
Use a different password for each website

Using the same password across different websites – especially non-institutional ones – puts both your personal security and the University’s digital environment at risk.

This is not a theoretical risk: this behaviour has already caused real problems for many colleagues.

Protect your digital identity

  • Never use your University password on other websites
  • Immediately change your password if you think you’ve used it elsewhere
  • Enable two-factor authentication (2FA) wherever possible
  • Check if your email has been involved in data breaches at haveibeenpwned.com 

A secure password protects you, your work, and the entire University community.

Why using the same password everywhere is risky

It is common for institutional credentials (email and @units.it password) to be used to register on external services, such as cloud platforms, social networks, or online applications (like Dropbox, LinkedIn, or even smaller websites).

This habit exposes users to a real risk: if one of these external services is breached, the stolen credentials could be reused to unlawfully access the user's institutional account.


Possible consequences

Unauthorised access to the University email account could:

  • compromise the security of personal and professional data;
  • allow the sending of fraudulent emails in the user's name;
  • trigger the temporary suspension of the mailbox or, in more serious cases, the entire University email service;
  • require urgent intervention from ICT technicians, diverting time and resources from essential services for the university community.

The damage is not just technical

The institutional account is not just any account: it is linked to official activities with legal significance, such as:

  • the recording of exam results
  • the registration of official documents
  • formal communication with colleagues, students, and external organisations

Misuse of credentials could damage one’s personal and professional reputation, as well as lead to embarrassing or harmful consequences.

For support, questions, comments, and queries

Have you experienced a cyberattack? Unsure about phishing, malware, or vulnerabilities?

Contact the Cybersecurity Team of the ICT Services Area for reports, questions, or technical support:

Remember: better one report too many than one too few!
Even a doubt or suspicious behaviour can make a difference. Your contribution helps keep the University’s digital environment safe.

FAQ

You can use dedicated software called a password manager, which acts as a secure wallet for all your passwords.

University-provided computers for technical and administrative staff come with the LastPass programme pre-installed.

For personal devices, you can contact the Cybersecurity Team for support in choosing a suitable password manager, using the contact details provided on this page.

No, the password was stolen following a breach of non-University servers, together with hundreds of thousands of passwords belonging to other users with no connection to our University.

Fraudulent access to University email accounts occurred because the legitimate account holders had used the same password on other websites as for their institutional email.

There is no evidence to suggest that passwords were stolen from University servers.

The password was stolen as a result of a breach in non-university servers, along with hundreds of thousands of other passwords.
There is no evidence to suggest that it was specifically stolen from its rightful owner or that the owner's devices are affected by malware.

A researcher maintains a specialised website as a service to the community (https://haveibeenpwned.com/). This site consists of a database containing email addresses and usernames involved in breaches that are discussed on hacker forums. The database does not contain passwords. Anyone can check, instantly and free of charge, whether an email address or username is present in the database.

Anyone can check, instantly and free of charge, whether their email address or username is present in the database and, if so, on which site the breach occurred.
To carry out the check, you must enter your email address (e.g. rossi@units.it, bianchi@amm.units.it, etc.) on the Haveibeenpwned website.
If you have multiple email addresses, make sure to check them all.
Checking using your student ID number (e.g. 1234) is of no use.
You can also ask the site to remember your email address. If, in the future, that email address appears in the database following a credentials breach, the site will automatically send you an email notification (using the 'Notify me' feature).

It is not necessary, but it is useful. The check can be carried out as described in the previous point.

If you use that same password on other websites, then it is extremely important to change it, at least on the most important sites.
It is essential not to use that same password on university websites.
If you are certain that you do not use that same password on other sites, then you do not need to do anything (apart from changing the password on the site from which it was stolen).
If you do not remember what that password was, then perhaps you do not usually reuse the same password across multiple sites.

If you use a different password for your university email, then this breach is irrelevant.
In any case, when we have evidence of fraudulent access, we immediately block the email account and notify the owner.

We have evidence of fraudulent access to some email accounts with addresses in the form @units.it that are included in the aforementioned database.
