The UU is constantly working on the security of (personal) data. On this page you will find all the information you need to work safely, and the latest developments.
A secure password...
- is long (consider using a phrase);
- isn't used anywhere else;
- is known only to you;
- can't be guessed (so it can't be a catchphrase you're known for);
- contains upper-case letters, lower-case letters and symbols.
The minimum password requirements will guide you whenever you change your password.
How do I come up with a secure password?
Coming up with a secure password can be tricky, particularly if you have to imagine one on the spot. A phrase may be easier to both think of and remember, and is often more secure as well. Click here for password tips.
How do I change my Solis password?
You can do this in the MySolisid portal. You'll be guided through the process step by step.
You use passwords everywhere you go on the internet, often different ones (because it's safest that way). This can make it a challenge to remember them all. Fortunately, help is at hand in the shape of a password manager.
What is a password manager?
A password manager is a digital vault that can be accessed through an app on your smartphone or through software on your computer. You use it to store the passwords you use for different services. To view all these passwords, you only need a single (very strong) master password.
Easy peasy: all you need to do is remember your master password!
Which one should I use?
There are many different password managers. Some of them are free, others you need to pay for. Their functionality varies per app. Simply choose the one that you prefer.
Things to remember before you start
You can't access the password manager without your master password. If you forget it, the ICT Service Desk won't be able to retrieve it for you. You should therefore learn it by heart and keep it safe (read more about choosing a secure password here). After all, this password gives access to all other passwords!
Take your pick
Here are some examples of password managers. The ICT Service Desk currently offers no password manager support.
LastPass (for Windows, Mac, Linux and smartphone)
KeePass (for Windows, Mac and Linux [can only be accessed locally, not through a browser])
Dashlane (for Windows, Mac and smartphone)
StickyPassword (for Windows, Mac and smartphone)
These apps (with the exception of KeePass) are also available for your mobile phone. Download them onto your phone from the App Store or Google Play.
With two-factor authentication (2FA), you need two 'keys' to access your information and data. This is because you log in using:
- something you know (your Solis password); and
- something you possess (e.g. your smartphone).
How does it work?
Usually, we only use a password to access our data. However, if someone cracks or guesses it, your data can be accessed by others. The 2FA system adds a security layer in addition to your password: something you possess. This could be a single-use code on your phone or a text message. You must enter this code after you've entered your password, so it's an additional security measure. Banks have been using 2FA for some time (e.g. a TAN or an identifier).
In these videos, we show you:
You only have to configure it once
Just like your password, you only need to set up two-factor authentication once. For example, if you are using an application for which you have already set up two-factor authentication, and a few months later you get another application that also requires two-factor authentication, you don't need to set it up again. You then use the same token (one-time code, SMS, etc.) as for the first application. So it works just like your Solis password for all UU services.
How do I set it up?
Visit mysolisid.uu.nl (UU's Solis ID portal). Here you'll be taken through setting up 2FA for your account step by step. The number of services compatible with 2FA is still limited at the moment, but this is growing all the time.
Frequently asked questions and help
Set an access code
Of course, nobody wants to lose their mobile phone. However, many people forget that, besides the costs and fuss involved, their information could be accessed too. Avoid this by setting an access code (consisting of six figures), a pattern or your fingerprint! This will stop anyone being able to get to your information.
You can update the security settings on your phone via the settings menu. Need help? Go along to an IT desk!
Encrypt your device
If you are unlucky enough to lose your mobile phone, anyone who gets their hands on it could access the memory card in your phone. So, it’s vital to encrypt your mobile device.
- If you have an iPhone or iPad, don’t worry: these are already encrypted as standard.
- If you have an Android device (Samsung, for example): activate encryption for your memory card manually. Look for 'Encrypt SD Card' in the settings menu.
Remote search or wipe
If you lose your phone, you will want to locate it as soon as possible – and maybe even wipe it clean (and lock it down). There’s no time to waste in situations like this. Read on for instructions on how to do all of the above, because you’ll need to change some of the settings on your phone.
Proceed as follows if you have an iPhone:
- First: activate the Find My iPhone function
- If you lose your iPhone, click here and follow the instructions provided
Proceed as follows if you have an Android phone
USB sticks and portable hard drives are usually a quick and convenient way to transport data or share files, but they also have drawbacks.
The consequences can be severe
Using USB sticks and portable hard drives is not without risk. They are:
- vulnerable to damage and/or have a short lifespan;
- easily misplaced;
- at a high risk of being stolen (as they're small and valuable);
- hampered by the lack of an automatic backup facility.
All of these may cause your data to become permanently lost. Alternatively, data may fall into the hands of a third party. Even if their intentions are honourable, this still constitutes a data breach if it involves personal data. The consequences are no laughing matter!
We recommend UU-managed storage options
If you store data at a location managed by UU, you can be certain that they are secure and will be backed up. If you believe your security demands exceed the available options or if you require advice, you can contact one of our experts with no obligation.
Need to store data somewhere else? Here's how to mitigate the risks
In addition to making regular backups (consider scheduling a recurring event in your diary), you should ensure that you encrypt your data when storing them to prevent them being accessible to others. There are two ways to do this.
Option 1: choose a ready-made solution
Use a USB stick or portable hard drive with built-in hardware encryption. All you have to do is set up a code (once only). This requires no technical expertise.
USB-stick with a code:
To use a USB stick (many different storage capacities are available), you set up a PIN code once only. You must enter this code before you can use it and then plug it into your computer to access your data. The stick works on Mac, Windows and Linux. Read the manual for the Kingston DataTraveler 2000 here.
Portable hard drive with a code:
To use a portable hard drive, you set up a PIN code once only. You must enter this code before you can use it and then plug it into your computer to access your data. The hard drive works on Mac, Windows and Linux. To order one, contact your ICT contact person. Read the manual for the Ewent EW7040 here.
Option 2: encrypt your portable drive or USB stick yourself
If you already own a USB stick or portable hard drive and a ready-made model (as described above) is not an option, you can encrypt it yourself. The ICT Service Desk offers no support for this.
If you are using Windows, you can use BitLocker to encrypt your own USB sticks and drives. Please note that a USB stick encrypted with BitLocker can't be used on a Mac (without extra software).
If you are using a Mac, you can use FileVault to encrypt your external drives and sticks.
When using the above tools for your own USB stick or hard drive, you must choose and remember a password of your own. When using a ready-made solution, you must remember your code. NB: nobody can retrieve the password/code if you forget it, so make sure you don't!
Many security measures have already been taken on a UU-PC. On your own PC, that responsibility is yours. This is very important if you are working with UU data. If your private PC gets a virus, all your own data and all your UU data may end up encrypted.
This way you minimize the risks
- All measures as for a UU managed workplace
- Install a virus scanner like McAfee or Kaspersky. They also provide protection for browsing the Internet and your email. SURFspot (log in with your Solis-id) gives you a discount as a student.
- Update your operating system (enable automatic updates)
- Put a password on your own PC and/or laptop
- Use a VPN to encrypt your data traffic when connecting to public Wi-Fi
Free Wi-Fi on the train or on holiday – how convenient! The less you use your data bundle, the better. But beware: this isn't always secure. What should you bear in mind?
Be careful with public Wi-Fi networks
Public Wi-Fi can be useful when you don't have mobile internet (3G/4G) at your disposal or when it is very expensive. Still, someone may be watching along. This allows your (login) data to be eavesdropped on and personal data to be captured.
Eduroam is always secure. Consult the map to see where Eduroam is available.
A few key points for attention
When connecting to public Wi-Fi
- Use a VPN. This sets up a 'tunnel' that encrypts all data transmitted through the Wi-Fi connection, so nobody can spy on you.
- Be aware that someone in your vicinity may set up a fake free Wi-Fi hotspot. For example, when you see 'Free airport Wi-Fi' at an airport, this may be someone with a laptop sitting next to you who is trying to entrap people. Always find out the name of the real Wi-Fi network.
- Remember that Wi-Fi networks that require you to log in with a personal user name and a password are more secure than the ones that don't ask for credentials. Criminals may set up a duplicate of an existing Wi-Fi network. This is much easier to do if you've set up your device to connect automatically.
Don't just make a copy of your passport
With a copy of your passport (or ID-certificate) someone can pretend to be you. Think of buying stuff (without paying), or taking out a subscription under your name. Almost a third of identity fraud started with having a copy made of the passport. Online you may also be asked to send a copy of your passport (e.g. when booking, registering or signing a rental contract). Never do this just like that!
Still need a copy? Use the special app of the national government to make a copy (Dutch).
Do not share your username and password
Whether it's from your email, Solis-id, or bank: never share your password with anyone. Store them securely and use two-factor authentication (2FA) where possible.
Check if a website is safe and genuine
Sometimes you have to log in to a site or enter your personal details. Think of internet banking, online shopping, etc. Always check:
- whether you have a secure connection (often recognizable by a green lock);
- whether you are on the right website (URL) (e.g. are you on www.uu.nl and not on www.uu-nl.nl?);
- at webshops: follow the checklist for safe online shopping (Dutch).
Some e-mails or phone calls try to lure you to fake websites (e.g. imitating a bank or the Solis login) so that you unsuspectingly log in there with your login name and password or enter your credit card number, with all the consequences that entails. Are you falling for it?
How do they work?
- First they send you a fake email that seems to come from your bank, energy company, IT department, etc. They often play on an urgent situation, such as: "You are going on a trip but your credit card needs to be verified. Prevent payment problems and do this immediately!"
- Clicking on the link in the email will take you to a fake website, which is an exact copy of the original.
- Here they try to obtain your personal information, such as passwords or credit card numbers, or they try to get malicious software (such as ransomware) installed on your computer.
Once they have compromised your passwords or credit card details, they will have access to your data and/or banking.
Would you fall for it?
We all regularly receive phishing emails (examples). Where they used to be recognizable by bad design and language, they are nowadays:
- Very credible in appearance, complete with logo and layout of the company;
- The language is formal and correct;
- The date on which you receive the mail is tactically chosen: just when you go on holiday there is something wrong with your credit card;
- Often there is an insistence on a quick handling to supposedly prevent something from going wrong. The tone can even appear threatening.
How do you know if an e-mail is genuine or not?
1. No honest person will ask for your password, credit card number, or PIN to do anything. If they do, it's fake.
2. Make sure that the sender of the message is who he/she claims to be. Check if the e-mail address (the From field) is correct. Always check messages coming from your bank or, for example, your IT department.
3. Click with care on links in an e-mail. Check them and copy & paste them into your browser (provided you trust the sender). Never open an attachment if you don't trust the sender. Attached files (often in a zip-file) with the extension .exe or Office files with macros are the most dangerous.
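The two link checks described on this page (being on the right URL, e.g. www.uu.nl and not www.uu-nl.nl, and checking a link from an e-mail before opening it) can also be written as a short script. This is an added example, not part of the UU page; the function name `check_link`, the verdict labels and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains you actually expect to visit; uu.nl is the example used on this page.
TRUSTED = ("uu.nl",)


def _squash(name):
    """Drop dots and hyphens so 'uu-nl.nl' and 'uu.nl' become comparable."""
    return "".join(ch for ch in name if ch.isalnum())


def check_link(url, trusted=TRUSTED):
    """Return (verdict, host) for a link copied from an e-mail (assumed helper)."""
    parts = urlsplit(url.strip())
    # .hostname is lower-cased and contains only the host, without the port.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("no-host", host)          # not a full URL, nothing to verify
    if parts.scheme != "https":
        return ("not-https", host)        # no secure connection (no lock icon)
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("punycode", host)         # encoded non-ASCII name: inspect by hand
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return ("trusted", host)      # the domain itself or a real subdomain
    for domain in trusted:
        if _squash(domain) in _squash(host):
            return ("lookalike", host)    # trusted name embedded in another domain
    return ("unknown", host)


if __name__ == "__main__":
    # Constructed sample links, not taken from real messages.
    samples = [
        "https://www.uu.nl/en/education",
        "https://www.uu-nl.nl/login",
        "http://www.uu.nl/",
        "https://www.example.org/",
    ]
    for link in samples:
        print(check_link(link), link)
```

Only the `trusted` verdict means the link points at the expected domain over a secure connection; every other verdict is a reason to type the address yourself instead of following the link.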
What to do if you are a victim
- Is it your Solis-id and password that have been compromised somewhere? Contact CERT. They will help you immediately.
- Does it concern banking matters, such as your PIN or credit card number? Inform your bank in order to block your account (or pass).
- General advice: Immediately change all your passwords on all websites where you have used the username and password in question. You can also report this to the police.
Any suspicions of phishing?
Do you suspect that you have received a phishing email? Would you like some advice? Contact the IT Service Desk.
A found USB stick or device may look innocent enough. However, it may be used by someone to hack or eavesdrop on you without you noticing. In some cases, it may even damage your computer.
A found USB stick or cable
If you find a USB stick on the street or in a building (at UU or elsewhere), you may be tempted to insert it into your computer to find out the owner or because you're curious to see what's on it.
Did you know such a USB stick could be dangerous? Once you connect such a stick, it could:
- Automatically install a virus on your computer
- Delete or encrypt all of your data (including on your hard drive, U drive, SURFdrive, OneDrive, etc.)
- Set up its own Wi-Fi network, so that someone can access your data at their leisure
- Emit high-voltage (220 V) jolts of electricity to physically blow up your computer
- Eavesdrop on you through a tiny microphone (connected to a 3G network)
You never know whether a USB stick has been left behind on purpose. Connecting a USB stick that you've found lying around should therefore be as off-limits as eating from the floor: you just don't.
Want to find out how this works?
Hacked USB sticks often pretend they're keyboards. Computers trust these peripherals automatically. Other devices, such as mice or cables, can also be hacked. A number of examples are shown below. These videos, which were not created by UU, allow you to see how these hacks work with your own eyes.
- View how your computer can be accessed and controlled remotely
- or how your computer can be blown up with a jolt of electricity
- or how someone can hack or eavesdrop on you using a USB cable
What to do if you find one?
Found USB flash drives can be dropped off at the reception. A note will be made of where and when each one was found. If the owner contacts the reception desk, he or she can pick it up.
The university takes numerous steps to guarantee safe online studying. To this end, the university has an agreement with staff and students, which is laid down in the university information security policy. Our IT regulations set out the rules that students and staff have to comply with.
ALTERNATIVES TO SITES AND APPS
On the site https://switching.software you will find a wide range of responsible, privacy supporting services, from social media to operating systems.