Happy Data Privacy Day!

This is a day, internationally, to help remind everyone that their personal data is being processed every second of the day—whether it is through interactions at  work, the health field, public authorities, online purchases , or casual web surfing. On top of all that, if you are a smart phone user,  Apple or Google can likely tell exactly where you are at any minute of the day.

For these reasons, I’d like to offer a friendly reminder to be aware of your personal responsibility to protect your data to the best of your abilities.  The National Cyber Security Alliance offers some sage advice in the title of their online safety, security and privacy campaign:  Stop. Think. Connect.

Basically, the general idea is for you, as a responsible internet user, to always wade with caution into the open waters of the internet.  In the same way that you would not simply leap off a cliff into the rushing waters of a river without taking your personal safety into account, you shouldn’t randomly click every link that comes across your internet browser on your phone or computer.  This is also true of links in your email—even if it is coming from a friend.

TIP

If I can offer one action that everyone should do as they browse the internet or check mail, it would be to check the links you are clicking.  Whether you are using a browser or an email client, you have a status bar.  As you prepare to click on a button or web address  (STOP) glance down at the status bar to (THINK) make certain that the address looks legitimate and then (CONNECT) click it to go on to read and/or see more.

Here are two examples:

Figure 1: Checking a URL in your web browser
Figure 1: Checking a URL in your web browser

In Figure 1, you can see my browsing with Firefox to that bastion of good news, Buzzfeed.  You’ll notice that I’m pointing to a link (1) while the status bar indicates the URL where the link will take me if I click it (2).  In that status bar, read the URL address to see if it looks safe.  This works the same if you are using the university’s Outlook web interface (Wayne Connect), Gmail, or any other email provider.

Figure 2: Checking web addresses in Outlook email client.
Figure 2: Checking a URL in Outlook email client.

In Figure 2, While using Outlook to read Today@Wayne, I decide I want to read more about an article on the web.  I’m pointing to a link (1),  a tool tip pops up to tell me the URL that will open up in my browser (2), and the status bar also tells me the URL that will open up in my browser (3). Again, decide whether that link looks reliable.

By taking a few extra seconds, you can protect yourself from malicious code on a website or a phishing attempt via your email.

EXCITING NEWS TO CELEBRATE DATA PRIVACY DAY!

I am happy to announce that our cyber security team has been working on a project that will make life easier for all university users.

Currently, every six months, you receive a message that informs you that you must change your password to access all the WSU systems (Academica, Wayne Connect, Canvas, STARS, etc.). At that point, you try to come up with something you know you will remember and something you haven’t used before. To make certain it is accepted, you figure out a password phrase that uses lower case letters, upper case letters and numbers.

Well, here’s the good news.

In about a week, you can create a password and never have to make another one again.

How, you ask?  Simple. Using the same requirements, make a password that has 15 or more characters in it. If you do that, you’ll never be asked to change your password again.

Now, the question:  How will I remember a password with 15 characters?

You can choose random words that are easy for you to remember and simply put a space between them.  Security experts have learned that using multiple random words (three and up is best) provides a great balance between usability and security.  These types of passwords are actually difficult for hackers to determine.

So, after Feb. 5, take the time to make a new password. Investing a small amount of time now will save you lots of time later because you’ll never have to do it again.

 

Don’t share passwords, even with yourself…

You have probably noticed Wayne State has been inundated lately with phishing messages. Some of these have been from ‘compromised’ (that is hacked) computers on campus, while others were disguised to elude our spam filters.

In any case, Provost Winters sent out a message explaining how we can all help keep this deluge down to a manageable level. One of her points, however, might seem strange, and I’d like in this post to explain the rationale behind it.

We all know that passwords are a pain in the neck. Remembering a password is not too difficult, but remembering more than one gets to be a strain on our memories. And, since we have passwords for lots of functions it’s very tempting to reuse them. That is, it’s tempting to use the same (memorable, complex) password for a number of different sites.

Unfortunately, that turns out not to be a good idea, because some websites are not very good at properly protecting your password. Normally passwords are stored on the servers that run websites in an encrypted form (that is, they are scrambled by a computer algorithm that is very difficult to unscramble without a key). There are complex technical details in Bruce Schneier’s first book if you are interested in pursuing this.

The important point is that website owners have a choice about how they store the passwords their customers set up, and they don’t always make the most secure choices. This became clear when a very widely used professional social networking site, which many of us use, LinkedIn was hacked and the encrypted password file was stolen, decrypted and posted online on a Russian site.

While we don’t know exactly how many further breaches and identity thefts occurred because of this break-in, it’s clear that many people got access to pairs of email addresses and passwords. If any of those email addresses were also used to log in to credit card sites, or bank sites hackers had access to lots of sources of money.

So, the ideal solution is not to reuse passwords at all. Just use a different password for every site you visit. This, of course, is highly impractical if that’s all you do. But there are two different ways you can manage this task and still keep your passwords safe.

First, use long passwords that include information about which site they are for. One trick I learned from an IT policy buddy of mine is to start with some string of letters and numbers that is very memorable (your nickname, for example, or your first girl/boyfriend’s name or something) and perhaps the current date, but then to append some reference to the website as part of the password. Say, for example, your first girlfriend’s name was Suzy. Then you could have passwords that look like this:

Facebook: $uzyFB2015
Bank: $uzymybankJune15
Amazon: $uzyBooks15
These are very secure passwords because they have at least ten characters, mixed case and numbers and ‘special’ characters.

Of course, it’s still a non-trivial cognitive task to remember all these passwords, which brings us to the second option: a ‘password wallet’. There are a number of these on the market. They require that you set one memorable, but complex password for the manager itself, and then store all your other passwords in the wallet. They all have the same features—a spreadsheet-like interface that includes the name of the website, its URL and your username and password. They always have some button that copies the password to your computer’s memory, so you can just paste it into the relevant box on the website you’re logging in to. The advantage to this system is that you can have very long, totally non-memorable and therefore completely uncrackable passwords. As long as you can open the wallet, you can just copy the password without your even having seen it. This means you can actually have lots of passwords you don’t even know. Talk about a secure password….

Of course, you really need to remember the password to your manager or you are out of luck. Some of them are free, and some have free and relatively low-cost premium editions. Here are several password wallet apps that I and Kevin Hayes, our Chief Security officer, recommend:

Lastpass https://lastpass.com/
Keepass http://keepass.info/ (this one is free)
PC Magazine recently rated a number of premium managers.

Finally, here’s XKCD’s thoughts on the matter:

https://xkcd.com/792/