Wayne Connect Powered by Microsoft is almost here

In late April I blogged about the new email/calendaring/collaboration system that was going to replace our current Wayne Connect email and calendar system based on Zimbra.

As of this week the new software is gradually being implemented across campus, so this is a good time to remind everyone about what to expect. The most important point is that you don’t need to do anything to implement this new email system–it will happen automatically. In fact, if you get a message telling you to ‘click here’ to upgrade your email, delete the message immediately, and, whatever you do, don’t click: it’s a scam (there have been several phishing messages with this theme over the past couple of weeks).

There are a few things you should do, but they are all essentially ‘back-up’ procedures. Although all your email, calendar entries and address book data will be transferred automatically, your signature won’t be, so you’ll need to recreate it. You can either make a copy of the wording (and images, if you use them) now, or wait until after the transfer, find an email you’ve sent (all the ‘Sent’ messages will be in the ‘Sent Items’ folder) and copy the signature from it to the Signature section of the ‘Options’ page. You can find the ‘Options’ button by looking for the little gear symbol in the upper right-hand corner.

Although everyone uses Signatures, there are a few other things that won’t transfer but that only affect some people. If you use Filters in Wayne Connect, they will need to be recreated in the new system. They are easy to make–right click on a message you want to be the basis of a Rule (say, anything that comes from that email address) and choose ‘Inbox Rules’, then follow the instructions. If your old filters are complicated, you might want to note them down so that you can implement them in the Microsoft system, where they are called ‘Rules’. Also, Tags won’t transfer, so if you tag your mail, the tags will also need to be recreated. In the new system Tags are called ‘Categories’ and are based on colors.

Remember that, if you have been using the Wayne Connect Notebook, the files in there will be transferred to your OneDrive area.

Log in more safely

Starting today you’ll see a new log-in screen when you go to the web-based version of Wayne Connect. This is part of a long-term project to unify the log-in screens of all of Wayne’s major services, Blackboard, Academica, and Wayne Connect. Although there are esthetic (and ‘branding’) advantages, the main reason is to help all WSU users make sure they are on the right page for logging in. This is crucial because of the innumerable phishing attempts we seem to be getting these days, all of which encourage us to log in to fake WSU pages.

You don’t actually need to do anything different. The log-in process is identical—put in your AccessID and password as before. But if you’re worried, look to see that the address bar in your browser is green, that it says https, and that there’s a padlock symbol visible. These are the signals that you are actually connecting to Wayne State, and not a sketchy phishing site in Lower Slobbovia.

Here’s what to look for:

[Image: Chrome Log-in]

Another advantage to this system is that our security office will be able to recognize hacking attempts more easily and will be able to recognize when people have forgotten their passwords and therefore help them in a secure fashion.

The new log-in screen now shows up when you go to Academica and Wayne Connect, and will be phased in for Blackboard and other systems shortly.

Don’t share passwords, even with yourself…

You have probably noticed that Wayne State has been inundated lately with phishing messages. Some of these have been from ‘compromised’ (that is, hacked) computers on campus, while others were disguised to elude our spam filters.

In any case, Provost Winters sent out a message explaining how we can all help keep this deluge down to a manageable level. One of her points, however, might seem strange, and I’d like in this post to explain the rationale behind it.

We all know that passwords are a pain in the neck. Remembering a password is not too difficult, but remembering more than one gets to be a strain on our memories. And, since we have passwords for lots of functions it’s very tempting to reuse them. That is, it’s tempting to use the same (memorable, complex) password for a number of different sites.

Unfortunately, that turns out not to be a good idea, because some websites are not very good at properly protecting your password. Normally passwords are stored on the servers that run websites in an encrypted form (that is, they are scrambled by a computer algorithm that is very difficult to unscramble without a key). There are complex technical details in Bruce Schneier’s first book if you are interested in pursuing this.

The important point is that website owners have a choice about how they store the passwords their customers set up, and they don’t always make the most secure choices. This became clear when LinkedIn, a very widely used professional social networking site which many of us use, was hacked and the encrypted password file was stolen, decrypted and posted online on a Russian site.
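The storage choice described above, sketched in Python as an added example (not part of the original post, and not any particular site's code). It assumes the "scrambling" is a one-way hash; the account names, passwords, SHA-256 and the PBKDF2 work factor are all constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor, chosen for this illustration


def store_weak(password):
    """Weak choice: one fast, unsalted hash. Same password -> same record."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_strong(password):
    """Stronger choice: per-user random salt plus a deliberately slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_strong(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


def shared_records(table):
    """Groups of accounts whose stored records are byte-for-byte identical."""
    groups = {}
    for user, record in table.items():
        groups.setdefault(record, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed sample accounts: two people happen to pick the same password.
ACCOUNTS = {
    "alice": "Sample-Passw0rd!",
    "bob": "Sample-Passw0rd!",
    "carol": "another-Example-77",
}

weak_table = {user: store_weak(pw) for user, pw in ACCOUNTS.items()}
strong_table = {user: store_strong(pw) for user, pw in ACCOUNTS.items()}

if __name__ == "__main__":
    print("weak scheme, identical records:", shared_records(weak_table))
    print("strong scheme, identical records:", shared_records(strong_table))
    print("alice can still log in:",
          verify_strong("Sample-Passw0rd!", strong_table["alice"]))
```

With the weak scheme, anyone holding the stolen file can see which accounts share a password, and one successful guess covers all of them; with per-user salts and a slow hash, each record has to be attacked separately.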

While we don’t know exactly how many further breaches and identity thefts occurred because of this break-in, it’s clear that many people got access to pairs of email addresses and passwords. If any of those email addresses were also used to log in to credit card sites or bank sites, hackers had access to lots of sources of money.

So, the ideal solution is not to reuse passwords at all. Just use a different password for every site you visit. This, of course, is highly impractical if that’s all you do. But there are two different ways you can manage this task and still keep your passwords safe.

First, use long passwords that include information about which site they are for. One trick I learned from an IT policy buddy of mine is to start with some string of letters and numbers that is very memorable (your nickname, for example, or your first girl/boyfriend’s name or something) and perhaps the current date, but then to append some reference to the website as part of the password. Say, for example, your first girlfriend’s name was Suzy. Then you could have passwords that look like this:

Facebook: $uzyFB2015
Bank: $uzymybankJune15
Amazon: $uzyBooks15

These are very secure passwords because they have at least ten characters, mixed case and numbers and ‘special’ characters.

Of course, it’s still a non-trivial cognitive task to remember all these passwords, which brings us to the second option: a ‘password wallet’. There are a number of these on the market. They require that you set one memorable, but complex password for the manager itself, and then store all your other passwords in the wallet. They all have the same features—a spreadsheet-like interface that includes the name of the website, its URL and your username and password. They always have some button that copies the password to your computer’s memory, so you can just paste it into the relevant box on the website you’re logging in to. The advantage to this system is that you can have very long, totally non-memorable and therefore completely uncrackable passwords. As long as you can open the wallet, you can just copy the password without your even having seen it. This means you can actually have lots of passwords you don’t even know. Talk about a secure password….

Of course, you really need to remember the password to your manager or you are out of luck. Some of them are free, and some have free and relatively low-cost premium editions. Here are several password wallet apps that Kevin Hayes, our Chief Security Officer, and I recommend:

Lastpass https://lastpass.com/
Keepass http://keepass.info/ (this one is free)
PC Magazine recently rated a number of premium managers.

Finally, here are XKCD’s thoughts on the matter:

http://xkcd.com/792/