Protect your password

What you need to do

• Ensure your university network password is a minimum of 12 characters, but it can be longer. A longer password is a stronger password. 
• Try combining at least 3 random words to make a strong but easy to remember password. 
• Make it complex by including upper and lower case letters, numbers and special characters in between the random words 
• Avoid words or numbers that can be easily guessed or connected to you. 
• Make it significantly different to any previous passwords. 
• Always use a different password for different accounts, including admin accounts. 
• Keep your password private, avoid sharing it with anyone. 
• Change it immediately if you suspect that your password has been compromised. 

See below for more detail on these top tips:

Password length

The minimum number of characters in a password is twelve characters. Every additional character makes a password harder to guess.  

Combine at least three random words to create a password that’s ‘long enough and strong enough’ to be secure, but also easy for you to remember. An example might be applevaderbiro (the fruit, the Star Wars character, something you can see on your desk).  

The key idea here is 'random'. Three connected words, like marioluigipeach, could be easily crackable. 

Password complexity

Make your password 'complex' by including upper and lower case, numbers and special characters symbols between the words.  

Examples of special characters are # $ % & ' ( ) * + - / : ; < = > ? @ [ \ ] ^ _ ` { | }.  

Use random letters and numbers, or even misspell words and add capitalisation in the middle of a word. So the password above could become @ppelvAderb!r0 

Choosing a password

Simple passwords with a single noun are easy to remember but also the easiest to crack. While your pet’s name might be easier to remember it would be easy to guess if people know you. Passwords such as Thomas14, LeedsBeckett123, or Fluffy999 would not last long against a hacking programme. 

Don’t use your username, actual name or business name. These can be found on your student and staff ID, social media accounts or email signatures and are easy to guess. 

Numbers should be random and have no relation to another number in your life, such as birthdays, phone numbers or home address numbers. Also don’t use sequential numbers such as 123 or 5678. 

You may love Leeds United Football Club or the Rhinos Rugby Team, but they make better sports teams than passwords. Hackers will look on social media to find out more about targets and use that information to guess passwords. So ‘Leedsunited55’ or ‘Rhinos123’ are not good choices.   

Some systems, including the university network, have protections that will help you set a good password by rejecting ones that are known to be really bad, that may have been used in an old cyber attack, or that don't meet the minimum complexity requirements. 

When you change your password, take a few minutes to commit it to memory, repeating it in your head a few times. You should never write down your password or keep it saved anywhere except in your memory, unless using a secure depository such as a password manager. 

Unique passwords

Always use a different password for different accounts. If your TikTok account password falls into the wrong hands, you don’t want them to have access to your bank or university network account as well.  

Privileged or administrator accounts must have different passwords to standard user accounts within the same service.  

Make any new password significantly different to any you have previously used. For example avoid reusing old passwords with a different number on the end. 

Password protection

Never share your password with anyone, even if they are a colleague, friend, or family member. The information that your account provides access to must be protected from accidental or deliberate misuse by others, and you need to protect yourself from the impact of that happening. 

Hackers will also try to lure people into providing passwords and other log-in details in response to emails, Teams messages, or on social media messages that appear to be from legitimate senders. A legitimate company like Microsoft will never threaten you with being locked out of an account if you don’t urgently confirm your password.  

Always be suspicious if you receive messages that ask you to visit a webpage to change or confirm your password. 

Need help with your passwords?

If you're a student contact the Library and Student IT Advice team with help with passwords. You can also unlock your account and reset your own password if you have registered for multi-factor authentication.