The policy of requiring passwords to be changed at least once a year is in direct compliance with the advice of OxCERT, operating under the above University policy. There is another web page giving more details about the policy of password expiry.
- Don't tell anyone your password.
- Don't write your password down and then allow others to read it.
- Never include your password in an email message.
- When you decide on a password, make sure it can't be guessed.
- If you think there is even a chance someone else might know your password, change it immediately.
- Change your password regularly.
Keeping your Oxford Single-Sign On (SSO) password secure is something on which OUCS places a great deal of importance. People sometimes query this with comments such as "it's just my email - it wouldn't matter if someone else did get in to read it."
- read all your old emails, especially copies of messages you've sent - you may be inadvertently storing confidential information such as credit-card details in these.
- send emails from your account to another person or to a mailing list and cause you widespread embarrassment.
- modify personal web pages you may have on the University web site.
- change the passwords on your other accounts such as Remote Access.
- obtain VPN access to the University network and from there:
- email a "forgotten password" request, e.g. to Amazon, and then order goods in your name to be delivered to some other address.
- access any Weblearn resources that you may own or administer.
- make you appear to be responsible for any of the above misdemeanours and consequently subject to investigation by the University authorities.
Revealing your password to anyone else (even OUCS Staff) is against University IT regulations - you risk having your IT facilities removed.
Because you don't know where the information will go after it leaves your lips. Even if you only tell one other person, they could tell one other person, and so on, until your password is in the hands of a Cracker (see below). Besides, why do you want to tell someone your password, anyway? You are not allowed to share your username with someone else, so there is no legitimate reason for anybody else to know your password.
If you write your password down, make sure that you keep it safe. Writing your password on a post-it note and then sticking the note to your computer is asking for trouble! In general, it is better to remember your password and not write it down anywhere.
Because email is insecure. Anybody might be able to intercept your message before it reaches the intended recipient. If that person is a Cracker, your account, and potentially the whole system, is vulnerable to attack.
Traditionally, a Cracker was a person who obtained unauthorised access to a computer system using a password which had been produced by trying likely variants, usually by using software tools and/or system data to produce passwords with a better than random chance of being valid. Once access has been gained to an interactive computer, the chances of gathering useful data are greatly increased and there are increased risks for the entire system, not simply the first account to be accessed.
Your password is stored on the system in encrypted form, that is, the computer only knows a coded version of each password. When you log in, the password you type is encrypted in the same way and your login is allowed if the result matches. It is not possible to obtain the original password direct from the encrypted version so some form of trial and error is needed to "crack" the code.
With faster processors and cheap disk storage, it became possible to use very sophisticated software to try many passwords and the word "cracker" was more often used to describe this software. However, systems can impose a time delay when, say, three wrong passwords have been given, so any speed advantage is lost. In fact, it is now a lot easier to use social engineering to get the right password first time, and bank details for a few people are more use to a criminal than limited access to a powerful computer.
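The stored "coded version", the login check and the delay after three wrong passwords described above can be sketched as follows; this is an added example, not OUCS code or a description of the University's systems. It assumes a salted PBKDF2 hash as the one-way coding, and the class name `LoginStore`, the 30-second base delay and the doubling rule are illustrative choices.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3    # wrong attempts before delays start (the page's "say, three")
BASE_DELAY = 30.0   # assumed delay in seconds; doubles with each further failure


class LoginStore:
    """Keeps only a salted one-way verifier per user, never the password."""

    def __init__(self):
        self._users = {}  # username -> (salt, verifier)
        self._fails = {}  # username -> (consecutive failures, locked_until)

    @staticmethod
    def _derive(password, salt):
        # Deliberately slow one-way function: each guess costs real CPU time.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, user, password):
        salt = os.urandom(16)  # per-user salt: equal passwords store differently
        self._users[user] = (salt, self._derive(password, salt))
        self._fails.pop(user, None)

    def login(self, user, password, now):
        """Return 'ok', 'denied' or 'delayed'; `now` is a clock reading in seconds."""
        count, locked_until = self._fails.get(user, (0, 0.0))
        if now < locked_until:
            return "delayed"  # refused without evaluating the guess at all
        # Unknown users get a dummy salt so the same work is done either way.
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        candidate = self._derive(password, salt)
        if hmac.compare_digest(candidate, stored):  # constant-time comparison
            self._fails.pop(user, None)
            return "ok"
        count += 1
        delay = 0.0
        if count >= MAX_FAILURES:
            delay = BASE_DELAY * 2 ** (count - MAX_FAILURES)
        self._fails[user] = (count, now + delay)
        return "denied"
```

With the delay in place, even the correct password is refused until the lock expires, so guessing speed no longer helps.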
When you receive an email which gives you a link to a web page, great care is needed. If you are asked to fill in computer account details, or banking information, then the message is not legitimate and you must not respond. The methods used to persuade you come under the heading of social engineering, as explained below:
- "There is something wrong with your account - please confirm your details so we can avoid cutting you off": No member of the system administration staff or other Computing Services staff will ever ask you to reveal your password or any other information about the system.
- The "something wrong" above may be a disk quota warning - OUCS does not cut off accounts for this reason. In any case, the values given are unlikely to match your actual usage figures.
- "I'm new to the college/department - can you help with such-and-such information". You cannot be sure of the person's bona fides, so refer them direct to your IT staff.
- Beware of messages from "your Bank". These may look credible but genuine ones will never ask for account details.
See http://www.oucs.ox.ac.uk/email/fake/ for detailed guidance on recognising and dealing with fake emails.