Credentials - Baseline
What are Credentials?
A credential is used to verify a person's identity and ability to access something. A driver's license, birth certificate, or a passport are examples of paper credentials for citizenship. A computer system uses different credentials to identify the user. A computer system often has a username and one of three authentication methods:
- something you know, such as a password
- something you have, such as certificate, computer, or email address
- something you are, such as your fingerprint
There is often a subjective factor with paper credentials. For example, if you present an identification that has someone else's picture, it may not work. A computer system does not have subjectivity. For example, if a fraudulent user enters the correct username and password the computer will accept the credentials.
Why would attackers want your NetID and password?
The answer to this depends on your access to systems on campus. Your credentials could be used to create fraudulent transactions, access sensitive systems, or to trick other users into providing their credentials. Some examples could include:
- Access to MyUW, Human Resource System, or the campus accounting system.
- To use UW Email to distribute spam with a wisc.edu email address.
- Possibly to submit fraudulent transactions or documents.
How do attackers get your credentials?
There are various technical and non-technical means that can be used to obtain your credentials. A non-technical means include social engineering attacks where the attacker request your credentials via email, telephone, or a link requesting you log into a website.
The technical means are not much more sophisticated. There are computer programs that will guess commonly used passwords or dictionary words in a matter of minutes. A list of the most common passwords can be found here.
"Heartbleed" was a vulnerability where attackers potentially gained access to your NetID credentials. The lesson learned from this is to make sure you change your password frequently and whenever you are informed of these types of attacks.In addition, there are computer programs that will guess every possible password combination. The time it takes the program depends on the length and complexity of your password. Below is an example:
|Password Length||Upper and Lower Case Letters||Upper and Lower Case Letters with Numbers||Upper and Lower Case Letters, Numbers, and Special Characters|
|8||11 seconds||44 seconds||20 minutes|
|12||2 years||20 years||3,018 years|
|16||18,000,000 years||302,000,000 years|
|Note: For this exercise we used www.passwordstrengthcalculator.com which only provides an estimate for the password useful life. There are many variables such as attack speed, lockout timers, forced password changes, etc.|
Finally, cyber criminals often perform reconnaissance on a target to obtain information to conduct an attack. The University has a lot of publically accessible information including organizational charts, directories, position descriptions, and many more items. In addition, a lot of information can be obtained about an organization through Google searches and social media sites (Facebook, Twitter, Instagram, and many more.) This information can provide an attacker half the information needed (i.e. username) or potential passwords.
How to secure your credentials?
Some best practices for securing your password can be found in the Password Standard for UW-Madison. Remember, do not use passwords that include common names, dictionary words, or that follow common keyboard patterns (e.g. 123456, qwerty, asdfg). Never share your password with anybody or write the password down unless you can secure the paper document. Finally, password should include lower and upper case letters, numbers, and special characters.
It is your responsibility to ensure your NetID/password and other credentials are managed securely - Don’t be the weak link in this system.
Creating Strong Passwords
Review the following strong and weak password characteristics and then change your NetID password and other campus passwords that do not meet the standards.
Strong Password Characteristics
The criteria for the UW-Madison Baseline Password Standard are:
- At least eight alphanumeric characters long
- Contain at least three of the following four categories:
- Upper case characters (e.g., A-Z)
- Lower case characters (e.g., a-z)
- Digits (e.g., 0-9)
- Special characters ( e.g., !@#$%^&*)
- Do not contain a common proper name, login ID, email address, initials, first, middle or last name
Characteristics of a Weak Password
- Contain less than twelve characters
- Can be found in a dictionary (English or foreign) or a word in any language, slang, dialect, jargon, etc.
- Is the same as your user name or login name
- Is a common usage word such as names of family, pets, friends, computer terms, birthdays or other personal information, or number patterns like aaabbb, dddddd, qwerty, 123456, etc.
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Password Management Best Practices
- Change your passwords at least twice a year. The reason we suggest changing your password this frequently is to protect against the threat of dictionary attacks.
- Avoid re-using or duplicating passwords between work and personal accounts (e.g. your online banking account or Facebook).
- Never provide your username and password to anyone else. No one should ask for your NetID and password, not even other staff. This includes via email, over the phone or in person. Similarly, do not ask anyone else for his or her NetID and password.
- Do not use your NetID/password for systems that do not officially support NetIDs. Personal related uses would include subscriptions, on-line banking, etc. Work related uses would include database accounts, file server accounts, etc. Your NetID/password should be used ONLY for authenticating to the systems for which that pair was designed.
- If you are responsible for managing many credentials, we recommend using a password manager. However, ensure that you are using an exceptionally strong password to protect the rest and periodically change that password. Password managers you may choose to use:
Multi-factor (Strong) Authentication
The problem with passwords is that they are quickly becoming dated. Even if you use strong passwords, with newer technologies, it is becoming easier for cyber attackers to crack the passwords or to collect credentials through social engineering or phishing. Multi-factor authentication is an enhanced way of authenticating using two out of three factors. These three factors are:
- something you know, such as a password,
- something you have, such as your passport, phone number or email address and
- something you are, such as your fingerprint.
An example of one of the first multi-factor authentication used at the University of Wisconsin is the Human Resource System (HRS). When using two factor authentication, a user presents a token with a 6-digit value showing (something you have) and enters a password or phase (something you know). In addition, the application must know how to validate the token/password information in order to grant access to the restricted data. This is similar to how an ATM card works.
Expect usage of multi-factor to increase as username/password pairs become too easy to break.
Use multi-factor authentication whenever possible, especially for critical services containing or storing sensitive or restricted data. Since criminals have to work much harder to try and compromise your credentials, multi-factor authentication goes much further in protecting than a simple username and password.
Updating Campus Password Recommendations
At UW-Madison, the Credential Policy Team has developed new password recommendations for campus. The University has adopted forms of strong authentication for select groups of users of specific services that contain high-risk data. Many other systems—including those maintained by the Institution’s distributed IT community—also contain significant amounts of high-risk data. Widespread use of strong authentication is more and more becoming the norm outside the University. Strong authentication alone doesn’t solve all of the University’s information security challenges, but it is a vital part of a broader solution. For more details regarding this project, view the Credential Policy wiki page.