
Keeping Information Security Simple – Securing the most important account you have

Letter from the CISO, Vol 4 Issue 3

WashU Community: 

As we all return to school and the fall semester, I wanted to emphasize the criticality of securing the most important online account you have. 

No, not your WashU account! (Although that is important, too.) 

Rather, it is your humble and largely taken-for-granted personal email account.

Whether you use Gmail, Microsoft Outlook (formerly Hotmail), Yahoo! Mail, Spectrum, Verizon, or any other email service, the security of nearly all your other online accounts and services hinges on your personal email account. 

In other words, if I have access to your personal email account, I can probably get into many of your other accounts as well. Kind of like a master key that can open all the locks. 

How should you secure your email account?

Three questions can guide you in securing your account:  

  1. Do you use this password only for this account? 
  2. Is this password long enough? 
  3. Is 2-Factor Authentication (2FA) enabled? 

Why a unique password?

If you use the same password in different accounts, it may be easier for you to remember. It also means that if one of those online systems has a cyber incident where passwords are compromised, malicious actors can now try the same username and password everywhere. This is called a “password-spraying” attack, and the bad actors will inevitably find your other accounts and gain access. 

How long should your password be?

Passwords should be longer than most people are accustomed to. Eight (8) character passwords used to be good enough, but now the best advice is to use a long “passphrase,” built by stringing together 3, 4, or even more random words. As I wrote in my July 22, 2021 column, “look around the room when creating a passphrase, selecting several objects for inspiration, such as ‘big red book green sofa.’” 
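To show why a few random words beat a short "complex" password, here is an added example (not part of the column) that computes the guess-space, in bits, for the cases above and generates a passphrase with a cryptographically secure random choice. The eight-word list is a constructed stand-in for a real word list; the 7776-word size assumed below is the standard diceware list size.

```python
import math
import secrets

# Constructed stand-in for a real word list (a diceware list has 7776 words).
SAMPLE_WORDS = ["big", "red", "book", "green", "sofa", "lamp", "clock", "window"]
DICEWARE_SIZE = 7776
PRINTABLE_ASCII = 95  # letters, digits and symbols on a US keyboard


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Bits of entropy for `word_count` words drawn uniformly (with replacement) from a list."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDS) -> str:
    """Pick words with the `secrets` CSPRNG, not `random`, so the result is unguessable."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def strength_table() -> dict:
    """Guess-space in bits for the password, passphrase and PIN choices discussed in the column."""
    return {
        "8-char mixed password": password_entropy_bits(8, PRINTABLE_ASCII),
        "4-word passphrase": passphrase_entropy_bits(4, DICEWARE_SIZE),
        "5-word passphrase": passphrase_entropy_bits(5, DICEWARE_SIZE),
        "6-digit PIN": password_entropy_bits(6, 10),
        "8-digit PIN": password_entropy_bits(8, 10),
    }


if __name__ == "__main__":
    for label, bits in strength_table().items():
        print(f"{label:24s} {bits:5.1f} bits")
    print("example passphrase:", generate_passphrase(4))
```

Each extra random word adds about 12.9 bits, so five words already exceed an eight-character password that uses every key on the keyboard.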

Check some of the ill-considered passwords people use here. 

Try a Password Manager

Many companies and websites still require the inclusion of upper-and-lowercase characters, numbers, and symbols, resulting in nearly impossible-to-remember-or-type passwords. To help in these situations, I strongly recommend the use of a password manager. They not only remember passwords but automatically enter them into the right websites and only the right websites. They don’t enter them into fraudulent, “copycat” websites set up to steal your login information. Many also recommend unique and hard passwords, as well as warn you of places you’ve used the same password at multiple sites. See “Ask The Experts: Password Management” and “The Magical World of Password Managers” for more information. 

2-Factor Authentication (2FA) is critical

My July 22, 2021 column also emphasized the importance, nay the criticality, of 2FA, which is also known as Multi-Factor Authentication (MFA) or 2-Step Verification (2SV). 

If your personal email provider doesn’t allow for 2FA, you should switch to a new provider. Microsoft Outlook is scheduled to require 2FA over the coming months, and using Gmail without 2FA has become increasingly difficult over the past few years as they encourage its use. 

2FA is great but not perfect 

The Office of Information Security regularly detects situations where passwords have been compromised, but we are often able to prevent a break-in to the account because all WUSTL Key accounts are required to have Duo 2FA.

Beware, however, that cyber criminals are continuously looking to con you out of not only your password, but your 2nd Factor as well. Just this last May, we shared information about how scammers were successfully convincing users to do the Duo Verified Push. They are very sneaky and always innovating.  

Bonus idea – secure your devices 

Returning once more to 2021 themes, on September 30, 2021, I wrote about how important physical security is. This is particularly true for mobile devices like smartphones. 

The security code you use to unlock it is also vitally important. With most phones now using facial or fingerprint login except after a reboot, the Personal Identification Number (PIN) is typed rarely, so I strongly recommend switching from a 4-, 5-, or 6-digit PIN to a 7-, 8-, or 9-digit code. And avoid the most common PIN codes like 0000, 1234, and the ones shown on this chart.

Call to action

As we return to class, I encourage you to be vigilant, skeptical, and a little bit paranoid.

And if you know more about cyber security than your friends – if you’ve read this far, you probably do – please share this information with them, and then help them put it to use.

If you need help with any of these ideas, please contact the Office of Information Security.

Thank you for reading my column and for being a member of the university’s Information Security team!

Good luck, and be careful out there! 

-Chris Shull, CISO