Choosing a secure password

IT Services will soon be deploying a new system for changing and resetting passwords which will be accompanied by updated guidelines for choosing secure passwords. This post outlines some of the thinking behind these new password guidelines and we welcome feedback.

Three steps to better passwords

  1. Size matters: three or four random words make a far stronger password than the typical eight-character mix of letters, numbers and symbols
  2. Don’t use your Edge Hill password anywhere else
  3. Never share your password with anyone else or on a non-Edge Hill website

Let’s look at these recommendations in more detail.

Size Matters

When it comes to making passwords secure and hard to guess, the most important thing is that they are long. Historically, many websites and organisations have insisted on a password containing a mixture of upper and lowercase letters, numbers and special characters, but this mostly produces passwords that are hard to remember and hard to type, while password-cracking tools already know the handful of substitutions people use to satisfy such rules (a capital first letter, a "1" or "!" on the end, an "@" for an "a").

It is much better to choose a longer password of three or more random words that nobody could guess, even someone who knows you. This is stronger because the number of possible combinations of several words drawn from the English language (and you could include a foreign or made-up word!) is far larger than the number of short passwords built from letters, numbers and special characters. The words do need to be genuinely random, though: a well-known phrase, song lyric or quotation is something attackers' word lists already contain.

This difference was summed up by the web comic xkcd several years ago:

There are many ways to pick some random words but one idea is to picture yourself sitting somewhere you know well – like your kitchen – and choose things you can visualise as you “look” from left to right… “toaster espresso saucepan stool”. Even if someone knew you’d based your password on things in your kitchen they’d still need to guess your combination of how you see things.
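As an added example (not part of the original post), the script below shows how to pick words the way a machine should rather than a person: with the operating system's cryptographic random number generator, and with a quick estimate of how much guessing work the result forces on an attacker. The word list embedded here is a constructed stand-in so that the example runs offline; a real generator would draw from a published list such as the EFF long list of 7,776 words, and only the list size matters for the strength estimate. Note the honest caveat the numbers give: four words from a 7,776-word list are worth about the same as eight truly random printable characters (around 52 bits); the practical gain is that people can actually remember the words instead of falling back on predictable patterns, and a fifth word moves the passphrase clearly ahead.

```python
import math
import secrets

# Constructed sample word list, used only so the example runs offline.
# A real generator would use a published list such as the EFF long list (7,776 words).
SAMPLE_WORDS = [
    "toaster", "espresso", "saucepan", "stool", "kettle", "spatula", "ladle", "whisk",
    "apron", "colander", "grater", "skillet", "teapot", "trivet", "tongs", "mortar",
    "pestle", "carafe", "decanter", "tumbler", "goblet", "platter", "tureen", "ramekin",
    "sieve", "funnel", "griddle", "wok", "cleaver", "peeler", "corkscrew", "timer",
]


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` picks made uniformly and independently from `choices` options."""
    return length * math.log2(choices)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list of `list_size` entries that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (the secrets module), never random.choice,
    whose output is predictable from a small amount of observed state."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare(list_size: int = 7776, word_count: int = 4,
            charset: int = 95, char_count: int = 8) -> dict:
    """Compare a word-list passphrase with a password of truly random printable ASCII
    characters (95 of them). Human-chosen 'complex' passwords are far weaker than this."""
    return {
        "passphrase_bits": round(entropy_bits(list_size, word_count), 1),
        "random_chars_bits": round(entropy_bits(charset, char_count), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))   # e.g. "ladle trivet wok carafe"
    print(compare())                           # {'passphrase_bits': 51.7, 'random_chars_bits': 52.6}
    print(words_needed(64, 7776))              # 5
```

The 32-word sample list gives only 5 bits per word, which is why the real thing uses thousands of words; the strength comes from the size of the list and the number of words, not from how unusual any individual word looks.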

Don’t reuse passwords

Apart from choosing really basic passwords like “password” or “letmein”, the most common cause of an account being broken into is reusing the same password in different places. When a company is hacked and its list of passwords stolen, attackers try the stolen username and password pairs against other services (a technique known as credential stuffing), either going after the same person's other accounts or simply trying each pair against every site they can reach.

For this reason you must never reuse your Edge Hill password for any other website or service. When you change your password you should also never reuse an old password, either directly or by changing it just a bit (don’t just add “1” to the end of the password!).

You can test your choice of password against lists of compromised passwords on the Have I Been Pwned website – this shows that “everton1!” has been seen over 30 times in breached websites. The check does not send your password to the site: only the first five characters of a hash of it are sent, and the comparison is completed on your own machine.
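The following is an added example, not code from the original post or from Have I Been Pwned, showing how the Pwned Passwords check works without revealing the password. The client hashes the password with SHA-1, sends only the first five hex characters of the hash to the public range endpoint (https://api.pwnedpasswords.com/range/), receives every known hash suffix that shares that prefix, and looks for its own suffix locally. The `SAMPLE_RANGE_5BAA6` response below is constructed for offline use (the entries and counts are invented, apart from the suffix of "password" itself); `fetch_range` performs the real network call if you run it.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-character prefix that
    is sent to the service and the 35-character suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup: returns 'SUFFIX:COUNT' lines for every known hash sharing this prefix.
    The Add-Padding header asks the service to add dummy entries with count 0 so that
    the response size does not hint at which prefix was queried."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix: str, body: str) -> int:
    """Parse the range response locally; return how many times our suffix has been seen.
    Padding entries carry a count of 0, so they never produce a false positive."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of breach occurrences for `password`; 0 means not in the corpus.
    `fetch` is injectable so the logic can be exercised offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The middle entry is the real suffix of "password"; the count and the other entries are invented.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "00000000000000000000000000000000000:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:0",   # padding-style entry
])


def offline_demo(password: str) -> int:
    """Run the check against the constructed response instead of the network."""
    return pwned_count(password, fetch=lambda prefix: SAMPLE_RANGE_5BAA6)


if __name__ == "__main__":
    print(offline_demo("password"))                        # 12345
    print(offline_demo("toaster espresso saucepan stool"))  # 0
```

A non-zero count means the password should be rejected outright, however long it is; a zero count only means it is not in the known-breach corpus, not that it is strong.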

Remembering a different (secure!) password for every website is very hard so you could make use of a password manager. This is a piece of software running on your computer and phone, or a web service, that will securely store all your passwords. You’ll only be able to access them after you’ve entered a master password.

Read more about password managers on the Which? website.

Never share your password

You are responsible for any actions taken while logged in with your account, so never share your password with anyone else.

It is against the University IT Acceptable Use Policy to share your password with anyone else. If you suspect someone else knows your password or you are issued with a temporary password by IT Services, you must change it straight away.

Staff in IT Services will never ask you for your current password, so don’t tell anyone purporting to need it. If you need assistance, IT Services can either take remote control of your Edge Hill computer, where you enter any passwords yourself, or they will reset your password and issue a new temporary one once they have finished.

You should only enter your username and password into websites you trust to belong to Edge Hill. Look in the address bar to ensure it’s a secure connection on an edgehill.ac.uk site. Be on the lookout for disguised phishing websites, for example:

https://login.edgehill.ac.uk.secure.phising-website.university/

Note that after edgehill.ac.uk the address carries on with more dots rather than a slash: the site you are actually connected to is whatever comes immediately before the first single slash after https://, which here is phising-website.university and not edgehill.ac.uk. If you come across a phishing website or email do not enter your password and inform the IT Service Desk.
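As an added example, not part of the original post, here is the host check spelled out in code, of the kind a mail filter or browser extension would apply. It takes the trusted domain from the page (edgehill.ac.uk) and tests the page's own phishing address alongside a few other constructed lookalikes: a credential in front of an "@", the real domain hidden in the path, a plain-HTTP copy, and a host that merely ends in the same letters.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "edgehill.ac.uk"  # the University's domain, from the post


def is_trusted_login_url(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """True only if the URL is HTTPS and its host is the trusted domain or a subdomain of it.

    urlsplit().hostname discards any user:password@ prefix and any :port, and lower-cases
    the name, so the comparison is made against the host the browser would really contact."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # "edgehill.ac.uk." is the same host as "edgehill.ac.uk"
    # Require a dot boundary: "loginedgehill.ac.uk" must not pass.
    return host == trusted_domain or host.endswith("." + trusted_domain)


# Constructed test addresses; the second one is the example from the post.
EXAMPLES = {
    "https://login.edgehill.ac.uk/": True,
    "https://login.edgehill.ac.uk.secure.phising-website.university/": False,
    "https://login.edgehill.ac.uk@evil.example/": False,       # real host is evil.example
    "https://evil.example/login.edgehill.ac.uk/": False,       # domain appears only in the path
    "http://login.edgehill.ac.uk/": False,                     # not a secure connection
    "https://loginedgehill.ac.uk/": False,                     # no dot before the trusted domain
    "https://LOGIN.EDGEHILL.AC.UK:443/sso": True,              # case and port do not matter
}


def check_examples() -> dict:
    """Run every example through the check; returns {url: verdict}."""
    return {url: is_trusted_login_url(url) for url in EXAMPLES}


if __name__ == "__main__":
    for url, verdict in check_examples().items():
        print(("TRUSTED  " if verdict else "REJECT   ") + url)
```

The rule is deliberately strict: anything that is not unambiguously on edgehill.ac.uk over HTTPS is rejected, because a login page is exactly where a near-miss is most expensive.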


This is still very much work in progress so please leave any comments below.

[If this sounds familiar, it’s because this is basically what I’ve recommended for the last 7 years]

Join the Conversation

3 Comments

  1. I absolutely agree and the requirement to change passwords regularly is something of a legacy of previous “best practice”. I was planning to write another post about some additional changes we’re considering so I don’t want to spoil the surprise but a change to the password expiry period is definitely something we’re considering. It’s worth noting that while the NCSC (and NIST in the US) now recommend against regular password rotation, they do suggest implementing a range of other measures to detect unusual activity and notify users of login attempts and report any they weren’t responsible for – it’s fair to say we have a bit more work to do on this. We are also testing multi factor authentication solutions which provide an additional layer of security and – when combined with a strong password – could tip the balance in favour of reducing or removing the password rotation requirements.
