Password Guide

Passwords protect your data from access by unauthorized persons. Not only reading protected data, but above all manipulating it, can put you in very unpleasant situations. This guide is intended to help you create secure passwords.

Guidelines for passwords for the kiz account

The identity management system, in which you change the kiz account password for a single subscribed service or for all of them, enforces a minimum standard for passwords:

  • The password must have between 8 and 16 characters.
  • The password must not contain spaces.
  • The password must not contain the user name, your real name or your date of birth.
  • The password must contain characters from at least three of the following four classes:
    • Capital letters (a capital first character does not count)
    • Lower case letters
    • Numbers
    • Special characters
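The rules above as a checker, added here as an illustration and not code from the kiz identity management system; the user name, real name and date-of-birth rules are implemented as case-insensitive substring checks, which is an assumption about how the real system behaves:

```python
def kiz_password_violations(password, username="", real_name="", birth_date=""):
    """Return the kiz rules that `password` violates; an empty list means accepted.

    Comparison with user name, real name and date of birth is a case-insensitive
    substring check (an assumption; the real system may be stricter).
    """
    violations = []
    if not 8 <= len(password) <= 16:
        violations.append("must have between 8 and 16 characters")
    if " " in password:
        violations.append("must not contain spaces")

    lowered = password.lower()
    personal = [("user name", username)]
    # Each part of the real name (first name, last name) is checked on its own.
    personal += [("real name", part) for part in real_name.split()]
    # The date of birth is checked as written and as bare digits (14.03.1998 -> 14031998).
    digits = "".join(ch for ch in birth_date if ch.isdigit())
    personal += [("date of birth", birth_date), ("date of birth", digits)]
    hits = []
    for label, value in personal:
        if len(value) >= 2 and value.lower() in lowered and label not in hits:
            hits.append(label)
    violations += [f"must not contain the {label}" for label in hits]

    # Three of the four classes are required; a capital first letter does not count.
    classes = {
        "capital letters": any(ch.isupper() for ch in password[1:]),
        "lower case letters": any(ch.islower() for ch in password),
        "numbers": any(ch.isdigit() for ch in password),
        "special characters": any(not ch.isalnum() and not ch.isspace() for ch in password),
    }
    if sum(classes.values()) < 3:
        missing = ", ".join(name for name, ok in classes.items() if not ok)
        violations.append(f"needs three of four character classes, missing: {missing}")
    return violations


if __name__ == "__main__":
    for candidate in ("nmEnL7m-d:[a", "Password1", "correcthorsebatterystaple"):
        print(candidate, "->", kiz_password_violations(candidate) or "accepted")
```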

Tips for good passwords

A password should be easy for humans to remember and difficult for computers to guess. What a good password should look like is a matter of debate and has no single answer; two prevailing opinions and recommendations on secure passwords exist. According to these, a secure password fulfils at least one of the following two criteria:

  • preferably complex: it consists of characters drawn from a very large character set (for example "nmEnL7m-d:[a")
  • preferably long: the character set hardly matters here, the main thing is that the password is very long (for example "correcthorsebatterystaple")

More important than the actual composition of the password, however, is that it is really chosen at random and, above all, is used only once. Computers are very good at recognizing patterns. A password that follows simple patterns or that reflects personal characteristics or preferences (e.g. "I ride a bicycle") can be guessed very easily by a computer. If the same password is also used for several services at once, a leak at one service quickly exposes the others, and the resulting damage is huge.

When handling passwords, the following points are therefore the most important:

  • Passwords must be chosen at random.
  • Passwords should be changed if you suspect that a third party has learned them.
  • Passwords must not be reused. A unique password must be chosen for each service.
  • Passwords are private and secret. They must never be shared with others.

Below you will find further information on the design and handling of passwords.

Secure password: BSI recommendations

BSI tips for passwords:

  • A sufficient number of characters: at least 8, but 12 are recommended.
  • Sufficient use of the character set: upper and lower case letters, numbers and special characters.
  • Numbers at the end of the password should be avoided.
  • Do not use words from dictionaries, names of friends, family members or celebrities, or dates of birth.
    Simple character substitutions in words (e.g. "1" for "i", "3" for "e", etc.) are not sufficient.
  • Do not use keyboard patterns ("qwertz", "asdf", "yaqxsw", etc.).

Examples of good passwords:

  •  <Uxe;1m64{;k
  •  r-i5o?-+>Y~-
  •  0Add*E%>'bcG

Examples of bad passwords:

  •  Pa$$w0rt:01/18: word from the dictionary with simple substitutions, numbering and year.
  •  Hund3hü77e#1: word from the dictionary with simple substitutions and numbering.

Secure password: NIST recommendations

The American National Institute of Standards and Technology (NIST) puts the focus on usability. NIST therefore recommends long passphrases instead of short, complex passwords:

  •  several words strung together
  •  no well-known or easily guessed phrases

Examples of good passphrases:

  •  thistle is landing chamber use
  •  intact resin glue ointment horse

Examples of bad passphrases:

  •  my car is grey
  •  I have a dog named Bello

Generate and check passwords

It is difficult for many people to create a good and, above all, random password themselves. A computer usually creates better passwords, so password generators are a useful aid. They can also produce pseudo-random passwords automatically in large quantities in a short time.

If generators are used, it is important to ensure that the generator itself is trustworthy. Especially when using online generators, make sure that the page does not contain any advertising, does not load any content from third parties (Google APIs, Google Analytics), does not contain any social media buttons (Facebook Like, etc.), and is delivered over TLS encryption (look for the lock next to the address).

For smartphone apps, pay attention to the permissions they request. A password app that displays advertising and requires Internet access is not trustworthy under any circumstances.

Many password managers also bring generators with them. So passwords can be generated and managed easily (see Remembering and managing passwords).

BSI compliant passwords

Local applications:

Online generators:

NIST passphrases

NIST-compliant passphrases can be created simply by rolling dice against a word list. This procedure is called Diceware.

There are online generators for this as well:

Check password quality

How good a password is is in fact difficult to check. The key concept here is the entropy of a password, in this context a measure of how many attempts it takes to guess it. Entropy is based solely on mathematical properties and usually ignores patterns in passwords and knowledge about the user; professional attackers, however, exploit exactly such things. Unfortunately, we cannot recommend any online password meter/checker. All of them have privacy flaws and should not be used.
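The Diceware procedure described above, together with the entropy measure, as an added Python illustration; this is not code from the page or from any Diceware tool, and the 36-word list is constructed for the demo (a real Diceware list has 7776 words addressed by five dice):

```python
import math
import secrets

# Constructed stand-in for a Diceware word list: 36 words addressed by two dice.
# A real list has 6**5 = 7776 words addressed by five dice ("11111" to "66666").
SAMPLE_WORDS = [
    "thistle", "landing", "chamber", "intact", "resin", "glue",
    "ointment", "horse", "anchor", "basket", "candle", "dune",
    "ember", "falcon", "garden", "harbor", "island", "jungle",
    "kettle", "lantern", "meadow", "needle", "orchard", "pebble",
    "quilt", "river", "saddle", "timber", "umbrella", "valley",
    "walnut", "yarn", "zephyr", "acorn", "bridge", "cobalt",
]

def dice_per_word(word_list):
    """Number of dice per word; a Diceware list must have exactly 6**n entries."""
    n = round(math.log(len(word_list), 6))
    if 6 ** n != len(word_list):
        raise ValueError("a Diceware word list needs exactly 6**n entries")
    return n

def roll_dice(n):
    """Roll n six-sided dice using the OS CSPRNG; returns a key such as '14263'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))

def key_to_index(key):
    """Map a Diceware key (faces 1-6, most significant die first) to a 0-based index."""
    index = 0
    for face in key:
        if face not in "123456":
            raise ValueError(f"invalid die face {face!r}")
        index = index * 6 + int(face) - 1
    return index

def diceware_passphrase(word_list, n_words):
    """Pick n_words uniformly at random from word_list by rolling dice for each word."""
    n = dice_per_word(word_list)
    return " ".join(word_list[key_to_index(roll_dice(n))] for _ in range(n_words))

def entropy_bits(alphabet_size, length):
    """Guessing entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print(diceware_passphrase(SAMPLE_WORDS, 5))
    # 12 random printable ASCII characters vs. 5 words from a 7776-word list
    print(round(entropy_bits(94, 12), 1), round(entropy_bits(7776, 5), 1))
```

The two entropy figures only hold for passwords chosen uniformly at random; a passphrase made of a well-known sentence has far fewer effective bits than the formula suggests.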

You should definitely check your password against a list of the most common passwords. If you find your password on such a list, it will be cracked faster than you can type it in (The 10,000 most common passwords).

Remember and manage passwords

For the normal user it is difficult to remember all passwords, and the strict requirements placed on each of many passwords add to the burden. Passwords should therefore be stored or managed somewhere.

Saving in plain text on the computer or writing on notepads is of course not a suitable solution. Passwords must always be encrypted and stored securely from access by third parties.

The use of so-called password safes/managers, in which the access data is stored in encrypted form, can be a considerable relief if chosen appropriately and handled properly.

Password managers are available in many different versions and often differ significantly in their functional scope. Operating systems often come with a password manager (Mac keychain, Ubuntu Seahorse) and even the most common browsers have an integrated password manager ("Do you want to remember this password?").

Depending on the product, password managers can

  • fill passwords directly into form fields of the browser,
  • synchronize passwords between devices,
  • generate passwords according to definable quality criteria,
  • set an expiry date so that a due change is indicated visually.

If a tool is to be used to store passwords, the requirements described below must be observed:

  • It must not be possible to log in without entering a master password, i.e. the master password must not be "remembered".
  • After a specified period of inactivity, the logged-in user should be automatically logged out.
  • For encryption, a suitable encryption method with sufficient key length must be used.
  • Since access to the password safe itself must be very well secured, access with two-factor authentication should be possible.
  • The product should be trustworthy. Ideally, the source code should be freely available so that it can be examined by independent experts. Security relevant certifications are recommended. In particular, web-based password management services should only be used if the reliability of the service provider is in reasonable proportion to the protection requirements of the passwords managed with it.
  • Password managers may only be used on trustworthy IT systems.
  • The autofill function must be disabled, because scripts on websites can easily extract the stored access data from the password manager via hidden form fields and send them to remote servers, cf. [1].

[1] heise article "Tracking scripts steal e-mail addresses from web browsers" (01/2018), available online at
https://www.heise.de/security/meldung/Tracking-Skripte-klauen-E-Mail-Adressen-aus-Web-Browsern-3931772.html

Correct Authentication

How to log in correctly

Do not let anyone look over your shoulder when entering passwords. Pay attention to your surroundings.

Check your computer regularly for malware. If you suspect that your computer may have been tampered with, check whether so-called keyloggers have been installed. These are small devices that are usually placed between the keyboard and the computer or in a USB port and record keystrokes.

Where to log in

You should only enter your access data on trustworthy devices, never on public, uncontrollable systems such as Internet cafés or hotel lobbies.

To ensure that authentication information cannot be eavesdropped during entry or transmission to the target system, care must be taken to ensure secure transmission.

Public WLAN networks in particular carry the risk that attackers will eavesdrop on network traffic. Attackers could also use WLAN networks they have created themselves to misdirect users and record and manipulate their data ("man-in-the-middle attack"). Therefore, only enter your user data in trusted network environments.

For web services the login must always be encrypted. This is indicated by a closed lock and the prefix "https://" in the address line of the browser. When entering the address, also pay attention to spelling mistakes. Attackers often use addresses with typical spelling mistakes to spy on users (e.g. yuotube.com).

Ending a session

Even the best passwords are useless if computers are left unattended and running sessions are left open and unprotected.

End your session (logout) after you have finished your work. If you leave your computer / workstation, lock it, even if it is only a short absence. The lock should be set so that unlocking requires the entry of the password.

Some websites work with session cookies that have a certain runtime in which you remain logged in. If you are unable to log out on a website, you must close the browser completely to end the session and effectively log out.

Help, I was hacked

If you feel that you have been "hacked", for example because unknown mails have been written from your account, or if someone has learned your password, you should change your password in any case.

Online services are under constant attack, and it happens again and again that sensitive information such as user names and passwords of user accounts is stolen. Such lists are then offered for sale on the darknet. You can check whether your accounts appear on such a list:

https://haveibeenpwned.com/

If you are really on one of the lists, you should immediately change your passwords at the listed services. You should never use this password again with any service.

If you have any questions or problems, do not hesitate to contact the helpdesk of the kiz.

Communication and Information Centre (kiz)