Safe Computing

PASSWORD SECURITY

Keeping your usernames and passwords secure is key to your privacy and your ability to access the resources you need not just at S&T, but all over the internet.

S&T Computing Resources

At S&T, your username gives you access to many resources, and it is important that S&T IT can verify that you are authorized to use a given resource. The computing resources listed below can all be accessed with your SINGLE, campus-provided username and password.

  • Email
  • Login to campus-standard installed systems on campus (Windows or Mac)
  • Remote connections to campus Unix/Linux machines
  • The campus Virtual Private Network (VPN)
  • Network file storage
  • PeopleSoft
  • Canvas
  • The UM System MIS Web tools
  • The Help Desk Ticket Request System

NOTE: Not every user will have access to all of the resources listed.

Why do passwords need to be so complicated?

It is important to use passwords that are difficult to guess for someone trying to gain unauthorized access to your account. Many malicious actors use complex techniques to access your account.

Some of the techniques used by malicious actors include:

  • Using computers to generate every possible character combination for a given password length.
  • Using dictionaries to generate lists of possible passwords.
  • Using lists of passwords that are known to be in use because they appeared in past successful break-ins.

To help combat these techniques, sites adopt guidelines on password strength. The guidelines are designed to make your password complex enough that the computer-assisted guessing techniques used by malicious actors take so much effort that the attacker may give up.

A strong password, when combined with Multi-Factor Authentication, makes traditional computer-assisted guessing techniques ineffective.

Strong Password Requirements

Here is an example of a strong password requirement; it is the one we use here at S&T.

  • 8 - 26 characters long
    • With eight characters, there are approximately 4 quadrillion possible passwords.
    • Each additional character makes the password more difficult to guess.
  • Contain characters from each of the following four groups:
    • uppercase letters (A, B, C, ...)
    • lowercase letters (a, b, c, ...)
    • numbers (0 - 9)
    • symbols (? . , _ - ~ + = $ !) -- only these symbols are allowed.
  • Be significantly different from any previous passwords (don't use sequential passwords)
    • If a previous password uncovered during a break-in was BadPassword03, it does not take an S&T student level genius to realize that your next one might be BadPassword04.
  • Not contain any part of your name or username
    • The more randomness you can put into your password, the more secure it becomes.
    • There is a tradeoff, however: a completely random string is difficult to remember.
  • Not a common word or name
    • Most password-cracking tools can quickly scan through a dictionary to try every word in the English language, or even in other languages. Avoid foreign words for the same reason.
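The requirements above can be checked mechanically. The following is an added example, not S&T's own password-change code: it encodes the rules as listed (8-26 characters, all four character classes, the symbol whitelist, no part of the user's name or username, not a common word, and not a trivial increment of the previous password). The short COMMON_WORDS list and the "sequential password" heuristic are constructed for illustration and stand in for a real dictionary and breached-password check.

```python
"""Password-policy checker modelled on the S&T requirements listed above.

Added example, not S&T's own code. COMMON_WORDS and the
too_similar_to_previous() heuristic are constructed for illustration.
"""
import re
import string
from typing import List, Optional, Set

MIN_LEN, MAX_LEN = 8, 26
# The page lists exactly these ten symbols as allowed.
ALLOWED_SYMBOLS = set("?.,_-~+=$!")
ALLOWED_CHARS = set(string.ascii_letters) | set(string.digits) | ALLOWED_SYMBOLS
# Constructed stand-in for a real wordlist or breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}


def name_fragments(full_name: str, username: str, min_len: int = 3) -> Set[str]:
    """Lower-cased name parts plus the username, e.g. 'Pat Smith'/'psmith'
    -> {'pat', 'smith', 'psmith'}. Very short fragments are ignored so a
    one-letter middle initial does not reject every password."""
    parts = full_name.lower().split() + [username.lower()]
    return {p for p in parts if len(p) >= min_len}


def too_similar_to_previous(candidate: str, previous: Optional[str]) -> bool:
    """True when the candidate equals the previous password or differs from
    it only in a trailing run of digits (BadPassword03 -> BadPassword04).
    Heuristic constructed for this example."""
    if not previous:
        return False
    if candidate.lower() == previous.lower():
        return True
    stem = lambda s: re.sub(r"\d+$", "", s).lower()
    return bool(stem(candidate)) and stem(candidate) == stem(previous)


def check_password(candidate: str, full_name: str = "", username: str = "",
                   previous: Optional[str] = None) -> List[str]:
    """Return the list of rule violations; an empty list means the
    candidate satisfies every requirement listed above."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    chars = set(candidate)
    if not chars & set(string.ascii_uppercase):
        problems.append("needs an uppercase letter")
    if not chars & set(string.ascii_lowercase):
        problems.append("needs a lowercase letter")
    if not chars & set(string.digits):
        problems.append("needs a digit")
    if not chars & ALLOWED_SYMBOLS:
        problems.append("needs one of the allowed symbols ? . , _ - ~ + = $ !")
    disallowed = chars - ALLOWED_CHARS
    if disallowed:
        problems.append("contains disallowed characters: " + "".join(sorted(disallowed)))
    lowered = candidate.lower()
    for frag in sorted(name_fragments(full_name, username)):
        if frag in lowered:
            problems.append(f"contains part of your name or username ({frag!r})")
    # "Not a common word": strip digits and symbols and see whether the
    # remaining letters are a dictionary word on their own (Password1!).
    letters = re.sub(r"[^a-z]", "", lowered)
    if letters in COMMON_WORDS:
        problems.append("is a common word")
    if too_similar_to_previous(candidate, previous):
        problems.append("is too similar to your previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, prev in [("Tr0ub4dor_xyz!", None), ("Password1!", None),
                     ("BadPassword04", "BadPassword03"), ("Smith_Rocks1!", None)]:
        result = check_password(pw, full_name="Pat Smith", username="psmith", previous=prev)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

The checker reports every violated rule at once rather than stopping at the first, which is what a user changing a password wants to see. Real deployments replace COMMON_WORDS with a proper wordlist and a breached-password lookup; the structure of the check stays the same.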

Best Practices

DO NOT REUSE PASSWORDS

Your choice of password matters beyond any one particular site. If the same password is used for multiple accounts - like your banking, social media, and commerce accounts - then exposure of the password at any one of these sites means exposure for all accounts that use it.

Because lists of passwords acquired during past break-ins circulate, it is never a good idea to reuse a password or part of a password. This does mean you could have many passwords to remember, so it is a good idea to select a good password manager to help you protect against malicious actors.

Do not use default passwords

A default password is a standard pre-configured password for a device that is usually provided when setting up a new device, such as a wireless router or streaming video receiver. Default passwords serve as a placeholder until the end-user customizes the device or service and sets a new password. Unfortunately, all too often the end-user is either not aware that a default password exists or they do not understand the risk.

THE RISK

Possible devices and services at risk for default password use include:

    • Network infrastructure such as routers, switches, and wireless access points
    • Network devices such as printers, scanners, and terminals
    • Web applications and services
    • Databases
    • Any service that listens on the network for connections

THE SOLUTION

    • Always change default passwords during the initial setup or deployment of a device.
    • Do not succumb to the temptation to set "temporary" passwords that are weak; they are likely to become permanent.
    • Using a password generator takes the guesswork out of creating a strong password.
    • Using a password manager to record the password ensures that it will not be forgotten.

Allowing a default password to remain in place makes unauthorized access easy.

What to do if you think your account has been compromised

Breaches are a fact of life, and even strong passwords do not hold up against skilled attackers.

If you think someone has your password, immediately change your password and report the incident to your site's customer support. If you think your S&T account has been compromised, change your password by going to password.umsystem.edu and then Report the Incident.