Passwords, PINs, & Co.

Things to know

  • A password needs a sufficient number of characters, at least 12.
    With today's computer technology, billions of password combinations per second can be tried in an attempt to guess a password. The number of possible combinations grows exponentially with each additional character. That is why only a long password is a secure password.
  • PINs should be as long as possible; four characters are not much.

Do not select keyboard sequences such as "asdfghijkl" or "1234567890" or words that appear in a dictionary and are not or only minimally modified, e.g. "secret1" or "passw0rd".

These variants are found in so-called "rainbow tables" and are cracked in no time.

Do not use terms and numbers from your personal environment such as the date of birth of your daughter or the name of the cat.

A password safe or password manager stores passwords in an encrypted database. It is encrypted/decrypted with a so-called master password, which must be extremely secure.

Password managers can manage various attributes for each account.

With a built-in generator, secure passwords can be generated.

Advantages of a password manager:

  • The owner just has to remember one password: the master password.
  • All passwords stored in the safe can be very long and complex, as they rarely have to be entered manually.
    In most cases "copy/paste" can be used.
  • All passwords are managed in one place and can also be retrieved with a mobile phone.

The IT Services recommend Keepass: Password manager recommendation for end users

A common way to "remember" passwords is to save them within browsers. This involves risks:

  • These passwords are each encrypted with the login password for the computer. Anyone who knows the password of a computer can read out the passwords stored in the browser in plain text.
  • Attackers can try to steal these passwords with the help of malware.

Secure handling of passwords and PINs

The best password is of little use if you are careless with it.

It is recommended to choose different passwords or PINs for different user accounts, services or devices.

If your Facebook profile is hacked, you do not want to risk your online banking being left unprotected as well.

Never pass on passwords and PINs, neither to your assistants nor to your team, nor to the IT supporter, not even to acquaintances and certainly not to strangers.

If you need to give other people access to data or processes in an application, make use of its delegation features.

Never write down your passwords and PINs in plain text.

If, in exceptional cases, it should nevertheless be necessary, they must be kept under lock and key and must only be accessible to authorised persons.

Avoid using the password memory of your browser if possible.

If you do want to use it, please note: Passwords that are stored in the password memory of the browser are encrypted with the login password of the computer. Therefore, use long and complex login passwords for your systems. Never give the device password to third parties, including IT support.

Use a password manager to securely manage your numerous passwords.

  • When choosing a password manager, make sure that the database containing the passwords is securely encrypted and you can define where the data is stored. ETH Zurich passwords must not be stored in the cloud.
  • Choose a very long, complex master password for your password manager.
  • If possible, protect your password manager with a second authentication factor.

If you know or fear that an unauthorized person has obtained your password:

  • Immediately change your password on https://www.password.ethz.ch/.
  • Contact your responsible IT support to clarify whether further measures are necessary.
  • If you use the same password for other accounts (which is of course not recommended), change the password for these accounts as well.

Creating and remembering passwords

Make your password unique and secure.

  • The longer and more unusual your password is, the more secure it is.
  • Passwords with 12 or more characters are safe.
  • Use at least 3 different types of characters:
    • capital letters (A-Z)
    • lower case letters (a-z)
    • numbers (0-9)
    • special characters (#, - . / : = ? @ [ ] { } etc.).
    • do not use umlauts, accents or spaces

To create a good password, you can do the following:

  • Take a sentence that you can remember easily, for example:
    In the summer of 2024, I probably will be completing my doctorate.
  • Form a password with the respective initial letters, special characters and numbers of the formulated sentence:
    Itso2024,Ipwbcmd

This produces a password that looks like an arbitrary string of characters but that you can easily remember or reconstruct from the underlying sentence.

You can also use a whole sentence as a password (passphrase): Iwanttoeat7Ooranges+3bananas!
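The character-class rules listed above and the sentence-initials method, as an added Python example that is not part of the original page; the special characters beyond those the page lists, and the dropping of the sentence-final full stop, are assumptions chosen to reproduce the page's own example:

```python
import string

# Character classes named in the guidance above. The specials set starts from the
# characters listed on the page ("#, - . / : = ? @ [ ] { }"); the additional
# symbols are an assumption standing in for the page's "etc.".
SPECIALS = set("#-./:=?@[]{},!+;$%&*()_")
ALLOWED = set(string.ascii_letters + string.digits) | SPECIALS

def character_classes(password: str) -> set:
    """Return the subset of {upper, lower, digit, special} the password uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes

def check_password_rules(password: str) -> list:
    """List the rules from the guidance that the password violates (empty = passes)."""
    problems = []
    if len(password) < 12:
        problems.append("fewer than 12 characters")
    if len(character_classes(password)) < 3:
        problems.append("fewer than 3 character classes")
    # Umlauts, accents and spaces all fall outside the allowed ASCII set.
    if any(ch not in ALLOWED for ch in password):
        problems.append("contains umlauts, accents, spaces or other disallowed characters")
    return problems

def password_from_sentence(sentence: str) -> str:
    """Build a password from a memorable sentence: initial letter of each word,
    numbers kept in full, punctuation between words kept, the final full stop
    dropped (that last detail is an assumption made to match the page's example)."""
    parts = []
    for token in sentence.split():
        core = token.rstrip(",.;:!?")
        trailing = token[len(core):]
        if core[:1].isdigit():
            parts.append(core)       # e.g. "2024" is kept whole
        elif core:
            parts.append(core[0])    # e.g. "summer" -> "s"
        parts.append(trailing.replace(".", ""))
    return "".join(parts)

if __name__ == "__main__":
    pw = password_from_sentence("In the summer of 2024, I probably will be completing my doctorate.")
    print(pw, check_password_rules(pw) or "passes all rules")
```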
