Picture this: sticky notes on every screen. And if there are none on the monitor, lift up the keyboard. Nothing there? Try opening the pencil drawer.
Unfortunately, it’s not hard for the wrong person to find these notes, and it’s the passwords written on these innocuous slips of paper that worry IT administrators at every college and university. With all the breaches of institutional networks that have occurred, a crackdown is underway: Come up with stronger passwords and find better ways to secure them.
The future of password security at universities and colleges is now. And if you have yet to hear statements like the following from the IT department, just wait a day or two. You will.
1. “Single-word passwords are no longer allowed. But easy-to-remember, hard-to-hack pass phrases are.”
Data breaches persist at a rapid pace because users continue to choose birthdays, “password,” “12345,” and other easily guessed passwords, say experts. That’s a big reason IT administrators might announce a strong policy such as the above.
Ron King, president of CampusGuard, a Texas-based company focused on compliance and security for higher education, says single-word passwords will always be allowed, but that password phrases are the trend in cybersecurity. Still, he adds, additional creativity in crafting a password is a good idea.
Here’s how King suggests working “I love the Dallas Cowboys” into a password using letters, numbers and symbols: iL0v3the8alla$(0Wboyz. King says users should not share the pass phrase with anyone, adding that it’s also a good idea to choose a new one every 90 days.
Why campuses need password protectors
Financial aid fraud:
- 82%: Increase in student aid recipients potentially participating in fraud rings from 2009 to 2012
- $187 million: Estimated loss of federal student aid during that time period
—SOURCE: “Office of Inspector General Semiannual Report to Congress.”
Lots of log-ins:
- 12: The number of different sites the average business user signs into each day (hopefully with 12 different passwords)
—SOURCE: Cid Ferrara, LastPass
Security breaches happening frequently:
- “You lose real dollars as a result of a breach in a system that can be fixed with software that is downright cheap.” —Quinn Shamblin, Boston University
Much to manage—Account management of information systems involves the “four A’s”:
- Authentication: Are users who they say they are?
- Authorization: Is the user allowed into this particular system?
- Audit logging: Who is doing what and when? (So any problems can be traced back to their source)
- Account management: When a staffer leaves,are systems access and accounts disabled?
—SOURCE: Lysa Myers, ESET
2. “Getting into the system will, from now on, require two steps.”
Two-factor authentication takes advantage of the ubiquity of smartphones to keep sign-ins secure.
Here’s how this kind of authentication works: After a user’s name and password are entered, a text message arrives on that user’s smart phone. The text contains a code the user must enter to proceed with sign-in. These codes can also be sent by phone call, email or through a separate, small “dongle,” a device that generates such codes. The latter option requires carrying an extra piece of equipment.
“Mobile phones will become the center of the universe,” says Benjamin Wyricki, vice president of North America sales and business operations for VASCO Data Security Inc., an authentication and security company based in Chicago.
“More security controls will be built around that platform, using it to authenticate the user. You will be carrying your ID in your phone.”
3. “Try using the cloud to store encrypted passwords.”
In a time when computer users typically access 12 different password-protected sites every day, having to remember just one seems to be a luxury. But that is how you operate a password vault—which is unlocked with just one master password.
Encrypted passwords are available to enter (without having to memorize 20 characters, numbers and letters) for every site users visit, as long as they visit via that password vault. The vault remembers and automatically fills usernames and passwords; or, if the user doesn’t want an auto-fill option, the vault stores password information in a secured note.
Fairfax, Virginia-based LastPass is one of those password manager companies. “LastPass stores only an encrypted ‘blob’ of information, not the actual passwords,” says Cid Ferrara, sales manager at LastPass. “So even if the host gets breached, hackers only see that encrypted blob.”
The system was tested when the company was breached in June 2015, but everything worked as it was supposed to work, and no one’s personally identifiable information (known in IT circles as PII) was accessed.
The growth of higher ed clients she has seen over the past two years is “proof positive that they understand the critical nature of the subject, the security risks and the huge amount of lost productivity in keeping track of passwords,” Ferrara says.
4. “ We’re not looking to frustrate you as you try to access your work.”
Users adapt to new security processes as long as they can get their work done, says Lysa Myers, a researcher at San Diego-based ESET, a cybersecurity company. So she advises IT administrators to “give everyone the feeling that they are winning with the solution offered,” noting that confidential student information and financial data are being protected.
These protections are ever more critical now that students—and many staff—are bringing their own devices to campus.
The IT department’s view of security is changing, says Steve Edwards, security operations manager at Duo Security, a two-factor authentication company based in Ann Arbor, Michigan. “The focus has shifted to user-enablement—to work with our community to help them do what they need to do in a safe and efficient way.”
5. “We’re moving to biometrics.”
Biometric identification, which uses fingerprints and eye scans to authenticate users, is also becoming more prevalent. And while adding biometric hardware to large systems may be cost prohibitive, there is now software that authenticates users based on “gesture biometrics.”
This is another form of multifactor authentication, explains Jeff Maynard, CEO of Biosig-ID, a biometric authentication software company in Lewisville, Texas. “In addition to signing in with a password, users have to sign in with a gesture drawn on their device screen.”
That gesture is unique to every user. In as few as four characters you draw on your screen, Biosig-ID can authenticate a user, or in the case of educational environments, that students are really the students they say they are, adds Maynard. The software measures the ways a student moves a mouse, stylus or finger on a touch-screen.
This type of authentication becomes increasingly important as virtual learning becomes a bigger part of higher education. New standards from the government require stricter controls for authenticating students.
These new regulations will be tied to disbursement of Title IV funding. It will not be enough to “just” take attendance, as Maynard puts it—remote students will have to authenticate themselves at enrollment, throughout attendance and at test taking time.
Some biometrics software gives administrators information such as what device is being used and for what class, and the accuracy of the answers being given. Schools may be able to identify patterns of academic fraud using this information.
6. “All staff and students: Register for the required training program on ‘good password hygiene.’ ”
Even for colleges that aren’t yet offering training on password habits to the campus community, IT can regularly remind users of common-sense do’s and don’ts.
Quinn Shamblin, executive director of information security at Boston University, urges users to update software as soon as security patches are issued. This is when is when hackers are trying most aggressively to exploit the very problems being patched.
He’ll also remind them not to use the same passwords on several sites, and to use strong passwords (long, with numbers, characters, uppercase and lowercase letters) where the most sensitive activity takes place: banking sites, social media and email.
Students and staff are more willing than ever to adopt good password security habits, Shamblin says. “People are tired of learning about breached accounts, of phishing, of the hackers,” he says. “They want to stop worrying.”
7. “We’re now practicing the ‘Principle of Least Privilege’ on our campus— so unfortunately you no longer have access to that system.”
ESET’s Myers describes the rule like this: “You lock things down so no one person, system or network has more access than they actually need.” Administrative access is strictly controlled and given to only those who really need it.
Research teams from different universities who are working together also need a secure method for sharing files.
Vince Spiars, administrative user services manager at Wesleyan University in Connecticut, explains that the school uses “subnets” to limit users’ access. “Students are on their own subnet, and that is how we keep them from getting into administration subnets,” he says.
Wesleyan uses subnets in all its systems, so you can only log on to a certain level of security depending you your level of clearance. “You can talk down to subnets, but you cannot talk up to subnets with greater security clearance requirements,” he says. And if one level is compromised, levels above that are not compromised.
8. “Better, stronger passwords are a fact of life because of increased regulations.”
Colleges and universities will need security controls to meet compliance for funding, accreditation and business practices.
Accounting offices now work with banks to allow online tuition and other payments. This means the school’s security must be as strict as the bank’s, CampusGuard’s King says.
Most contracts allow the banks to fine schools that don’t maintain the required level of security.
Institutions can’t delay implementing better, stronger information security systems if they want to stay compliant with new and changing regulations—and if officials want to give staff and students the confidence that their personal information is protected.
“In the past it has been difficult to get the user community to care about information security at the university, but as more and more breaches of businesses and universities have been making the news, these users have become more excited to take whatever action they can in order to be safe online,” says Duo’s Edwards. “We just need to give them the tools and training necessary to do that.”
Barb Freda is a Charlotte, North Carolina-based technology writer and editor.