Keeping Information Security Simple – “New Year’s Resolution – Innovate Your Password Management”

Letter from the CISO, Vol 3 Issue 8

Washington University Community:

New Year – New Password Discipline

“Password Discipline” certainly sounds like the kind of New Year’s resolution that will be abandoned within 24 hours. But it truly needs to be on everyone’s list. Good password management is critical for protecting yourself, your family, and the university.

Without the good password habits that I’m about to share, accounts have been compromised and major harm has resulted. Recent major cyber incidents have involved the Twitter/X account of the U.S. Securities and Exchange Commission (SEC), MGM Resorts, 23andMe, and PayPal. Countless individuals have had their bank accounts and retirement savings stolen, and many more have lost their email and social media accounts.

How are passwords stolen or guessed?

Passwords are stolen or guessed in three different ways.

The first way is by the cybercriminals simply asking you for it (this is phishing). Because they are sneaky and good at what they do, they can send you an email, text, or social media message about some issue, leading you to click on a link, which then requires a login. But they have made a fake version of the website you think you are going to, and they grab your username and password when you try to log in.

Any issue will do, as long as you click on the link. Some are evergreen, while others are seasonal. For example, in November there are great shopping deals, in December package delivery is hot, and now it is tax season. Elections, disasters, wars, and holidays are all used by the bad guys in hopes that you will click.

The second way passwords are stolen or guessed happens when malicious actors compromise an online system and extract all the user account information. Usually, the passwords are stored in a scrambled (hashed) form rather than as plain text, but sometimes they are not, or the scrambling isn’t strong enough to stop the attackers from recovering them.

Unfortunately, many people use the same password on many different websites. Since many sites use your email address as the username, it’s then easy for the attackers to try the compromised usernames and passwords on many different online services (a technique known as “credential stuffing”). This was actually the approach used to access about 14,000 accounts and compromise the information of 6.9 million users at 23andMe.

The third way is the saddest. Millions of people routinely use passwords like “Password,” “1111”, “123456”, “Password1!”, or “Password2024!”, all of which are in the standard lists of common passwords that hackers use to compromise accounts, simply by patiently trying every one of them. Unfortunately, using a beloved dog’s name (which is posted all over social media) with a year or an exclamation point tacked on isn’t much better.

How can you avoid having your passwords stolen or guessed?

Always, always, always – be “vigilant, skeptical, and a little paranoid”

I say this every month, but it’s absolutely essential. The malicious actors are endlessly creative and persistent, and they continuously find new ways to trick people into giving up their login information.

Remember, they really are out to get you, so vigilance, skepticism, and a little paranoia are appropriate. If you think you smell a phish, report it to the InfoSec team using the phish alert button, and we’ll check it out for you. Better safe than sorry!

Step 1: Use a Password Manager

On January 4th, the Wall Street Journal published an excellent article titled “A Better New Year’s Resolution: Make Your Passwords Secure.” (https://www.wsj.com/tech/personal-tech/password-security-tips-9fc3a695). The WSJ is available to WashU students and staff via WUSTL Key login at http://wsj.com/WUSTL. The article recommends four steps for securing accounts. The first is to set up a password manager, and, per their advice, one of the following:

  • The free password manager Bitwarden;
  • The paid version of 1Password ($3 a month for individuals, $5 for up to five accounts), or Dashlane ($5 a month for individuals, $7.49 for up to 10 accounts); or
  • The embedded capabilities of your Firefox, Google Chrome, or Safari web browsers.

The top three advantages of using a password manager include:

  1. helping you create and remember long, hard, unique passwords;
  2. automatically entering them into websites when logging in; and
  3. synching across all your devices so you always have the password you need.

A side benefit is that a password manager will NOT enter your password into a website that is impersonating the real one, because the fake site’s address doesn’t match the one the manager saved. Some managers also warn you when multiple accounts use the same password and when your password may have been compromised. These features – conscientiously applied – block all three ways passwords are stolen or guessed.
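The two checks just described, as an added example (not from the newsletter or any real password manager): a tiny vault that only offers a saved password when the page’s domain matches the saved site exactly, so a look-alike phishing address gets nothing, plus a report of passwords reused across sites. The vault entries are constructed, and the two-label domain rule is a simplification (real managers use the Public Suffix List to handle domains like co.uk).

```python
from urllib.parse import urlsplit

# Constructed vault entries: (site the password was saved for, username, password).
VAULT = [
    ("https://login.wustl.edu/", "jdoe", "Tr0ub4dor&3-example"),
    ("https://www.bank-example.com/", "jdoe@example.edu", "same-pass-used-twice"),
    ("https://mail-example.com/", "jdoe@example.edu", "same-pass-used-twice"),
]


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host, e.g. 'wustl.edu'.
    Simplified: a real manager consults the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def entries_for(url: str) -> list:
    """Offer only credentials whose saved domain equals the page's domain.
    A look-alike such as login.wustl.edu.example-verify.net or wustI.edu
    (capital I) does not match, so nothing is filled in."""
    target = registrable_domain(url)
    return [(user, pw) for site, user, pw in VAULT
            if registrable_domain(site) == target]


def reused_passwords() -> dict:
    """Map each password used on more than one site to those sites."""
    by_pw: dict = {}
    for site, _, pw in VAULT:
        by_pw.setdefault(pw, []).append(registrable_domain(site))
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


if __name__ == "__main__":
    print(entries_for("https://login.wustl.edu/idp"))                      # one match
    print(entries_for("https://login.wustl.edu.example-verify.net/"))      # [] (fake)
    print(entries_for("https://wustI.edu/"))                               # [] (look-alike)
    print(reused_passwords())
```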

Step 2: Change weak, reused, and compromised passwords

Setting up a password manager without changing your vulnerable passwords won’t do much good. The WSJ article points to the password manager features that help you do this, and also points us to “the secure website Have I Been Pwned to see if other types of data have been compromised.” (“Pwned” is a corruption of the word “owned”, used to mean “completely annihilated or dominated.”)

Step 3: Use 2-Factor Authentication (2FA) – especially for email

The WSJ article continues by recommending that you set up 2FA, sometimes also called 2-Step Verification, on your accounts. Not every online service offers it, but the most important accounts to focus on are email accounts, followed by financial and health services accounts.

Email accounts are the most important ones because they are used to perform password resets on all your other accounts. If a hacker gets access to your personal email account, they can see which financial institutions you use, use your email account to reset the password on your bank and retirement accounts, and probably move all your money to their bank in Russia, North Korea, or another country outside the reach of U.S. law enforcement.

Step 4: Secure your devices

The WSJ wraps up by highlighting the need to protect your devices physically. A thief who steals your phone and knows your device passcode can do a lot of damage. There are many ways to con people into revealing their phone passcode or unlocking a device before stealing it, which can lead to emptied bank accounts and being locked out of all the accounts you reach through your phone – which, for many people, is a lot!

If your phone is lost or stolen, the first thing to do is to quickly go to a computer and log in to your Apple iCloud or Google account, lock the device, and see if you can use the locate-device service to figure out where it is. Apple’s instructions (“locate and lock an iPhone”) and Google’s (“find, lock, or erase your lost Android device”) are both available online.

Call to action:

If you need help with any of these ideas, please contact the Office of Information Security.

Thank you for reading this unusually long issue of my column, and for being members of the university’s information security team!

Good luck and be careful out there!

-Chris Shull, CISO