October 2019: Passwords and Password Managers


As part of National Cyber Security Awareness Month, this is the first of our posts on a specific topic that you can use to help keep yourself safe online.

One overlooked aspect of security is passwords.  We all have a ton of sites (at New Paltz and elsewhere) that we use (to get to our social networks, our bank accounts, our email, to order food/services/stuff online, etc.).  We have so many that most of us tend to reuse our passwords on multiple sites.  This can be dangerous.

Why is this a problem?  If you reuse passwords then your accounts are only as safe as the site with the weakest safeguards.  An example of this can be seen with the recent Chegg data breach.  Since Chegg was compromised, and had weak protections on their passwords, criminals used those Chegg passwords to try to compromise other accounts.  They were successful at New Paltz - to the tune of a couple dozen accounts - and at colleges across the country.

So what can you do to prevent this?  There are a few options here.

Use a password manager

A password manager lets you store strong and unique passwords for all of the sites and services you use.  This way, if one site is compromised, the stolen password cannot be used to breach your other accounts.

We are listing a few password managers here - though New Paltz does not endorse any specific option.  These password managers can be installed on your computer, or your phones in most cases.

All of these are only as strong as your master password - which you use to encrypt/protect your passwords.  If you use one of these - ensure you're using a strong password.  Read on for making strong passwords.

 

Creating strong passphrases

Let's say you don't want to use a password manager (or need a memorable password for the password manager itself or for sites you commonly use).  The first step is to stop thinking of passwords and start thinking of passphrases.  When it comes to passwords, length is far more important than worrying about whether or not you have the right number of upper case/lower case/special characters.

You can create a phrase that you can associate with each site.

 

You can also find more about strong password creation at our Passphrase Guidance page.

Multi-Factor Authentication

Another really good step you can take to protect your accounts is to enable Multi-Factor Authentication or MFA (also known as Two-Step Verification or Two-Factor Authentication).

In addition to your password (something you know), MFA protects your account with something you have (typically your smartphone, either via a dedicated app, or text messages to your phone).

This means that in order for someone to get into your account they need both your password and your device (or at least to get you to provide them the code from your device).

Note: When this article was originally published, the college did not have the Duo MFA service licensed for students, but as of 2020 we do.

You can enable MFA on your Hawkmail account (and on many personal accounts as well).  

To enable MFA (what Google calls 2-Step Verification) on your Hawkmail account, or any personal Google account, see the following page on Google's site: https://support.google.com/accounts/answer/185839

Other accounts which you may want to consider MFA for are those which are most targeted by hackers, including: email accounts, banking/financial sites, or social networking accounts.

 

Stay tuned for more security tips throughout October 2019 as part of Cyber Security Awareness Month!
