The use of passwords helps to control the risk of unauthorised access to personal and WSU information. They are REALLY important. However, the use of public/shared computers or internet services presents a threat as usernames and passwords could be stored or shared inappropriately, sometimes without your knowledge.
While nothing can absolutely guarantee the security of passwords, the following advice increases password security and helps minimise this risk.
- You must use passwords/PINs as a first-line security control on ALL devices (e.g. PCs, laptops, smartphones) that are used for processing your and WSU information, and these details must not be shared with anyone.
- The IT Team will never ask for your password and neither should anyone else. If someone asks you for your password, you can legitimately say no.
- You must create passwords adhering to the following minimum password standard for WSU information and systems:
  - A password unique to WSU systems (i.e. not one which you use for other personal accounts) – this will minimise the risk to you personally if WSU systems or information are compromised.
  - Easy to remember (i.e. doesn’t need to be written down) but difficult for others to guess – a ‘passphrase’ may be better than a password.
  - Longer than 8 characters – the longer the better!
  - Contains one character from the following: numbers, letters in uppercase, letters in lowercase, symbols (£$%^&*).
  - Changed every 60 days, and the new password must not be traceable back to an expired password (i.e. one you’ve already used).
  - Changed immediately if you suspect someone knows it.
For example, if you ran a marathon in 1998, you could take the phrase “I ran the London Marathon in 1998” and, taking just the first letters of each word and the numbers, turn it into: irtlmi1998
Or simply use the whole phrase, or most of it, without spaces.
Then for extra security, swap in some capital letters and special characters:
Passwords for files or devices
Where devices or files contain or can connect to personal or confidential data, these should be protected by a password or PIN as directed above.
- The password or PIN must not be sent with the file or device. You must communicate the password via another mechanism (e.g. by email, text or phone).
- Passwords for protected email attachments must never be sent in the same email as the attachment.