School of Physics and Astronomy – computing


Guidance on passwords and passphrases

Passwords are important. They protect access to your stuff.

But it's not just about your stuff. If you have a weak password, and someone with malevolent intent gets into the system that way, then uses that privileged position to attack the system from inside, and then playfully deletes everyone's data, it's you that left the door open to them. We try quite hard to set up other obstacles to such bad behaviour, but if we can stop the baddies from coming in the front door, that helps a lot.

Passwords are important, but how do you choose a good password? That advice is what this page is about.

Also: you don't have to be a VIP to make your password important. Criminals attempt to crack passwords on an industrial scale, so if your username and password are disclosed in a data breach from an online service, they'll try to crack the lot, without targeting anyone in particular. If a cracked password means they can get inside any sort of interesting institution (such as a university) that gives them a good starting point for more targeted attacks. If it turns out that a cracked password points to a bank account – payday!

There are a few bullet-points below, and a password generator at the bottom. No, of course I can't resist expanding on the bullet-points, but you can skip that.

The advice here is supplemental to our general IT security advice, but the general remarks about passwords are not just specific to here. We hope this is good password advice for your non-GU life, too.

Our advice is, we believe, compatible with the advice offered by the UK National Cyber Security Centre.

Advice §

Online, it's easy to find lots of bad advice about passwords. Here is some bad advice about passwords:

Here is some good advice about passwords:

- Use multiple passwords, and keep them in a password manager.
- Long is better than complicated: use multiple words.
- Humans are bad at randomness, so generate your passwords.
- Use password enhancements such as multi-factor authentication.
- Your email password is important.

Expanding on those points in turn...

Use multiple passwords, and keep them in a password manager

As a general rule, you should have a different password for every online service that you use. If you routinely repeat passwords, and a criminal learns one of them, by whatever means, then they have a chance of getting access to multiple accounts. Marketers and criminals both have an interest in learning about your multiple identities – knowing that fred.bloggs@glasgow.ac.uk and fluffybunny99@yahoo are the same person – and information about this does tend to leak onto the internet. Password reuse is probably a bigger problem, in security terms, than weak passwords.

Ideally, no-one will know any of your passwords. But if they do, then having multiple passwords will limit the spread of the damage.

Your OS or your web browser might have a password manager built in, or you can use one of a small selection of third-party managers. A notebook in a locked drawer does count as an adequate password manager, too.

Long is better than complicated – multiple words

A password like pas5w0rd! looks complicated – it's got numbers and a non-alphabetic symbol, and everything! – but those characters are predictable, and appear in very predictable places, so it's a rubbish password, even if it does satisfy your bank's nonsense ‘password complexity’ rules.

A good password is random: that's the beginning and end of it. Sixteen randomly chosen letters and numbers (about 83 bits of entropy; see the maths below) is about as good as you can get within reason. But that's hard to memorise, so either (i) use this, but put it in a password manager (good plan!), or (ii) use random words rather than random letters. The advantage of option (ii) is that it's a lot easier to remember random words.

Random words are also easier to type than random gibberish, which means it's reasonable to have a long password without wearing out your fingers. See below for a password generator.

Humans are bad at randomness

...so generate your passwords. There's a password generator below. Some OSs (eg, macOS) and some web browsers (eg, Firefox) will offer to generate passwords and save the result in a password manager, when they see a likely-looking box in a web form; this is a fine plan. You can even roll dice if you're keen. Generating passwords with something like the generator below, and storing them in a third-party password manager, is what I do, though.

Use password-enhancements

The point of multi-factor authentication (MFA) is that it combines ‘something you know’ (the password) with ‘something you have’ (such as your phone). Even if someone manages to get your password, somehow, the idea of MFA is that it won't do them any good if they don't have (in the most typical case) your phone as well.

When you log into an account, such as a bank account, that sends you an SMS message with a confirmation code, that's a sort of poor-man's MFA: better than a password alone, but SMS messages can be intercepted or redirected (for example by SIM-swapping), which is why an authenticator app or a hardware token is preferred.

MFA is now mandated for GU accounts, but the underlying scheme, TOTP (time-based one-time password, RFC 6238), is a standard, and is used by multiple other online services, notably including GitHub and HMRC. The authenticator app and the service share a secret; the app shows a short code derived from that secret and the current 30-second time step, and the service recomputes the same code to check it.

If you're in the habit of using ssh to connect to school computers, then you can save yourself a lot of typing by using ssh keys (see the note at the bottom of that page).

Your email password is important

If you're locked out of your GU account, then you can recover it with the help of the campus IT helpdesk. For most other services, the password reset will depend on an email message sent to your personal email address.

That means that, even in the unlikely case there's nothing confidential in your email, it's not far off being a master key to lots of other services you use. So it needs a good password, which is definitely different from other ones.

Some maths! §

And now the fun bit! (OK, you can skip this if you really want to..., but where's the giggles in that?)

Password strength is quoted in terms of the ‘entropy’ of the password: the number of alternative passwords an attacker would have to try in order to ‘brute-force’ it by covering all of the possibilities, expressed as a power of two (the exponent is the number of ‘bits’).

A four-digit PIN has 10000 possibilities. Since 10000 ≈ 2^13.3, this can be said to have 13.3 ‘bits’ of entropy. An eight-character lowercase password has 26^8 possibilities, if it's selected truly randomly, which is about 2^37.6. Thirty-something bits of entropy is probably... OK for a low-value password, and would mean that this password would not be amongst the first to fall out of a password-cracking tool (the NCSC suggestion of three random words is in this area). Going upwards, 80 or 90 bits of entropy is genuinely very secure, enough that if someone actually seriously wanted your password they'd try other means of obtaining it, in preference to melting a computer trying all of the possibilities in turn. Note that these figures assume the attacker has obtained the password hashes and can guess offline at full speed; against a login form that rate-limits attempts the attacker gets far fewer guesses, but you shouldn't rely on that.

That's way over the top for most applications, but if your password manager offers to generate passwords for you, the ones it generates will probably be in this cheerfully way-more-secure-than-necessary domain. And that's fine.

Generating passwords §

These passwords are generated in your browser. Generate a few and see if there's one set of words that prompts a memorable image in your mind's eye.

[Interactive generator: a ‘Generate random words!’ button, which displays the generated password, the number of words used, and the size of the password space.]

Or if you prefer extreme concision:

[A ‘Generate compact passwords!’ button, which produces a short random letters-and-digits password instead.]
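Both the entropy arithmetic in the maths section and the two generators above can be reproduced offline. The following Python script is an added example, not the page's own in-browser generator code. Its 32-word list is constructed for illustration only (a real list such as the EFF or Diceware lists has a few thousand words, so each word is worth about 12.9 bits rather than the 5 bits here); the 1e10 guesses-per-second figure in the demonstration is an assumed rate for a GPU rig against a fast hash, not a measurement. It uses `secrets`, so choices come from the operating system's cryptographic random source rather than the predictable `random` module.

```python
import math
import secrets
import string

# Constructed toy word list (32 = 2**5 entries, so 5 bits per word).
# Stands in for the generator's real list; entropy_bits() below uses
# whatever the list's actual size is.
WORDLIST = [
    "apple", "bridge", "candle", "dragon", "ember", "forest", "garden",
    "harbour", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble", "quartz", "river", "saddle", "thistle", "umbrella",
    "velvet", "willow", "yonder", "zephyr", "anchor", "beacon", "copper",
    "dune", "falcon", "glacier", "hollow",
]

# Alphabet for the 'compact' style: upper, lower and digits (62 symbols).
COMPACT_ALPHABET = string.ascii_letters + string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length).
    A 4-digit PIN is entropy_bits(10, 4) = 13.3; eight lowercase letters
    is entropy_bits(26, 8) = 37.6, the figures quoted in the maths section."""
    return length * math.log2(alphabet_size)


def random_words(n_words: int, wordlist=WORDLIST, sep: str = "-"):
    """Pick n_words uniformly at random (with replacement) from wordlist.
    Returns (passphrase, entropy in bits). Sampling with replacement keeps
    the arithmetic exact: every word is an independent choice."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return sep.join(words), entropy_bits(len(wordlist), n_words)


def compact_password(length: int, alphabet: str = COMPACT_ALPHABET):
    """Random letters-and-digits string of the given length, plus its entropy."""
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, entropy_bits(len(alphabet), length)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from a list of wordlist_size that reaches
    target_bits of entropy, e.g. three words of a 7776-word list for 36 bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def time_to_exhaust_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every possibility."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 1e10   # assumption: guesses/second for an offline GPU attack
    for n in (3, 4, 5):
        pw, bits = random_words(n)
        print(f"{n} words: {pw}  ({bits:.1f} bits from this toy list)")
    pw, bits = compact_password(16)
    print(f"compact: {pw}  ({bits:.1f} bits)")
    for label, bits in (("4-digit PIN", entropy_bits(10, 4)),
                        ("8 lowercase", entropy_bits(26, 8)),
                        ("16 letters+digits", entropy_bits(36, 16))):
        yrs = time_to_exhaust_seconds(bits, ASSUMED_RATE) / (365.25 * 86400)
        print(f"{label:18s} {bits:5.1f} bits  ~{yrs:.3g} years at 1e10 guesses/s")
```

The point the numbers make: 37.6 bits is exhausted in seconds at an assumed 1e10 guesses per second, while 80 bits takes millions of years at the same rate, which is why a password manager's long random output is ‘cheerfully way-more-secure-than-necessary’ and why a passphrase needs a large word list, not just several words.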


Norman