In two previous posts, we discussed the necessity and some of the problems associated with passwords. As mentioned in those articles, passwords are a needed defense against those that would attempt to steal or damage our electronic information. With the increased likelihood of passwords being compromised, there is yet another approach, which I will discuss here and expand over the remainder of this academic year, that provides the best protection we have against unwanted attacks against our information systems: two-factor authentication (2FA).
Two-factor authentication adds a second method of verifying a logon. When you open an application in your web browser, you typically supply a username and password. That is referred to as single-factor authentication because it has one method for gaining access to your account, a username and password. If we add one more step in the process before allowing access to your account, that is two-factor authentication, because you had to supply two things to gain access to your account.
The implementation of 2FA involves “something you know” and “something you have” for access. When you visit an ATM, one authentication factor is the physical ATM card (“something you have”). The second factor is your PIN (“something you know”). Many of you already use modern two-factor for other websites, such as your bank. When you log into a 2FA-protected website with your username and password (“something you know”), you receive a text message or a phone call on your cellular device (“something you have”) that requires your interaction before you can successfully log into the website.
In the coming months, we will begin the process of adding 2FA to some of our institutional applications. Keep an eye on these posts for more information.
The simple truth is that passwords are a pain. It is also true that passwords are necessary to protect the digital information of Sul Ross and your own personal information.
Passwords are your first line of defense against break-ins to your online accounts, computers, smart phones and tablets. Poorly crafted passwords, those that are used on multiple accounts, and those seldom changed are more susceptible to being compromised. This situation can leave the technology resources and information on those devices, whether owned by the university or on your own personal devices, at higher risk of being stolen or damaged. The best antidote available against the cyber criminals and others that are intent on stealing or damaging your devices and information is better password management.
Poorly Crafted Passwords
One reason for poorly crafted passwords is that they fall into recognizable patterns. This usually occurs because these patterns are more easily remembered than some ambiguous string of characters. These patterns are often in the form of someone’s name, a date, a memorable place, or they follow keyboard patterns such as “123456” and “qwerty.” These kinds of patterns are highly predictable and easy to crack. Rather than an obvious pattern for a password, try a short sentence or phrase. You’ll have the upper case and lower case characters that are needed and a password that is much easier to remember. Using an abbreviation for one of the words provides an extra level of complexity that helps keep your password safe. Also, to ensure your password complies with all password requirements of SRSU, simply change one of the letters to a number and one of the letters to a special character and you’re finished. For example, take the phrase “Change is good!” Applying the rules we just covered, our phrase can be modified to Chg 1s g@@d!, which meets all our password requirements and is easier to remember than kjhdSDj34@nS.
Having your email address and password compromised because of a weak or easy-to-guess password is bad enough. While having your email account compromised isn’t ideal, if you use the same account ID to access your financial institution, social network, and other sites, the potential for impact on your wallet and your reputation can be painful. Many of our accounts today use our email address as the ID for the account. Using the same password heightens the risk for any account using the same ID/password combination. When you have to use your email address for an account ID on another system, always ensure that a different password is used to access that other system.
The longer an account password is not changed, the longer a compromised password can be used by cyber criminals. Changing an account password on a regular basis limits a hacker’s ability to gain access to your account and “listen in” without you knowing they are there.
How to Survive
With all the accounts, for all the systems, and all those passwords, how is one to survive the security requirements and not simply write all the passwords down on a sticky note and paste it to our monitor? The answer is a password manager. A password manager is a piece of software that allows you to store the plethora of passwords needed in your life (business and personal), that are all hidden behind a specific account ID and password.
These tools give you the ability to record all your passwords in a single, strongly encrypted location. Of course, you still need a password in order to gain access to the password manager, so make sure this system uses a complex password, is not used anywhere else, and is changed with some regularity.
Sul Ross OIT has been using LastPass for password management for some time now. This password management software allows us to store passwords away safely and access them when needed across all our devices. If you want to take advantage of this opportunity, reach out to LTAC and have them set up a LastPass account for you and your department.
In the end, all computer security is about mitigating the risk inherent in your devices that are connected to the world around us. There is no way for anyone to be 100% secure. All you can do is lower the risk of being hacked. Complex passwords that are used on only one system, are changed on a regular basis, and are stored in an appropriate password manager lower your risk.
It is National Cybersecurity Awareness Month so I’ll share a few cybersecurity messages with you. In this initial post, I want to make you aware of two methods hackers use to gain access to your work and personal computing systems and what you can do about it.
Some of the most common problems/vulnerabilities with the passwords we use involve password spray and password replay, two terms commonly used in the cybersecurity world.
Password spray simply means automatically testing combinations of common passwords and known usernames on a system. You know how poor the most popular passwords are these days—those are lists that attackers keep close on hand. This is a straight numbers game.
By contrast, password replay attacks exploit our fondness for reusing the same passwords on different systems. This is made much worse when people reuse passwords from their personal accounts on their work ones.
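The spray pattern described above (one source, one or two common guesses, many different usernames) is easy to spot in authentication logs once you look at distinct usernames per source rather than attempts per account. The following is an added example, not code from the original post or from Sul Ross OIT; the log format, the sample lines, the addresses and the window/threshold values are all constructed assumptions.

```python
"""Password-spray detection over auth log lines (added example).
Assumption (not from the post): a constructed log format
"<ISO timestamp> src=<ip> user=<name> result=<OK|FAIL>". Heuristic: one
source failing against many DISTINCT usernames in a short window, a few
tries each, is the spray signature (brute force is the reverse)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample: 203.0.113.5 sprays one guess across many accounts and
# gets in as erin; 198.51.100.9 is one user mistyping their own password.
SAMPLE_LOG = """\
2024-01-15T09:00:01 src=203.0.113.5 user=alice result=FAIL
2024-01-15T09:00:02 src=203.0.113.5 user=bob result=FAIL
2024-01-15T09:00:03 src=203.0.113.5 user=carol result=FAIL
2024-01-15T09:00:04 src=203.0.113.5 user=dave result=FAIL
2024-01-15T09:00:05 src=203.0.113.5 user=erin result=OK
2024-01-15T09:00:06 src=198.51.100.9 user=frank result=FAIL
2024-01-15T09:00:07 src=198.51.100.9 user=frank result=FAIL
"""

def parse(log_text):
    """Yield (timestamp, src, user, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, result = m.groups()
            yield datetime.fromisoformat(ts), src, user, result

def detect_spray(log_text, window=timedelta(minutes=10), min_users=4):
    """Return {src: sorted usernames} for sources whose failures span at
    least `min_users` distinct accounts within one sliding `window`."""
    fails = defaultdict(list)  # src -> [(timestamp, user), ...]
    for ts, src, user, result in parse(log_text):
        if result == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits

def successes_from_flagged(log_text, hits):
    """Accounts that logged in OK from a flagged source: treat as compromised."""
    return sorted({u for _, s, u, r in parse(log_text) if s in hits and r == "OK"})
```

A per-account lockout never fires on this traffic, because each account sees only one failure; the per-source view is what catches it, and any success from a flagged source is the account to reset first.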
Two solutions to prevent this from happening to you:
Don’t use common words or terms for your passwords, such as P@ssword1, MyD0ghasFle@s, etc. These are primary targets for the lists hackers keep and use constantly to gain access to systems.
Don’t use the same password for multiple services, e.g. work, school, bank, etc. Doing so allows a hacker to gain access to all your confidential and sensitive data once they determine one of your passwords.
This means we have to create and remember multiple passwords for different systems. How are you supposed to do that?
The answer is by using a password manager. Stay tuned for the next installment of this series on passwords, where I will cover one solution we already are licensed for and use at Sul Ross.