Centre Network and Security News

Month: February 2016

Choosing good passwords!

Long passwords are strong passwords!  

Your password can be:

  • passphrase(password phrase or sentence), or
  • A complex combination of characters.

Passphrase:   The easiest way to create a secure password is to use a passphrase, a password consisting of a sentence or phrase.   Passphrases may be easier to remember and more secure than a shorter, more complex password.   A passphrase must:

  • Be between 15 and 127 characters in length, consisting of letters and spaces, AND
  • Contain at least 1 number OR 1 symbol, such as   ( !”# $%&'()*+,-./:;<=>?@[]^_`{|}~).
  • Passphrase tips:
    • Consider a passphrase of several (5 or more) random words strung together, e.g. strainer walking trusty comic giraffe.
    • Make up a sentence that is relevant to you but is stated in such a way that it is not easily guessable, e.g., jazz is a passion, pizza too.
    • Remember that incorrect grammar and misspellings are passphrase strengtheners.
    • DON’T use quotations, popular song lyrics or well-known lines from books, movies, plays, TV shows, etc. exactly as published.   Individuals attempting to crack your password will try them.   You can base your passphrase on one of these, but vary the text in a unique way, e.g.,   “ not all those who wander are lost” (J.R.R Tolkein) could be modernized to “not all those who wander lost their GPS” (we’re sure you can do better).
    • DON’T use something that is public knowledge or has been shared on social media, such as Facebook or Twitter.
    • DON’T use any sample passphrases or passwords shared as tips.

Complex Password:   If you choose to set a shorter but complex password (less than 15 characters in length), your password must contain ALL of the following:

  • A minimum of 10 characters,
  • 1 uppercase letter,
  • 1 lowercase letter,
  • 1 number, AND
  • 1 symbol, such as    ( !”# $%&'()*+,-./:;<=>?@[]^_`{|}~)
  • Complex password tips:
    • Base your password on things relevant to you, but not easily discoverable.
    • Consider using incomplete words, uncommonly misspelled words or number or letter substitutions.
    • Create a unique password for your university account.
    • DON’T use the kinds of passwords that are easy hacking targets, such as:
      • Common dictionary words.
      • Sequential letters or numbers (e.g.   1234567890, abcdefghij, qwertyuiop).
      • Trivial passwords (e.g. password, passwd,mypassword,p@ssw0rd).
      • Easily discoverable personal data (e.g., Account name, Centre ID, names, birthday, address, pets).
      • Things that you’ve posted on social media sites (e.g. Facebook, Twitter).
    • DON’T ever leave a password blank or keep its default value intact.
    • DON’T use the same password to secure your university account as you use (or have used) for other sites, e.g., online shopping, Facebook.
    • DON’T reuse passwords.

Be creative!   The best passphrases and passwords are ones that have never been used before. 

Finally, remember: ITS will never ask you to disclose your password!

Tags: ,

Protecting Yourself from “Phishing Scams”

What is Phishing?

For those that are unfamiliar with this term, Phishing describes an attempt by a disreputable entity to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. While the most common platforms for Phishing are in e-mail or instant messaging, it is becoming more common on social networking sites as well that include chat rooms or other environments where web links can be shared and where attackers can disguise their identity.

How does this happen at Centre College?

One of the most common forms of phishing attack in higher education environments is still the official looking emails claiming be from the institution’s technical support team and usually take the form of an message asking for their user ID and password, with a threat of account deactivation if they fail to reply.  These specifically crafted phishing attempts are primarily focused on gaining access to email accounts to enable them to send malicious email to other systems with the appearance of coming from our legitimate mail system.

How do I spot a Phishing message?

  1. Asks for sensitive information such as usernames, passwords, account number, SSN, credit card numbers, etc.
  2. You did not initiate the communication (it is unsolicited).
  3. Includes a link that you are somehow encouraged to “click on.”
  4. Obvious typographical and grammatical errors that the sender they are masquerading as would not make.
  5. Legitimate emails from ITS will contain one of the following in the subject line: [CentreITS:CIO] [CentreITS:SYSADMIN] [CentreITS:ADMINCOMP] [CentreITS:HELPDESK]


So, why are these qualities a strong indication of a Phishing message?

  1. 1.     No reputable institution that you have dealings with would ever ask for or attempt to obtain sensitive information via unsolicited electronic communication.
  2. 2.     On the rare occasions where password resets and similar communication are conducted via electronic message, it should only be as a result of an action that you initiated. (NOTE: If you receive such a message from an institution you are affiliated with, you should be sure to contact them using your normal methods of communication,do not use those prescribed in the message.)
  3. 3.     Web links force a user to enter an electronic environment controlled by an attacker. Not only can they solicit your sensitive information but they can perform further automated attacks on your computer. This greatly increases the value of the attacker’s interaction with you.
  4. 4.     Phishing attempts are by definition a malicious act and as such are more frequently perpetrated by attackers for whom attention to detail is not as common a trait. The Phishing “industry” is one that prizes quantity over quality. 


What do I do if I accidently respond to one?

  1. 1.     If possible,change the password or access credentials immediately. (NOTE: make sure to record this new information securely until you are able to commit it to memory)
  2. Contact the ITS Helpdesk for the resource that you may have compromised.  Speed is critical, attackers can begin exploiting your information in minutes!  At Centre College, you should contact the ITS helpdesk at 859-238-5575 or e-mail helpdesk@centre.edu.
  3. Keep the original message until the Helpdesk support team tells you that it is okay to delete it.


Additional Resources:

If you would like to read more about Phishing, and look at some examples, any of the links below provide great information from authorities in higher education and beyond:

Think you have it down when it comes to spotting Phishing? Test yourself online at: http://www.sonicwall.com/furl/phishing/. How did you do?

Please feel free to contact the Centre College ITS helpdesk at 859-238-5575 or e-mail helpdesk@centre.edu if you have any questions or concerns.