Credentials and passwords

What can happen?

Usernames in combination with passwords, so-called credentials, are the most prevalent method to access restricted devices, e.g. a personal computer, or personal services, e.g. cloud storages, e-mail services or webshops. Credentials are very interesting for attackers as they can be for example used to

• purchase expensive goods or services at your expense.
• (de)register for exams on your behalf.
• attack your friends to damage your reputation.
• access or manipulate your files in cloud storages.
• read your e-mails or send e-mails on your behalf.

On the one hand criminals use malware, attacks on services or phishing to obtain credentials from other people (see Threats on the Internet). On the other hand they can figure out weak passwords by automatically trying to login with lists of known or often used passwords (brute force attacks).

Handling of credentials

Some basic but very important rules should be noted to keep your credentials safe:

• Always use different passwords for different services (e.g. WWU, Amazon, Google, eBay).
• Enter the password for your university access solely on websites from the university!
• Enter passwords only on encrypted (green lock in address bar/https instead of http at beginning of web address) and trustworthy (plausible web address) websites!
• Use your credentials only on trustworthy devices which are protected by the basic security measurements (antivirus and firewall)!
• Never share your passwords with anyone (not even employees from WWU or ZIV)! No legitimate company would ask you to submit your password by telephone or e-mail!
• Change default passwords immediately (for example in wi-fi routers or IoT-devices)!
• Never write your passwords down on notepads on your desk or in unencrypted text files!
• If you want to keep a list of your passwords for emergencies, store it in a secure place like a safe.
• If your password got leaked change it immediately or ask for locking your account temporarily. You can change your password in MyZIV or you can get your account locked either in person at our Servicecounter or via telephone at our Servicehotline.

Rules for a secure password

The following rules help to prevent successful brute force attacks and should be especially considered when choosing new passwords:

• Passwords should be at least 8 characters long (Exception: at least 20 characters for cipher methods, such as WPA2 for wi-fi access).
• Passwords should always contain lowercase and uppercase letters, numbers and symbols (?!%+…).
• Passwords should not contain words found in dictionaries.
• Names of family members, friends or favorite celebrities or other personal information, like your birthday, should not be used either.
• Passwords should not consist of repeated characters or keyboard patterns (e.g. 1234abcd, asdfgh, 1111aaaa).
• Simples changes like adding numbers or symbols at the beginning or end of a word are predictable and should not be used.

There are many ways to create and manage strong passwords. You can try some of these methods with our Password generator and get helpful hints on how a secure password should look like with a password checker.

Additional measures

Two-factor authentication

The use of two-factor authentication is another way to increase the safety of your accounts. More and more services already allow you to set up two-factor authentication, e.g. MyZIV, Google, Apple, Microsoft, Dropbox, Amazon. When set up, you will be prompted to enter a special code whenever you log into your account or just perform certain actions. These codes are only valid for a short time and will be delivered to you, for example by e-mail or SMS, when you try to access your account. You can get more information on two-factor authentication on Wikipedia for example.

Password manager

Since strong passwords often are hard to remember, a password manager, such as KeePass, can be used to store them safely. The password manager stores your passwords in an encrypted database resulting in only one strong password that has to be remembered to encrypt and decrypt the database. If you use a strong password, you can safely deposit your password database in cloud storages, like sciebo, to be able to access it from anywhere in the world.

Additional information

Services that allow you to check whether your credentials were compromised in a data breach:

• HPI Identity Leak Checker
• Have I Been Pwned

Download location for the password manager KeePass:

• Official KeePass Website