The Open University
Safe Computing Bulletin

Some advice about passwords

Category: [System] Medium: [Passwords] Platform: [Android, IOS, Linux, Mac OSX, Windows, Windows Mobile]

Bulletin Issued: [02/26/2014 10:24 AM GMT]
Unique Bulletin ID: [HKRI-9GPE8A]

We have noted some useful advice from Graham Cluley ('The perils of passwords' article linked below) about improving the strength of passwords which we think is worth sharing with you.

Just for the start have a look at a Sophos video which explains how to choose a strong password:

Bear in mind that even if you have the latest anti virus software installed on your computer, your passwords can be stolen: by phishing, by malware, by hacking or via unpatched vulnerabilities.

This advice should help you to stay out of trouble:
- Never use the same username and password on multiple websites. It's like having a skeleton key which opens every door - if they grab your password in one place they can try it in many other places.

- When a website or service offers you the option of two-factor authentication (2FA) do consider enabling the feature. Every time you login, a new one-time-password is required. Even if your regular password is guessed, cracked or stolen by hackers, it won’t be any use to the bad guys because they won’t know what your one-time-password is. If you use something like a mobile phone app to automatically generate your one-time-password then it’s always likely to be within easy reach, but a long way away from the hackers.

- In order to ensure their ongoing effectiveness, change passwords on a regular basis. How often one should change passwords really depends on the account. Online financial accounts should be changed every month or two. Corporate network passwords should be changed every 3-4 months. Microsoft recommends having users change their passwords every 30 to 90 days.

- Change passwords as close to the actual account as possible. For example, if it’s an ISP account, don’t telnet through three other machines to change that password. If it’s an office computer, users should be on that computer and not on a co-worker’s when changing it. Don’t let anybody watch while typing the old and new passwords. If at all possible, the password should be changed over a secure connection like a secure shell (SSH or SSL - look for the little 'padlock' icon in the browser).

- Do not store passwords online - even encrypted.

- Change passwords whenever there is suspicion they may have been compromised

- Make sure that operating system password and application passwords are different

- Never tell a password to anyone, including people who claim to be from customer service or security

- Never communicate a password by telephone, e-mail or instant messaging

- Never use online password generation tools

- Avoid using non-secure networks at places such as hotels, cafes, etc. to send private information. Using remote software, hackers can access your username, password, and other private information by tracking your keystrokes. You should change your password after using a public or internet cafe network the next time you are at a secure machine.

- Never store your password in a program, even if the program or browser asks you to. It is generally trivial for a hacker to recover your password from inside one of these programs

Related Links

Graham Cluley 'perils of passwords':
Two-factor authentication:
Password policy:
A Guide To Better Password Practices:
A lot of information related to passwords:
Sophos Video:

Subscribe to our email Bulletins:

OU Security-related courses, Security Inspection Tools and other links

Network Security Course T828:
Information Security Course M811:

World Community Computing Grid:
(The WCG harnesses the spare computing power on computers worldwide to assist in humanitarian research projects)

RSS Feed

Disclaimer: This bulletin is provided without any warranty from us as a free service, and the Open University cannot be held liable for the content, software updates and advice provided on external sites or by external agencies. If you use MS Windows, you are strongly advised to 'Create a System Restore point' using [Programs][Accessories][System Tools][System Restore] before applying any patches or upgrades to your PC.

Unique Bulletin ID: HKRI-9GPE8A