Password Security Requirements

Universities worldwide are being attacked via the network. This leads to data loss and interruptions in services. Entry points for attackers are user accounts and computers that are poorly secured.

If you connect private devices to the university network - even via VPN from home - it is important that these personal devices are up-to-date in terms of software and that you use good passwords, especially for users with administrator rights. For daily work, an account without administrator rights should be used.

You can be sure that our network is constantly scanned for vulnerabilities. If your computer, as part of the university network, is poorly secured, it will be found sooner or later and can serve as a gateway for attacks on the university network.

The University requires that we increase the complexity of our passwords and asks everyone who has not already done so to change their campus account password at https://ktools.unibe.ch/ to a complex password of at least 12 characters that is not used anywhere else.

After changing the campus account password, make sure that it is also changed on all devices on which this password is stored. In our experience, smartphones that repeatedly retrieved emails with outdated passwords have caused accounts to be temporarily blocked. Also remember any passwords saved in Teams, Adobe Creative Cloud and OneDrive!

The password for the SWITCH edu-ID can, but does not have to, be changed.


Translated Excerpt From the Guidelines for the Administration and Use of Campus Accounts

7. Password Information

Secure use of the campus account password protects the network, systems and data integrity. It also prevents unauthorised access to personal data. A compromised campus account password can lead to a threat to the entire IT infrastructure of the University of Bern.

If the loss of a notebook or other mobile device (smartphone, tablet) that was used to access IT resources of the University of Bern is detected, the campus account password must be changed immediately.

7.1 Criteria for a Password

A password consists of at least 12 characters and contains characters from at least three categories. Detailed information on the categories can be found at https://ktools.unibe.ch.

After 10 failed password attempts, the account will be blocked for a period of 15 minutes.

7.2 Instructions for Choosing a Secure Password

  • No trivial passwords such as user name, surname, first name, date of birth, telephone number, etc.
  • The password does not contain the whole or any part of the above. A part is defined as 3 or more consecutive alphanumeric characters.
  • Do not use names or words from a dictionary.
  • Do not replace letters with similar-looking numbers (e.g. gr34t_p4ssw0rd).
  • Do not use strings on the keyboard (e.g. QWERTY).
  • A new password is clearly different from previous passwords.
  • Numbers and special characters should be placed in the middle of the password.

A combination of letters, numbers and special characters is more secure, as the possible combinations increase many times over. The method of forming a password from a sentence has proven itself. The following password can be formed from "I finally! need a secure password, for the next 2 years": "If!n1sP,ftn2Y".
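The mechanically checkable rules from 7.1 and 7.2 (length, three categories, no 3-character part of personal data, no keyboard strings) can be tested as in the following added example, which is not the university's own code. The four categories, the keyboard rows and the run length of 4 are assumptions, since the page defers the category details to ktools.unibe.ch and only names QWERTY; the dictionary and letter-substitution rules are not covered.

```python
import re

MIN_LENGTH = 12       # section 7.1
MIN_CATEGORIES = 3    # section 7.1
PART_LENGTH = 3       # section 7.2: a "part" is 3+ consecutive alphanumeric characters
# Assumptions: the keyboard rows and the run length of 4 are choices made for this example.
KEYBOARD_ROWS = ("qwertyuiop", "qwertzuiop", "asdfghjkl", "zxcvbnm", "yxcvbnm", "1234567890")
KEYBOARD_RUN = 4


def categories(password):
    """Assumed categories: lowercase, uppercase, digit, special (anything else)."""
    return {"lower" if c.islower() else "upper" if c.isupper()
            else "digit" if c.isdigit() else "special" for c in password}


def personal_parts(personal_data):
    """Every PART_LENGTH-character alphanumeric run found in the personal data."""
    parts = set()
    for item in personal_data:
        for run in re.findall(r"[^\W_]+", item.lower()):
            parts.update(run[i:i + PART_LENGTH] for i in range(len(run) - PART_LENGTH + 1))
    return parts


def has_keyboard_run(lowered):
    """True if the password contains KEYBOARD_RUN adjacent keys, forwards or backwards."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + KEYBOARD_RUN] in lowered for i in range(len(seq) - KEYBOARD_RUN + 1)):
                return True
    return False


def check_password(password, personal_data):
    """Return the violated rules; an empty list means every check here passed."""
    problems, lowered = [], password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if len(categories(password)) < MIN_CATEGORIES:
        problems.append("fewer than three character categories")
    hits = sorted(p for p in personal_parts(personal_data) if p in lowered)
    if hits:
        problems.append("contains part of personal data: " + ", ".join(hits))
    if has_keyboard_run(lowered):
        problems.append("contains a keyboard string")
    return problems
```

Call `check_password(candidate, [user_name, surname, first_name, date_of_birth, phone])` with the account holder's own data; the comparison is case-insensitive, so `Muster` and `mUSTer` are treated alike.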

7.3 Rules of Conduct

  • Passwords are personal and must not be passed on.
  • If unauthorised persons are suspected of knowing a password, it must be changed immediately.
  • Passwords must not be written down, transmitted unencrypted or stored, neither on workstations nor on servers, notebooks, tablets or smartphones.
  • The password for the campus account must be different from any password used for services offered outside the university, such as email or social networks.
  • If other persons are in the vicinity, appropriate care must be taken when entering the password.
  • It is recommended to change the password after one year at the latest.

7.4 Passing on the Password

The campus account password is personal and non-transferable. If the IT Services discover that the password has been passed on to third parties, the password will be reset immediately without notice and sent to the owner by letter post.