Together, your username and password form what are known as your University credentials. These credentials provide you with access to email and many other online services provided by the University. Criminals consider University credentials to be highly valuable commodities and persistently try to steal them.
How are passwords stolen or abused?
Stolen or abused credentials are a major issue for the University. The security team detects several cases of account misuse every week. The five main ways that credentials are stolen or abused are through:
- Phishing attacks.
- Password sharing.
- Re-using passwords on other poorly secured sites.
- Malware (malicious software) installed on your computer.
- Choosing weak or easily guessed passwords, rather than strong passwords.
Why are University credentials so valuable?
Criminals will try to steal your credentials for many different reasons:
- You are open to identity theft. Criminals can and will go through your mail or online accounts looking for material that they can use for creating and selling fake identities.
- You are open to financial fraud. Criminals will search your email for credit card numbers. Never send anyone your credit card details in an email.
- Your credentials will likely be sold on underground forums (often hosted in China or the Middle East). The people who buy them will probably use them to fraudulently access resources that the University has licensed from third parties (mostly library materials), and if the vendors detect the abuse they blacklist the whole University until it stops.
- Your credentials may be used to send emails or make posts in your name.
What should I do if I suspect my password is compromised?
If you suspect that your password has been stolen, use the University's password tools to change your password immediately. Change it from a device you trust: if malware on your own computer captured the old password, it will capture the new one too.
The first line of defence in protecting your password is to create a strong, random, unique password.
While you can choose your own password, the recommended way to create strong passwords is to use the password generator within a password manager.
Where the system permits, use long passwords. Longer passwords are better passwords. The more characters a password cracking program has to crunch, the harder it is to guess.
Passwords must have a minimum of 8 characters and at least 3 out of these 4 requirements:
- at least 1 number (0-9)
- at least 1 lower case letter (a-z)
- at least 1 upper case letter (A-Z)
- at least 1 special character (?, *, %, etc.)
Passwords must not
- be based on a name
- be based on a single dictionary word
- be based on a previous password
- be based on any obvious personal information such as user ID, family name, pet, birthday, etc.
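The generator recommended above and the rules just listed can be expressed as a short policy check. The following is an added example, not code from the University's page: a Python script that generates a random password with the `secrets` module and checks any candidate against the minimum-length, three-of-four-character-class and "must not" rules. The word list, the symbol set and the function names are assumptions made for the example; a real implementation would load a full dictionary.

```python
import secrets
import string

# Constructed stand-in for a real dictionary; a production check would load a full word list.
DICTIONARY = {"password", "welcome", "auckland", "summer", "letmein", "monkey", "dragon"}
SPECIALS = "?*%!@#$&-_+="   # hypothetical symbol set; the page lists ?, *, % "etc."


def char_classes(password):
    """Count how many of the four classes (digit, lower, upper, special) the password uses."""
    return sum([
        any(c.isdigit() for c in password),
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(not c.isalnum() for c in password),
    ])


def alpha_core(password):
    """Letters only, lower-cased, so 'Summer2024!' and 'summer' compare as the same word."""
    return "".join(c for c in password.lower() if c.isalpha())


def policy_violations(password, personal=(), previous=()):
    """Return the list of rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if char_classes(password) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    core = alpha_core(password)
    if core in DICTIONARY:
        problems.append("based on a single dictionary word")
    for item in personal:            # name, user ID, pet, birthday, ...
        if item and item.lower() in password.lower():
            problems.append("contains personal information '%s'" % item)
    for old in previous:             # the same word with the number bumped is still 'based on'
        old_core = alpha_core(old)
        if old and ((old_core and old_core == core) or old.lower() in password.lower()):
            problems.append("based on a previous password")
            break
    return problems


def generate_password(length=16):
    """Random password from a CSPRNG (secrets), regenerated until it satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["abc123", "Password1!", "Summer2024!", generate_password()]:
        result = policy_violations(pw, personal=["Smith"], previous=["Summer2023!"])
        print(pw, "->", result or "OK")
```

Note that the dictionary and previous-password checks compare the letters only, so "Password1!" is still rejected as the word "password" and "Summer2024!" is still rejected as a variant of "Summer2023!"; the composition rules alone would pass both.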
Protecting your password
The following steps will help to protect your password:
- Do not write your password down on paper or otherwise store it insecurely.
- If you need to store your password, do so with a password manager.
- Always make sure that you are logging into the real University of Auckland login page.
- When you are logging in, ensure that no one can see you enter your password.
Once you have a University of Auckland account, your University credentials will provide you with access to all of the University systems that you've been granted access to.
- You should never share your username and password with another person. This includes your friends, parents, spouse, your manager, or any other authority. Parents who want to check your progress should do so with you, not by using your credentials.
- Use of your username and password is routinely monitored for abuse. Unusual account activity, such as an account being used from different places at the same time, will be investigated.
- You will never be asked for your password by University staff; all such requests are fraudulent.
- Never send your password in an email.
More information about passwords can be found in the Password management guidelines.
Re-using your password on other sites
Never use your University password when you register for any other site which asks you to set a password. Password re-use is a more complex issue than password sharing, but just as important.
The problem is that many computer systems have not been set up to protect users' data very well. Even big name brands are not immune. Adobe lost tens of millions of encrypted passwords in 2013, along with email addresses and plain-text password hints. For that breach, there were about 50 accounts which were easily linked to members of the University community. Some had hints like "Uni password". If another site leaks your username and password and these are the same as your University credentials, you put yourself and the University at risk.
All sites on the Internet are under constant attack from criminals trying to steal credentials. We see these attempts every day against our own web sites.
This problem has increased in the last few years for several reasons:
- Most sites now use your email address as the username. If the password leaks from such a site, all an attacker has to do is try the same email address and password on every other site, and any that share the credentials will let them in.
- Better configured web sites do not store passwords themselves. Instead, they store what we call a 'hash'. Computing the hash from the password is quick and easy; recovering the password from the hash is meant to be infeasible. In practice, attackers do not reverse the hash at all: with the cheap computing power available to them, they hash billions of guesses per second and look for a match, and there are plenty of groups who routinely break leaked hashes this way. Many websites still use a fast, unsalted hash (a plain MD5 or SHA-1, for example) rather than a purpose-built slow password hash, which makes cracking easy.
- There is a thriving market in some parts of the world for stolen university credentials.
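The difference between a poorly hashed and a well hashed password store can be shown concretely. The following is an added example, not code from the University's page: a Python script that stores the same three constructed user passwords twice, once as a bare SHA-256 and once with a per-user salt and the deliberately slow PBKDF2-HMAC-SHA256, then runs the same wordlist attack against both and counts the hash computations each attack needs. The user table, the wordlist and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data for the example: a small leaked user table and a tiny attacker wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Uni2013!", "welcome1"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Uni2013!"}
PBKDF2_ROUNDS = 100_000   # assumed work factor; tune so that one hash costs tens of milliseconds


def store_fast(password):
    """Weak scheme: a single unsalted SHA-256. Same password -> same hash for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_slow(password, salt=None):
    """Better scheme: a per-user random salt and a deliberately slow PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_slow(password, salt, digest):
    """Recompute the slow hash for a guess and compare in constant time."""
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(guess, digest)


def crack_fast(stored):
    """Attacker with unsalted hashes: hash each guess once, then look every user up for free."""
    table = {store_fast(w): w for w in WORDLIST}      # len(WORDLIST) hash computations in total
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(WORDLIST)


def crack_slow(stored):
    """Attacker with salted slow hashes: every guess must be recomputed for every user."""
    found, work = {}, 0
    for user, (salt, digest) in stored.items():
        for word in WORDLIST:
            work += 1                                  # one slow PBKDF2 call per guess per user
            if verify_slow(word, salt, digest):
                found[user] = word
    return found, work


def compare_schemes():
    """Run both attacks over the constructed user table and report what each one cost."""
    fast_db = {u: store_fast(p) for u, p in USERS.items()}
    slow_db = {u: store_slow(p) for u, p in USERS.items()}
    fast_found, fast_work = crack_fast(fast_db)
    slow_found, slow_work = crack_slow(slow_db)
    return {
        "fast_found": fast_found, "fast_hashes": fast_work,
        "slow_found": slow_found, "slow_hashes": slow_work,
        # Unsalted hashes also reveal which users share a password before any cracking starts.
        "fast_reveals_shared": fast_db["alice"] == fast_db["bob"],
        "slow_reveals_shared": slow_db["alice"][1] == slow_db["bob"][1],
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(key, value)
```

Two things to notice in the output. First, the salted slow scheme multiplies the attacker's work by the number of users and makes each guess roughly a hundred thousand times more expensive, which is what buys the "many months" a defender hopes for. Second, both attacks still recover every password, because the passwords themselves are in the wordlist: good hashing only slows the attacker down, and a long, random, unique password is what actually keeps you out of the cracked list.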
You should have a separate password not just for your University account, but for every site that you are registered with. Having a separate password for each site means that you reduce your overall risk if the password for any individual site is compromised. The problem is that this can quickly add up to a lot of passwords! Too many to remember.
The secure solution to managing all these passwords is to use a password manager. A password manager is a software application that creates, stores and organises your passwords in an encrypted vault.
You access your list of passwords with a master password. The master password needs to be very strong.
When selecting a password manager, some of the key features you should look for include:
- Support for multiple operating systems. For example, Windows, OS X, iOS, Android, etc.
- Passwords are encrypted on your device, before they are stored or synchronised anywhere, so that a cloud service or the vendor only ever holds the encrypted vault and never your master password.
- Passwords can be synchronised across devices.
- Support for two-factor authentication, to make your password manager even more secure.
Some of the more popular password managers (in no particular order) include:
Limitations of the built-in password managers in browsers
Most browsers provide built-in functionality to remember passwords that you enter online. Unless turned off, they will regularly prompt you to remember the password for the current username on the current site. On the surface this can seem like a good idea, but browsers typically do a poor job of securing passwords. The following are common weaknesses of built-in password managers:
- They lack random password generators.
- Most do not require a master password to be entered before they fill in saved passwords, so anyone who can use the unlocked computer can use them.
- Encryption is not as strong as with dedicated password managers, and in some cases passwords are stored in clear text.
- Even when passwords are encrypted, they can be extracted by software running under your user account on the same computer. Credential-stealing malware routinely does exactly this.
If a malicious user or malware is able to gain access to a system where passwords are stored within a browser, then all of those passwords will be compromised.
While the built-in managers in browsers continue to improve, they are not suitable for storing important passwords such as your University or banking passwords.
University Administrative Staff
University administrative staff who manage shared credentials must use the University's password manager for this purpose. For more information contact email@example.com.
Changing your password
The University requires you to change your password at least once a year to reduce the risk from passwords that do leak. In particular, if hashed passwords are stolen, it may well take many months to break them. With luck your password will have changed by the time it is broken. Changing it immediately when you suspect it has been compromised matters far more than the annual change.