1. IT Services Policy and Rules
Passwords on IT Services systems:
- Must not be simple words, names or other easily-guessed items such as postcodes or car number plates
- Must be changed at least once a year
- Must not be given to anybody else. Your account is for your use only.
The policy of requiring passwords to be changed at least once a year is in direct compliance with the advice of OxCERT, operating under the above University policy. There is another web page giving more details about password expiry policy.
2. What is password security?
A password is a string of characters you give to verify that you are you when you log onto a computer system. Password security mainly consists of these things:
- Don't tell anyone your password.
- Don't write your password down and then allow others to read it.
- Never include your password in an email message.
- When you decide on a password, make sure it can't be guessed.
- If you think there is even a chance someone else might know your password, change it immediately.
- Change your password regularly.
3. Why is password security important?
Keeping your Oxford Single-Sign On (SSO) password secure is something on which IT Services places a great deal of importance. People sometimes query this with comments such as "it's just my email - it wouldn't matter if someone else did get in to read it." In fact the consequences of someone else knowing your SSO password could be very much more serious. Here's just a few examples of what they could do:
- read all your old emails, especially copies of messages you've sent - you may be inadvertently storing confidential information such as credit-card details in these.
- send emails from your account to another person or to a mailing list and cause you widespread embarrassment.
- modify personal web pages you may have on the University web site.
- change the passwords on your other accounts such as Remote Access.
- obtain VPN access to the University network and from there:
- make use of restricted University resources
- access illegal software/movie/pornography internet download sites
- launch attacks on University systems from inside the University firewall
- send large amounts of junk mail
- email a "forgotten password" request, e.g. to Amazon, and then order goods in your name to be delivered to some other address.
- access any Weblearn resources that you may own or administer.
- make you appear to be responsible for any of the above misdemeanours and consequently subject to investigation by the University authorities.
Revealing your password to anyone else (even IT Services Staff) is against University IT regulations - you risk having your IT facilities removed.
Remember: treat your password like your toothbrush - never share it, and change it frequently. If you believe that someone else may know your password then change it immediately.
4. Why can't I tell anyone my password?
Because you don't know where the information will go after it leaves your lips. Even if you only tell one other person, they could tell one other person, and so on, until your password is in the hands of a criminal. Besides, why do you want to tell someone your password, anyway? You are not allowed to share your username with someone else, so there is no legitimate reason for anybody else to know your password.
5. What about writing my password down?
If you must write your password down, make sure that you keep it safe. Writing your password on a post-it note and then sticking the note to your computer is asking for trouble! In general, it is better to remember your password and not write it down anywhere.
6. Why shouldn't I include my password in an email message?
Because email is insecure. Anybody might be able to intercept your message before it reaches the intended recipient. If that person is a criminal, your account, and potentially the whole system, is vulnerable to attack.
7. What is a Cracker?
Traditionally, a Cracker was a person who obtained unauthorised access to a computer system. Your password is stored on the system in encrypted form, that is, the computer only knows a coded version of each password. When you log in, the password you type is encrypted in the same way and your login is allowed if the result matches. It is not possible to obtain the original password direct from the encrypted version so some form of trial and error is needed to "crack" the code.
This term is largely deprecated. People trying to break into computers are now generally known as "hackers". They are much more interested in using social engineering to get the right password first time, and bank details are more useful to a criminal than limited access to a powerful computer (but for sending out spam, access to a powerful computer is what they want).
8. Where else do I need to take care?
When you receive an email which gives you a link to a web page, great care is needed. If you are asked to fill in computer account details, or banking information, then the message is not legitimate and you must not respond. The methods used to persuade you come under the heading of social engineering as explained below
9. What is Social Engineering?
Social engineering is the term used to describe crackers' attempts to get users to tell them about their passwords and other information about the system. This is also called phishing.
Here are some of the approaches used:
- "There is something wrong with your account - please confirm your details so we can avoid cutting you off": No member of the system administration staff or other Computing Services staff will ever ask you to reveal your password or any other information about the system.
- The "something wrong" above may be a disk quota warning - IT Services does not cut off accounts for this reason. In any case, the values given are unlikely to match your actual usage figures.
- "I'm new to the college/department - can you help with such-and-such information". You cannot be sure of the person's bona fides, so refer them direct to your IT staff.
- Beware of messages from "your Bank". These may look credible but genuine ones will never ask for account details.
Guidance on recognising and dealing with fake emails is available from the InfoSec website.