Use passwords correctly
The use of passwords is still the most efficient way to restrict access to data and systems.
Properties of passwords:
- Memorability: Passwords that are needed almost daily should be easy to remember. If they are not, passwords are often written down unencrypted on Post-Its or in cell phones. This makes disclosure to unauthorized people very likely.
- Length: Passwords should be long! At the University of Graz, 12 to 20 characters are recommended.
- Complexity: Length is the most important property of a password, but it is of course better if passwords are also complex, i.e. contain upper and lower case letters, numbers and special characters.
- Password hygiene: If you use systems where your central uniACOUNT does not work, please use a separate password for them, different from the passwords in other systems. Passwords are like paper tissues - always use a new one! A password that you use or have used for a system for a longer time should not be used anywhere else. Even similar ones should not be used.
Methods for easy to remember passwords
Imagine a picture: Imagine a picture of a stork lying on a triangle and wearing a cap. It is best if these terms have nothing to do with each other. If you line up these terms you will get: TriangleStorkCap
Memorize a sentence: Memorize a sentence that is as abstract as possible, e.g. DieSonneisstPudding (German for "the sun eats pudding").
Elitespeak/Leetspeak (LS): Leetspeak is the process of replacing letters with similar symbols or numbers. Using the above examples, the following passwords are then created:
TriangleStorchCap -> [)reie(k$torchCap
TheSunisPudding -> The$onne1sstPudd1ng
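The hygiene rule above (no reuse, not even similar passwords) combined with Leetspeak, as an added example that is not part of the original page: a Python check that undoes common Leetspeak substitutions before comparing a new password with ones used elsewhere. The substitution table, the 0.8 similarity threshold and the function names are assumptions; the 12-character minimum is the page's recommendation.

```python
import re
from difflib import SequenceMatcher

# Assumed Leetspeak substitutions, chosen to cover the page's examples.
LEET = {"[)": "d", "(": "c", "$": "s", "1": "i", "0": "o",
        "3": "e", "4": "a", "@": "a", "7": "t"}


def fold(password: str) -> str:
    """Lower-case a password and undo common Leetspeak substitutions."""
    text = password.lower()
    # Replace multi-character symbols first so "[)" is not split up.
    for symbol in sorted(LEET, key=len, reverse=True):
        text = text.replace(symbol, LEET[symbol])
    return text


def similarity(a: str, b: str) -> float:
    """Similarity ratio (0.0 to 1.0) of two passwords after folding."""
    return SequenceMatcher(None, fold(a), fold(b)).ratio()


def check(candidate, used_elsewhere, min_len=12, threshold=0.8):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if len(candidate) < min_len:
        findings.append(f"shorter than {min_len} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    unused = sum(1 for pattern in classes if not re.search(pattern, candidate))
    if unused:
        findings.append(f"{unused} character class(es) unused")
    # A Leetspeak variant of an old password still counts as reuse.
    if any(similarity(candidate, old) >= threshold for old in used_elsewhere):
        findings.append("too similar to a password used elsewhere")
    return findings


if __name__ == "__main__":
    # Constructed sample input, taken from the examples on this page.
    print(check("The$onne1sstPudd1ng", ["DieSonneisstPudding"]))
    print(check("TriangleStorkCap", []))
```

The comparison needs the other passwords in plain text, so a check like this only belongs on your own device, for example next to a password manager, never on a shared system.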
Change passwords
Older IT systems require periodic password changes. Ideally, you change your password on your own initiative:
- If you notice that you have entered your password on an insecure system.
- If you notice that you have transmitted your password on an insecure WLAN over unencrypted connections.
- If someone has looked over your shoulder while you were typing your password.
- If you have revealed your password to someone (hopefully unintentionally).
- If your password is a bit stale. Unfortunately, you can never assume that your password hasn't been spied on somewhere. Therefore, proactively changing it from time to time is recommended. Security-conscious people do this about every half year.
The uniIT is constantly working on improvements here.