A credential is used to verify a person's identity and ability to access something. A driver's license, birth certificate, or a passport are examples of paper credentials for citizenship. A computer system uses different credentials to identify the user. A computer system often has a username and one of three authentication methods:
There is often a subjective factor with paper credentials. For example, if you present an identification that has someone else's picture, it may not work. A computer system does not have subjectivity. For example, if a fraudulent user enters the correct username and password the computer will accept the credentials.
The answer to this depends on your access to systems on campus. Your credentials could be used to create fraudulent transactions, access sensitive systems, or to trick other users into providing their credentials. Some examples could include:
There are various technical and non-technical means that can be used to obtain your credentials. A non-technical means include social engineering attacks where the attacker request your credentials via email, telephone, or a link requesting you log into a website.
The technical means are not much more sophisticated. There are computer programs that will guess commonly used passwords or dictionary words in a matter of minutes. A list of the most common passwords can be found here.
"Heartbleed" was a vulnerability where attackers potentially gained access to your NetID credentials. The lesson learned from this is to make sure you change your password frequently and whenever you are informed of these types of attacks.In addition, there are computer programs that will guess every possible password combination. The time it takes the program depends on the length and complexity of your password. Below is an example:
|Password Length||Upper and Lower Case Letters||Upper and Lower Case Letters with Numbers||Upper and Lower Case Letters, Numbers, and Special Characters|
|8||11 seconds||44 seconds||20 minutes|
|12||2 years||20 years||3,018 years|
|16||18,000,000 years||302,000,000 years|
|Note: For this exercise we used www.passwordstrengthcalculator.com which only provides an estimate for the password useful life. There are many variables such as attack speed, lockout timers, forced password changes, etc.|
Finally, cyber criminals often perform reconnaissance on a target to obtain information to conduct an attack. The University has a lot of publically accessible information including organizational charts, directories, position descriptions, and many more items. In addition, a lot of information can be obtained about an organization through Google searches and social media sites (Facebook, Twitter, Instagram, and many more.) This information can provide an attacker half the information needed (i.e. username) or potential passwords.
Some best practices for securing your password can be found in the Password Standard for UW-Madison. Remember, do not use passwords that include common names, dictionary words, or that follow common keyboard patterns (e.g. 123456, qwerty, asdfg). Never share your password with anybody or write the password down unless you can secure the paper document. Finally, password should include lower and upper case letters, numbers, and special characters.
It is your responsibility to ensure your NetID/password and other credentials are managed securely - Don’t be the weak link in this system.
Review the following strong and weak password characteristics and then change your NetID password and other campus passwords that do not meet the standards.
The criteria for the UW-Madison Baseline Password Standard are:
The problem with passwords is that they are quickly becoming dated. Even if you use strong passwords, with newer technologies, it is becoming easier for cyber attackers to crack the passwords or to collect credentials through social engineering or phishing. Multi-factor authentication is an enhanced way of authenticating using two out of three factors. These three factors are:
An example of one of the first multi-factor authentication used at the University of Wisconsin is the Human Resource System (HRS). When using two factor authentication, a user presents a token with a 6-digit value showing (something you have) and enters a password or phase (something you know). In addition, the application must know how to validate the token/password information in order to grant access to the restricted data. This is similar to how an ATM card works.
Expect usage of multi-factor to increase as username/password pairs become too easy to break.
Use multi-factor authentication whenever possible, especially for critical services containing or storing sensitive or restricted data. Since criminals have to work much harder to try and compromise your credentials, multi-factor authentication goes much further in protecting than a simple username and password.
At UW-Madison, the Credential Policy Team has developed new password recommendations for campus. The University has adopted forms of strong authentication for select groups of users of specific services that contain high-risk data. Many other systems—including those maintained by the Institution’s distributed IT community—also contain significant amounts of high-risk data. Widespread use of strong authentication is more and more becoming the norm outside the University. Strong authentication alone doesn’t solve all of the University’s information security challenges, but it is a vital part of a broader solution. For more details regarding this project, view the Credential Policy wiki page.