Sense and purpose of our password rules

Password rules usually seem complicated and elaborate. Many users therefore ask what all this is about, consider the measures sheer exaggeration and point out that they have nothing particularly worth protecting on their computer. However, password theft is not only about the particular user's own data, but also about the unauthorised use of resources in that user's name. Here we explain why our password policies are useful and necessary.

Why should sufficiently secure and long passwords be chosen?

The most commonly used method of authenticating users is the password. Its primary task is to protect against unauthorised access and misuse. For it to fulfil this task effectively, various rules must be observed; you will also find them in our password guidelines.
This is where you, as a user, are called upon. The majority of cases of misuse were and are (partly) caused by authorised users themselves, through ignorance or careless behaviour. A single compromised university account, for example, is enough to severely disrupt the e-mail traffic of the entire university. We have published the necessary instructions for action in order to help you protect yourself.


Possible consequences of successful password theft

Password theft may have the following consequences:

  • An unauthorised gain of information by reading your mails and documents,
  • Falsifying or deleting your data,
  • Changing your password, with the result that you no longer have access to the system,
  • The use of your access data by the thief to conceal their own identity in order to commit unauthorised or criminal acts, for example:
    • The publication of illegal, offensive or obscene content by e-mail in your name
    • Accessing criminal content on the internet with your login
    • Downloading or exchanging works protected by copyright (music, software, electronic publications)
    • The introduction of viruses, worms and Trojan horses and thus the impairment of other users or external bodies, with possible damage to the university's image
    • Sending spam and phishing emails
    • Fraudulent actions on trading platforms on the internet
    • Terrorist or extremist actions
    • ...
  • Deliberately placing illegal content in your directory, granting public access to it and at the same time informing the responsible authorities, in order to harm you on purpose.
    The suspicion of the law enforcement authorities would automatically fall on you, and you would have to prove that you did not commit the offences.


How can the password protection be overridden?

  1. By trial and error
    An attempt is made to gain access by entering guessed passwords. The method is not very efficient, offers a chance of success only with easy-to-guess passwords and is therefore used less frequently. It requires no technical know-how and no additional tools, and it can be sufficient against users with little imagination or little awareness of the topic, especially where no technical restrictions (such as a limit on failed login attempts) are in place.
  2. Through the use of password cracking programs
    More efficient, and therefore more likely, is the use of freely available and easy-to-use password cracking programs that use various methods to recover the password from its stored (hashed) form.
    • Dictionary attack
      Crack programs fall back on a word list in which many known words are stored and try these words one after the other. A powerful computer can work through even a very large list (a text file several MB in size) in a short time, from seconds for fast unsalted hashes to hours for deliberately slow ones, and finds every password contained in the list. It is also common to string known words together in order to find longer passwords formed that way. Effective protection is achieved by not using known words and names.
    • Brute force attack
      In this procedure, all possible combinations of characters from a certain character set are tried. The program is theoretically able to find any password. The time required depends on the length of the password and the size of the character set; it grows exponentially with the length and can therefore become extremely long. This is the reason why passwords at Bauhaus-Universität should be at least eight characters long and must contain at least one special character and one digit.
    • Combined dictionary and brute force attack
      The programs used here are called hybrid crackers. In addition to searching a word list, they prefix or append all combinations from a certain predetermined character set to each word. They can also replace certain letters with digits or special characters (for example "O" becomes "0" or "E" becomes "3"). It is therefore not sufficient to choose a known word or name as a password and append a digit and a special character.
  3. By using data from (published) data thefts
  4. As a result of the disclosure of confidential information by social engineering or phishing
  5. By spying on the password as it is entered or when it is visibly noted
  6. ...
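
The following example, added here to illustrate the dictionary, brute-force and hybrid attacks listed above, is not part of the university's guidelines or tooling. It assumes a stored verifier in the form of an unsalted SHA-256 hex digest, a small constructed word list, a small set of "leet" substitutions and an assumed guess rate; none of these values come from this page. It shows that a dictionary word with a digit and a special character appended ("Bauhaus1!") falls to a hybrid search after a few thousand guesses, whereas the brute-force keyspace for eight characters from a 95-character set is already about 6.6 × 10^15 candidates.

```python
"""Toy demonstration of dictionary, hybrid and brute-force password cracking.

Example code added to this page; not the university's own tooling. Assumed
(not from the page): unsalted SHA-256 hex digests as the stored verifier, a
five-word constructed word list, the LEET substitution table and the guess
rate used for the brute-force arithmetic.
"""
import hashlib
import itertools
import string

# Constructed word list standing in for a real multi-megabyte dictionary.
WORDLIST = ["weimar", "bauhaus", "password", "sommer", "gropius"]

# Assumed hybrid rule: letter -> digit/symbol substitutions a cracker tries.
LEET = {"o": "0", "e": "3", "a": "@", "i": "1", "s": "$"}


def sha256_hex(password: str) -> str:
    """Assumed verifier format: unsalted SHA-256. A real system should store a
    salted, deliberately slow hash (bcrypt, scrypt, Argon2) instead."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target: str, wordlist=WORDLIST):
    """Try every word as-is, capitalised and upper-cased.
    Returns the recovered password or None."""
    for word in wordlist:
        for cand in (word, word.capitalize(), word.upper()):
            if sha256_hex(cand) == target:
                return cand
    return None


def leet_variants(word: str):
    """Yield every combination of LEET substitutions applied to `word`
    (the unmodified word is yielded first)."""
    options = [(c,) if c.lower() not in LEET else (c, LEET[c.lower()])
               for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def hybrid_attack(target: str, wordlist=WORDLIST, suffix_len: int = 2,
                  suffix_chars: str = string.digits + "!?#$"):
    """Dictionary words (plain and capitalised) with LEET substitutions and
    every suffix of 0..suffix_len characters drawn from suffix_chars.
    Returns (password or None, number of guesses made)."""
    tries = 0
    for word in wordlist:
        for base in (word, word.capitalize()):
            for variant in leet_variants(base):
                for n in range(suffix_len + 1):
                    for suffix in itertools.product(suffix_chars, repeat=n):
                        cand = variant + "".join(suffix)
                        tries += 1
                        if sha256_hex(cand) == target:
                            return cand, tries
    return None, tries


def brute_force_keyspace(length: int, charset_size: int) -> int:
    """Number of candidates an exhaustive search over exactly `length`
    characters must consider; grows exponentially with the length."""
    return charset_size ** length


def brute_force_hours(length: int, charset_size: int,
                      guesses_per_second: float) -> float:
    """Worst-case hours to exhaust the keyspace at an assumed guess rate."""
    return brute_force_keyspace(length, charset_size) / guesses_per_second / 3600


if __name__ == "__main__":
    # Constructed sample passwords; their hashes stand in for stolen verifiers.
    for pw in ("gropius", "Bauhaus1!", "W31m@r#", "bauhaus-weimar-1919"):
        digest = sha256_hex(pw)
        found, tries = hybrid_attack(digest)
        print(f"{pw!r}: dictionary={dictionary_attack(digest)!r} "
              f"hybrid={found!r} after {tries} guesses")
    # 95 printable ASCII characters, assumed 1e9 guesses/s (fast unsalted hash).
    for length in (6, 8, 12):
        print(f"brute force, {length} chars: {brute_force_keyspace(length, 95):.2e} "
              f"candidates, {brute_force_hours(length, 95, 1e9):.1f} h worst case")
```

Note that "bauhaus-weimar-1919" survives both searches here only because the hybrid rule set is small; real crackers also concatenate dictionary words and apply far longer rule lists, which is why the guidelines warn against building passwords from known words at all.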

Where do our password rules originate?

The password guidelines that are binding at Bauhaus-Universität Weimar are based on the recommendations of the BSI (the German Federal Office for Information Security) and NIST (the US National Institute of Standards and Technology).