IT Services: Keeping old passwords puts you at risk
April 25, 2017
As Iowa State students take on their final exams and projects this week, the only concerns most of them have are studying and fantasizing about a much-needed summer break. But Iowa State’s IT Services department hopes that students will add one more item to their end-of-year checklists: password security.
IT Services says that there are numerous attempts to penetrate Iowa State’s cyber defenses, with over 136,000 attacks from nearly 6,000 locations, 260,000 spam emails with malicious intent and approximately one compromised Net ID every day.
Individuals who do not frequently change their online passwords are putting their personal information and online data at risk, according to David Cotton, chief information security officer at IT Services.
“We want you to change [your password] regularly because the reality is people sometimes use the same credentials for different things,” said Cotton, a retired Air Force brigadier general.
Cotton and IT Services believe that students should change their passwords at least every six months, especially if they use their Iowa State email address and password for other online platforms, such as LinkedIn or any other service that requires a log-in.
Their reasoning is that if a password is compromised, a six-month window limits how long that password can be used to break into other accounts.
“While Iowa State may be secure and protected, and doesn’t divulge or breach your password or user ID, someone else might,” Cotton said, “and we’re pushing to have [people change their passwords] on a six-month basis.”
Cotton says this is especially important for individuals with “elevated” access to information that normal users do not have.
For those who have trouble remembering even one password, let alone multiple new passwords every few months, IT Services advocates the use of a password manager application.
“I personally use one and it’s very convenient, in fact, my whole family uses it,” Cotton said.
Cotton said that these types of applications are helpful for those who have trouble keeping track of all their passwords because, once all of your credentials are entered, you only need to remember one password: the one for the app itself. Most password manager apps have browser plug-ins that will auto-fill password fields for the user.
Cotton said that using different passwords for different accounts, and changing them frequently, makes it harder for a bot or program to break into an account by trying one password sequence after another.
Cotton says that one of the most common techniques used by people or entities to obtain personal information is the phishing email, which tries to trick a user into entering log-in credentials on a page reached through a suspicious link in the message itself.
“If you hover over that button that they want you to click — please don’t — you’ll see it may say ‘iastate’ somewhere in there, but it’s to some site that isn’t an Iowa State site,” said Cotton.
“In some cases, the bad guys, or criminals, have actually copied our log-in pages for Iowa State and in the little box where they want you to type in your username and password, they send that information back to the server they want it to go to.”
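The hover check Cotton describes can be automated for a whole message. The following is an added example, not code from Iowa State IT Services: it pulls every link out of an HTML email, flags any link whose visible text or URL mentions "iastate" but whose actual host is not iastate.edu or a subdomain of it, and catches two common disguises (the trusted name used as a subdomain of an attacker's domain, and the trusted name placed in the user-info part of the URL before an @). The sample email, the trusted domain, and the attacker hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the university's real domain; everything else is untrusted.
TRUSTED_DOMAIN = "iastate.edu"


def is_trusted_host(host):
    """True only for the trusted domain itself or one of its subdomains.
    A plain substring test would accept 'iastate.edu.evil.example'."""
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self._href = None      # href of the <a> currently being read, if any
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html):
    """Return links that present themselves as Iowa State links but point
    at a host outside the trusted domain. urlparse().hostname drops any
    user-info, so 'http://www.iastate.edu@203.0.113.9/' resolves to the
    real host, 203.0.113.9."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        claims_isu = "iastate" in text.lower() or "iastate" in href.lower()
        if claims_isu and not is_trusted_host(host):
            findings.append({"text": text, "href": href, "host": host})
    return findings


# Constructed sample phishing message (not a real email).
SAMPLE_EMAIL = """
<p>Your Iowa State Net-ID will expire today.</p>
<a href="http://iastate.edu.account-verify.example/login">Click here to keep your iastate account</a>
<a href="https://www.iastate.edu/">Iowa State University</a>
<a href="http://www.iastate.edu@203.0.113.9/okta/">https://www.iastate.edu/okta/</a>
<a href="https://evil.example/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{f['text']}' -> {f['href']} (real host: {f['host']})")
```

Run against the sample, the first and third links are reported and the genuine www.iastate.edu link is not. The last link is left alone because it never claims to be an Iowa State link; a rule that flags every off-domain link would drown real findings in newsletter noise.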
Andrew Albinger, director of distributed information security operations, says that in his position he sees people fall victim to phishing emails “too often.”
IT Services is rolling out a new program, called Okta, which adds multi-factor authentication to the log-in process. This means that when logging in to a site, you may be sent a text message or some other type of authentication prompt in addition to entering your password.
“It’s still in the initial stages and we’re still testing it to see which sites and programs we would use it on,” Albinger said.
Albinger also said that IT Services is looking at reducing the amount of personal information held in and displayed by Iowa State websites and programs.
“There isn’t really a need to have someone’s out-of-session address in the directory,” said Albinger.
Cotton agrees, saying that apart from password security, the best way to keep personal information safe online is by limiting the amount of information that you publish online.
“Don’t share it, at all, keep it to yourself, always privately,” Cotton said. “Be a vigilant user — if it doesn’t seem right then send it to [email protected], which goes to the cybersecurity directorate where we have some very talented people.”
As an institution that’s been around for over 150 years, Iowa State is an information-rich target. IT Services is hoping that students will remember to strengthen their passwords and reinforce their online security before they begin their summer plans.
For more information about what IT Services is doing to keep the Iowa State community secure, visit their website.