Happy Data Privacy Day!

Keep your messages safe!

January 28 is Data Privacy Day! To honor the day, I thought I would give a little tip to all of you Warriors.

If you are like me, I’m going to guess that you receive countless emails per day. It is likely the most utilized tool for your daily tasks. Statista reported that 269 billion emails were sent and received each day in 2017 and that 293.6 billion will be sent per day in 2019 (Daily number of e-mails worldwide 2017 | Statistic). Though it is an amazingly helpful tool, it needs to be used in the best way possible. More than once, I have learned of personal data via email through the university’s email systems, which sends chills of fear up my spine. Though it may seem like your message goes straight from your computer to whoever will be receiving it, email is far from private.

The best analogy that I can give you to understand the security of email is by posing this question: Would you take your social security number, your date of birth, your contact information, and information for a couple of bank accounts; write it onto a post card; and drop it into a mailbox to be sent to a trusted friend?

I seriously doubt it. Email can easily be intercepted by the least experienced of hackers. Never give any personal, financial, or important information to someone via a regular email message.

You may ask, “So, how can I get this information to someone privately?” Use encrypted messaging!

Our IT Team has set it up so that sending a message using our Outlook service is absolutely simple. Here’s what you do:

  1. Write your message as you normally would.
  2. In your subject line add this before your message’s subject: #secure
  3. Send it!

That’s it! You are done. The recipient will receive an email that has special instructions as to how they can get to the message. Via their browser, they will be sent to a page in WSU’s Outlook account.

Data Privacy Day Bonus!

This is really a reminder for anyone who missed the message I posted for last year’s Data Privacy Day.
You now never have to change your WSU password again.

Currently, every six months, you receive a message that informs you that you must change your password to access all the WSU systems (Academica, Wayne Connect, Canvas, STARS, etc.). Then, you rack your brain to come up with something you know you will remember and haven’t used before—blending that perfect amount of lower and upper case letters, numbers, and special characters.

You can now make a password for yourself and never have to do it again.

How, you ask? Simple. Use the same requirements, but make a password that has 15 or more characters in it. If you do that, you’ll never be asked to change your password again.

You ask, “How will I remember a password with 15 characters?”

I suggest choosing random words that are easy for you to remember, then adding a number and a character. Security experts have learned that using multiple random words (three and up is best) provides a great balance between usability and security. These types of passwords are actually difficult for hackers to determine.

Next time you are asked to make a password, make one with fifteen characters. It will save you time because you will never have to do it again.

Happy National Cybersecurity Awareness Month 2018! Police your Password

It’s October! This means that—along with all those ever-important holidays like “Global Handwashing Day,” “National Feral Cat Day,” and “International Day of the Nacho”—it is National Cybersecurity Awareness Month! Unlike “Sweetest Day” (which I had honestly never heard of until I moved to Michigan), you do not have to buy someone candy to show your affections, you simply need to make certain that you are taking care to protect your online privacy.

As part of NCSAM, I thought that I would talk a bit about something we do not consider much: the password. Many of us realize that they are unavoidable, but consider them a nuisance that has to be worked around in order to do the things we want or need to do.

The average person spends eleven hours connected to the internet every day. From banking to chatting with friends, uploading a paper on Canvas to registering for classes, there is really no limit to the things we do on a daily basis online. Almost every single resource we use—from Facebook to Wayne Connect—is secured with a password. You may choose to better secure yourself using two-factor authentication (which I covered last year for NCSAM) but the first line of defense is always our password.

Sadly, most of the population is really bad at creating passwords. For example, this past week, I happened to watch the first episode of the Murphy Brown reboot, in which Candice Bergen’s character instructs her son to use “password” as the password for a new Twitter account. Amazingly, the IRS was actually discovered to be using “password” for a password for secure systems in 2015.

I find it interesting that we still have lists of worst passwords. In 2017, Time Magazine reported this list of the top ten worst passwords:

  • 123456
  • Password
  • 12345678
  • qwerty
  • 12345
  • 123456789
  • letmein
  • 1234567
  • football
  • iloveyou

These few statistics point out exactly why we cannot take risks with simple passwords:

  • 10,000 of the most common passwords (such as 12345, qwerty, or 123456) can access 98% of accounts.
  • 90% of passwords generated by users are vulnerable to hacking.
  • The average user has around 26 online profiles or accounts, yet they only use five passwords for all of them.
  • In 2014, five million Gmail passwords were hacked and released online.
  • In 2017, Yahoo admitted that the data breach that had occurred three years earlier reached three million accounts.

So, what is important in creating a password?

  1. Make it unique. Do not use the same password for more than one account. If a hacker gains access to one account, they will have access to every account using that password.
  2. Make it long. Longer passwords are simply more secure. You should be using at least eight characters.
  3. Use a phrase. Using more than one word increases its security. Use a phrase no one else would know.
  4. Vary the characters. Combine uppercase, lowercase, numbers, and special characters in your password. This has become a requirement for many accounts. As an example, using this and the last suggestion, if you wanted to set your password as “happy birthday”, write it as “H@ppyB1r+hD@y.”
  5. Avoid personal information and common words. Do not use information that someone could easily find out. If someone can learn your child’s name and the day they were born from a simple Facebook post, you are not choosing a good password.

With those thoughts, I would highly suggest that you consider using a password manager to create and maintain unique credentials for all of your profiles. A password manager is a type of software that creates, stores, and protects passwords. The best of these services should have an app for your mobile device that works in conjunction with add-ons for your computer’s browsers. This allows you to have your information everywhere you go.

Some of the top password managers are Dashlane, LastPass, and Keeper. Though there are free versions of some of these, they are often limited in the number of passwords they will store or how much you can share a password. Given the cost and hassle that goes along with identity theft, these programs are generally worth the cost. Since most of us have many accounts we are juggling in our lives, we would all be best served by using one.

Good news to remember for NCSAM! I know how much people complain when our Wayne State accounts require us to change our password. Because we want to encourage all of the Wayne State family to use better passwords, C&IT instituted a policy where we will never again ask you to change your password if it meets certain strength requirements.

Have a wonderful National Cyber Security Awareness Month! Celebrate by spending a little time making certain that your information is safe both at home and work.

If you’d like some more tips for creating a secure password, see this excellent infographic from Mike’s Gear Reviews below.

Create Secure Password Infographic

Happy Data Privacy Day!

This is a day, internationally, to help remind everyone that their personal data is being processed every second of the day—whether it is through interactions at work, the health field, public authorities, online purchases, or casual web surfing. On top of all that, if you are a smartphone user, Apple or Google can likely tell exactly where you are at any minute of the day.

For these reasons, I’d like to offer a friendly reminder to be aware of your personal responsibility to protect your data to the best of your abilities.  The National Cyber Security Alliance offers some sage advice in the title of their online safety, security and privacy campaign:  Stop. Think. Connect.

Basically, the general idea is for you, as a responsible internet user, to always wade with caution into the open waters of the internet.  In the same way that you would not simply leap off a cliff into the rushing waters of a river without taking your personal safety into account, you shouldn’t randomly click every link that comes across your internet browser on your phone or computer.  This is also true of links in your email—even if it is coming from a friend.

TIP

If I can offer one action that everyone should do as they browse the internet or check mail, it would be to check the links you are clicking. Whether you are using a browser or an email client, you have a status bar. As you prepare to click on a button or web address, (STOP) glance down at the status bar to (THINK) make certain that the address looks legitimate and then (CONNECT) click it to go on to read and/or see more.

Here are two examples:

Figure 1: Checking a URL in your web browser

In Figure 1, you can see me browsing with Firefox to that bastion of good news, Buzzfeed. You’ll notice that I’m pointing to a link (1) while the status bar indicates the URL where the link will take me if I click it (2). In that status bar, read the URL address to see if it looks safe. This works the same if you are using the university’s Outlook web interface (Wayne Connect), Gmail, or any other email provider.

Figure 2: Checking web addresses in Outlook email client.

In Figure 2, while using Outlook to read Today@Wayne, I decide I want to read more about an article on the web. I’m pointing to a link (1), a tool tip pops up to tell me the URL that will open up in my browser (2), and the status bar also tells me the URL that will open up in my browser (3). Again, decide whether that link looks reliable.

By taking a few extra seconds, you can protect yourself from malicious code on a website or a phishing attempt via your email.

EXCITING NEWS TO CELEBRATE DATA PRIVACY DAY!

I am happy to announce that our cyber security team has been working on a project that will make life easier for all university users.

Currently, every six months, you receive a message that informs you that you must change your password to access all the WSU systems (Academica, Wayne Connect, Canvas, STARS, etc.). At that point, you try to come up with something you know you will remember and something you haven’t used before. To make certain it is accepted, you figure out a password phrase that uses lower case letters, upper case letters and numbers.

Well, here’s the good news.

In about a week, you can create a password and never have to make another one again.

How, you ask?  Simple. Using the same requirements, make a password that has 15 or more characters in it. If you do that, you’ll never be asked to change your password again.

Now, the question:  How will I remember a password with 15 characters?

You can choose random words that are easy for you to remember and simply put a space between them.  Security experts have learned that using multiple random words (three and up is best) provides a great balance between usability and security.  These types of passwords are actually difficult for hackers to determine.
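A sketch of the random-words approach described here and in the Data Privacy Day bonus reminder above. This is an added example, not C&IT's tooling: the word list and symbol set are constructed for illustration, and `meets_policy` is a hypothetical stand-in for the university's actual password rules.

```python
import math
import secrets
import string

# Constructed 16-word sample list; a real generator would draw from a list
# of several thousand words so that each word contributes more entropy.
WORDS = ["maple", "rocket", "lantern", "pickle", "harbor", "velvet", "cactus",
         "tundra", "banjo", "quartz", "meadow", "falcon", "nickel", "orchid",
         "pepper", "saddle"]
SYMBOLS = "!@#$%&*?"   # assumed set of accepted special characters
MIN_LENGTH = 15        # length threshold described in the post


def make_passphrase(n_words=3, words=WORDS):
    """Build 'Word word word' + digit + symbol using a CSPRNG."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    # Edge case: few or short words can fall under the threshold, so keep
    # adding words until the finished passphrase reaches MIN_LENGTH.
    while len(" ".join(chosen)) + 2 < MIN_LENGTH:
        chosen.append(secrets.choice(words))
    chosen[0] = chosen[0].capitalize()
    return " ".join(chosen) + secrets.choice(string.digits) + secrets.choice(SYMBOLS)


def entropy_bits(n_words, list_size):
    """Bits of entropy from the random choices: words, one digit, one symbol."""
    return n_words * math.log2(list_size) + math.log2(10) + math.log2(len(SYMBOLS))


def meets_policy(password):
    """Hypothetical check: 15+ characters with lower, upper, digit, special."""
    return (len(password) >= MIN_LENGTH
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


if __name__ == "__main__":
    print(make_passphrase())
    print(f"3 words, 16-word list:   {entropy_bits(3, 16):.1f} bits")
    print(f"3 words, 7776-word list: {entropy_bits(3, 7776):.1f} bits")
```

The strength comes from the words being chosen at random from a large list: three words from the 16-word sample give about 18 bits, while three words from a 7776-word list give about 45 bits.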

So, after Feb. 5, take the time to make a new password. Investing a small amount of time now will save you lots of time later because you’ll never have to do it again.


Don’t share passwords, even with yourself…

You have probably noticed Wayne State has been inundated lately with phishing messages. Some of these have been from ‘compromised’ (that is, hacked) computers on campus, while others were disguised to elude our spam filters.

In any case, Provost Winters sent out a message explaining how we can all help keep this deluge down to a manageable level. One of her points, however, might seem strange, and I’d like in this post to explain the rationale behind it.

We all know that passwords are a pain in the neck. Remembering a password is not too difficult, but remembering more than one gets to be a strain on our memories. And, since we have passwords for lots of functions it’s very tempting to reuse them. That is, it’s tempting to use the same (memorable, complex) password for a number of different sites.

Unfortunately, that turns out not to be a good idea, because some websites are not very good at properly protecting your password. Normally passwords are stored on the servers that run websites in an encrypted form (that is, they are scrambled by a computer algorithm that is very difficult to unscramble without a key). There are complex technical details in Bruce Schneier’s first book if you are interested in pursuing this.

The important point is that website owners have a choice about how they store the passwords their customers set up, and they don’t always make the most secure choices. This became clear when LinkedIn, a very widely used professional social networking site which many of us use, was hacked and the encrypted password file was stolen, decrypted, and posted online on a Russian site.

While we don’t know exactly how many further breaches and identity thefts occurred because of this break-in, it’s clear that many people got access to pairs of email addresses and passwords. If any of those email addresses were also used to log in to credit card sites or bank sites, hackers had access to lots of sources of money.

So, the ideal solution is not to reuse passwords at all. Just use a different password for every site you visit. This, of course, is highly impractical if that’s all you do. But there are two different ways you can manage this task and still keep your passwords safe.

First, use long passwords that include information about which site they are for. One trick I learned from an IT policy buddy of mine is to start with some string of letters and numbers that is very memorable (your nickname, for example, or your first girl/boyfriend’s name or something) and perhaps the current date, but then to append some reference to the website as part of the password. Say, for example, your first girlfriend’s name was Suzy. Then you could have passwords that look like this:

Facebook: $uzyFB2015
Bank: $uzymybankJune15
Amazon: $uzyBooks15

These are very secure passwords because they have at least ten characters, mixed case and numbers and ‘special’ characters.

Of course, it’s still a non-trivial cognitive task to remember all these passwords, which brings us to the second option: a ‘password wallet’. There are a number of these on the market. They require that you set one memorable, but complex password for the manager itself, and then store all your other passwords in the wallet. They all have the same features—a spreadsheet-like interface that includes the name of the website, its URL and your username and password. They always have some button that copies the password to your computer’s memory, so you can just paste it into the relevant box on the website you’re logging in to. The advantage to this system is that you can have very long, totally non-memorable and therefore completely uncrackable passwords. As long as you can open the wallet, you can just copy the password without your even having seen it. This means you can actually have lots of passwords you don’t even know. Talk about a secure password….

Of course, you really need to remember the password to your manager or you are out of luck. Some of them are free, and some have free and relatively low-cost premium editions. Here are several password wallet apps that I and Kevin Hayes, our Chief Security officer, recommend:

LastPass https://lastpass.com/
KeePass http://keepass.info/ (this one is free)

PC Magazine recently rated a number of premium managers.

Finally, here are XKCD’s thoughts on the matter:

https://xkcd.com/792/