Why strong passwords are essential
Cyberattacks are now fully automated: that’s why it’s important that passwords aren’t found in a dictionary and don’t follow any recognisable pattern, such as a date of birth.
One example shows how deceptive security can appear: Summer2026! looks secure at first glance – letters, numbers, special characters. In reality, it is a classic: a common word plus the current year. Attackers have long been aware of such patterns. A password like Summer‑Soup20:Lake!Battery24 is quite different. It is long, combines several unrelated words and uses upper and lower case letters, numbers and special characters. Even more secure are purely random character strings such as QvXr2pKZ!f7m3daN.
Therefore, the rule is: a strong password is random, long and cannot be deduced from, for example, personal information.
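The contrast described above, as an added example that is not part of the original page: a check for the "common word plus year" pattern, a generator for purely random passwords, and a rough comparison of how many candidates each leaves. The word list, symbol alphabet, dictionary size and function names are assumptions constructed for illustration.

```python
import math
import re
import secrets
import string

# Constructed mini word list standing in for a real dictionary (assumption).
COMMON_WORDS = {"summer", "winter", "spring", "autumn", "password", "welcome"}
# Letters, then a 2- or 4-digit number, then optional trailing symbols.
WORD_YEAR = re.compile(r"^([A-Za-z]+)(\d{2}|\d{4})([^A-Za-z0-9]*)$")
# 52 letters + 10 digits + 10 symbols = 72 characters (constructed alphabet).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-:?"


def follows_word_year_pattern(password):
    """True if the password is 'common word + year + symbols', like Summer2026!."""
    match = WORD_YEAR.match(password)
    return bool(match) and match.group(1).lower() in COMMON_WORDS


def random_password(length=16):
    """Draw every character independently from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def pattern_search_space(word_count, years=100, symbols=33):
    """Candidates covering word (lower-case or capitalised) + year + symbol.

    symbols=33 means one of the 32 ASCII punctuation marks, or none.
    """
    return word_count * 2 * years * symbols


if __name__ == "__main__":
    for pw in ("Summer2026!", "QvXr2pKZ!f7m3daN"):
        print(pw, "-> word+year pattern:", follows_word_year_pattern(pw))
    space = pattern_search_space(10_000)  # assumed 10,000-word dictionary
    print(f"pattern space: {space:,} (~{math.log2(space):.0f} bits)")
    bits = random_entropy_bits(16, len(ALPHABET))
    print(f"16 random characters: ~{bits:.0f} bits")
    print("fresh random password:", random_password())
```

The check recognises only this one pattern, so a password that passes it is not automatically strong.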
Equally important: do not use the same password for multiple services. This is a common mistake that opens the door to attackers, as the following scenario illustrates: A user registers on a fitness forum – conveniently using the same password as for their u:account. Months later, the forum is hacked and all login details end up in a publicly accessible list. Cybercriminals automatically test this data against major services or institutions such as the University of Vienna – an attack known as credential stuffing. And indeed: they gain access to the university e-mail account, read internal messages, download documents and may even gain access to other systems. An unintended but seemingly harmless disclosure triggers a dangerous chain reaction.
The interception of personal login details via e-mail also poses a significant risk: phishing. In phishing e-mails, users are asked to log in to linked web pages and online forms. These pretend to be legitimate web pages or forms. On the ZID web pages, you can find out how to spot phishing e-mails and deal with them correctly.
Test your knowledge of password security with our quiz.
Why password managers are helpful
Hardly anyone can remember 30 or more complex, unique passwords – and you don’t have to.
A password manager provides the solution. It performs several functions at once:
- creates strong, random passwords
- saves them securely encrypted
- fills in online forms automatically
- synchronises them across multiple devices if desired
This allows you to use a separate, complex password for every service – without the hassle of paper notes or reusing passwords. For IT, this means less support work and a significantly more robust security foundation. In short: a password manager strengthens the entire security chain – and that chain is only as strong as its weakest link.
Browsers such as Chrome, Firefox, Edge or Safari offer built-in password managers that store passwords and automatically fill them in when needed. They are convenient, free and can be used across platforms. Many browsers also generate secure passwords, check saved logins for security issues and synchronise data across devices. However, work-related passwords should not be synchronised on personal devices, especially if these are used by several people.
For university use, standalone password managers such as KeePass or KeePassXC are therefore often the better choice. They store passwords locally or on a secure network drive, offer greater control and can also be used for PINs, recovery keys or other confidential information.
How a password manager works
At its core, a password manager is an encrypted data vault. It can only be opened with a single key – the master password. This should be particularly strong, as it protects all other login details.
The process is simple:
- When the password manager is first launched, an encrypted data vault is set up.
- The master password serves as the key to open it.
- New passwords are automatically generated and saved.
- When you log in, the password manager recognises the web page or application and enters the relevant login details.
- Optionally, the data can be synchronised between devices in encrypted form.
This means: even if someone steals the password file, it remains worthless without the master password.
In the video (in German), you’ll learn how to create a secure password and protect it.