UWSC Support - Security - Securely Managing Your Credentials
Now that you understand how to secure your workstation, let's consider the credentials that you use to access accounts and services.
What are credentials?
A typical credential is the combination of a username and a password that you use to log into an application, device or service. Attackers want to steal your credentials so that they can then steal information and launch cyber attacks. Your userid/password combination is only one type of credential that you need to protect, as you may use many others to access all of the services and applications that you use in your work.
This module will provide you with an understanding of why it is important to protect your credentials and how you can do so.
Attackers attempt to steal credentials by tricking you into providing your username and password. This social engineering attack is usually known as phishing, but it can also occur in other forms. Other methods attackers use to steal your credentials include:
- Installing key loggers on your workstations,
- Attacking systems that store credentials, and
- Simply trying to guess your passwords.
You have a responsibility to ensure your userid/password and other credentials are managed securely. Don’t be the weak link in this system.
One example of why an attacker would want your userid and password is so that they can use your campus email to distribute spam. Attackers want to use campus email for this because mail from a .edu address will often circumvent filtering by other email systems. If an address associated with .edu is sending spam, external email systems may then block all legitimate emails sent from other .edu accounts. Beyond email, an attacker who has gained control of your userid and password would be able to access other systems that use this credential. Examples include the Shared Financials System, the Human Resource System, and many more. With access to these systems, attackers can gain information about you, our students, faculty and other staff.
So how can you secure your credentials?
Use strong passwords for each of your credentials. A close friend or family member should not be able to guess your password.
Strong passwords are important for testing and training accounts as well. At a minimum, you should follow the recommended password guidelines. You can even watch a video about creating strong passwords.
- Change your passwords at least twice a year. The reason we suggest changing your password this frequently is to protect against the threat of dictionary attacks.
- Avoid re-using or duplicating passwords between work and personal accounts (e.g. your online banking account or Facebook).
- Never provide your username and password to anyone else. No one should ask for your userid and password, not even other staff. This includes via email, over the phone or in person. Similarly, do not ask anyone else for his or her campusid and password.
- If you are responsible for managing many credentials, the use of a secure password management application is recommended. However, ensure that you are using an exceptionally strong password to secure your password management application. Password Safe is one such application.
- Use unique credentials when developing code or setting up new systems.
- Do not use the vendor-supplied default password for any system. Change it immediately to a new, strong password. This includes test environments.
- Do not use the "remember password" feature contained in many newer web browsers (such as Internet Explorer and Firefox).