{"id":389,"date":"2018-05-24T08:29:31","date_gmt":"2018-05-24T12:29:31","guid":{"rendered":"http:\/\/blog.uvm.edu\/whysecurity\/?p=389"},"modified":"2018-05-24T09:25:44","modified_gmt":"2018-05-24T13:25:44","slug":"protecting-your-netid-password","status":"publish","type":"post","link":"https:\/\/blog.uvm.edu\/whysecurity\/2018\/05\/24\/protecting-your-netid-password\/","title":{"rendered":"Protecting Your NetID Password"},"content":{"rendered":"<p>You&#8217;ve probably heard by now that UVM has been subject to a computer system intrusion that has the potential to result in the malicious use of UVM NetIDs and passwords. Here&#8217;s the crux of the announcement:<\/p>\n<blockquote><p>The University has no indication that personally identifiable information has been accessed or compromised. Nonetheless, the University is taking the proactive step of requiring that\u00a0<strong><u>ALL passwords be changed immediately and no later than 4:30 PM on Thursday, May 24<\/u><\/strong>.\u00a0\u00a0Accounts with passwords that have not been changed by this time will receive an additional notification, will have their passwords expired, and a change will be required before the account can be used again.<\/p>\n<p>Ongoing monitoring of the University\u2019s computer systems resulted in early detection of this system intrusion, which improved our ability to implement protection and mitigation strategies.\u00a0The University continues to work with law enforcement and information security experts to investigate and address the intrusion.\u00a0\u00a0Users are asked to be extra vigilant with their computer use and report any suspicious activity to\u00a0<a style=\"font-weight: 400\" href=\"mailto:abuse@uvm.edu\">abuse@uvm.edu<\/a>.<\/p><\/blockquote>\n<p>For more information you can read the <a href=\"http:\/\/www.uvm.edu\/it\/?Page=news&amp;storyID=26068&amp;category=etsspotlight\">full announcement<\/a> and an <a href=\"https:\/\/go.uvm.edu\/pwchange\">up-to-date 
FAQ<\/a>.<\/p>\n<p>While no one likes maintaining passwords, they remain an important part of the security infrastructure at UVM and our peer institutions. We&#8217;ve recently implemented <a href=\"https:\/\/www.uvm.edu\/it\/security\/mfa.html\">Multifactor Authentication<\/a> for access to our most sensitive services, such as PeopleSoft, VPN (Virtual Private Network), and Virtual Desktop Infrastructure, and we may protect more systems with MFA in the future. Even with MFA in place and our strong password standards, you can help protect yourself and the University by following these guidelines:<\/p>\n<ol class=\"tall_list\">\n<li>The\u00a0<b><u>longer<\/u><\/b>\u00a0the password, the more difficult it will be to crack. UVM NetID passwords are required to be at least 12 characters long, but longer is better. You can even use a phrase, or a string of random words, e.g. &#8216;owls are my favorite flying Things.&#8217;, or &#8216;house caterpillar verify peanut&#8217;.<\/li>\n<li>The\u00a0<b><u>more character sets<\/u><\/b>\u00a0used, the more secure the password. Different character sets include:\n<ul class=\"normal_list\">\n<li>upper case letters (A B C D)<\/li>\n<li>lower case letters (a b c d)<\/li>\n<li>numbers (1 2 3 4)<\/li>\n<li>punctuation or other symbols (! @ # $)<\/li>\n<\/ul>\n<p>UVM NetID passwords require at least two different character sets, but more is better.<\/li>\n<li>The\u00a0<b><u>more complex<\/u><\/b>\u00a0a password is, the more difficult to guess. 
Complex passwords are:\n<ul class=\"normal_list\">\n<li><b>not<\/b>\u00a0based on single words found in the dictionary, in any language<\/li>\n<li><b>not<\/b>\u00a0words spelled backwards, common misspellings or abbreviations<\/li>\n<li><b>not<\/b>\u00a0sequences (12345678) or repeated characters (22222222)<\/li>\n<li><b>not<\/b>\u00a0common mathematical sequences and series like Fibonacci numbers, Pi, or prime numbers<\/li>\n<li><b>not<\/b>\u00a0keyboard layout sequences (QWERTYPOIU, qazwsxedc or similar)<\/li>\n<li><b>not<\/b>\u00a0dates like birthdays or anniversaries<\/li>\n<li><b>not<\/b>\u00a0personal information like names of friends, relatives, pets or children<\/li>\n<li><b>not<\/b>\u00a0another unique identifier like your Social Security Number, student ID number, bank PIN, driver&#8217;s license number or passport number<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>An ideal password is one that is easy for you to remember, impossible for a human to guess, and more difficult for a computer to crack. 
While UVM stores passwords in a strongly encrypted form, attackers could potentially leverage the computational power of botnets and modern supercomputers to crack weaker passwords with relative ease.<\/p>\n<p>Using a string of random words is a great alternative to remembering a string of gibberish (or choosing a weak password):<\/p>\n<p><a href=\"http:\/\/blog.uvm.edu\/whysecurity\/files\/2018\/05\/password_strength.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-394\" src=\"http:\/\/blog.uvm.edu\/whysecurity\/files\/2018\/05\/password_strength.png\" alt=\"\" width=\"740\" height=\"601\" srcset=\"https:\/\/blog.uvm.edu\/whysecurity\/files\/2018\/05\/password_strength.png 740w, https:\/\/blog.uvm.edu\/whysecurity\/files\/2018\/05\/password_strength-300x244.png 300w\" sizes=\"auto, (max-width: 740px) 100vw, 740px\" \/><\/a><\/p>\n<p>Image:\u00a0<a href=\"http:\/\/xkcd.com\/936\/\" target=\"_blank\" rel=\"noopener\">xkcd\u2014a webcomic of romance, sarcasm, math, and language<\/a>\u00a0(<a href=\"http:\/\/creativecommons.org\/licenses\/by-nc\/2.5\/\" target=\"_blank\" rel=\"noopener\">Creative Commons BY-NC 2.5<\/a>)<\/p>\n<p>A few other tips:<\/p>\n<ol>\n<li>Use a password keeper. You&#8217;ll only need to remember your master password, and most password keepers can generate strong passwords for you that you won&#8217;t need to remember. Many password keepers integrate with your web browser so you don&#8217;t even need to type the passwords to use them. Among the password keepers used by IT staff at UVM are LastPass, Dashlane, KeePass, and 1Password. While we don&#8217;t support or endorse a specific password keeper at this point, they represent a mature technology that is reliable, secure, and convenient.<\/li>\n<li>Don&#8217;t use your UVM password anywhere else. 
This is the main reason we require annual password changes: if another password database has been breached (such as those at Yahoo!, eBay, and Adobe) and users have used the same password there that they do at UVM, eventually the attackers will discover that they have working UVM credentials.<\/li>\n<li>\u00a0No passwords on sticky notes! (No, really. It&#8217;s 2018.)<\/li>\n<li>Take steps to protect yourself from <a href=\"https:\/\/en.wikipedia.org\/wiki\/Malware\">malware<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Phishing\">phishing scams<\/a>. Keylogger malware, which captures your keystrokes and passes them along to malicious actors, is a common source of compromised credentials. Keep your antivirus software up to date and don&#8217;t visit any dubious websites. Be sure to check the URL bar of your browser any time you&#8217;re entering your UVM credentials into a website (even if it looks familiar); make sure you&#8217;re always at uvm.edu\/.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You&#8217;ve probably heard by now that UVM has been subject to a computer system intrusion that has the potential to result in the malicious use of UVM NetIDs and passwords. Here&#8217;s the crux of the announcement: The University has no indication that personally identifiable information has been accessed or compromised. 
Nonetheless, the University is taking &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.uvm.edu\/whysecurity\/2018\/05\/24\/protecting-your-netid-password\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Protecting Your NetID Password&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3505,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[351618,45786],"class_list":["post-389","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-mfa","tag-passwords","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"jdphilli","author_link":"https:\/\/blog.uvm.edu\/whysecurity\/author\/jdphilli\/"},"_links":{"self":[{"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/posts\/389","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/users\/3505"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/comments?post=389"}],"version-history":[{"count":6,"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/posts\/389\/revisions"}],"predecessor-version":[{"id":396,"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/posts\/389\/revisions\/396"}],"wp:attachment":[{"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/media?parent=389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/categories?post=389"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.uvm.edu\/whysecurity\/wp-json\/wp\/v2\/tags?post=389"}],"curies":[{"name":"wp","href":"https:\/\
/api.w.org\/{rel}","templated":true}]}}