1. IT Services Policy and Rules

Passwords on IT Services systems:
  1. Must not be simple words, names or other easily-guessed items such as postcodes or car number plates
  2. Must be changed at least once a year
  3. Must not be given to anybody else. Your account is for your use only.

The IT Committee's Security and Privacy Policy Group has drawn up a security policy for the University. Suspected breaches of security are handled by the Oxford University Computer Emergency Response Team (OxCERT), which also has an advisory role.

The policy of requiring passwords to be changed at least once a year is in direct compliance with the advice of OxCERT, operating under the above University policy. There is another web page giving more details about the policy of password expiry.

2. What is password security?

A password is a string of characters you give to verify that you are you when you log onto a computer system. Password security mainly consists of these things:

  1. Don't tell anyone your password.
  2. Don't write your password down and then allow others to read it.
  3. Never include your password in an email message.
  4. When you decide on a password, make sure it can't be guessed.
  5. If you think there is even a chance someone else might know your password, change it immediately.
  6. Change your password regularly.

3. Why is password security important?

Keeping your Oxford Single Sign-On (SSO) password secure is something on which IT Services places a great deal of importance. People sometimes query this with comments such as "it's just my email - it wouldn't matter if someone else did get in to read it."

In fact the consequences of someone else knowing your SSO password could be very much more serious. Here are just a few examples of what they could do:

  • read all your old emails, especially copies of messages you've sent - you may be inadvertently storing confidential information such as credit-card details in these.
  • send emails from your account to another person or to a mailing list and cause you widespread embarrassment.
  • modify personal web pages you may have on the University web site.
  • change the passwords on your other accounts such as Remote Access.
  • obtain VPN access to the University network and from there:
    • make use of restricted University resources
    • access illegal software/movie/pornography internet download sites
    • launch attacks on University systems from inside the University firewall
    • send large amounts of junk mail
  • email a "forgotten password" request, e.g. to Amazon, and then order goods in your name to be delivered to some other address.
  • access any Weblearn resources that you may own or administer.
  • make you appear to be responsible for any of the above misdemeanours and consequently subject to investigation by the University authorities.

Revealing your password to anyone else (even IT Services Staff) is against University IT regulations - you risk having your IT facilities removed.

Remember: treat your password like your toothbrush - never share it, and change it frequently. If you believe that someone else may know your password then change it immediately.

4. Why can't I tell anyone my password?

Because you don't know where the information will go after it leaves your lips. Even if you only tell one other person, they could tell one other person, and so on, until your password is in the hands of a Cracker (see below). Besides, why do you want to tell someone your password, anyway? You are not allowed to share your username with someone else, so there is no legitimate reason for anybody else to know your password.

5. What about writing my password down?

If you write your password down, make sure that you keep it safe. Writing your password on a post-it note and then sticking the note to your computer is asking for trouble! In general, it is better to remember your password and not write it down anywhere.

6. Why shouldn't I include my password in an email message?

Because email is insecure. Anybody might be able to intercept your message before it reaches the intended recipient. If that person is a Cracker, your account, and potentially the whole system, is vulnerable to attack.

7. What is a Cracker?

Traditionally, a Cracker was a person who obtained unauthorised access to a computer system using a password found by trying likely variants, usually with software tools and/or system data that produce candidate passwords with a better than random chance of being valid. Once access has been gained to an interactive computer, the chances of gathering useful data are greatly increased, and the entire system is at greater risk, not simply the first account to be accessed.

Your password is stored on the system in one-way encrypted (hashed) form, that is, the computer only holds a coded version of each password. When you log in, the password you type is encoded in the same way and your login is allowed if the result matches. It is not possible to recover the original password directly from the coded version, so some form of trial and error is needed to "crack" it.

With faster processors and cheap disk storage, it became possible to use very sophisticated software to try many passwords, and the word "cracker" came to be used more often for this software. However, systems can impose a time delay when, say, three wrong passwords have been given, so any speed advantage is lost for guesses made through the login system; it does not help if the coded password file itself has been copied, which is why a password still needs to be hard to guess. In fact, it is now a lot easier to use social engineering to get the right password first time, and bank details for a few people are more use to a criminal than limited access to a powerful computer.
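As an added illustration (not code from the IT Services page), the following shows how a system can keep only a coded (salted, one-way hashed) version of a password, check a typed password against it, and impose the time delay described above once three wrong passwords have been given. The PBKDF2 hash, the three-attempt limit and the 60-second delay are assumptions chosen for the example, and the passphrase used is constructed.

```python
"""Added example: one-way password storage plus a delay after repeated failures."""
import hashlib
import hmac
import os
from typing import Optional

MAX_FAILURES = 3          # wrong guesses allowed before the delay kicks in (assumed)
DELAY_SECONDS = 60        # how long logins are refused once the limit is hit (assumed)
PBKDF2_ROUNDS = 100_000   # deliberately slow so each guess costs real CPU time


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store only a salted one-way hash; the original password is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_password(record: dict, candidate: str) -> bool:
    """Encode the typed password the same way and compare the results."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time comparison


class Account:
    """Login state for one user: the stored record plus failure tracking."""

    def __init__(self, password: str):
        self.record = make_record(password)
        self.failures = 0
        self.locked_until = 0.0   # clock time before which logins are refused

    def attempt(self, candidate: str, now: float) -> str:
        """Return "ok", "wrong" or "delayed". `now` is the current time, e.g. time.time()."""
        if now < self.locked_until:
            return "delayed"            # still inside the delay window
        if check_password(self.record, candidate):
            self.failures = 0           # a correct login clears the failure count
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + DELAY_SECONDS   # impose the delay
            return "delayed"
        return "wrong"
```

Even the correct password is refused while the delay is running, which is what removes the speed advantage of rapid guessing through the login system.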

8. Where else do I need to take care?

When you receive an email which gives you a link to a web page, great care is needed. If you are asked to fill in computer account details, or banking information, then the message is not legitimate and you must not respond. The methods used to persuade you come under the heading of social engineering, as explained below.

9. Social Engineering

Social engineering is the term used to describe crackers' attempts to get users to tell them about their passwords and other information about the system. This is also called phishing.

Here are some of the approaches used:

  • "There is something wrong with your account - please confirm your details so we can avoid cutting you off": No member of the system administration staff or other Computing Services staff will ever ask you to reveal your password or any other information about the system.
  • The "something wrong" above may be a disk quota warning - IT Services does not cut off accounts for this reason. In any case, the values given are unlikely to match your actual usage figures.
  • "I'm new to the college/department - can you help with such-and-such information?" You cannot be sure of the person's bona fides, so refer them direct to your IT staff.
  • Beware of messages from "your Bank". These may look credible but genuine ones will never ask for account details.

See http://www.oucs.ox.ac.uk/email/fake/ for detailed guidance on recognising and dealing with fake emails.

Report any suspicious questions that anyone asks you to IT Services Help Centre or OxCERT right away.