Password management

Aims and objectives

This module will:

  • provide information and guidance on account security
  • explore the use and benefits of password managers
  • outline common security issues

After completing this module, you will be able to:

  • create passwords that are harder to guess and crack
  • understand how accounts are hacked and ways to reduce your risk
  • practice proper account and password management

3. How hacking happens

Data Breach

A data breach happens when personal information is accessed, disclosed without authorisation or is lost.
Data breaches by Office of the Australian Information Commissioner.

Data breaches can occur in a variety of ways, but the common element is someone gains access to a database of user information and either steals or copies and then sells/releases the data. A recent breach occured with the PageUp system used by many organisations in Australia to handle job applications. The types of information that were accessed included contact (name, email, address & phone), biographical (gender, date of birth, middle name & nationality) and employment details.

Stopping data breaches

An individual cannot stop a data breach, it is up to an organisation to reduce the risk of data breaches occuring. For some information and tips on reducing the chance of your data being breached, see Data breaches: How they occur and how to prevent them.

As an individual, you can reduce the impact a data breach will have by practising sound password and account management such as using secure passwords and two-factor authentication (this is covered later in the module).

Brute force

Brute forcing in its simplest form is someone typing in a password of aaaa, aaab, aaac etc until they find the right combination. With today’s technology, a computer can check over 1 million password combinations a second. A lot of websites restrict how many passwords can be tried in a certain time frame before the account is locked or temporarily suspended until you can try more passwords.

When hackers breach a collection of users’ information, what they find and steal usually isn't stored in plain text on the system. Instead, the cache of passwords is often converted into cryptographic hashes, random strings of characters into which the passwords have been transformed to prevent them from being misused. It is these hashes that are bering brute forced to reveal your username and password.

Stopping brute force attacks

You can make it take longer to brute force your password by increasing the length and complexity of your password. ‘Abcdefghijklmnopqrstuvwxyz’ may be long, but it is not complex. Most password cracking software uses what's known as a dictionary attack to check popular words or phrases first, such as abc123, trustno1, drowssap, password123 etc

Social engineering

Social engineering can be an effective method for determined individuals to access a variety of accounts. Social engineering is the manipulation of people so they give up personal information about themselves or others. This personal information is then used to access systems the person uses.

What is Social Engineering? (YouTube, 2m4s)

How to avoid social engineering

Avoid having all your eggs in one basket (or the dreaded "single point of failure"):
Do not use the same email address for every site or service you use online. The more intertwined and dependent your accounts are the more widespread the damage a security breach can cause you. For example, don't use your Gmail address for every service's password recovery option.

Use different logins for each service: 
Never use the same password more than once. And make sure your passwords are strong.

Use two-factor authentication: 
After you have entered in a correct username and password you are prompted to confirm your identity in another way

Get creative with security questions: 
The additional security questions websites ask you to fill in are supposed to be another line of defence, but often these questions are easily guessed or discoverable. You can shift the letters in your answer or use your own special coding system to make sure only you know those security answers, for example pordwass.

Frequently monitor your accounts and personal data: 
To be on the lookout for both identity theft and credit card fraud, check in with your account balances. You can use Google Alerts to check if your details have been posted online anywhere.

Avoid falling victim to phishing emails: 
Phishing emails are becoming harder to detect, and easier to fall victim to. See the Internet essentials module for more information about phishing emails

Duration:   Approximately 20 minutes

Graduate attributes

Knowledge and skills you can gain to contribute to your Graduate attributes:

 Critical judgement

 Ethical and social understanding

Check your knowledge

Check what you know about this topic:

Take the quiz

Support at UQ

Access UQ services to assist you with personal or study-related issues.