Password Security

First a reminder:

We will never email, text or otherwise contact HEP account holders asking them to type in, 'verify' or otherwise divulge their login details. (Neither will CSD or any legitimate business). If you receive such a communication ignore it. If you're unsure contact the HEP admins in person or by phone. Never click a link in an email to contact us. If there is an issue with your account we will contact you directly where possible.

Protecting yourself from Phishing Attempts

Phishing is the act of tricking someone into revealing their login or secret details by pretending to be from a legitimate source eg University or a Bank.

The most secure password in the world is of no use if you accidentally reveal it to someone.

Many phishing attempts are easy to spot:

• Obvious spelling and grammar mistakes
• Poorly formatted email layout
• Sender name doesn't match email address (eg "Halifax Bank" "someguy@unrelated-business.com")
• Web links that don't match the URL, if you hover over the link but don't click it should show you where it's actually going (eg text says "Liverpool University Servicedesk" but hover URL says "www.dodgybros.org/nogood.html")
• Does the email greet you by name "eg Dear Your Full Name" or include part of a customer number, or just "Dear 'your email address'"
• Asking for passwords, customer details, etc to 'verify' or 'unlock' your account. No legitimate business should ever do this.
• Appearing unexpectedly with vague threats about accounts being locked or hacked.

If at all unsure about an email contact the organisation directly, don't click any link or open any attachment in the email.

Creating Secure Passwords

There is plenty of guidance on the web about secure passwords but a little bit of effort and common sense will go a long way. The main things to remember are:

1. Don't reuse the same password across different sites or institutions. Particularly email accounts, University accounts and online banking.
2. Don't use words or personal information in the password, try to make it random and unique. Any fancy tricks or substitutions you can think of will have already been thought of by hackers.
3. Use a password of at least 8 characters with a mixture of letters (UPPER and lower case), numbers and symbols where possible. There are still some systems that can't handle very long passwords or symbols but most local systems are fine.
4. Store the passwords securely. Don't leave written passwords on a monitor or desk. Don't store passwords in text files in your home directory. Try not to send passwords to people via email, do it over the phone or some other physically secure channel.

This is an example of a good password: DgyPaQ9EiwZdDf

This is an example of a very good password: CN+'VxBgRXC2m\R!

The easy answer to all of the above points is to use a password safe, such as KeePassXC. A password safe makes it easy to create random, unique passwords for all your accounts and store them in a very secure way that can easily be transferred, synced, shared and backed up. All you have to do is remember one good master password to access it.

Storing Passwords

Our recommended and supported password store is Keepass. There are a number of clients available across multiple platforms. The keepass databases should be compatible across all clients. If using an unsupported client try to ensure it supports Keepass database format v2.

For desktops we recommend KeePassXC which is fully featured and has clients for all major operating systems. This is preinstalled on Centos7 desktops. Currently SL6 only supports KeePassX2, very similar but not quite as advanced.

Our recommended Android client is Keepass2Android. This can access Keepass databases directly from cloud storage such as WISP, but we're investigating the most secure options. For now you can copy the database file to your Android device for local access.

Sharing Password Databases

Personal

The Keepass database uses strong encryption and hashing technologies (currently AES and SHA-256). The key for the encryption can be a password, a key stored on an external storage device (eg USB stick), or both. If you have a strong master password it should safe from attacks that try to brute-force access. There are currently no known weaknesses in the encryption used by the database.

If properly secured with a strong master password or external key it should be safe to copy the database to multiple devices. The easiest option to do this and keep the database synced across all devices is to use a cloud storage service such as WISP or Dropbox. Some clients reload the database if it changes but we recommend not having more than one client running at a time.

Even though the database is encrypted, it's best if you don't allow other people access to the database as much as possible and when using a password safe make sure it's closed or auto-locks when you're not actively using it.

If you suspect your database has been compromised you should reset all the passwords stored in it (and keep the database secure while you're doing so). At least you have a list of the accounts that will need to be reset.

Group

Groups may wish to use a password safe for various reasons eg to allow shared access to systems managed by the group, to ensure that admin passwords are available if a member leaves or is unavailable for some reason.

The applicability and use of a password safe will depend on the circumstances and requirements. We recommend contacting the HEP admins if your group wants to explore these options.

Comments