Earlier this year, Jisc informed several universities and colleges that compromised usernames and passwords belonging to some of their staff and students had appeared in the public domain, on one of several legitimate websites often used for this purpose.
This is not unusual and, while the compromised user credentials were not taken from the organisations concerned and were not directly associated with their user accounts, it was of immediate concern as thousands of individuals were involved.
The website where this information was spotted, and sites like it, are double-edged swords.
On the one hand, listing compromised credentials acts as an alert to security analysts. On the other hand, those with malicious intentions can use the information to hack accounts and commit crime.
In most cases, however, the fraud will have been committed long before the information is posted to such websites. The data is traded between criminals and the final act of posting it online is simply to boast.
Part of Jisc’s role is to protect the national research and education network, the Janet Network, and our members (universities, colleges and research centres) from cyber crime and to share intelligence on security threats with our community. As such, the Janet Network Computer Security Incident Response Team (CSIRT) quickly alerted those universities and colleges concerned – something we do quite regularly.
Such incidents highlight the risks of weak password management. The galling thing is that this problem could so easily be avoided if only people and organisations would take better care of their online security.
What are the risks?
A report published in March 2018 on behalf of the Government’s Cyber Aware campaign raises just this point and describes “the worryingly large misconceptions the public has about cyber crime compared to the reality of the threat”.
It identifies three key myths:
- That cyber crime isn’t "real crime"
- That it "won’t happen to me"
- That there’s "nothing I can do about it"
The minister for security and economic crime, Ben Wallace, warns in the report that such misconceptions lead to “dangerous inertia”. He goes on:
“As a result of the perception gap, millions of people are leaving themselves, UK businesses and UK infrastructure vulnerable by failing to follow even the most basic secure online behaviours…criminals frequently exploit the weak cyber security of individuals to facilitate their attacks.”
How can we protect ourselves?
In February 2018 we published a blog from Cyber Aware that highlighted the importance of having a separate, strong password for your email account.
The point is that, if you use the same old password for everything, hackers who get into your emails will be able to help themselves to all sorts of other goodies.
But what does a strong password look like, and how do we convince people that having separate, complex passwords for each online account is not a nightmare for all but those with super-human memories?
There is a simple, two-step solution: use a password management application in tandem with multi-factor authentication (MFA).
Using a password manager (there are many open-source/freeware variations, such as Dashlane and LastPass) will allow you to create unique passwords for all your accounts, store them, and have them automatically entered online when you log in.
This is far from a complicated procedure and requires remembering only one master password.
When combined with MFA, each user will have greatly increased the strength of their credential security.
MFA gives the user three lines of defence that are required to access accounts:
- Something you know: your master password, which you remember
- Something you have: your mobile phone or a hardware cryptographic key generator (such as a Yubico key), or virtual MFA (such as AWS Virtual MFA)
- Something you are: iris scans are not far away, but this currently refers to a fingerprint, which can be used to unlock your smartphone
Password management applications allow you to generate passwords that are up to 100 random characters long, although something of 30 characters is the current “unbreakable” standard.
There is no easy way to force the use of true password complexity without employing software, other than to generate random passwords and hand them out to users, which is bound to be unpopular. It also leads to a greater concern that users will write down their passwords, which makes them – and their organisations – even more vulnerable. Using the secure password generators included in most password management applications largely avoids this issue.
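As an added illustration (not part of the Jisc post), the script below does what a password manager's generator does: it draws a uniformly random password from the OS cryptographic random source and works out the entropy behind the "unbreakable" 30-character figure. The 94-symbol alphabet and the guess rate of one trillion guesses per second are assumed values for the calculation.

```python
import math
import secrets
import string

# Alphabet a typical password manager draws from: letters, digits and
# printable punctuation (52 + 10 + 32 = 94 symbols). Assumed for this example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 30, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password of `length` symbols.

    secrets.choice uses the OS CSPRNG; the random module must not be used here.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, guesses_per_second: float = 1e12,
                     alphabet_size: int = len(ALPHABET)) -> float:
    """Years needed to try every password of this length at the given guess
    rate (the default 1e12 guesses/s is an assumed, illustrative figure)."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Compare a short, human-chosen length with the 30 characters the post cites.
    for n in (8, 12, 30):
        print(f"{n:2d} chars: {entropy_bits(n):6.1f} bits, "
              f"{years_to_exhaust(n):.3g} years to exhaust the keyspace")
    print("example 30-character password:", generate_password(30))
```

An 8-character random password from this alphabet is exhausted in under an hour at the assumed rate, while 30 characters (about 197 bits) is far beyond any brute-force budget.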
Educating to ensure good practice
We advise our members that educating staff and students in good security practice is an essential part of cyber protection because they are not only the first line of defence against attack but also the biggest weakness.
The most common method of infiltration by cyber criminals is through phishing emails, which trick people into revealing confidential information such as their usernames and passwords. As you can imagine, if users pick the same password for multiple accounts, the risk of multiple attacks increases.
A survey we conducted among members in 2017 showed:
- 83% of universities provide training for staff, which is compulsory in 46% of cases
- Only 40% train students and a disappointing 8% insist that students take a course
We’d like to see mandatory security training for all users, which includes advice on how to spot phishing emails, iffy websites, dodgy links and, of course, good password health.
We’d also like to see blanket use of password management applications.
When creating, storing, and using personal credentials, a heightened security awareness is as important to organisations as it is to individuals. So clearly it makes little sense to leave individual students and staff to carry on using authentication practices that put both themselves and their college or university at such risk. Both password management and MFA offer a cost-effective solution that is easy to use and gives a clearly defined advantage over maintaining the status quo.