attacker can get at them.
We therefore generally advise against storing access data with "mobile apps".
Password length and security
The length of a password is crucial when assessing its security. If an attacker manages to get hold of the encrypted hash values of your password, he can try to crack it offline, i.e. without having to log in anywhere with it.
In an article from 2009, the author Dirk Fox has impressively shown the connection between the length of a password and its security. The full article can be found here or at (Fox, D. DuD (2009) 33: 620. doi:10.1007/s11623-009-0161-9).
|Password length||Letters only (52 characters)||Letters, numbers & special characters (84 characters)|
|6||0,2 s||3,5 s|
|8||8.75 min||6.7 hrs.|
|10||16.4 days||5.4 years|
|12||122 years||38.147 years|
The speeds were calculated on a standard computer from 2009 with a good graphics card and an open source program.
- Information Security (german) - Overview of all articles