Cybersecurity Awareness Month

Since 2004, the President of the United States and Congress have declared October Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace.


The key to solid security begins with your password.

One of the simplest ways to protect yourself and the University is to use secure passwords for your accounts. Think of your password as the lock on the front door of your home. You want a robust and secure deadbolt to keep out any intruders.


  • The University of Rochester provides a free password tool (LastPass) to help you securely store, and even create, complex passwords. LastPass stores passwords in an encrypted vault that you can reach through desktop, laptop, and mobile applications, all linked and protected by one “master” password.


  • If you don’t use a password management tool, you can still create a complex yet easy-to-remember password using a long passphrase rather than a standard password. A passphrase can be a favorite lyric or movie quote. Including spaces and capitalization makes a 14+ character password easy to remember.


  • You may have heard of Multi-Factor Authentication (MFA) or Two-Factor Authentication, such as the Duo software used by the University. MFA protects accounts against compromise even if a hacker obtains a password: because the login process requires a second step, the account is safe even if the password was compromised. Many businesses now offer MFA for online account access. Use it whenever possible.


  • Simple passwords may be easy to remember, but they are also easy to hack. Microsoft maintains a common password list: 500 passwords that Microsoft has seen used in malicious login attempts against accounts in its authentication platform. The list also covers common variations of those passwords. For example, the list contains “password,” so variations such as “P@ssw0rd” and “Pa55word!” are also blocked. Because variations are included, although the Microsoft list is currently the top 500 passwords, it provides protection against over a million variations of the most commonly known, used, and hacked passwords. Using a new tool provided by Microsoft, we can now scan the digital signature of passwords and compare them against the list. (Passwords are never seen; a digital comparison of their fingerprint is made against the database.) When a match is found, individuals will be contacted by University IT and asked to change their password to a more complex one.


  • Later this month, University IT will kick off an annual password change requirement. This newly enforced policy requires that all individuals change their password at least once every 12 months. This yearly change matches the policy currently in place at URMC. More on this will be coming out soon.
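
As an added illustration (not University or Microsoft code), the example below shows how a password check can reduce variations such as “P@ssw0rd” and “Pa55word!” to a banned base word, while a long passphrase passes the same check. The banned entries, the substitution table, and the function names are assumptions made for the example, and it works on a candidate password at the moment it is chosen, not on stored fingerprints.

```python
import re
import string

# Constructed sample entries; the actual Microsoft list is not reproduced here.
BANNED = {"password", "welcome", "letmein", "qwerty"}

# Assumed look-alike substitutions, chosen for illustration.
LOOKALIKES = str.maketrans("@4031$57!", "aaoelssti")

# Characters commonly padded onto the start or end of a base word.
PADDING = string.digits + string.punctuation + " "

MIN_PASSPHRASE_LEN = 14  # the "14+ character" guidance from the page


def base_forms(candidate):
    """Return the letter-only base words a candidate could reduce to."""
    lowered = candidate.lower()
    forms = set()
    # Try both the full string and the string with padding trimmed, so that
    # "Pa55word!" reduces to "password" rather than "passwordi".
    for text in (lowered, lowered.strip(PADDING)):
        forms.add(re.sub(r"[^a-z]", "", text.translate(LOOKALIKES)))
    return forms


def is_banned(candidate):
    """True if any base form of the candidate is on the banned list."""
    return not BANNED.isdisjoint(base_forms(candidate))


def review(candidate):
    """Return a list of findings; an empty list means no finding."""
    findings = []
    if is_banned(candidate):
        findings.append("variation of a banned password")
    if len(candidate) < MIN_PASSPHRASE_LEN:
        findings.append("shorter than 14 characters")
    return findings


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Pa55word!", "Here comes the sun, little darling"):
        print(repr(pw), "->", review(pw) or "no findings")
```

The match is exact on the reduced word, so a banned word embedded inside a longer phrase is not flagged by this example.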