IT Services



Password Security


1. IT Services Policy and Rules

Passwords on IT Services systems:
  1. Must not be simple words, names or other easily-guessed items such as postcodes or car number plates
  2. Must be changed at least once a year
  3. Must not be given to anybody else. Your account is for your use only.

The IT Committee's Security and Privacy Policy Group has drawn up a security policy for the University. Suspected breaches of security are handled by the Oxford University Computer Emergency Response Team (OxCERT), which also has an advisory role.

The policy of requiring passwords to be changed at least once a year follows the advice of OxCERT, operating under the University security policy above. A separate web page gives more details about the policy of password expiry.



2. What is password security?

A password is a string of characters you supply to prove that you are who you claim to be when you log on to a computer system. Password security mainly consists of the following:

  1. Don't tell anyone your password.
  2. Don't write your password down and then allow others to read it.
  3. Never include your password in an email message.
  4. When you decide on a password, make sure it can't be guessed.
  5. If you think there is even a chance someone else might know your password, change it immediately.
  6. Change your password regularly.


3. Why is password security important?

Keeping your Oxford Single Sign-On (SSO) password secure is something to which IT Services attaches a great deal of importance. People sometimes query this with comments such as "it's just my email - it wouldn't matter if someone else got in to read it."

In fact the consequences of someone else knowing your SSO password could be very much more serious, because a single sign-on password opens every service that accepts it, not just your mailbox. Here are just a few examples of what they could do:

Revealing your password to anyone else (even IT Services staff) is against University IT regulations; you risk having your IT facilities withdrawn.

Remember: treat your password like your toothbrush - never share it, and change it frequently. If you believe that someone else may know your password then change it immediately.



4. Why can't I tell anyone my password?

Because you don't know where the information will go after it leaves your lips. Even if you only tell one other person, they could tell one other person, and so on, until your password is in the hands of a Cracker (see below). Besides, why would you want to tell someone your password? You are not allowed to share your account with anyone else, so there is no legitimate reason for anybody else to know your password.



5. What about writing my password down?

If you do write your password down, keep the note somewhere only you can reach, and never alongside the username it belongs to. Writing your password on a post-it note and sticking it to your computer is asking for trouble! In general, it is better to remember your password and not write it down anywhere.



6. Why shouldn't I include my password in an email message?

Because email is not a secure channel. A message passes through, and is usually stored on, several mail servers between you and the recipient, and anyone with access to any of them, or to either mailbox, can read it. If one of those people is a Cracker, your account, and potentially the whole system, is open to attack.



7. What is a Cracker?

Traditionally, a Cracker was a person who obtained unauthorised access to a computer system by finding a valid password through trial of likely variants, usually with software tools and/or system data (user names, dictionary words, local place names) that give each guess a better than random chance of being right. Once interactive access to a computer has been gained, the chances of gathering useful data are greatly increased, and the whole system is at risk, not just the first account to be accessed.

Your password is not stored on the system as typed; the system keeps only a one-way hash of it (often loosely called "encrypted"), that is, a coded value from which the password cannot be recovered. When you log in, the password you type is hashed in the same way and your login is allowed if the result matches the stored value. Because the hash cannot be reversed, a Cracker has to guess candidate passwords, hash each one and compare, until a match is found.

With faster processors and cheap disk storage, it became possible to use very sophisticated software to try enormous numbers of guesses, and the word "cracker" came to be used for this software as well. Systems can impose a time delay or lockout after, say, three wrong passwords, which removes the speed advantage for guesses made through the login prompt. It does not help, however, once a Cracker has obtained a copy of the stored hashes, because those guesses are made offline and the login system never sees them; this is why a guessable password remains a risk. In practice it is now often easier to use social engineering to get the right password first time, and the bank details of a few people are more use to a criminal than limited access to a powerful computer.
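The hashing, login check and guessing process described in the two paragraphs above, as an added worked example (this is illustrative code, not IT Services' own software). It uses the PBKDF2 function from Python's standard hashlib module; the iteration count, the word list and the three-strikes lockout class are assumptions chosen for the demonstration. It shows that the lockout stops guessing through the login prompt, while someone holding a copy of the stored hash record can still try likely variants offline and recover a guessable password.

```python
import hashlib
import hmac
import os

# Example code added to this page, not IT Services' own software.  The
# parameters and word list below are assumptions chosen for illustration.
ITERATIONS = 10_000          # deliberately low so the demo runs in seconds;
                             # production systems use far more rounds


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record 'pbkdf2_sha256$rounds$salt$digest'.

    PBKDF2 is a one-way function: the system keeps only the digest, and
    there is no key that turns the digest back into the password.
    """
    if salt is None:
        salt = os.urandom(16)       # random per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(candidate, stored):
    """What a login does: hash the typed password the same way and compare."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed word list standing in for a cracker's dictionary.
WORDLIST = ["password", "letmein", "oxford", "summer", "qwerty"]


def likely_variants(words):
    """Generate the 'likely variants' a cracker tries: the word itself, a
    capitalised form, and each of those with a single digit appended."""
    for word in words:
        for base in (word, word.capitalize()):
            yield base
            for digit in range(10):
                yield base + str(digit)


def crack_offline(stored, words=WORDLIST):
    """Offline dictionary attack on a copied hash record.

    Every guess is checked locally, so a lockout or delay on the login
    service never sees these attempts.  Returns (password, guesses_tried)
    or (None, guesses_tried).
    """
    tried = 0
    for guess in likely_variants(words):
        tried += 1
        if verify_password(guess, stored):
            return guess, tried
    return None, tried


class ThrottledLogin:
    """Online login front-end that locks the account for lock_seconds after
    max_failures wrong passwords: the delay the page describes (hypothetical)."""

    def __init__(self, stored, max_failures=3, lock_seconds=60):
        self.stored = stored
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, candidate, now):
        """Return 'ok', 'wrong' or 'locked'; `now` is a timestamp in seconds."""
        if now < self.locked_until:
            return "locked"
        if verify_password(candidate, self.stored):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lock_seconds
            self.failures = 0
        return "wrong"


if __name__ == "__main__":
    weak = hash_password("Oxford1")
    strong = hash_password("reluctant-violet-cathedral-74")
    print("weak password recovered:", crack_offline(weak))
    print("strong password recovered:", crack_offline(strong))
    login = ThrottledLogin(weak)
    for t, pw in enumerate(["a", "b", "c", "Oxford1"]):
        print("online attempt %d:" % t, login.attempt(pw, now=float(t)))
```

Run as a script it recovers "Oxford1" after 58 offline guesses, fails to find the passphrase in the whole variant list, and shows the fourth online attempt rejected as "locked" even though the password is correct. The salt and the constant-time comparison are the two details a practitioner expects in any real password store; they do not stop a dictionary attack on a weak password, which is the point the page makes.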



8. Where else do I need to take care?

When you receive an email containing a link to a web page, take great care. If the page asks you to fill in computer account details or banking information, the message is not legitimate and you must not respond. Note that the address shown in the message need not be where the link actually goes; the real destination can be checked by hovering over the link before clicking it. The methods used to persuade you come under the heading of social engineering, as explained below.
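The two checks a practitioner would make on such a message (does the link really go where its visible text says, and does the page ask for credentials), as an added example that is not IT Services' own tooling. It uses Python's standard html.parser and urllib; the trusted domain list and both sample messages are constructed for illustration, including the look-alike host under example.net.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Example code added to this page, not IT Services' own tooling.  The trusted
# host list and the sample messages below are constructed for illustration.
TRUSTED_HOSTS = ("ox.ac.uk",)   # assumption: only links under this domain are expected

# Constructed phishing email: the visible link text shows a University address,
# but the real destination is a look-alike host under example.net, and the
# form asks for a password.
SAMPLE_PHISH = """<p>Your mailbox is over quota. Log in at
<a href="http://webauth.ox.ac.uk.example.net/login">https://webauth.ox.ac.uk</a>
within 24 hours to keep your account.</p>
<form action="http://webauth.ox.ac.uk.example.net/login">
  <input type="text" name="username"> <input type="password" name="password">
</form>"""

# Constructed benign message for comparison.
SAMPLE_OK = """<p>See <a href="https://help.it.ox.ac.uk/">IT Services Help Centre</a>
for opening hours.</p>"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs and any credential-style input fields."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.credential_fields = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            kind = (a.get("type") or "").lower()
            if kind == "password" or any(k in name for k in ("pass", "pin", "card")):
                self.credential_fields.append(name or kind)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted=TRUSTED_HOSTS):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def analyse_email(html, trusted=TRUSTED_HOSTS):
    """Return {'suspicious_links': [(text, href, [reasons])], 'credential_fields': [...]}.

    Two checks: the real destination host must be under a trusted domain, and
    if the visible text looks like a URL its host must match the real one.
    """
    p = LinkCollector()
    p.feed(html)
    findings = []
    for text, href in p.links:
        reasons = []
        real = host_of(href)
        if not is_trusted(real, trusted):
            reasons.append("destination %s is not a trusted host" % real)
        if "://" in text or text.startswith("www."):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != real:
                reasons.append("link text shows %s but goes to %s" % (shown, real))
        if reasons:
            findings.append((text, href, reasons))
    return {"suspicious_links": findings, "credential_fields": p.credential_fields}


if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_OK)):
        print(label, analyse_email(msg))
```

The look-alike host is the case worth noticing: "webauth.ox.ac.uk.example.net" contains the University's domain but is a subdomain of example.net, so a check that merely looks for "ox.ac.uk" anywhere in the address would pass it; the example instead requires the hostname to end with the trusted domain.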



9. Social Engineering

Social engineering is the term used for crackers' attempts to persuade users themselves to reveal their passwords and other information about the system. When the approach is made by email or through a fake web page it is usually called phishing.

Here are some of the approaches used:

See http://www.oucs.ox.ac.uk/email/fake/ for detailed guidance on recognising and dealing with fake emails.

Report any suspicious questions that anyone asks you to the IT Services Help Centre or OxCERT right away.