Managing Passwords

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the University's entire corporate network. As such, all University staff and students are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

General Password Construction

Passwords are used for various purposes at University, for example logging on at public PCs, opening email readers, logging back in from a screen saver, and access to specialist systems; in most cases a single password is used for all of these.

System administrators in departments require system-level access to further computer systems and network equipment, and these credentials must be treated with the same care as those that access central systems.

In all cases it is important that a third party cannot gain access to a facility by obtaining or guessing a password, so everyone should know how to select a strong password.

Poor, weak passwords have the following characteristics:

  • The password contains fewer than eight characters
  • The password is a word found in a dictionary or atlas (English or foreign)
  • The password is a common usage word such as:
    • Names of family, pets, friends, co-workers, fantasy characters, etc.
    • Computer terms and names, commands, sites, companies, hardware, software.
    • The words "University", "aber", "ystwyth" or any derivation.
    • Birthdays and other personal information such as addresses, car number plates, and phone numbers.
    • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
    • Any of the above spelled backwards.
    • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:

  • Contain both upper and lower case characters (e.g., a-z, A-Z)
  • Have digits and punctuation characters as well as letters, e.g., 0-9 and !@#$%^&*()_+|~-=\`{}[]:";'<>?,./
  • Are at least eight characters long (the same minimum as the weak-password list above).
  • Are not a word in any language, slang, dialect, jargon, etc.
  • Are not based on personal information, names of family, etc.
  • Are never written down or stored on-line.

Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember", and the password could be "TmB1w2R" or "Tmb1W>r~" or some other variation. Note: do not use either of these examples as passwords!
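
The two rule lists above and the phrase method are easy to state but easy to get wrong in practice, so here is an added example (written for this page, not a University tool) that turns them into a checker. It builds a password from a phrase the way the text describes (first letter of each word, number-words swapped for digits, alternating letter case) and then tests any password against the weak-password characteristics: length, character classes, dictionary words (also reversed, or with a digit added), the institution-specific words, and keyboard or repeating patterns. The word list, the digit substitutions and the punctuation set are constructed for the example; a real deployment would load a large multi-language dictionary. Note that the checker flags the page's own first example, "TmB1w2R", because it has only seven characters and no punctuation; "Tmb1W>r~" passes.

```python
"""Password-policy checker and passphrase helper (added example, not University code)."""
import re
from typing import List

# Stand-in for the policy's "dictionary or atlas": a small constructed word list.
# A real deployment would load a large multi-language list here (assumption).
DICTIONARY = {"secret", "password", "welcome", "dragon", "summer", "london",
              "zebra", "cardiff"}
# Words the policy names explicitly ("or any derivation"): matched as substrings.
INSTITUTION_WORDS = ("university", "aber", "ystwyth")
# Rows used to spot qwerty/abc-style runs, forwards or backwards.
SEQUENCE_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789",
                 "abcdefghijklmnopqrstuvwxyz")
# The punctuation set listed in the policy text.
PUNCTUATION = set("!@#$%^&*()_+|~-=\\`{}[]:\";'<>?,./")
# Number-words replaced by digits in the phrase method (an assumed mapping).
WORD_DIGITS = {"zero": "0", "one": "1", "won": "1", "to": "2", "too": "2",
               "two": "2", "for": "4", "four": "4", "ate": "8", "eight": "8"}


def passphrase_to_password(phrase: str) -> str:
    """First letter of each word, number-words become digits, letters alternate case."""
    out = []
    upper = True
    for word in re.findall(r"[A-Za-z']+", phrase):
        key = word.lower()
        if key in WORD_DIGITS:
            out.append(WORD_DIGITS[key])      # digits do not consume a case slot
            continue
        out.append(word[0].upper() if upper else word[0].lower())
        upper = not upper
    return "".join(out)


def _is_sequence(s: str) -> bool:
    """Runs such as 'qwerty', 'zyxwvuts' or '1234' taken from a row, either direction."""
    if len(s) < 3:
        return False
    return any(s in row or s in row[::-1] for row in SEQUENCE_ROWS)


def _is_pattern(s: str) -> bool:
    """Word or number patterns: 123321, aaabbb, 121212 and keyboard sequences."""
    if len(s) >= 4 and s == s[::-1]:                # mirror patterns: 123321, abccba
        return True
    if len(set(s)) <= 2:                            # aaabbb, 1010, xxxxxx
        return True
    for period in (1, 2, 3):                        # short repeating units: 121212, abcabc
        if len(s) >= 2 * period and s == (s[:period] * len(s))[:len(s)]:
            return True
    return _is_sequence(s)


def _dictionary_hits(s: str) -> List[str]:
    """Check the word, its reverse, and the word left after stripping a leading/trailing digit."""
    stripped = re.sub(r"^\d|\d$", "", s)            # secret1 / 1secret -> secret
    candidates = {s, s[::-1], stripped, stripped[::-1]}
    return sorted(c for c in candidates if c in DICTIONARY)


def assess(password: str) -> List[str]:
    """Return the policy rules the password breaks; an empty list means it passes every check here."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("fewer than eight characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in PUNCTUATION for c in password):
        problems.append("no punctuation character")
    for hit in _dictionary_hits(lowered):
        problems.append(f"dictionary word '{hit}' (possibly reversed or with a digit added)")
    for word in INSTITUTION_WORDS:
        if word in lowered or word[::-1] in lowered:
            problems.append(f"contains '{word}' or a derivation of it")
    if _is_pattern(lowered):
        problems.append("keyboard or repeating pattern")
    return problems


if __name__ == "__main__":
    for candidate in (passphrase_to_password("This May Be One Way To Remember"),
                      "Tmb1W>r~", "1secret", "qwerty", "Aber2024!!"):
        print(f"{candidate!r}: {assess(candidate) or 'passes'}")
```

The checker is a minimum, not a guarantee: a password can pass every rule here and still be weak if it has been used elsewhere or appears in a leaked-password list, which is why the page's later advice on reuse and compromise still applies.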

Other Considerations

  • All user-level passwords including the main 'email' password must be changed at least every year.
  • Passwords must not be inserted into email messages or other forms of electronic communication.
  • Where a facility requires a password to be selected separately from the main 'email' password this must be different from that 'email' password and any further passwords the user has.

Password Protection Standards

Do not use the same password for University accounts as for non-University access such as a personal ISP account or a mail-order login. If you enter your University username and password on any external website your account will lock automatically.

Do not use the same password for various University accounts except where selecting the 'email' account also sets that password elsewhere.

Do not share University passwords with anyone, including administrative assistants or secretaries. The one exception is a generic account created for shared work, in which case the password must be kept within the defined group that is to use it.

Here is a list of "don'ts":

  • Don't reveal a password over the phone to ANYONE
  • Don't reveal a password in an email message
  • Don't reveal a password to anyone in the University, including line managers and superiors
  • Don't talk about a password in front of others
  • Don't hint at the format of a password (e.g., "my family name")
  • Don't reveal a password on questionnaires or security forms
  • Don't share a password with family members
  • Don't reveal a password to colleagues while you are on holiday

If someone demands a password, refer them to this document or have them contact Information Services.

Where possible, do not use the "Remember Password" feature of applications.

Do not write passwords down and store them in your office. Do not store them in a file or any computer system without encryption.

If a password is suspected to have been compromised, report the incident to Information Services and change the password immediately.

Password Expiry

In order to maintain the security of the systems at AU, all users have to change their password annually. We realise that this is a nuisance, but the University Management Information Committee believes that this is good practice and it must be adhered to.

Most universities and large commercial organisations enforce a similar policy. Software to guess passwords is getting ever more clever, and increasingly large dictionaries and other lists in many languages are being used to try and identify them. 

An annual password change is a good way to vet new passwords and to ensure that those that have become 'crackable' are retired. Further, although divulging passwords contravenes I.S. Rules and Regulations, and we warn users not to write down passwords or let anyone see them being typed in, it is clear that some 'leakage' occurs and a significant number of passwords become known to other people. Regularly enforcing a change helps limit the danger this poses.

One month before the anniversary of a previous password change you will start to receive emails reminding you to change your password. If, after the month, the password has not been changed, the account will be frozen and it will be necessary to contact our Customer Service Desk to have it re-opened.

To Change Your Password

Go to: http://faqs.aber.ac.uk/178 (Logon required)

You are quite at liberty to change your password more frequently if you find that convenient - the rule is that it will be a year from the last change before you need to change your password again.