Protecting your account username and password is fundamental to good security practices. This is especially true of your University credentials, which provide access to an array of online services.
The theft of account information is one of the biggest threats facing the University – here is what you need to know to help protect yourself:
If your account credentials are stolen, the following could happen:
- Your personal and financial information may be used for fraud.
- Sensitive University data may be compromised, resulting in breaches and potential litigation.
- Unsolicited emails may be sent using your University account advertising dubious or illegal activities.
- Your personal and work-related communications may be read, including emails, chat and private messages.
These things really do happen, and far too often.
There are many techniques that can be used to steal someone's account username and password. Some common techniques include:
Social engineering and phishing scams
Phishing scams are a major source of compromise for University credentials. They are a form of social engineering attacks used to trick the unsuspecting user into revealing their account information. These scams can be perpetrated by phone, email, or text message.
Most commonly, a phishing scam is initiated by an email that has the appearance of official business, requesting that you perform an urgent action, such as logging into your account to confirm your password.
The email will often contain a link to a fraudulent login page, where your credentials are captured for future compromise. Or the link takes you to a web page where malicious software is silently installed on your computer to capture your credentials.
For more information about how to identify and protect yourself from phishing scams, visit the Phishing Resources section.
Dictionary or brute-force attacks
Dictionary attacks are a technique for breaking into an account by guessing the password from a dictionary or a list of commonly used passwords; the closely related brute-force attack tries candidate passwords systematically rather than from a list. Poorly chosen passwords are the most susceptible to both (e.g. passwords containing common words, a pet's name, etc.).
Using public kiosks or other untrusted devices
Your credentials are at especially high risk when you enter them on untrusted devices such as:
- Public kiosks or terminals (e.g. hotels, libraries, airports, coffee shops).
- Borrowing a friend or colleague's computer or mobile device.
These untrusted devices may have already been compromised by malware installed to capture your credentials. Further, if you forget to properly logout and close the web browser, someone can hijack your account afterwards.
Shoulder surfing
A technique whereby the attacker simply observes someone while they type their password. Shoulder surfing is especially a risk in libraries, computer labs and other public areas.
Other techniques include:
- Attackers that have successfully stolen credentials from one website will attempt to use them on other sites, exploiting the fact that many victims reuse passwords across multiple online services.
- Attackers will often install software or hardware devices known as keyloggers to capture the input from the keyboard.
- Attackers can intercept credentials by monitoring unencrypted network traffic (also known as sniffing). This happens most often on open wireless networks and when credentials are sent in cleartext through email or unsecured web connections (e.g. URL links beginning with http:// instead of https://).
Now that you know how your password can be stolen, here are some tips for good password security.
Use a long password
The University's minimum password length is eight (8) characters, containing a mix of different character types: letters (upper and lower case), numbers and special characters. However, a longer password is recommended, as it provides a significantly higher level of protection.
A good strong password can be generated from a quote, poem or lyric that is easy for you to remember but much harder to crack with common brute-force techniques or to observe by shoulder surfing.
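The following is an added example, not part of the original page or the University's own systems: a small Python checker that applies the minimum policy stated above (eight characters with upper-case, lower-case, numbers and special characters) and, to illustrate why dictionary attacks succeed against poorly chosen passwords, also rejects candidates that match a list of common passwords even after simple substitutions such as "@" for "a" or "0" for "o". The common-password list and the 16-character "recommended" length are constructed assumptions for the example; a real deployment would use a full breached-password list.

```python
import re

# Constructed sample standing in for a real list of commonly used passwords
# (a real deployment would load a large breached-password list instead).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome", "iloveyou", "admin", "football", "monkey",
}

MIN_LENGTH = 8           # the University minimum stated on the page
RECOMMENDED_LENGTH = 16  # "longer is recommended"; 16 is this example's assumption

REQUIRED_CLASSES = {"lower", "upper", "digit", "special"}

# Common letter/symbol substitutions that do not make a dictionary word stronger.
LEET_TABLE = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def character_classes(password: str) -> set:
    """Return the set of character types present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def normalise(password: str) -> str:
    """Reduce a password to the dictionary word an attacker would try first:
    lower-case it, strip trailing digits/punctuation, undo leet substitutions."""
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    return stripped.translate(LEET_TABLE)


def check_password(password: str) -> list:
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than the {MIN_LENGTH}-character minimum")
    missing = REQUIRED_CLASSES - character_classes(password)
    if missing:
        problems.append("missing character types: " + ", ".join(sorted(missing)))
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        problems.append("found in the common-password list (dictionary attack risk)")
    return problems


def meets_recommended_length(password: str) -> bool:
    """True when the password reaches the (assumed) recommended longer length."""
    return len(password) >= RECOMMENDED_LENGTH


if __name__ == "__main__":
    # Constructed sample candidates, from weakest to strongest.
    for candidate in ["abc", "Summer2024", "P@ssw0rd1", "Correct-Horse-Battery-Staple-42"]:
        problems = check_password(candidate)
        verdict = "OK" if not problems else "; ".join(problems)
        longer = "yes" if meets_recommended_length(candidate) else "no"
        print(f"{candidate!r}: {verdict} (recommended length: {longer})")
```

Note that "P@ssw0rd1" satisfies every character-type rule yet is still rejected: the substitutions are the first thing a dictionary attack tries, which is why the page recommends a long phrase over a short, decorated word.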
Do not reuse passwords
It is extremely important to not reuse passwords across multiple accounts. If one account is compromised, then all accounts sharing that set of credentials are at risk!
This is especially critical for accounts requiring the highest level of security, such as your UNI-ID account, email, and financial websites -- use a distinct password for each account.
Check that the site is secure
When logging into websites, email, or other services, check that the site is secure and your credentials are encrypted. A secure URL for a website starts with https:// and your browser will display a lock icon in the address bar.
Also be sure that the site is authentic - beware when the browser displays a red slash through the lock icon or gives certificate warnings.
If the website does not offer a secure login, be aware that the password you use could be intercepted.
Avoid phishing scams - think before you click
If you receive an email containing an attachment or link that is not expected, even if it's from a trusted source, use these tips to verify whether the email is a phishing scam. When in doubt, ask.
If you think you may have fallen for a phishing scam, change your password immediately! Then contact the IT Service Desk for instructions regarding next steps.
Password dos and don'ts
- Don't give your password to ANYONE. A University system administrator can reset your password if necessary and should NEVER request it by email or over the phone.
- Don't use a password containing information about you, such as your birthday or favourite movie, that someone who knows you could guess.
- Don't type your password while using someone else's computer. This may sound a bit paranoid, but it is relatively easy to steal someone's password by installing a keylogger on a computer and then letting someone else use it.
- Look out for shoulder surfers when typing your password as much as you would do when typing your PIN at an ATM.
- Use anti-virus software to protect your computer from software keyloggers.