Lock it down: Keep digital accounts secure with strong passwords

October is National Cybersecurity Awareness Month, and throughout the month Rice’s Office of Information Technology is sharing tips and information about how to stay safe and be a conscientious Internet user.

CybersecurityWhat would you do if you lost access to everything in your digital world? Consider this scenario: Your emails, contacts, documents and even photos are out of reach — or worse, being deleted. Your passwords to all your accounts have been changed. Your contacts are receiving unwanted or even harmful emails from you — or so they think.

If someone steals your password, it could happen.

Passwords have a single purpose: to protect a resource. Generally speaking, a password’s strength — its length and complexity — as well as how often it is changed should be directly related to the value of the resource it’s protecting.

In a single sign-on environment like Rice, where one password is used for everything — from checking email to accessing Rice’s virtual private network to using departmental shares — passwords should be strong. They should include numbers, symbols, capital and lowercase letters, and they should be changed periodically.

For some resources, another option is “multifactor authentication,” or MFA. This type of authentication can help protect accounts even if a password is stolen. Much like a bank ATM requires both a card and a PIN to access an account, MFA requires at least two forms of authentication before access is allowed. Rice Google accounts, for example, can be configured to use not only a password, but also a unique, one-time code sent to a user’s mobile phone. Google calls it “Google Two-Step.” If an attacker does steal a user’s password, the villain will not be able to log into the Google account; the attacker will not have the one-time, unique code sent to the user’s mobile phone. Twitter and Facebook have similar technologies that can be enabled for that extra layer of logon security.

“Rice is also looking at providing MFA to some sites on campus,” said Marc Scarborough, chief information security officer for Rice’s Office of Information Technology. “We are currently piloting technology similar to what Google and Facebook offer — a way to further enhance the logon security of some of our Web-based applications. We are partnering with Duo Security to provide MFA to these sites and services. As we move forward in our pilot and implementation, we will provide more information.”

Until then, Scarborough recommends these best practices:

  • Enable extra security options when available.
  • Enable Google Two-Step authentication on your Rice Google account.
  • Choose different passwords for different sites. Using the same password in multiple locations, even though convenient, lowers the security of those services. If one of them has a breach, then that stolen password will work everywhere it’s used.
  • If you have access to confidential and sensitive information, change your password at least once a year.

“Passwords are everywhere,” Scarborough said. “For every new service we use, we have to create a new password. It also seems as if we see a new service breach every time we read the news. Password theft, through phishing, stolen account databases and keystroke-logging malware, are becoming more common. As companies offer better tools to secure our accounts, we should take advantage of them.”

 

About Jennifer Evans

Jennifer Evans is a senior editor in the Rice's Office of Public Affairs.