What are Credentials?
A credential is used to verify a person's identity and their right to access something. A driver's license, a birth certificate, or a passport are examples of paper credentials. A computer system uses different credentials to identify a user: normally a username combined with one of three kinds of authentication factor:
- something you know, such as a password
- something you have, such as a certificate, a computer, or an email address
- something you are, such as your fingerprint
There is often a subjective factor with paper credentials. For example, if you present an identification card that carries someone else's picture, it may be rejected. A computer system exercises no such judgement: if a fraudulent user enters the correct username and password, the computer accepts the credentials.
Why would attackers want your Campus credentials?
The answer depends on which campus systems you can access. Your credentials could be used to create fraudulent transactions, access sensitive systems, or trick other users into providing their own credentials. Some examples include:
- Access to the Human Resource system, which holds a large amount of sensitive and restricted data.
- To use UW Email to distribute spam with a .edu email address.
- To submit fraudulent transactions or documents.
How do attackers get your credentials?
There are various technical and non-technical means of obtaining your credentials. Non-technical means include social engineering attacks, in which the attacker asks for your credentials by email or telephone, or sends a link that asks you to log into a look-alike website.
The technical means are more sophisticated. There are computer programs that will guess commonly used passwords or dictionary words in a matter of minutes. A list of the most common passwords can be found here. In addition, there are programs that try every possible password combination (a brute-force attack). The time this takes depends on the length and complexity of your password. Below is an example:
| Password Length | Upper and Lower Case Letters | Upper and Lower Case Letters with Numbers | Upper and Lower Case Letters, Numbers, and Special Characters |
|---|---|---|---|
| 8 | 11 seconds | 44 seconds | 20 minutes |
| 12 | 2 years | 20 years | 3,018 years |
| 16 | 18,000,000 years | 302,000,000 years | |
Note: For this exercise we used www.passwordstrengthcalculator.com, which only provides an estimate of a password's useful life. There are many variables, such as attack speed, lockout timers, forced password changes, etc.
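The figures above come from a single formula: the number of candidate passwords is (alphabet size) to the power (length), and the time to try them all is that number divided by how many guesses per second the attacker can make. The following is an added example, not the calculator the page used and not University code; it reproduces the table's figures and adds the variable the note warns about, attack speed. The guess rates are assumptions: the table's values are consistent with roughly five trillion guesses per second (an offline attack against a stolen password hash on GPU hardware), while an online login form with a lockout timer might allow around ten guesses per second.

```python
"""Brute-force time estimator (added example, not from the original page).

search space = alphabet_size ** length
time to exhaust = search space / guesses per second
"""
import string

# Alphabet sizes matching the three columns of the table above.
ALPHABETS = {
    "letters": len(string.ascii_letters),                                   # 52
    "letters+digits": len(string.ascii_letters + string.digits),            # 62
    "letters+digits+special": len(string.ascii_letters + string.digits
                                  + string.punctuation),                    # 94
}

# Assumed guess rates (guesses per second); neither figure is stated on the page.
OFFLINE_RATE = 5e12   # offline cracking of a stolen hash on a GPU rig
ONLINE_RATE = 10.0    # online guessing against a login form with rate limiting


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Seconds needed to try every candidate at `rate` guesses per second."""
    return search_space(alphabet_size, length) / rate


def alphabet_size_of(password: str) -> int:
    """Infer the alphabet an attacker must cover from the classes actually used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32
    return size


def humanize(seconds: float) -> str:
    """Round a duration to its largest whole unit, as the table does."""
    if seconds < 1:
        return "under a second"
    units = [("year", 365 * 86400), ("day", 86400), ("hour", 3600),
             ("minute", 60), ("second", 1)]
    for name, size in units:
        if seconds >= size:
            n = seconds / size
            plural = "" if round(n) == 1 else "s"
            return f"{n:,.0f} {name}{plural}"
    return "under a second"


def estimate(password: str, rate: float = OFFLINE_RATE) -> str:
    """Worst-case time to exhaust the space a given password lives in."""
    return humanize(seconds_to_exhaust(alphabet_size_of(password),
                                       len(password), rate))


if __name__ == "__main__":
    print(f"{'length':>6} | " + " | ".join(f"{n:>24}" for n in ALPHABETS))
    for length in (8, 12, 16):
        row = [humanize(seconds_to_exhaust(size, length, OFFLINE_RATE))
               for size in ALPHABETS.values()]
        print(f"{length:>6} | " + " | ".join(f"{r:>24}" for r in row))
    # The same 8-letter password against a rate-limited login form:
    print("8 letters, online:", humanize(seconds_to_exhaust(52, 8, ONLINE_RATE)))
```

Running it prints the three table rows, then shows that the same eight-letter password that falls in 11 seconds offline would take on the order of 170,000 years through a login form limited to ten guesses per second. That is why a lockout timer changes the picture so much, and why a password hash that has leaked (as in a breach) must be treated as already cracked regardless of its age.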
Finally, cyber criminals often perform reconnaissance on a target to gather the information needed to conduct an attack. The University publishes a lot of information, including organizational charts, directories, position descriptions, and more. In addition, a great deal can be learned about an organization through Google searches and social media sites (Facebook, Twitter, Instagram, and many more). This information can give an attacker half of what is needed (the username) as well as clues to likely passwords.
How do you secure your credentials?
Remember: do not use passwords that include common names or dictionary words, or that follow common keyboard patterns. Never share your password with anybody, and do not write it down unless you can physically secure the paper. Finally, passwords should include lower and upper case letters, numbers, and special characters.
It is your responsibility to ensure that your campus username/password and other credentials are managed securely. Don't be the weak link in this system.
Creating Strong Passwords
Review the following strong and weak password characteristics and then change your passwords that do not meet the standards.
Strong Password Characteristics
The criteria for creating a strong password are as follows:
- The password standard requires passwords to be at least eight alphanumeric characters long. However, longer passwords are much harder to crack, and because the computing power available for cracking keeps increasing, the Office of Cybersecurity recommends at least twelve characters.
- Contain at least three of the following four categories:
  - Upper case characters (e.g., A-Z)
  - Lower case characters (e.g., a-z)
  - Digits (e.g., 0-9)
  - Special characters (e.g., !@#$%^&*)
- Do not contain a common proper name, your login ID, email address, initials, or first, middle, or last name
Characteristics of a Weak Password
- Contains fewer than eight characters
- Can be found in a dictionary (English or foreign), or is a word in any language, slang, dialect, jargon, etc.
- Is the same as your user name or login name
- Is a commonly used word or fact, such as the names of family, pets or friends, computer terms, birthdays or other personal information, or a pattern like aaabbb, dddddd, qwerty, 123456, etc.
- Is any of the above preceded or followed by a digit (e.g., secret1, 1secret)
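The strong and weak characteristics above are mechanical enough to be checked by a program, and doing so shows how the rules interact (for example, how the "preceded or followed by a digit" rule catches secret1). The checker below is an added example, not the University's own password-standard tool. Its word list, keyboard rows and the sample identity record are constructed for the example; a real deployment would load a full dictionary (the "English or foreign" list the page refers to) and the user's directory record.

```python
"""Password-policy checker for the characteristics listed above.

Added example, not the University's own tool. DICTIONARY, KEYBOARD_ROWS and the
Identity record are constructed stand-ins.
"""
import re
import string
from dataclasses import dataclass

MIN_LENGTH = 8           # the standard
RECOMMENDED_LENGTH = 12  # the Office of Cybersecurity recommendation

# Constructed, deliberately tiny word list standing in for a full dictionary.
DICTIONARY = {"secret", "password", "badger", "summer", "welcome", "letmein",
              "wisconsin", "football"}

# Rows of a US keyboard; four or more adjacent keys in either direction is a pattern.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


@dataclass
class Identity:
    """The directory fields the standard says a password must not contain."""
    login: str
    email: str
    first: str
    last: str
    middle: str = ""

    def forbidden_terms(self) -> set:
        terms = {self.login, self.email, self.email.split("@")[0],
                 self.first, self.middle, self.last,
                 self.first[:1] + self.middle[:1] + self.last[:1]}  # initials
        # Two-letter fragments would match almost anything, so require 3+ chars.
        return {t.lower() for t in terms if len(t) >= 3}


def character_classes(password: str) -> int:
    """How many of the four categories (upper, lower, digit, special) are present."""
    return sum([any(c.isupper() for c in password),
                any(c.islower() for c in password),
                any(c.isdigit() for c in password),
                any(c in string.punctuation for c in password)])


def strip_one_digit(word: str) -> str:
    """Undo the 'preceded or followed by a digit' trick: secret1 -> secret, 1secret -> secret."""
    return re.sub(r"^\d|\d$", "", word)


def is_keyboard_pattern(password: str) -> bool:
    low = password.lower()
    if re.search(r"(.)\1\1", low):          # runs such as aaabbb or dddddd
        return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            run = row[i:i + 4]
            if run in low or run[::-1] in low:
                return True
    return False


def is_dictionary_word(password: str) -> bool:
    low = password.lower()
    return low in DICTIONARY or strip_one_digit(low) in DICTIONARY


def contains_identity(password: str, ident: Identity) -> bool:
    low = strip_one_digit(password.lower())
    return any(term in low for term in ident.forbidden_terms())


def check_password(password: str, ident: Identity) -> dict:
    """Return {'ok': bool, 'errors': [...], 'warnings': [...]} against the standard."""
    errors, warnings = [], []
    if len(password) < MIN_LENGTH:
        errors.append(f"fewer than {MIN_LENGTH} characters")
    elif len(password) < RECOMMENDED_LENGTH:
        warnings.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    if character_classes(password) < 3:
        errors.append("fewer than three of the four character categories")
    if is_dictionary_word(password):
        errors.append("dictionary word, possibly with a leading/trailing digit")
    if is_keyboard_pattern(password):
        errors.append("keyboard or repeated-character pattern")
    if contains_identity(password, ident):
        errors.append("contains login ID, name, initials or email address")
    return {"ok": not errors, "errors": errors, "warnings": warnings}


# Constructed sample identity record.
IDENT = Identity(login="bbadger", email="bucky.badger@example.org",
                 first="Bucky", last="Badger")

if __name__ == "__main__":
    for candidate in ("secret1", "Qwerty123!", "Bucky2019!", "Tr0ub4dor&3x$"):
        print(candidate, check_password(candidate, IDENT))
```

The sample run flags secret1 on three counts (too short, only two categories, and a dictionary word once the trailing digit is removed), Qwerty123! for the keyboard run even though it uses all four categories, and Bucky2019! for containing the first name; only the 13-character Tr0ub4dor&3x$ passes with no warnings. Substring matching against identity fields is deliberately strict, since an attacker who has read the directory will try exactly those fragments.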
Password Management Best Practices
- Change your passwords at least twice a year. The reason to change passwords this often is to limit the useful life of a password that has been cracked or leaked without your knowledge, so that an attacker who has quietly obtained it cannot keep using it indefinitely.
- Avoid re-using or duplicating passwords between work and personal accounts (e.g. your online banking account or Facebook).
- Never provide your username and password to anyone else. No one should ask for your password, not even other staff. This includes via email, over the phone or in person. Similarly, do not ask anyone else for his or her password.
- If you are responsible for managing many credentials, we recommend using a password manager. However, ensure that you protect it with an exceptionally strong master password and change that password periodically. Some examples of password managers are KeePass, OS X Keychain, Password Safe, LastPass and Dashlane.
- Do not use your campus username/password for systems that do not officially support them. Personal uses would include subscriptions, online banking, etc. Work-related uses would include database accounts, file server accounts, etc. Your campus username/password should be used ONLY for authenticating to the systems for which that pair was designed.
Multi-factor (Strong) Authentication
The problem with passwords is that, on their own, they no longer provide enough protection. Even if you use strong passwords, newer technology makes it easier for attackers to crack them, and social engineering or phishing can collect them outright. Multi-factor authentication strengthens the login by requiring two of three independent factors. These three factors are:
- something you know, such as a password,
- something you have, such as your passport, phone number or email address, and
- something you are, such as your fingerprint.
Because of the increased ability to compromise passwords described above, multi-factor authentication makes it much harder for an attacker to take over your account. This added security is not a reason to let your guard down: you should still be diligent about choosing and maintaining strong passwords, because the password is still one of the two factors, and it remains the only authentication method for many other systems in use.
Always keep your device on you, or in a securely locked area, when you are not using it. If you use the phone app, protect the phone with a strong passcode or swipe pattern and keep it locked when not in use. If you use a swipe pattern, clean your screen regularly: simple patterns are easy to recover by tilting the phone at an angle where the smudge trail left by the pattern becomes visible.
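To make the "two of three factors" idea concrete, the following added example shows a login check that requires both a password (something you know) and a six-digit code generated by an authenticator app (something you have). It is not the campus login system's code, and the page does not say which code scheme the campus phone app uses; the example assumes the common time-based one-time password scheme of RFC 6238 (TOTP), built on RFC 4226 HOTP, where the code is an HMAC-SHA1 over the current 30-second time step. The user record, salt and shared secret are constructed for the example (the secret is the RFC 4226 test-vector key).

```python
"""Two-factor login check (added example, not campus code).

Factor 1: password, verified against a stored PBKDF2 hash.
Factor 2: a TOTP code (RFC 6238) computed from a secret shared with the user's app.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # TOTP time-step length
DIGITS = 6          # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


# Constructed password storage; a real system would use a random per-user salt.
SALT = b"constructed-salt-for-the-example"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed user record: the TOTP secret is the RFC 4226 test key.
USERS = {
    "bbadger": {
        "pw_hash": hash_password("Tr0ub4dor&3x$"),
        "totp_secret": b"12345678901234567890",
    },
}


def verify_login(username: str, password: str, code: str,
                 at: float = None, window: int = 1) -> bool:
    """Accept only if the password AND a code from the current (or adjacent) step match."""
    user = USERS.get(username)
    if user is None:
        return False
    at = time.time() if at is None else at
    current = int(at // STEP_SECONDS)
    # Evaluate both factors every time, so a failure does not reveal which one was wrong.
    password_ok = hmac.compare_digest(hash_password(password), user["pw_hash"])
    # Allow one step of clock skew either side; compare in constant time.
    code_ok = any(hmac.compare_digest(hotp(user["totp_secret"], current + d), code)
                  for d in range(-window, window + 1))
    return password_ok and code_ok


if __name__ == "__main__":
    secret = USERS["bbadger"]["totp_secret"]
    print("code at t=59:", totp(secret, at=59))           # 287082 (RFC 6238 vector)
    print("password + code:", verify_login("bbadger", "Tr0ub4dor&3x$", "287082", at=59))
    print("password only:  ", verify_login("bbadger", "Tr0ub4dor&3x$", "000000", at=59))
    print("code only:      ", verify_login("bbadger", "guess", "287082", at=59))
```

The last two lines of the sample run are the point of the section: a correct password with a wrong code fails, and a correct code with a wrong password fails. An attacker who phished the password still needs the device that holds the secret, and an attacker who read a code over someone's shoulder has only thirty seconds and still no password.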
There are tools designed to help you manage your credentials:
- KeePass, Password Safe and LastPass are a few of the password managers available.
- If you cannot install these yourself, contact your IT department to find out if they can install a password manager for you.
- Apple Mac users may request KeePass or use the built-in Keychain application to store your credentials.
Create a strong master password for the password manager, then store and organize all your userid/password pairs in its encrypted database. With such a tool there is no longer any reason to reuse a password across systems.
If you have any further questions regarding password managers for professional or personal use, please contact the UW-Madison Office of Cyber Security Team at firstname.lastname@example.org. The Security Team would be willing to attend group meetings to instruct your entire staff on their use and best practices.
Heartbleed - What was that all about?
In April 2014, many of you heard about "Heartbleed", a flaw in the OpenSSL library through which attackers could potentially have read your campus credentials from affected servers. The lesson learned is to change your password regularly, and immediately whenever you are informed of an incident of this kind.
Remember, someone who stole your password could:
- Access the site they stole it from with your username and password
- Try that password, with likely usernames, on other websites such as Facebook or Twitter, and take over your online life
- Do the same with bank websites and take over your financial life
You can help protect your online account from this type of attack by:
- Using different usernames and passwords for each different website you use that requires a login. A password manager can help you create good passwords and not forget them.
- Turning on what is commonly called 2-factor or multi-factor authentication for any web service that offers it. One of the more common forms today is a website that has you log in with a username/password combination but also sends you a code by text message that you must enter as part of the login.
- Changing the passwords you use for important sites, like HRS or online banking, semi-regularly. Password managers can help you remember to do this by letting you set an expiration time for passwords you store in them.
Want to know more about how heartbleed leaked information out of websites? Check out this XKCD cartoon.