Use secure passwords
Good account security practices help to keep us and our information safe.
If your UQ account or other online accounts are compromised by cyber criminals, this could have serious consequences like identity theft or breaches of UQ information and systems.
Good password management and account security practices can help to keep you and UQ secure.
UQ password guidelines
Use strong passwords or passphrases
A strong password is long, complex (difficult to guess) and unique. A password manager application can generate and store strong passwords for you.
You can visit the Have I Been Pwned website to find out if any websites or services you have used are known to have been compromised, and to check if your password has been exposed in a data breach.
Strong passwords should:
- use a passphrase
- include at least 12 characters
- include upper and lower case letters, at least one number, and at least one special character
- be unique (not used for any other account). This is important because if one of your accounts is compromised, criminals will try using the stolen credentials to access other services.
What is a passphrase?
A 'passphrase' is a password created by combining whole words. This is a simple way to create long, strong passwords that are easy to remember (e.g. 2Book#Shoes%).
To create a passphrase:
- Select 2 or 3 random words.
- Add a special character between the words.
- Capitalise some of the letters.
- Add at least one number.
- Ensure the passphrase is at least 12 characters long.
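The five steps above, carried out by a program so that the word choice is genuinely random rather than picked by habit. This is an added example, not a UQ tool; the word list, the set of special characters and the function name are assumptions made for illustration.

```python
import secrets

# Constructed sample word list. A real generator should draw from a list of
# thousands of words so the result stays hard to guess.
WORDS = ["book", "shoes", "river", "candle", "orbit", "maple", "tunnel",
         "falcon", "pepper", "harbor", "violin", "glacier", "lantern", "pocket"]
SPECIALS = "#%!@$&*?"   # assumed set of special characters
MIN_LENGTH = 12         # minimum length from the guidelines above


def make_passphrase(words=WORDS, n_words=3):
    """Build a passphrase by following the steps listed above."""
    rng = secrets.SystemRandom()  # OS-backed CSPRNG, not the `random` module
    while True:
        # Select 2 or 3 random words.
        picked = rng.sample(words, n_words)
        # Capitalise some of the letters: one random letter in each word.
        mixed = []
        for word in picked:
            i = rng.randrange(len(word))
            mixed.append(word[:i] + word[i].upper() + word[i + 1:])
        # Add a special character between the words.
        phrase = mixed[0]
        for word in mixed[1:]:
            phrase += rng.choice(SPECIALS) + word
        # Add at least one number (placed in front, as in the example above).
        phrase = str(rng.randrange(10)) + phrase
        # Ensure the passphrase is at least 12 characters long, else retry.
        if len(phrase) >= MIN_LENGTH:
            return phrase


if __name__ == "__main__":
    print(make_passphrase())
```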
When creating your password or passphrase, avoid using:
- anything too similar to your current password (e.g. don't just increase the number at the end of your current password)
- anything close to a common term or phrase
- any identifying information (e.g. your name, phone number or date of birth)
- other personal information (e.g. car registration, maiden name or address)
- a password you have used before
- duplicate characters or keyboard patterns (e.g. aaabbbccc or qwerty).
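A checker for the rules in the two lists above, written as an added example (not UQ's own validation code). The function name, its parameters and the short list of keyboard runs are assumptions; uniqueness across accounts and full password history cannot be checked without stored data, so only similarity to the current password is tested.

```python
import re

# Small constructed sample of keyboard/sequence runs; a real list would be longer.
KEYBOARD_RUNS = ["qwerty", "asdfgh", "zxcvbn", "123456", "abcdef"]


def _stem(password):
    """Lower-case the password and drop trailing digits (catches 'Pass1' -> 'Pass2')."""
    return password.lower().rstrip("0123456789")


def check_password(candidate, current="", personal=()):
    """Return a list of guideline violations; an empty list means none were found."""
    problems = []
    lower = candidate.lower()
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("needs upper and lower case letters")
    if not re.search(r"\d", candidate):
        problems.append("needs at least one number")
    if not re.search(r"[^A-Za-z0-9\s]", candidate):
        problems.append("needs at least one special character")
    # Three or more identical characters in a row, e.g. aaabbbccc.
    if re.search(r"(.)\1\1", candidate):
        problems.append("duplicate characters")
    if any(run in lower for run in KEYBOARD_RUNS):
        problems.append("keyboard pattern")
    # Identifying or personal details supplied by the caller (name, phone, ...).
    if any(len(item) >= 3 and item.lower() in lower for item in personal):
        problems.append("contains personal information")
    # Same password with only the number at the end changed.
    if current and _stem(candidate) == _stem(current):
        problems.append("too similar to current password")
    return problems


if __name__ == "__main__":
    for pw in ["2Book#Shoes%", "aaabbbccc", "Qwerty!2345678"]:
        print(pw, "->", check_password(pw) or "no problems found")
```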
Password managers
The most secure place to store your password is your memory, but this can be difficult (remember, strong passwords are unique). We recommend you use a password manager.
Getting started with password managers
There are many personal password managers available. Basic functionality is usually free; additional features are sometimes available with a subscription or payment. Research options to ensure you choose a service that is reputable and meets your needs.
Recommended password managers include:
- 1Password
- Norton Password Manager.
When setting up a password manager:
- Use a strong, unique passphrase as your master password.
- Enable multi-factor authentication (MFA) if available.
- Install the application on all your devices. Install browser plugins or extensions for any web browsers that you use.
- Begin storing passwords for your existing accounts in the password manager. You will usually be prompted to do this whenever you log in somewhere new.
- Once you have stored a password, you should delete it from any other location you have saved it (e.g. email, web browser).
Web browser password storage
Most web browsers contain built-in password managers and will offer to remember and automatically fill passwords for you. These are not recommended for the following reasons:
- Being able to access your passwords only from a specific browser is a significant limitation.
- Web browsers often permit access to stored passwords without requiring authentication or MFA. Somebody with remote or physical access to your device could gain unrestricted access to your saved passwords via the browser.
Apple 'iCloud Keychain'
Apple's 'iCloud Keychain' password manager is available on Apple devices and the Safari browser. Unfortunately, it does not support non-Apple platforms. Unless you use Apple devices exclusively, a standalone password manager that enables you to access your stored passwords on any device is recommended.
Sharing your password
Don’t share your passwords
Sharing passwords with others (even people you trust) exposes you to a range of risks and should be avoided. Never share your UQ account password.
- Once you have shared a password with others, you no longer have control of how the account may be used, or how securely the password will be stored.
- Methods used to transmit and store passwords are often insecure (e.g. email, text message and paper).
- Actions carried out using your account are linked to you (even if it was someone else). This can be problematic if unauthorised, inappropriate, or even illegal activity is associated with your account.
If you need to share information, or provide access to a particular service or resource, there are usually secure methods for doing this that don't require sharing of personal account passwords. Some password manager applications also allow you to share your account access without exposing your password.
Contact IT support if you would like assistance with sharing information securely, or providing others with access to a UQ platform.
Be careful of tactics used to gain unauthorised access to accounts
Cyber criminals use a variety of tactics to obtain information that can be exploited to gain unauthorised access to accounts. Some common tactics used include:
- Phishing attacks, which prompt you to log in to fake websites. Criminals may also browse social media accounts to collect personal information, or even communicate with us directly.
- Multi-factor authentication (MFA) prompt bombing is another form of cyber attack where the objective is to gain access to an account that is protected by MFA. The hacker attempts to trick you into allowing them access to your account by repeatedly sending MFA requests to your device. The strategy is that they will catch you off guard, or that you will become irritated by the number of MFA requests and approve the request.
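How a defender can spot MFA prompt bombing in authentication logs: a burst of unapproved prompts for one account in a short window, and in particular an approval that follows such a burst. This is an added example, not part of the original page; the log format, threshold and window are assumptions and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log (timestamp, user, method, result); hypothetical format.
SAMPLE_LOG = """\
2024-05-01T02:10:05 alice push denied
2024-05-01T02:10:40 alice push timeout
2024-05-01T02:11:15 alice push denied
2024-05-01T02:11:50 alice push timeout
2024-05-01T02:12:30 alice push approved
2024-05-01T09:00:00 bob push approved
2024-05-01T13:30:00 bob push denied
2024-05-01T17:45:00 bob push approved
"""


def find_prompt_bombing(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return {user: [(alert, time), ...]} for bursts of unapproved MFA prompts."""
    recent = defaultdict(deque)  # user -> times of unapproved prompts in the window
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, _method, result = line.split()
        when = datetime.fromisoformat(stamp)
        queue = recent[user]
        # Forget prompts that are older than the sliding window.
        while queue and when - queue[0] > window:
            queue.popleft()
        if result == "approved":
            # An approval straight after a burst is the outcome the attacker wants.
            if len(queue) >= threshold:
                alerts[user].append(("approved_after_burst", when))
            queue.clear()
        else:
            queue.append(when)
            if len(queue) == threshold:  # alert once, when the burst is reached
                alerts[user].append(("burst", when))
    return dict(alerts)


if __name__ == "__main__":
    for user, found in find_prompt_bombing(SAMPLE_LOG).items():
        for kind, when in found:
            print(user, kind, when.isoformat())
```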
Never enter your UQ password into a website or application which isn't provided by UQ.
Always consider whether requests for information are legitimate and learn more about sharing information and email scams.
Change or reset your password
Passwords should be changed regularly
There are often no signs or warnings when one of your accounts is compromised or a password has been stolen. Changing passwords regularly helps to ensure you retain control and can limit the time that an account is exposed if compromised.
You should regularly change the passwords for important accounts. Your UQ account password must be changed at least once every 12 months.
I want to change my password
Use the password change portal.
I can't remember my password
Reset your password using the password reset portal.
You will need to provide your contact details and correctly answer security questions in the my.UQ dashboard (UQ login required).
Report suspicious activity
It can be very difficult to recognise or detect when one of your accounts or devices has been compromised. Acting quickly can help to minimise the impact of security incidents. If you think you may have identified a security issue but aren't sure, it's always safest to contact IT support.
Any unusual behaviour or changes you don't recognise could indicate that there is a problem. For example:
- your password has changed
- files have appeared or disappeared
- your last login time is not what you expected
- other people have received communications from you that you did not send
- you receive an MFA authentication request for one of your accounts that you did not initiate.
If you suspect your UQ account may be compromised, immediately report the incident and change your account password to regain control of your account.
If you suspect one of your personal accounts has been compromised, change the password immediately. If you have used the same password anywhere else, change the passwords for those accounts too as they may also be vulnerable.