IT Security Newsletter
IT security up to date
With this newsletter, we would like to regularly keep you up to date on current IT security topics and sensitise you to them. The aim is to help you identify digital risks at an early stage and deal with them confidently.
Look forward to practical tips, concise background information and helpful recommendations to make your day-to-day work in the digital world even more secure.
Why IT security?
Digital services and processes are part of everyone's daily routine, whether in the office, working from home or on a smartphone while travelling. In an increasingly digitalised and networked world, working without them has become unthinkable for most people. Although this development makes processes easier, it also brings with it new risks that are all too often underestimated. Even seemingly harmless actions such as opening emails, clicking on links or using weak passwords can give attackers access to digital information and systems. These information assets and systems form the backbone of almost all business processes, from administration and communication to research and teaching. Even minor negligence can significantly impair or even completely halt the operation of the university, which makes effective IT security essential.
Goals of IT security
IT security has the task of permanently ensuring the confidentiality, integrity and availability of information and IT systems. It encompasses all technical, organisational and personnel measures with the aim of protecting information and IT systems from unauthorised access, manipulation and failure. This is necessary to ensure that digital services and business processes function reliably and trustworthily.
What threats are lurking?
Cyber criminals usually pursue clear objectives: financial gain, espionage or sabotage. They steal or modify sensitive information such as research data, personal information or access data in order to use it for their own purposes, sell it or make ransom demands. Others simply want to damage the reputation of an institution or obstruct work processes, whether for political, economic or ideological reasons. What all attacks have in common is the search for weak points, usually favoured by carelessness in everyday life.
What can I do to protect myself and the University of Würzburg?
IT security is no longer an issue that exclusively concerns IT departments and experts, but rather a personal responsibility that each individual shares through prudent behaviour in everyday life.
Use strong passwords that are different for different services, check emails and links critically and carefully before opening them and always keep software and operating systems up to date. These and other measures can be found in the 11 golden rules for increasing IT security on the JMU website.
Probably the most important and most effective measure is awareness and conscious action. Many attacks do not succeed due to technical weaknesses, but through careless and uninformed use.
Published: 28.07.2025
Why (secure) passwords?
Despite the increasing use of additional security procedures such as multi-factor authentication (MFA) or FIDO standards, passwords are still often the first and, unfortunately, all too often the only security measure against unauthorized access to systems and data. In the same way that a physical key secures access to a room or safe, a password protects access to digital resources. Only those who have the corresponding key or know the password can access the protected content. As with keys, it is therefore extremely important that passwords do not fall into the wrong hands.
For that reason, it is essential to keep passwords secret and to choose them so that they cannot easily be guessed. Weak passwords are particularly vulnerable to brute-force and dictionary attacks, in which large numbers of candidate passwords, starting with common words, previously leaked passwords and simple patterns, are tried automatically within a short period of time. Once compromised, a password often serves as the gateway for further attacks and therefore poses a serious security threat.
What makes a password secure?
To prevent passwords from being easily cracked, they should always be chosen to be as complex as possible. For high complexity, passwords should contain a combination of different types of characters: numbers [0-9], upper- and lower-case letters [A-Z; a-z], as well as special characters [e.g., !, +, =, $, &, etc.]. Simple patterns such as names, common words, or dates should be avoided.
The length of the password is also crucial. Each additional character multiplies the number of combinations an attacker has to try by the size of the character set, so longer passwords provide significantly greater protection. We recommend a minimum length of 12 characters; passwords of 16 or more characters are even more secure.
Only the combination of complexity and length provides a high level of security. A short password can be found by exhaustive brute force no matter how complex it is, and a long password made up of predictable components (names, dictionary words, dates, keyboard sequences) falls to dictionary and pattern-based attacks long before its length would matter.
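The following password check, added here as an illustration and not code from the JMU newsletter, turns the rules above into something you can run: it enforces the minimum length and the four character classes, estimates the pure brute-force keyspace (which grows by the charset size for every added character), and rejects long-but-predictable passwords that a dictionary or pattern attack would find first. The word list is a constructed, deliberately tiny stand-in for the multi-million-entry leaked-password lists a real check would use; the specific regexes and the 12/16-character thresholds are assumptions taken from the text.

```python
import math
import re
from typing import Optional

# Constructed stand-in for a real blocklist of common words and leaked passwords
# (a production check would consult a list with millions of entries).
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "summer", "wuerzburg"}

# The four character classes named on the page: digits, lower, upper, special.
CLASSES = {
    "digit": re.compile(r"[0-9]"),
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "special": re.compile(r"[^0-9A-Za-z]"),
}
# Sizes used for the keyspace estimate; 33 is the number of printable ASCII specials.
CLASS_SIZES = {"digit": 10, "lower": 26, "upper": 26, "special": 33}

MIN_LENGTH = 12          # minimum from the text
RECOMMENDED_LENGTH = 16  # "even more secure" from the text


def keyspace_bits(password: str) -> float:
    """Upper bound on the work a pure brute-force attack faces: log2(charset ** length).

    Every additional character multiplies the search space by the charset size, which is
    why length matters so much. This bound says nothing about predictability, see below.
    """
    charset = sum(size for name, size in CLASS_SIZES.items() if CLASSES[name].search(password))
    return len(password) * math.log2(charset) if charset else 0.0


def looks_predictable(password: str) -> Optional[str]:
    """Cheap pattern checks: dictionary words, dates/years, repeats, keyboard sequences.

    A long password that fails here is weak even if keyspace_bits() looks large, because
    attackers try exactly these candidates first instead of brute-forcing.
    """
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            return f"contains common word '{word}'"
    if re.search(r"(19|20)\d{2}", password) or re.search(r"\b\d{2}[./-]\d{2}[./-]\d{2,4}\b", password):
        return "contains a date or year"
    if re.search(r"(.)\1{2,}", password):
        return "repeats the same character three or more times"
    if re.search(r"(0123|1234|2345|3456|4567|5678|6789|abcd|bcde|cdef|qwer|asdf)", lowered):
        return "contains a keyboard or numeric sequence"
    return None


def check_password(password: str) -> dict:
    """Apply the page's rules: length, all four classes, no predictable patterns."""
    present = {name: bool(rx.search(password)) for name, rx in CLASSES.items()}
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    pattern = looks_predictable(password)
    if pattern:
        problems.append(pattern)
    return {
        "ok": not problems,
        "problems": problems,
        "length": len(password),
        "recommended_length_met": len(password) >= RECOMMENDED_LENGTH,
        "bits": round(keyspace_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed samples: short-but-complex, long-but-simple, and one that passes.
    for sample in ("Tr0ub4dor&3", "summersummersummer", "k7#Vq!m2Lp$9zR4w"):
        print(sample, check_password(sample))
```

Note that "summersummersummer" (18 characters) has a larger brute-force keyspace than a short mixed-class password, yet is rejected for the pattern reasons the text describes; the keyspace figure alone would have misled you.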
Furthermore, every password should be unique. Using different passwords for different services or accounts significantly reduces the potential damage if one of them were to be compromised. After all, you wouldn't use the same key for all your doors and safes. Losing that key would also have serious consequences.
Storing credentials
Remembering a secure password for each of your accounts can be challenging for most people. To still meet the requirements for secure passwords, you should therefore store your passwords in a secure place. For this purpose, we recommend using a password manager (also known as 'password safe').
A password manager is a tool that enables you to manage your credentials securely and efficiently. The stored credentials are protected by strong encryption whose key is derived from the master password, so only those who know the master password can access them. This means you can use a unique, secure password for each service without having to remember them all; you only need to remember the master password for the password manager itself. Of course, the master password must meet at least the same security requirements as all your other passwords. Please note that, although some browsers offer similar features, they do not meet the security standards of a dedicated password manager.
Find out which password manager best suits your needs here.
Published: 04.11.2025
What is multi-factor authentication?
Passwords have long been the standard for securing access, but in the face of increasing computing capacity and modern attack methods, such as phishing, they are proving increasingly inadequate as the sole means of protection against today’s security threats.
To prevent a compromised password from granting unauthorized users immediate access to systems and data, more and more services require at least one additional, independent layer of authentication alongside the password, such as authorization via an authenticator app. This is referred to as two-factor authentication (2FA), with the password forming the first factor and the authenticator app the second factor. If two or more factors are required, this is generally referred to as multi-factor authentication (MFA). It is, however, essential that the factors used are independent of one another and belong to different categories.
Categories of authentication factors
The factors used in multi-factor authentication can generally be divided into three categories: knowledge, possession and inherence.
A knowledge factor (‘Something you know’) is based on information that is not publicly known and, ideally, is known only to the user, such as a password, a pattern or a PIN. The level of security provided depends largely on the secrecy and complexity of the information used (see newsletter: Secure passwords and password managers). In practice, however, these factors are particularly vulnerable to attacks such as social engineering or brute-force attacks.
A possession factor (“Something you have”) requires the possession of, or access to, a physical or digital authentication method, such as a smartphone or a hardware token. So-called one-time passwords (OTP) are frequently used here. These are randomly generated numerical codes or alphanumeric keys that are valid for a single login or transaction only and are usually sent to the user unencrypted via text message or email. A more secure variant is the time-based one-time password (TOTP), where the code is generated locally on the user’s device (using an authenticator app or hardware token) from a shared secret and the current time, thereby eliminating the need for transmission. Note that a TOTP code is still typed into a login page, so a fraudulent page can capture it and forward it to the real service within its validity period. Similarly, an authenticator app can be used to authorize a login or transaction directly via a push notification, either through confirmation or a numerical match (“Number Matching”). The highest level of security is provided by hardware tokens; modern models (e.g., YubiKey) support current standards such as FIDO2, in which the token signs a challenge with a private key that never leaves the device and the signature is bound to the website’s origin, so a phishing site cannot obtain a usable response. This enables secure, and in some cases password-less, authentication through cryptographic methods. To enhance security, hardware tokens and authenticator apps are often secured with an additional factor, such as a PIN, password or fingerprint scan.
The inherence factor (“Something you are”) is based on unique personal characteristics of a user, which are verified, for example, through fingerprint scans, facial recognition or the comparison of other biometric features. These characteristics are, by their very nature, non-transferable and particularly difficult to forge, and therefore combine a high level of security with good usability. Unlike a password, however, a biometric characteristic cannot be changed once it has been compromised, which is why biometrics are normally used to unlock a key stored on the user’s own device rather than being sent to the service itself.
Use and application of multi-factor authentication
The use of MFA creates additional barriers for attackers, as a successful attack requires overcoming two or more different factors simultaneously. This provides significantly enhanced protection against attackers, as a compromised factor, such as a leaked password, does not immediately lead to unauthorized access.
It should also be noted that not all authentication factors offer the same level of security. You should therefore choose your factors so that each factor on its own already provides an adequate level of protection. Avoid weak factors such as insecure passwords and OTPs sent via SMS or email, and instead rely (in addition to a secure password) on more secure methods such as authenticator apps and hardware tokens.
Depending on the factors chosen, the use of MFA requires specific hardware (a smartphone or hardware token) or software (an authenticator app). Losing this hardware, and with it the factor, can in the worst case lock you out of services or accounts. A secure process for restoring or resetting the factor should therefore be established in advance. This could involve backing up the factor or the underlying factor secret, or setting up an additional (alternative) factor that can be used in place of the lost one. Alternatively, when setting up MFA, some services offer the option to generate backup or recovery codes, each of which can be used once for recovery in the event of factor loss. It is important that factor backups and recovery codes are stored reliably and securely, ideally in a password manager.
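The recovery codes just mentioned are worth seeing from the service's side, because they are effectively extra passwords: the added example below (illustration only, not code from the newsletter or any JMU system) generates cryptographically random single-use codes, stores only a salted slow hash of each so that a database leak does not yield usable codes, and removes a code the moment it is redeemed. The alphabet, code length, count of ten and the scrypt parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List

# Alphabet without 0/o, 1/l/i to avoid transcription mistakes when codes are typed by hand.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 10, length: int = 10) -> List[str]:
    """Cryptographically random one-time codes, shown to the user exactly once at setup."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[:5] + "-" + raw[5:])  # grouped for readability only
    return codes


def normalize(code: str) -> str:
    """Accept the code however the user typed it: spaces, hyphens and case do not matter."""
    return code.replace("-", "").replace(" ", "").lower()


def code_hash(code: str, salt: bytes) -> bytes:
    """Slow, salted hash, exactly as for a password: the plaintext is never stored."""
    return hashlib.scrypt(normalize(code).encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class RecoveryCodeStore:
    """Server side for one account: hashed, single-use codes."""

    def __init__(self, codes: Iterable[str]):
        self.salt = secrets.token_bytes(16)
        self.unused = {code_hash(c, self.salt) for c in codes}

    def redeem(self, code: str) -> bool:
        """Return True and consume the code on the first valid use; False afterwards."""
        candidate = code_hash(code, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                self.unused.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    # Constructed walk-through: setup, one successful use, one replay attempt.
    codes = generate_recovery_codes()
    print("show these once and tell the user to store them in a password manager:")
    print("\n".join(codes))
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0]))
    print("replay:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

A user who keeps these codes in the password manager, as the text recommends, retains access after losing a phone or token; a service that stored them in plaintext would have turned its recovery feature into a second, weaker password list.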
MFA in the context of a comprehensive security strategy
Although the use of MFA significantly enhances security, even MFA does not offer absolute protection against all attack vectors. Considered individually, the authentication factors are not infallible and, depending on their nature, may be lost, stolen, intercepted, forged or otherwise bypassed; a one-time code or push approval, for example, can be captured by a fraudulent login page and relayed to the real service in real time, and a push notification can be approved by mistake. The combination of several independent factors creates additional and significantly higher barriers for attackers, thereby considerably reducing the risk of successful attacks. However, MFA alone cannot guarantee complete protection, which is why it should always be viewed as part of a multi-layered and comprehensive security strategy. The use of MFA therefore does not replace the need for responsible and security-conscious use of digital systems.
The IT security landscape is constantly evolving, giving rise to new methods and opportunities for attacks, which in turn require continuously adapted and refined protective measures. With the introduction of multi-factor authentication, the JMU is taking an important step, together with its users, towards further strengthening information security.
Published: 19.03.2026