Information Security is the practice of defending information from unauthorized access, use, disclosure, modification or destruction. In today’s world, the proliferation of electronic media has brought a new level of awareness of both the plethora of available information and the dangers associated with not protecting it.
The Fitchburg State IT department is always looking for tools to safeguard student and employee information. It takes a village, however, and our goal is to be a partner in the mission to both protect data and educate our community to be responsible for the information and data (personal and business-related) with which we come in contact every day.
Why do I have to change my password every 90 days?
The main reason for regular password changes is to limit your account's exposure to misuse. Whenever you type your password, it is at risk of compromise: someone may look over your shoulder, it may be intercepted as it travels across the network, or it may be captured by a phishing scam. Have you ever shared your password with a friend or family member? If so, you might be inadvertently putting your information in unintended hands.
Every day, hackers launch brute force attacks of all kinds, using a computer to try every possible combination of characters until the password is found by trial and error. Brute force attacks take time, however, especially against longer passwords. Regularly resetting passwords may defeat this kind of attack, or at least make it less attractive, since the whole process has to be repeated after every change.
If a hacker gets your password, whether by guessing or stealing it, they can access your network or account for as long as that password remains valid. Updating your password every quarter significantly limits how useful a stolen password is to an attacker.
At Fitchburg State we are required to enforce password controls because:
- We strive to meet Massachusetts State and Payment Card Industry Standards so that we can do business! Many regulations and standards set the password and account guidelines with which we comply so that we can, for instance, accept a credit card tuition payment.
- It helps identify inactive or overactive accounts, including some that may already have been compromised. For instance, when a user unwittingly answers a phishing email (possibly handing a username and password to a hacking group), a password change can stop malware from being distributed in our network.
If it is so important, why doesn’t my bank make me change my password every 90 days?
Organizations recognize the pitfalls of forcing password changes. Namely, the more often you force people to change passwords, the more likely they are to forget them (or to use simple passwords that are easy to hack). Imagine the support system needed to respond to hundreds of thousands of bank customers calling for password resets! Banks use complicated login procedures instead. You may have noticed that there are several steps to log into online banking. You enter a login name, and then probably corroborate an image that you selected to verify your identity. If you log into the bank's site from a computer different from the one you usually use (or last used), you may be challenged with a question. This is called multi-factor authentication. So in general: you don't need to regularly change the password to your online financial accounts (including accounts at retail sites). However, you really should change your corporate login password occasionally, for all the same reasons you are required to do it at work.
And you need to take a good hard look at your friends, relatives, and paparazzi before deciding how often to change your Facebook (or Social Media) passwords. Certainly, if you break up with someone with whom you've shared a computer, change them all!
At home, remember: it's far more convenient to choose a good password in the first place than it is to change it. You can write your passwords down and keep them in a safe location, or use a program like Password Safe.
Security experts always tell you to choose a long, complicated password, preferably one that contains numbers and punctuation characters rather than just letters. The reason is the size of the character repertoire: a password drawn only from 26 characters (a-z) is much easier to crack than one drawn from 52 (a-z and A-Z) or 62 (adding the digits), because the number of combinations an attacker must try grows with both the repertoire and the length.
If you've ever wondered just how secure your favorite password is, here's a simple website that will tell you. Just go to How Secure is My Password and start typing. As you type, the indicator is updated after every character to tell you, approximately, how long a desktop PC would typically take to crack it.
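As an added illustration (not part of the original page or of any tool it mentions), the Python below works through the repertoire arithmetic from the paragraph above and produces the kind of crack-time estimate the website gives, then checks it against this page's 90-day rotation window. The guess rate, the 32-symbol punctuation set and the sample passwords are assumptions constructed for the example.

```python
import math
import string

# Character classes from the page's argument (26 / 52 / 62 characters) plus
# punctuation; sizing punctuation as string.punctuation (32 symbols) is an assumption.
REPERTOIRES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "punctuation": set(string.punctuation),
}
# Assumed guess rate for an attacker holding a stolen password hash (guesses/s).
# Real hardware varies by orders of magnitude; this figure is illustrative only.
GUESS_RATE = 10_000_000_000
ROTATION_WINDOW_SECONDS = 90 * 24 * 60 * 60  # the 90-day policy on this page


def repertoire_size(password: str) -> int:
    """Alphabet size an attacker must assume: 26 for lowercase only, 52 with mixed
    case, 62 with digits, and so on. Characters outside every class count singly."""
    size = sum(len(chars) for chars in REPERTOIRES.values()
               if any(c in chars for c in password))
    known = set().union(*REPERTOIRES.values())
    return size + len({c for c in password if c not in known})


def keyspace(password: str) -> int:
    """Candidates a full brute-force search must try (alphabet ** length)."""
    return repertoire_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Keyspace in bits; each extra bit doubles the attacker's work."""
    return math.log2(keyspace(password))


def seconds_to_exhaust(password: str, rate: int = GUESS_RATE) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(password) / rate


def outlasts_rotation(password: str, rate: int = GUESS_RATE) -> bool:
    """True if exhausting the keyspace takes longer than the 90-day window, so the
    password is rotated before a brute-force search could finish."""
    return seconds_to_exhaust(password, rate) > ROTATION_WINDOW_SECONDS


if __name__ == "__main__":
    # Constructed sample passwords: same base word, growing repertoire and length.
    for pw in ("fitchburg", "Fitchburg", "Fitchbur9", "Fitchbur9!", "Fitchburg-State-Demo-7!"):
        print(f"{pw!r:26} alphabet={repertoire_size(pw):3d}  bits={entropy_bits(pw):5.1f}  "
              f"days={seconds_to_exhaust(pw) / 86400:11.3g}  outlasts 90 days: {outlasts_rotation(pw)}")
```

The estimate models only the exhaustive search described on this page, so it is an upper bound: dictionary and pattern-based guessing finds a common word with a digit tacked on far faster than the full keyspace suggests.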
Just like phishing, smishing uses cell phone text messages to lure consumers in. Often the text will contain a URL or phone number, and the phone number frequently leads to an automated voice response system. Again just like phishing, the smishing message usually asks for your immediate attention.
In many cases, the smishing message will come from a "5000" number instead of displaying an actual phone number. This usually indicates the SMS message was sent via email to the cell phone, and not sent from another cell phone.
Recently we have seen “Smishing” messages being sent to alumni groups. Do not respond to smishing messages.