Safe use of passwords

You are personally responsible for the use of your passwords, so take appropriate care of the security of your passwords and minimise information security risks in accordance with the following principles:

Minimising the human element in information security risks:

  • Never give your password to another person. The administrators of online services will never need your password for anything. This also applies to the University of Helsinki (the system administrators do not need your password to do their job).

Minimising physical information security risks:

Never use the same password in more than one service. By using a different password in each service, you can minimise the damage caused by potential breaches to information security. The password for the University of Helsinki user account should not be used in other online services outside the university, because many of the services have insufficient information security.

What makes up a good password?

A good password is easy to remember but difficult to guess. The basic idea of coming up with a good password is that the password should never be a single word in any language. If you decided to have a word in one of the natural languages – such as football or cat – as a password, the password could be guessed through a dictionary attack: criminals might crack your password by mechanically trying all words in a dictionary.

It takes 12 seconds for a computer to find out all the possible combinations for a password consisting of five minor-case letters. For six letters, the time is five minutes, and even a password of eight letters can be cracked in only 2.5 days. However, for nine letters, the guessing period increases to two months! This is why few systems accept passwords that are too short.

Combinations of words

You can make your password stronger by combining several words, but to keep yourself safe from dictionary attacks and other good guesses, be creative and add other characters in your password besides letters! For example, “CaptainAmerica” is not yet a safe password – especially if it is your favourite character or the name of your favourite bar. Instead, a combination such as “Docile29Cadence” is much harder to crack.

Alternatively, you can create a good password by using several unconnected words, like the popular XKCD comic recommends.

Strings of characters

One possibility is to come up with a password using a phrase that you can remember easily. The phrase should contain proper nouns beginning with capital letters, as well as numbers. After this, you take the first letter from each word in order to create the password.

Example: Raimo thinks back to the time he spent with his ex-girlfriend, and comes up with a rather safe phrase, described below.

I lived with Paula for 5 years at 15 Main Street = IlwPf5ya15MS

Shared first part

It can be difficult to remember dozens of different passwords, but you can make it easier by coming up with a part of the password that is the same for all your passwords and that can be combined with a unique ending.

Below, you can see Raymond’s list of passwords demonstrating how passwords can be divided into parts. As you can see, Raymond makes use of the password he came up with in the earlier paragraph.

Complete password Shared first part Different second parts Service
IlwPf5bb68 IlwPf5 bb68 A dating service Raymond uses
IlwPf5i9z4 IlwPf5 i9z4 The free e-mail service Åmail Raymond uses
IlwPf5b6yz IlwPf5 b6yz A free stock market service Raymond uses

Improving your security with a password manager

It can be quite impossible to remember all the different usernames and passwords required for different services, especially if you are doing it right and trying not to use the same password for every service. Password managers are programs designed to assist in this. Typically, their operation principle is that they save strong user-generated or automatically generated passwords locally on each device in strictly encrypted format. The only way to decrypt these passwords is to use a master password, which is also often available as a physical key file that the user should keep in a safe place separate from his or her devices. There are also programs that synchronise password files via the Web to the user’s devices.

LastPass, 1Password and KeePass are examples of popular password managers that have been proven secure.

One of the most popular password managers is the free open-source software KeePass. The university’s Helpdesk site has clear instructions on how to use it.

At their best, password managers improve both information security and usability. The stored passwords are so well encrypted that in practice, the only risk involves losing the master password.

The safe use and storage of passwords

Often people think that a password that is hard to guess and safely stored is guarantee enough for the safety of the password. This is not the case, as the safety of password use is further affected by the following factors:

  • Somebody might see your password as you are typing it.
  • Somebody might install a keylogger on your computer to monitor what you are typing.
  • If the wireless network you are using is not secured, somebody might sniff your connection.

You should pay special attention when using passwords while connected to a public wi-fi available in cafes or public transport: even if you are using a secure connection (more on this in the next chapter) to read your e-mail or any other activities, your computer might be unsafe!

Many web browsers offer the possibility of saving usernames and passwords. The function is very handy, but it also entails some security risks. If you do not pay attention to the pop-up messages displayed by the browser, you might accidentally save your password in the browser. This is particularly unfortunate if the computer you are using is not your own! The picture below shows a browser pop-up window that asks you if you would like your browser to remember your password.

Saving your password in the browser also involves other risks. If you accidentally leave your computer on or you share your computer with members of your family, they may be able to read your password if they have access to your browser settings and you have not used a master password to protect your passwords. The picture below demonstrates how it is possible to read passwords saved in a browser in plain language through the settings of the Firefox browser.

On a private computer, you can protect the passwords that your browser remembers by setting up a master password. For more information (including instructions for how to delete the information described above), see the page Privacy in browser use.