Password Tips

There is a separate policy for centrally managed passwords, but here are some tips, including how to use passwords in external services.

Multiple Use

Users are known to like using the same access data on different systems, because then they only have to remember one combination of username and password ("password recycling", also called "password reuse").

We strongly advise against this, and it is forbidden with TU Graz access data, because we do not know how secure other systems (including TU Graz) are!
Leaked passwords are also very often used in so-called "credential stuffing" attacks, in which automated attempts are made to log in to the affected persons' other accounts with the same passwords.
Read the article "Dangers of reusing passwords – Know why is it bad and how you can avoid it".

If you want to store (many) passwords (not only in the browser): why not use our data vault, which also allows secure sharing of information!

If you want to check if your password already appears in password databases, there is a trusted service for that.
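As an added example (not from the original page): a check of this kind can be done without sending the password itself, using the k-anonymity range lookup of the Pwned Passwords API (an assumption; the page does not name its service). Only the first five characters of the SHA-1 hash leave the machine; the rest of the hash is compared locally against the returned list, shown here with a constructed sample response so it runs offline.

```python
import hashlib
import urllib.request

# Assumed service endpoint (not named on the page): range query by 5-char SHA-1 prefix.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response for prefix "5BAA6" looks like:
# one "SUFFIX:COUNT" line per listed hash. The counts here are made up.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2FD2A8C6A2A7B6D1C2B9E3F0D4A5B6C7D8E:12
"""


def split_hash(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(password: str, range_body: str) -> int:
    """Match the local hash suffix against a range response; 0 means not listed."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Query the service for one prefix; only these 5 characters are transmitted."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "password-tips-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str) -> int:
    """Online check: how often the password appears in the breach corpus."""
    prefix, _ = split_hash(password)
    return count_in_range(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration with the constructed response (no network needed).
    print(split_hash("password"))
    print(count_in_range("password", SAMPLE_RANGE_BODY))
```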


Tips for a Secure Password

To create a single secure password, you can, for example, take a nursery rhyme, use only the first letter of each word, and garnish the result with special characters and numbers; the well-known "Mary had a little lamb, whose fleece was white as snow." then becomes Mhall,wfwwas. (acronymization method).
Rhymed passwords are another variant that is easy to remember.

To be able to remember many passwords, it is advisable to follow a certain scheme that looks random but is not: keep one part of the password fixed and take another part from the site where you want to log in. Example: the 2nd and penultimate letter of the system name, combined with fixed and variable elements:

Amazon: "This is my new password for Amazon" thus results in "Timnpfmo" and, with some l33t-speak, "T!mnp4mo".
Leet-speak alone does not make passwords more secure; many attack tools now take it into account!

Analogously, the password "T!mnp4ol" would result for Google.

Even a forgotten password can be reconstructed if you remember the scheme used!

Another method to quickly memorize a new, truly random password (e.g. one created with a password generator):
Set this password for your screen saver and set the screen lock timeout to 1 minute. You will then have to enter the new password so often that after two or three days you can type it blind.
You should then use this password as the master password in the browser or in your password safe (or our data safe), or adapt it for other services. Example: the master password ":xT9/qwB" becomes ":3xT9/qawBe" with the service password part "3ae" for eBay (length-1, 3rd and 1st letter), and with the service password part "7nL" for LinkedIn it becomes ":7xT9/qnwBL".


Password Reset Tips

With many providers, password reset offers the option of answering a (preset) security question.

Since the real answers are often easy to find out through social engineering, you should lie in these answers; you just have to remember how you lied. For example, you could answer the question about your mother's maiden name with a female character from your favorite novel or film. Example: Marjorie Jacqueline "Marge" Simpson's maiden name is Bouvier.


2-Factor Authentication

Even more secure than a secure password is the use of 2FA, at least for your webmail accounts. Many providers (Google, Microsoft, web.de, …) now offer login with a 2nd factor.
The most secure method is a hardware token according to the FIDO2 standard; the weakest variant is TANs by SMS; in between are soft tokens (smartphone apps) such as Google Authenticator.
When using 2-factor solutions, however, you must make sure that you do not lock yourself out if your phone number changes (SMS TANs), or if you can no longer access the software token on the smartphone or the hardware token because the smartphone or hardware token is defective or has been stolen.
With a software token it is recommended to install it on a 2nd device as well. Alternatively, you should print out the QR code or the secret from which the one-time codes are generated, so that a new device can be initialized right away. Some solutions also offer backups, but this reduces security: if someone gets access to this backup, the 2nd factor is compromised.

2-factor authentication at TU Graz.