With institutional networks at continuous risk of a data breach (and no shortage of campus employees who have a habit of attaching sticky notes with password reminders to their monitors), IT administrators are cracking down on password protection. The aims: Educate employees about creating stronger passwords and find better ways to secure them.
If you haven’t yet heard the following statements from your IT department, just wait—you will.
1. “Single-word passwords are no longer allowed. But easy-to-remember, hard-to-hack passphrases are.”
Data breaches persist at a rapid pace because users continue to choose birthday dates, words such as “password,” number combinations such as “12345,” and other easily guessed passwords. That’s a big reason for a strong policy such as the above.
Consider changing some of a passphrase’s letters into symbols or numbers for even more security. For example, “I love the Dallas Cowboys” could become “iL0v3the8alla$(0Wboyz”.
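A sketch of how such a policy could be enforced at password-change time, added here as an illustration and not taken from the original article. The denylist, the 15-character minimum and the function names are assumptions. Letter-to-symbol swaps are undone before the denylist comparison, so a decorated single word is still rejected while the passphrases above pass.

```python
import re

# Constructed denylist for illustration; a real deployment would load a
# large breached-password list instead.
DENYLIST = {"password", "letmein", "qwerty", "welcome", "cowboys"}

# Undo common letter-to-symbol swaps so "p@ssw0rd" compares as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Birthday-style strings such as 04/15/1987 or 041587.
DATE_RE = re.compile(r"^\d{1,2}[/.\-]?\d{1,2}[/.\-]?(\d{4}|\d{2})$")


def variants(candidate):
    """Forms of the candidate with spacing and decoration removed."""
    low = re.sub(r"\s+", "", candidate).lower()
    trimmed = low.rstrip("0123456789!?.*#")  # drop a trailing year or "!"
    return {low, low.translate(LEET), trimmed, trimmed.translate(LEET)}


def is_digit_run(text):
    """True for counting or repeated digit strings (12345, 54321, 11111)."""
    if not text.isdigit() or len(text) < 2:
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(text, text[1:])}
    return steps in ({1}, {9}, {0})


def check_passphrase(candidate, min_length=15):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    stripped = candidate.strip()
    compact = re.sub(r"\s+", "", stripped)
    if variants(stripped) & DENYLIST:
        problems.append("common password")
    if is_digit_run(compact):
        problems.append("digit sequence")
    if DATE_RE.match(compact):
        problems.append("looks like a date")
    if len(stripped) < min_length:  # min_length is an assumed policy value
        problems.append("shorter than %d characters" % min_length)
    return problems


if __name__ == "__main__":
    for sample in ("password", "P@ssw0rd!", "12345", "04/15/1987",
                   "I love the Dallas Cowboys", "iL0v3the8alla$(0Wboyz"):
        print(repr(sample), check_passphrase(sample) or "accepted")
```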
2. “Getting into the system will require two steps.”
Two-factor authentication takes advantage of the ubiquity of smartphones to keep sign-ins secure. After entering a name and password, a user will receive a text message, email or call containing a code needed to sign in.
3. “Try using the cloud to store encrypted passwords.”
A password vault, which users unlock with just one master password, remembers and automatically fills in usernames and passwords. As an alternative to autofill, a vault could store password information in a secured note. A hacked host would only show an encrypted blob of information rather than actual passwords.
4. “We’re not looking to frustrate you as you try to access your work.”
IT administrators should help campus users see that these security measures are there to help, protecting confidential student information and financial data. Access to work must be as safe as it is efficient.
5. “We’re moving to biometrics.”
Biometric identification uses fingerprints and eye scans to authenticate users. Software can authenticate users based on “gesture biometrics,” which, for example, can track a user’s unique hand movement as it follows a moving circle or draws characters on a screen.
This type of authentication becomes increasingly important with virtual learning and government standards requiring strict controls for authenticating students. It can be used during enrollment, for class attendance, and at test-taking time.
In addition, biometrics software offers administrators information on what devices are being used for what classes, and the accuracy of the answers being provided. Such information helps in identifying patterns of academic fraud.
6. “All staff and students: Register for our required training program on ‘good password hygiene.’”
Even for colleges that aren’t yet offering training on password habits to the campus community, IT can regularly remind users of commonsense do’s and don’ts.
These include updating software immediately when security patches are issued, not using the same password for several sites, and using the strongest passwords for systems with the most sensitive activity, namely banking, social media and email.
7. “We’re now practicing the ‘Principle of Least Privilege’ on our campus—so unfortunately, you no longer have access to that system.”
No one person, system or network should have more access than they need. One option is using a subnet to limit users’ access, with students on one subnet and administrators on another. If one level is compromised, levels above that are not.
8. “Better, stronger passwords are a fact of life because of increased regulations.”
Colleges need security controls to meet compliance for funding, accreditation and business practices.
So institutions can’t delay implementing better, stronger information security systems if they want to keep up with new and changing regulations—and if officials want to give staff and students the confidence that their personal information is protected.
The original version of this article, written by Barb Freda, appeared in the October 2015 issue of University Business.
Password protection resources
- Duo Security (part of Cisco)