Password security

image

Protecting your password is a key responsibility at RMIT.

As more and more of our lives are conducted online, the threat of being compromised or falling victim to a cyber attack becomes ever greater. Identity theft and online fraud incidents often begin with a simple password being accessed, so it’s important to understand the dangers and what you can do to improve your password security.

Your RMIT password unlocks a wide range of systems and applications that provide access to research data, intellectual property and confidential information. Access to this kind of information puts universities at increased risk of a malicious attack. Keeping your password secure and well managed is the first line of defence in preventing this.

How can my password be compromised?

Today’s cyber criminals are particularly sophisticated and will employ a number of tactics to gain access to your password. Common methods include:

  • Phishing

Phishing emails look like they come from a trusted source but are used by fraudsters as a way of obtaining login details. Typically, phishing emails ask you to click on a link to verify your username or password. The link takes you to a fake webpage that’s designed to look just like the real thing. Any details you submit on the page are captured and able to be used by an attacker.

  • Keylogging

This method attempts to trick users into downloading malicious software or spyware onto their device. Once downloaded, the programs are capable of covertly recording the keystrokes made on your keyboard, including your password, and passing that information on without your knowledge.

  • Brute force attack

This is where an attacker already knows the User ID of a target and is systematically trying to hack the password using every possible combination. Dictionaries are generally consulted as a source. A strong password is the best defence in these instances.

  • Special knowledge or access attack

This is where an attacker may know information about you and tries to guess your password based on this knowledge. It also covers shoulder surfing: looking over someone’s shoulder as they type their password.

Password rules

When you start out at RMIT you’re provided with a default password. The sooner you change this to something unique, the more secure you’ll be.

Standard RMIT passwords must:

  • Be 8-25 characters in length
  • Contain a mix of uppercase, lowercase, numeric characters and/or symbols
  • Not include part of your name or username
  • Be significantly different to any previously used password
  • Be changed every 180 days

Remember you must not disclose your password to anyone or write it down and leave it where others might see it.

Making it more secure (and remembering it)

The easiest way to make a password more secure is to make it longer. The problem is that generally, the longer, more secure and unique you make them - the harder they are to remember! Using a passphrase is one way to get around this issue.

So what’s a passphrase? It’s where you take a personally memorable sentence or phrase and turn it into a password using the letter of each word and a different mix of characters. The idea is to create something that makes sense to you but looks totally random.

For instance, a phrase like “The Roos will win the Grand Final by 10 goals!” might become “tRooswwtGFb10Gs!”. It’s an easy to remember 16 character password that’s hard to crack.

Other tips to remember:

  • Don’t use single dictionary words or names in your passwords. Hackers can attempt a brute force attack on your password by using common name and dictionary word combinations. If you must use dictionary words, use three or four completely random ones like “absolute-camel-frame-motor”
  • Avoid predictable password patterns, such as an upper-case character at the start and a numeric at the end.
  • Be aware what information is available about you in the public domain, online or on social media. Hackers will research to gain an advantage so don’t overshare important details and make it easy for them.
  • Remember to set up your RMIT self service details online. It means you’ll be able to reset your password if you ever forget it, from anywhere on any device.

How many do we really need?

The idea that we need to have a completely unique password for every online application and website is losing ground in favour of retaining a small number of strong passwords that are better managed and remembered.

Maintaining about four very strong passwords that cover different areas of your online activity is a good guide for most people. For example, you might have:

  • One for use at RMIT
  • One for conducting banking and finance
  • One dedicated to your personal email account
  • One for social media and everything else

Note that it is particularly important to have a separate, strong password for your personal email account. Why? It’s because of how organisations deal with forgotten password requests. If you report a forgotten password, chances are they’ll send the reset information straight to your email address. This means that if a hacker has access to your email account, they could potentially report a forgotten password for all the systems, apps and websites you access, and gain control by using the reset details sent to your inbox.

Storing passwords

If you must write down your password or access it from a written source, it needs to be placed in a safe place. Please don’t just write it down on paper and place it under your keyboard, in your wallet or in an unlocked drawer. Also remember to:

  • Leave out some of the easily remembered characters, and insert them when you need to use it.
  • Never write down the name of the service or system the password is used to access.
  • Once you have committed the password to memory, be sure to destroy all evidence of it.

A more secure method of storage is by using a reputable password manager or even an encrypted USB stick. An encrypted USB allows you to record all the passwords you are using, encrypted behind the security of a master password. Of course this method of storing passwords is only as secure as the master password you have created - and the safe possession of your USB.